PVE logs and Proxy Server

fdm91

New Member
May 25, 2023
Hi all!

I have a Proxmox Virtual Environment installed at home in order to manage some VMs for my private network. In order to see and manage VMs remotely, I configured a virtual host on another machine through apache that redirects all traffic to proxmox.mydomain.com.
Now come some security concerns:

1. Because of the Apache proxy, every failed login attempt in /var/log/daemon.log is logged using the internal proxy IP instead of the real client IP. I read a lot of documentation talking about using X-Forwarded-For headers and mod_remoteip, but all this kind of stuff should be configured in pveproxy.conf, which is not a "real" webserver (like apache, nginx, etc.), so I really don't know where to put my hands.

2. Also, if I succeed in logging the correct IPs, I'd like to mount the /var/log/ folder on the proxy server and configure fail2ban in order to block repeated wrong login attempts. Now, I cannot do it because every failed attempt is logged as my proxy IP, so obviously it cannot ban itself.

Anyway, for security reasons, since day one I already disabled root login through web interface and protected my account with 2FA.

Do you have any idea? I tried to find someone with my same problem but didn't find anything. Also, I tried to ask chatgpt hoping it was "better than me" in searching online, but without any luck.

Thanks in advance for every reply to my doubts.
 
1. Logging Correct Client IP Addresses:
To log the correct client IP addresses in Proxmox when using a reverse proxy, you can indeed use the X-Forwarded-For header. However, as you mentioned, Proxmox's pveproxy is not a traditional web server like Apache or Nginx, and it doesn't natively support configuration files like those servers. Also, you can try to buy proxies elsewhere.

One way to address this is to use the Apache reverse proxy to add the X-Forwarded-For header before forwarding the request to the Proxmox server.

In your Apache virtual host configuration for Proxmox, you can add the following lines:
Code:
<VirtualHost *:80>
    ServerName proxmox.mydomain.com
    ProxyPass / http://your_proxmox_ip/
    ProxyPassReverse / http://your_proxmox_ip/
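    # Requires mod_headers; the expr= form (Apache 2.4.10+) works without mod_ssl,
    # whereas %{REMOTE_ADDR}s is only resolved when mod_ssl is loaded.
    RequestHeader set X-Forwarded-For "expr=%{REMOTE_ADDR}"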
</VirtualHost>

Replace your_proxmox_ip with the actual IP address of your Proxmox server. This configuration should pass the client's real IP address to the Proxmox server via the X-Forwarded-For header.

2. Configuring fail2ban:
Once you've addressed the logging issue, you can configure fail2ban on your Proxmox server to block repeated failed login attempts.

Edit the fail2ban configuration file, usually located at /etc/fail2ban/jail.local, and add a section for Proxmox. For example:

Code:
[proxmox]
enabled  = true
filter   = proxmox
port     = http,https
logpath  = /var/log/daemon.log
maxretry = 3

Create a new filter configuration for Proxmox. Create a file named /etc/fail2ban/filter.d/proxmox.conf:
Code:
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.*
ignoreregex =

Restart fail2ban for the changes to take effect:

Code:
sudo systemctl restart fail2ban

This assumes that the failed login attempts in /var/log/daemon.log are logged in a format that fail2ban can parse. Adjust the failregex pattern if needed.

With these configurations, fail2ban should now be able to read the correct client IP addresses from the log files and ban IPs that exceed the defined number of login attempts.

Remember to adapt these configurations based on your specific setup and requirements. Always test changes in a safe environment before applying them to production systems.
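
A check to run before enabling the jail, added here as an example and not part of either post: it applies the failregex above to log lines and reports which addresses would reach maxretry, separating out the reverse proxy so a self-ban is caught in advance. The log lines and addresses are constructed, the `<HOST>` substitute is a simplified stand-in for fail2ban's own expansion, and findtime is ignored.

```python
import re
from collections import Counter
from ipaddress import ip_address

# failregex from the filter above; <HOST> is fail2ban's placeholder.
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.*"
# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IP literals only).
HOST = r"(?:::ffff:)?(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

# Constructed sample lines: 192.168.1.5 plays the reverse proxy.
SAMPLE_LOG = """\
May 25 10:01:02 pve pvedaemon[1201]: authentication failure; rhost=192.168.1.5 user=admin@pve msg=Authentication failure
May 25 10:01:09 pve pvedaemon[1201]: authentication failure; rhost=::ffff:192.168.1.5 user=root@pam msg=Authentication failure
May 25 10:01:15 pve pvedaemon[1203]: authentication failure; rhost=192.168.1.5 user=test@pve msg=no such user
May 25 10:02:40 pve pvedaemon[1203]: authentication failure; rhost=203.0.113.9 user=root@pam msg=Authentication failure
May 25 10:03:00 pve pvedaemon[1201]: <admin@pve> successful auth for user 'admin@pve'
May 25 10:03:31 pve pvedaemon[1201]: authentication failure; rhost=192.168.1.5 user=admin@pve msg=Authentication failure
"""


def failures_by_host(log_text):
    """Count failregex matches per normalised rhost address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        try:
            counts[str(ip_address(m.group("host")))] += 1
        except ValueError:
            continue  # matched text was not an IP literal
    return counts


def ban_candidates(log_text, maxretry=3, proxy_ips=()):
    """Return (hosts the jail would ban, proxy IPs it would ban)."""
    counts = failures_by_host(log_text)
    over = {h for h, n in counts.items() if n >= maxretry}
    proxies = {str(ip_address(p)) for p in proxy_ips}
    return sorted(over - proxies), sorted(over & proxies)


if __name__ == "__main__":
    clients, proxies = ban_candidates(SAMPLE_LOG, maxretry=3, proxy_ips=["192.168.1.5"])
    print("would ban clients:", clients)
    print("would ban the proxy itself:", proxies)
```

If the second list is non-empty on real log data, rhost is still the proxy address and the jail would block every user behind it.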
 