Securing Proxmox and SSH using Fail2Ban


Installing Percona XtraDB 5 Cluster on Centos 7

Out of the box Proxmox does not have any Brute Force protection in the same way as some other virtualisation technologies do. For example when using VMWare EXSi it will block the SSH port by default and when open add some strict rules on access.

As such, for our proxmox servers we wanted to increase security on the two open ports: SSH port 80 & Web Portal port 8006 (The Proxmox Web Management Portal).

To do this we used fail2ban. On proxmox fail2ban is really easy to install:

apt-get install fail2ban

Once this is installed we need to add our config to: /etc/fail2ban/jail.local

nano/etc/fail2ban/jail.local

Within this we place our config for blocking Brute Force attacks on the two service ports.

[sshd]
port    = ssh
logpath = %(sshd_log)s
enabled = true

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 7 days
bantime = 604800

Next we need to create the file: /etc/fail2ban/filter.d/proxmox.conf

nano/etc/fail2ban/filter.d/proxmox.conf

In this file we add:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

Once done we need to restart fail2ban

systemctl restart fail2ban

This now should mean your proxmox host is more secure with the IP being blacklisted if the password is entered wrong 3 times. Our config is fairly strict by blocking it for 7 days but you can adjust this to your own requirements. For example:

# Bad Time 1hr
bantime = 3600 
# Bad Time 24hr
bantime = 86400

If you want to see if your ban is working take a look at:

fail2ban-client status sshd

or

fail2ban-client status proxmox

We hope this has been helpful, and if you wish us to expand on this, please leave your requests in the comments.

Author: Paul Hughes CTO UKHost4u

About Paul Hughes

With over 20 years experience in the web hosting industry I have a passion for technology and security solutions.

Leave a Reply

Your email address will not be published. Required fields are marked *