[SOLVED] Missing "auth.log" in Proxmox VE 8.0 - fail2ban sshd

AlexDev

New Member
Jul 29, 2022
5
0
1
Is anybody know why in Proxmox VE 8.0 missing the file "/var/log/auth.log" ?
I try to configure fail2ban with sshd jail and fail2ban crashed after restart because "auth.log" file is missing.

Best regards,
Aleksandar Grigorov
 
OK!
Actual way to make fail2ban work for sshd in Debian 12:

After installing fail2ban in "/etc/fail2ban/jail.d/" we must have file "defaults-debian.conf" with content:
Code:
[sshd]
enabled = true

Old way to make sshd jail config was when remove file "default.conf ot defaults-debian.conf" and create file sshd.conf with content:
Code:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
banaction = iptables-allports
bantime = 3600
ignoreip = 127.0.0.1/8 your_ip_address

The new way that work for me is with change "logpath":
From:
Code:
logpath = /var/log/auth.log
To:
Code:
logpath = journal
and add line:
Code:
backend = systemd
under "logpath = journal"


The whole configuration looks like this:
Code:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = journal
backend = systemd
maxretry = 2
banaction = iptables-allports
bantime = 3600
ignoreip = 127.0.0.1/8 your_ip_address


Good luck to all!
 
I'm not sure that you read all. Maybe it's not the best way, but I personally separate jails in different files in "jail.d" folder. Read again that way I write and do it step by step. In my case, this is Debian 12 from the official Proxmox iso. After completing all the steps I described above, restart fail2ban. I recommend you to set "bantime =" to 180seconds "bantime = 180" for testing. If your IP is in "ignoreip =" you can not ban yourself.
 
I'm not sure that you read all. Maybe it's not the best way, but I personally separate jails in different files in "jail.d" folder. Read again that way I write and do it step by step. In my case, this is Debian 12 from the official Proxmox iso. After completing all the steps I described above, restart fail2ban. I recommend you to set "bantime =" to 180seconds "bantime = 180" for testing. If your IP is in "ignoreip =" you can not ban yourself.
So, even this configuration is no more valid?
 
So, even this configuration is no more valid?
I believe when backend=journal, logpath is redundant.
Regardless of whether this is set globally in jail.conf or in the bundled jail definitions, you can override it for individual jails. So, if ssh is not being logged to a file, you could set backend=journal for the sshd jail.
Also, the .local configuration overlay applies throughout. So you don't need to modify any package files. Just create all your customisations in .local files be that jail.local, filters, actions etc.
 
Last edited:
  • Like
Reactions: kamzata

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!