If I were in need of such a thing, I'd go with an ingress firewall that has access to all logfiles from all servers and monitors them with fail2ban.
.... I would use a border router in front of my PMX cluster, and for any fail2ban instance/VM/CT I would use a custom command via ssh that will send the offending IPs to the border router firewall blacklist.
But these days, fail2ban is not as efficient as it was 4-5 years ago. Now most of the time I see very well organized reconnaissance activities (testing your IT environment) from distributed IPs (CC). And these attackers are very flexible, with very good capabilities and knowledge.
You block a few of them at, let's say, 5 tries on port xxx/5 min, and you change to 3 tries/5 min; in 15-30 min the CC will adjust according to your changes.
It is like a game played between a cat and a mouse... and we are the mouse, unfortunately.
In my own opinion, for a small-to-mid-size environment, it is better to do it like this (I do not exclude fail2ban 100%):
- run any admin services on a non-standard port if possible (ssh, Proxmox interface, and so on)
- block any offending IP on your border router, for ANY new connection to such standard ports like ssh, telnet, MySQL, mssql, rdp, and so on (adding them to a blacklist if your router can do this; if not, buy a new one that can - around 100 euro)
- use various public blacklists (Spamhaus...) with a good reputation
- block traceroute on the border router
- permit only some ICMP types from the Internet (like time exceeded, transmit too fast)
- enable strict routing (so no loose routing)
- use something like geoip according to the countries of your clients
- restrict access from the Internet to your admin ports (ssh, and so on) to a fixed IP only, or to a ddns host name
- create an access-hours ACL if it is OK for your case (for example, I do not need ssh / PMX access during 02.00-07.00)
- limit the max nr. of new connections / time and / IP
- limit the max nr. of SYN but not new connection from the same IP/time
- use some kind of HIDS/NIDS
Most of these rules must be adjusted according to your case
- from time to time spend an hour or more with tcpdump, so you can know your enemy (the black cat..); you will find many interesting things.
Each of these rules alone will not be so useful, but all of them combined will make a difference - lowering the attack surface of your IT environment
Important note: your border router capabilities are very important
Good luck / Bafta !
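The per-IP threshold behaviour described in the post above, as an added example that is not part of the original post: a simplified fail2ban-style sliding window run over a constructed sshd log, comparing 5 tries/5 min with 3 tries/5 min. The log lines, host name and addresses (documentation ranges) are constructed, and the window logic is a model of the idea, not fail2ban's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches an sshd "Failed password" line; syslog timestamps carry no year.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse(lines):
    """Yield (timestamp, source_ip) for each failed-login line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)

def banned_ips(events, maxretry, findtime_s):
    """Per-IP sliding window: ban once maxretry failures fall within findtime."""
    window, banned = defaultdict(deque), set()
    for ts, ip in sorted(events):
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()  # forget failures older than the window
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

def unbanned_failures(events, banned):
    """Count failures that came from sources the per-IP rule never banned."""
    return sum(1 for _, ip in events if ip not in banned)

def sample_log():
    """Constructed log: one noisy source plus 20 sources with 2 tries each."""
    t0 = datetime(1900, 1, 10, 3, 0, 0)
    fmt = "{} gw sshd[900]: Failed password for root from {} port 40000 ssh2"
    rows = [(t0 + timedelta(seconds=20 * i), "203.0.113.7") for i in range(6)]
    for n in range(20):
        for k in range(2):
            rows.append((t0 + timedelta(seconds=15 * n + 150 * k), f"198.51.100.{n + 1}"))
    return [fmt.format(ts.strftime("%b %d %H:%M:%S"), ip) for ts, ip in rows]

if __name__ == "__main__":
    events = list(parse(sample_log()))
    for maxretry in (5, 3):
        banned = banned_ips(events, maxretry, 300)
        print(maxretry, sorted(banned), unbanned_failures(events, banned))
```

Both thresholds ban only the single noisy address, while the 40 failures spread across 20 sources stay under either limit, which is why the post pairs fail2ban with the border-router rules in the list.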