I think I have discovered the issue, or an issue at least.
Edit: This is on a Debian 12.2 install with the latest community edition of Proxmox.
So what I'm going to do is document what I've found, and what is working for me, in this post.
What all of these Proxmox configs fail to take into account is that if you use PAM for authentication, the failed logins won't be caught. The configs above only work for the PVE authentication realm.
So I'll show you now my /etc/fail2ban/jail.d/ configs:
pam-generic.conf
Code:
[pam-generic]
enabled = true
backend = systemd
banaction = iptables
findtime = 7d
bantime = 6h
maxretry = 3
ignoreip = 127.0.0.1/8 ::1
proxmox.conf
Code:
[proxmox]
enabled = true
filter = proxmox
backend = systemd
banaction = iptables
maxretry = 3
findtime = 7d
bantime = 1h
*NOTE: The port = line (port = https,http,8006) is unnecessary when using the systemd backend; the auth daemon never mentions the port.
sshd.conf
Code:
[sshd]
enabled = true
filter = sshd
banaction = iptables
backend = systemd
maxretry = 3
bantime = 3600
findtime = 300
ignoreip = 127.0.0.1/8 ::1
*NOTE: You may want to consider adding your own IP to the ignoreip for both the sshd and pam-generic jails as well.
Edit:
*NOTE: You may also want to tweak any of the *time settings to your preference.
And here are my relevant /etc/fail2ban/filter.d/ configs:
proxmox.conf
Code:
[INCLUDES]
before = common.conf
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
ignoreregex =
Also, here is a command you can use to test the jail for systemd:
fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf
And if you like, an alias you can put in your ~/.bashrc to create a command called showbans:
alias showbans="fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status"
*NOTE: If you do decide to add this to your ~/.bashrc file, please know that you then have to do one of the following two things to "enable" it:
You can type source ~/.bashrc
Or you can log out and log in again.
Running the command showbans then gives this:
But I want to stress: if PAM is an auth realm that's available, you NEED the pam-generic jail. Otherwise PAM-based auth failures won't get picked up by the proxmox jail. Only if they attempt to auth with the PVE realm will that jail catch them.
I really hope this helps someone. It took me two full days to figure all of this out.
Celeste
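A way to check which journal lines the proxmox failregex above would actually pick up, as an added example that is not part of the original post: it applies the same regex to a few constructed journal lines (including a pam_unix line that the proxmox filter does not match, which is the gap the pam-generic jail covers) and reports which hosts would cross maxretry within findtime. The HOST pattern is a simplified stand-in for fail2ban's <HOST> substitution, and the log lines and timestamps are constructed (assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> substitution (assumption):
# an IPv4/IPv6 literal (possibly ::ffff:-mapped) or a hostname.
HOST = r"(?P<host>[a-fA-F0-9.:]+|[\w.-]+)"
# Same failregex as /etc/fail2ban/filter.d/proxmox.conf, with <HOST> expanded.
FAILREGEX = re.compile(
    r"pvedaemon\[.*authentication failure; rhost=" + HOST + r" user=.* msg=.*"
)

# Constructed journal lines: three pvedaemon failures from one host, one
# success, one failure from another host, and one pam_unix line from sshd
# that the proxmox filter does not match (journalmatch would drop it too).
SAMPLE_JOURNAL = """\
2023-11-20T10:00:01 pvedaemon[1234]: authentication failure; rhost=::ffff:203.0.113.7 user=root@pam msg=Authentication failure
2023-11-20T10:00:05 pvedaemon[1234]: authentication failure; rhost=::ffff:203.0.113.7 user=root@pam msg=Authentication failure
2023-11-20T10:00:09 pvedaemon[1234]: authentication failure; rhost=::ffff:203.0.113.7 user=admin@pve msg=Authentication failure
2023-11-20T10:01:00 pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'
2023-11-20T10:02:00 pvedaemon[1234]: authentication failure; rhost=::ffff:198.51.100.9 user=test@pve msg=Authentication failure
2023-11-20T10:03:00 sshd[555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root
"""


def parse_failures(journal: str):
    """Return (timestamp, host) for every line the proxmox failregex matches."""
    hits = []
    for line in journal.splitlines():
        m = FAILREGEX.search(line)
        if m:
            ts = datetime.fromisoformat(line.split(" ", 1)[0])
            hits.append((ts, m.group("host").removeprefix("::ffff:")))
    return hits


def offenders(journal: str, maxretry: int = 3, findtime=timedelta(days=7)):
    """Hosts fail2ban would ban: maxretry matches inside one findtime window."""
    by_host = defaultdict(list)
    for ts, host in parse_failures(journal):
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("matched:", parse_failures(SAMPLE_JOURNAL))
    print("would ban:", offenders(SAMPLE_JOURNAL))
```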