Securing Proxmox and SSH using Fail2Ban
Enhancing Security on Proxmox Servers: Brute Force Protection
Out of the box, Proxmox does not include built-in Brute Force protection, unlike some other virtualization technologies. For instance, VMware ESXi automatically blocks the SSH port by default and enforces strict access rules when it is open. This default security measure helps to mitigate the risk of unauthorized access and brute force attacks.
Given this, we recognized the need to enhance security on our Proxmox servers, particularly for the two critical open ports: SSH port 80 and the Web Portal port 8006, which is the Proxmox Web Management Portal. By implementing additional security measures, we can protect our infrastructure more effectively. For more detailed steps on securing Proxmox. Additionally, for a broader perspective on virtualization security best practices, you might find the VMware Security Blog useful.
To do this we used fail2ban. On Proxmox, fail2ban is really easy to install:
apt-get install fail2ban
Once this is installed we need to add our config to: /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
Within this we place our config for blocking Brute Force attacks on the two service ports.
[sshd]
port = ssh
logpath = %(sshd_log)s
enabled = true

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 7 days
bantime = 604800
Next we need to create the file: /etc/fail2ban/filter.d/proxmox.conf
nano /etc/fail2ban/filter.d/proxmox.conf
In this file we add:
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
Once done we need to restart fail2ban
systemctl restart fail2ban
Your Proxmox host should now be more secure, with the IP being blacklisted if the password is entered wrong 3 times. Our config is fairly strict, blocking the IP for 7 days, but you can adjust this to your own requirements. For example:
# Ban time 1hr
bantime = 3600
# Ban time 24hr
bantime = 86400
If you want to see if your ban is working take a look at:
fail2ban-client status sshd
or
fail2ban-client status proxmox
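To confirm that the proxmox filter matches login failures before relying on the jail, this added example (not part of the original guide and not fail2ban's own code) applies the page's failregex to constructed log lines and reports which addresses reach maxretry. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, the function names are illustrative, and findtime is ignored.

```python
import re
from collections import Counter

# failregex and maxretry are copied from the proxmox filter and jail above.
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*"
MAXRETRY = 3

# Assumption: simplified stand-in for fail2ban's <HOST> tag. It accepts an IPv4
# or IPv6 literal, with an optional IPv4-mapped prefix (::ffff:). The real tag
# also accepts DNS names.
HOST = r"(?:::ffff:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)"

# Constructed sample lines in the style of /var/log/daemon.log (not real data).
SAMPLE_LOG = [
    "Jun 10 09:14:01 pve pvedaemon[2211]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure",
    "Jun 10 09:14:05 pve pvedaemon[2211]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure",
    "Jun 10 09:14:09 pve pvedaemon[2211]: authentication failure; rhost=203.0.113.7 user=admin@pve msg=no such user ('admin@pve')",
    "Jun 10 09:15:30 pve pvedaemon[2211]: authentication failure; rhost=::ffff:198.51.100.23 user=root@pam msg=Authentication failure",
    "Jun 10 09:16:02 pve pvedaemon[2211]: <root@pam> successful auth for user 'root@pam'",
    "Jun 10 09:17:44 pve sshd[4120]: Failed password for root from 192.0.2.50 port 51122 ssh2",
]

def compile_failregex(failregex):
    """Expand <HOST> and compile, roughly as fail2ban does before matching."""
    return re.compile(failregex.replace("<HOST>", HOST))

def count_failures(lines, failregex=FAILREGEX):
    """Return a Counter of source address -> number of matching lines."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Addresses whose failure count reaches maxretry (findtime is ignored)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)

if __name__ == "__main__":
    for host, n in count_failures(SAMPLE_LOG).items():
        print(f"{host}: {n} failure(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

On the host itself, `fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf` runs the real filter against the real log and prints how many lines matched.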
We hope this guide has been helpful in enhancing the security of your Proxmox servers. If you have any specific requests or need further information, please leave your suggestions and questions in the comments section below. Your feedback helps us to improve and expand our content to better serve your needs.
For further assistance, please contact UKHost4u or open a support ticket with our team. Additionally, you can explore more resources on virtualization security by visiting our Proxmox resources page or the official Proxmox documentation.
Author: Paul Hughes, CTO UKHost4u