Securing Proxmox and SSH using Fail2Ban
Out of the box Proxmox does not have any Brute Force protection in the same way as some other virtualisation technologies do. For example when using VMWare EXSi it will block the SSH port by default and when open add some strict rules on access.
As such, for our proxmox servers we wanted to increase security on the two open ports: SSH port 80 & Web Portal port 8006 (The Proxmox Web Management Portal).
To do this we used fail2ban. On proxmox fail2ban is really easy to install:
apt-get install fail2ban
Once this is installed we need to add our config to: /etc/fail2ban/jail.local
Within this we place our config for blocking Brute Force attacks on the two service ports.
[sshd] port = ssh logpath = %(sshd_log)s enabled = true [proxmox] enabled = true port = https,http,8006 filter = proxmox logpath = /var/log/daemon.log maxretry = 3 # 7 days bantime = 604800
Next we need to create the file: /etc/fail2ban/filter.d/proxmox.conf
In this file we add:
[Definition] failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* ignoreregex =
Once done we need to restart fail2ban
systemctl restart fail2ban
This now should mean your proxmox host is more secure with the IP being blacklisted if the password is entered wrong 3 times. Our config is fairly strict by blocking it for 7 days but you can adjust this to your own requirements. For example:
# Bad Time 1hr bantime = 3600 # Bad Time 24hr bantime = 86400
If you want to see if your ban is working take a look at:
fail2ban-client status sshd
fail2ban-client status proxmox
We hope this has been helpful, and if you wish us to expand on this, please leave your requests in the comments.
Author: Paul Hughes CTO UKHost4u