Securing Proxmox and SSH using Fail2Ban — UKHost4U

Out of the box Proxmox does not have any Brute Force protection in the same way as some other virtualisation technologies do. For example when using VMWare EXSi it will block the SSH port by default and when open add some strict rules on access.

As such, for our proxmox servers we wanted to increase security on the two open ports: SSH port 80 & Web Portal port 8006 (The Proxmox Web Management Portal).

To do this we used fail2ban. On proxmox fail2ban is really easy to install:

apt-get install fail2ban

Once this is installed we need to add our config to: /etc/fail2ban/jail.local

nano /etc/fail2ban/jail.local

Within this we place our config for blocking Brute Force attacks on the two service ports.

[sshd] port = ssh logpath = %(sshd_log)s enabled = true [proxmox] enabled = true port = https,http,8006 filter = proxmox logpath = /var/log/daemon.log maxretry = 3 # 7 days bantime = 604800

Next we need to create the file: /etc/fail2ban/filter.d/proxmox.conf

nano /etc/fail2ban/filter.d/proxmox.conf

In this file we add:

[Definition] failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* ignoreregex =

Once done we need to restart fail2ban

systemctl restart fail2ban

This now should mean your proxmox host is more secure with the IP being blacklisted if the password is entered wrong 3 times. Our config is fairly strict by blocking it for 7 days but you can adjust this to your own requirements. For example:

# Bad Time 1hr bantime = 3600 # Bad Time 24hr bantime = 86400

If you want to see if your ban is working take a look at:

fail2ban-client status sshd

or

fail2ban-client status proxmox

We hope this has been helpful and if you wish us to expand on this, please leave your requests in the comments.

Author: Paul Hughes CTO UKHost4u

Originally published at https://www.ukhost4u.com on June 18, 2020.