PVE logs and Proxy Server

fdm91

New Member
May 25, 2023
Hi all!

I have a Proxmox Virtual Environment installed at home in order to manage some VMs for my private network. In order to see and manage VMs remotely, I configured a virtual host on another machine through apache that redirects all traffic to proxmox.mydomain.com.
Now come some security concerns:

1. Because of the Apache proxy, every failed login attempt in /var/log/daemon.log is logged with the internal proxy IP instead of the real client IP. I read a lot of documentation talking about using X-Forwarded-For headers and mod_remoteip, but all this kind of stuff should be configured in pveproxy.conf, which is not a "real" webserver (like Apache, nginx, etc.), so I really don't know where to put my hands on.

2. Also, if I succeed in logging the correct IPs, I'd like to mount the /var/log/ folder on the proxy server and configure fail2ban in order to block repeated wrong login attempts. Right now I cannot do it, because every failed attempt is logged as my proxy IP, so obviously it cannot ban itself.

Anyway, for security reasons, since day one I already disabled root login through web interface and protected my account with 2FA.

Do you have any idea? I tried to find someone with the same problem but didn't find anything. I also tried to ask ChatGPT, hoping it was "better than me" at searching online, but without any luck.

Thanks in advance for every reply to my doubts.
 
Hi, all
Reopen this thread :)
With this configuration Proxmox does not reveal the correct IP, because it does not receive the Apache packet from mod_remoteip. To allow this function you will modify "/usr/share/perl5/PVE/APIServer/AnyEvent.pm" and add this:

if ($request->header('X-Forwarded-For')) {
    $reqstate->{peer_host} = $request->header('X-Forwarded-For');
}

starting at line 1483.

With this modification Proxmox reveals the correct IP, but with this the fail2ban config does not detect failed login attempts and I do not know the reason.

Thanks for any help
 
Hi there.
I think I have found something that may interest you guys.
@xaras2 really got a point here, and this solved my biggest problem. To be more precise, this should be added into the "authenticate_and_handle_request" sub, and it should look like this:
Perl:
sub authenticate_and_handle_request {
    ......

    my $auth = {};

    if (my $proxy_real_ip_header = $self->{proxy_real_ip_header}) {
        if (my $proxy_real_ip_value = $request->header($proxy_real_ip_header)) {
            my $real_ip = Net::IP->new($proxy_real_ip_value);
            if (defined($real_ip) && $self->check_allowed_proxy($reqstate->{peer_host})) {
                $reqstate->{log}->{real_ip} = Net::IP::ip_compress_address(
                    $real_ip->ip(),
                    $real_ip->version(),
                );
            }
        }
    }
    
    # Add it here!
    if ($request->header('X-Forwarded-For')) {
        $reqstate->{peer_host} = $request->header('X-Forwarded-For');
    }

    if ($self->{spiceproxy}) {
        my $connect_str = $request->header('Host');
        ......

Then pvedaemon would reveal the real IP when you have failed login attempts, with ports.
Unluckily, the default fail2ban proxmox filter example can't deal with that, so you use:
failregex = pvedaemon\[.*authentication failure; rhost=<HOST>(:\d+)? user=.* msg=.*
instead of
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*

However, another problem arises: fail2ban works by adding DROPs in iptables, and iptables will only see that all traffic is coming from your proxy IP.
My final solution is:

0. On the PVE machine, add some code in /usr/share/perl5/PVE/APIServer/AnyEvent.pm as said above.

1. On the PVE machine, use rsyslog to copy a real-time journal of pvedaemon.service to a log file, let's say located at /var/log/pvedaemon/pvedaemon.log. Notice that rsyslog is not included in PVE 8, so you need to apt install rsyslog.

Add the following in /etc/rsyslog.d/pvedaemon.conf:
Code:
if $programname == 'pvedaemon' then /var/log/pvedaemon/pvedaemon.log
& stop

2. On the Proxy machine, use sshfs (with proper credentials configured) to mount the PVE machine's /var/log/pvedaemon directory at the Proxy machine's /var/log/pvedaemon (yeah, I prefer the same location).

3. Set up fail2ban on the Proxy machine using the "legacy option" as described in Fail2ban PVE. Remember to set the proxmox jail's "backend" to "polling" and "logpath" to your mounted log path on the Proxy machine in /etc/fail2ban/jail.local, and omit the "journalmatch" line in /etc/fail2ban/filter.d/proxmox.conf. The "failregex" should also be changed as said above.

4. You are almost done. Tweak the fail2ban settings according to your taste.