How To implement Fail2Ban on Host

jvalla

New Member
Feb 27, 2010
27
1
1
I have no clue how to submit to the wiki so I will post what I did to get this running.

My objective was to implement Fail2Ban on the Proxmox host to monitor and ban IP addresses that make brute force attempts to gain access to the web interface or ssh command shell. I've successfully tested this on my pilot server and it seems to be running well.

Steps.

Update repositories

Code:
apt-get update

Install Fail2Ban

Code:
apt-get install fail2ban

Now we want to make copies of config files for backup purposes

Code:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

Now we want to create the fail2ban filter file which tells what to look for in the logs in order to trigger the ban

Code:
nano /etc/fail2ban/filter.d/proxmox.conf

Copy and paste the code below into proxmox.conf

Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 569 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = ^<HOST> -.*POST.*/1\.1.* 403 1383

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Hit CTRL X then hit Y (if prompted) to save/overwrite proxmox.conf

Now we want to edit the jail.local (not jail.conf) file to specify our proxmox settings

Code:
nano /etc/fail2ban/jail.local

Scroll down until you find the Jails section and locate this section

Code:
[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

Copy and paste the code below directly above [ssh]

Code:
[proxmox]

enabled = true
port    = https,http
filter  = proxmox
logpath  = /var/log/apache*/access.log
maxretry = 3

It should look like this

Code:
[proxmox]

enabled = true
port    = https,http
filter  = proxmox
logpath  = /var/log/apache*/access.log
maxretry = 3

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

Hit CTRL X then hit Y (if prompted) to save/overwrite jail.local

Now we want to restart Fail2Ban

Code:
/etc/init.d/fail2ban restart

Now we want to test the new rules work

Code:
/usr/bin/fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/proxmox.conf

The above command should tell you if your filter is parsing the log files correctly and returning results. This is how mine looks after a few failed login attempts (IP addresses masked)

Code:
Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proxmox.conf
Use log file   : /var/log/apache2/access.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^<HOST> -.*POST.*/1\.1.* 403 1383
|
`- Number of matches:
   [1] 21 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    xxx.xxx.xxx.xxx (Fri Mar 19 09:54:42 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 09:54:47 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 09:54:53 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:00:25 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:00:31 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:00:36 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:08:31 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:14:08 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:14:13 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:14:44 2010)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
164 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 21

However, look at the above section 'Running tests' which could contain important
information.

Put fail2ban to the test by logging in with a made up username and password to the Proxmox web interface. After the 3rd incorrect login you should no longer be able to get to the page. By default the IP address will be banned for 10 minutes.

Now you will want to remove the ban. Go back into the command line and type

Code:
iptables -L fail2ban-proxmox -n -v --line-numbers

Which should give you numbered lines of IP addresses banned by proxmox which looks like this

Code:
proxmox:/etc/fail2ban# iptables -L fail2ban-proxmox -n -v --line-numbers
Chain fail2ban-proxmox (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        8   389 DROP       all  --  *      *       192.168.1.11         0.0.0.0/0
2       87 13396 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

To unban an IP type in

Code:
iptables -D fail2ban-proxmox 1

Where the number 1 represents the line number from the prior command.
You should now have access to the proxmox web interface again.

Fail2Ban is working correctly!

To change the amount of time an IP address is banned

Code:
nano /etc/fail2ban/jail.local

Look for

Code:
bantime  = 600

and change that to the number of seconds you would like for IP addresses to be banned

To add your IP address to the ignore list

Code:
nano /etc/fail2ban/jail.local

Look for

Code:
ignoreip = 127.0.0.1

and add your IP address.


I will be adding more to this as I test. Please let me know if and how this works out for you.
 

jvalla

New Member
Feb 27, 2010
27
1
1
I made a couple of changes and ran through the setup on a clean install of proxmox. Works like a charm.
 

raid

Member
Jul 25, 2010
102
0
16
Italy
Is there any way for fail2ban to monitor the VM logs also?
Would be fine installing it into the host and monitoring the VM too and not only for SSH.
Does anyone know if it can monitor multiple log path and files at once?
Maybe used in conjunction with shorewall behind a NAT...
 

jva1601

Active Member
Oct 19, 2010
61
1
28
I use fail2ban to protect my open vz containers; now I can use it to protect my proxmox host. Thank you very much for the clear thorough tutorial!
 

proxymoxy

New Member
Jun 9, 2011
28
0
1
Haven't tried it yet (still waiting for proxmox 2.0 and hopefully doesn't take as long as centos :)

But the guide looks great and I appreciate it! Thanks!
 

udi

Member
Apr 1, 2011
73
0
6
hi,

this is your regex:

failregex = ^<HOST> -.*POST.*/1\.1.* 403 1383

but in my logfile the number after 403 is 1395.
I decided to remove 1383 from the end of the regex (better than changing it to 1395).
now my regex is: ^<HOST> -.*POST.*/1\.1.* 403

is it ok this way?

thank you
u.
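
Added example, not part of the thread: a comparison of the original filter and the variant without the byte count, run over constructed Apache access-log lines. The `<HOST>` expansion is the one documented in the filter file's comments; the addresses, request paths and sizes in the sample log, and the name `matched_hosts`, are assumptions made for illustration.

```python
import re

# <HOST> alias exactly as documented in the comments of proxmox.conf
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

STRICT = r"^<HOST> -.*POST.*/1\.1.* 403 1383"   # filter from the first post
RELAXED = r"^<HOST> -.*POST.*/1\.1.* 403"       # variant with the size removed

# Constructed access-log lines (addresses, paths and sizes are made up)
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Mar/2010:09:54:42 +0100] "POST /login HTTP/1.1" 403 1383',
    '192.0.2.11 - - [19/Mar/2010:09:54:47 +0100] "POST /login HTTP/1.1" 403 1395',
    '192.0.2.12 - - [19/Mar/2010:09:55:01 +0100] "POST /other/form HTTP/1.1" 403 512',
    '192.0.2.13 - - [19/Mar/2010:09:55:09 +0100] "GET /login HTTP/1.1" 403 1383',
    '192.0.2.14 - - [19/Mar/2010:09:55:15 +0100] "POST /login HTTP/1.1" 200 2048',
]


def matched_hosts(failregex, lines):
    """Return the hosts a failregex would report, in log order."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    # The strict filter misses the 1395-byte response; the relaxed one
    # catches it but also counts every other POST answered with 403.
    print("strict :", matched_hosts(STRICT, SAMPLE_LOG))
    print("relaxed:", matched_hosts(RELAXED, SAMPLE_LOG))
```

Running `fail2ban-regex` with each variant against the real access.log gives the same comparison on live data.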
 

Daraiko

New Member
Mar 2, 2012
22
0
1
37
Danmark
Hi,

I have tried this in 2.x, but it does not seem to work. I have changed the ports.
Is there anyone who has implemented this successfully in proxmox 2.x?
 

xcooling

New Member
May 24, 2012
28
0
1
www.eXtremeSHOK.com
The webgui in 2.0+ does NOT log failed login attempts to /var/log/apache2/access.log; this is why the above fail2ban no longer works.

I have rewritten the scripts to work with proxmox2, and they will be published once they pass QA
 

TheReelaatiiv

Member
Mar 29, 2012
89
0
6
Proxmox VE 2.0+ logs authentication-attempts to /var/log/syslog and of course to /var/log/daemon.log
Code:
Jun 16 15:03:12 gw2 pvedaemon[425416]: authentication failure; rhost=<myip> user=nonexistuser@pam msg=no such user ('nonexistuser@pam')
Jun 16 15:03:28 gw2 pvedaemon[260092]: authentication failure; rhost=<myip> user=root@pam msg=Authentication failure
 

emanuelebruno

Active Member
May 1, 2012
118
0
36
Catania
emanuelebruno.it
According to this web site http://extremeshok.com/blog/debian/...stallation-fail2ban-sysctl-hosts-ip-spoofing/ , I have met this message after typing the "fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox2.conf" command:

***
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proxmox2.conf
Use log file : /var/log/daemon.log


Results
=======

Failregex
|- Regular expressions:
| [1] pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*
|
`- Number of matches:
[1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
***
I have copied it exactly as on the web site... Has anyone met this error?
Sincerely,
Emanuele Bruno.
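
Added example, not part of the thread: the pvedaemon failregex shown in the output above, applied to constructed log lines in the format quoted earlier for Proxmox VE 2.0+, with failures counted per host against the `maxretry = 3` value from the jail. The addresses, the two non-matching lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# <HOST> alias as documented in the comments of the first post's filter file
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*"
MAXRETRY = 3  # value used for the [proxmox] jail earlier in the thread

# Constructed lines; the first two follow the format quoted in the thread,
# with a documentation address in place of the masked one.
SAMPLE_LOG = [
    "Jun 16 15:03:12 gw2 pvedaemon[425416]: authentication failure; rhost=192.0.2.50 user=nonexistuser@pam msg=no such user ('nonexistuser@pam')",
    "Jun 16 15:03:28 gw2 pvedaemon[260092]: authentication failure; rhost=192.0.2.50 user=root@pam msg=Authentication failure",
    "Jun 16 15:03:41 gw2 pvedaemon[260092]: authentication failure; rhost=192.0.2.50 user=root@pam msg=Authentication failure",
    "Jun 16 15:04:02 gw2 pvedaemon[260092]: authentication failure; rhost=192.0.2.77 user=root@pam msg=Authentication failure",
    "Jun 16 15:04:10 gw2 pvedaemon[260092]: <root@pam> successful auth for user 'root@pam'",
    "Jun 16 15:04:30 gw2 sshd[1234]: Failed password for root from 192.0.2.50 port 4242 ssh2",
]

PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))


def failures_per_host(lines):
    """Count the lines matched by the failregex, keyed by the captured host."""
    counts = Counter()
    for line in lines:
        match = PATTERN.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry.

    Simplification: every line is counted, without fail2ban's findtime window.
    """
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(dict(failures_per_host(SAMPLE_LOG)))
    print(hosts_to_ban(SAMPLE_LOG))
```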
 

chrisduncansb

New Member
Aug 8, 2012
1
0
1
So I implemented the above step by step in my Proxmox 1.7 install. The SSH fail2ban is working, but http/https doesn't seem to work. I can continue to attempt to log in after 3 failed attempts, and the

I can see the log in attempts in the apache2/access.log and the summary under running tests is blank.

Any ideas what could be wrong?
 
