|
1 | 1 | --- |
2 | | -title: "Secure Proxmox VE with fail2ban" |
| 2 | +title: “Secure Proxmox VE with fail2ban” |
3 | 3 | date: 2025-02-18 |
4 | | -descripton: "In this tutorial, learn how to secure your Proxmox VE instance based on Debian 12 with fail2ban against brute force attacks." |
| 4 | +descripton: “Learn how to secure your Debian 12-based Proxmox VE instance against brute force attacks with fail2ban in this tutorial.” |
5 | 5 | hero: /images/posts/proxmox-fail2ban/proxmox_und_fail2ban.png |
6 | | -draft: true |
7 | 6 | menu: |
8 | 7 | sidebar: |
9 | | - name: Proxmox with fail2ban |
| 8 | + name: Proxmox and fail2ban |
10 | 9 | identifier: proxmox-fail2ban |
11 | 10 | parent: linux |
12 | 11 | weight: 10 |
13 | | -tags: ["linux", "security", "proxmox", "video"] |
14 | | -categories: ["Tutorials", "Linux", "Video", "Security"] |
| 12 | +tags: [“linux”, “security”, “proxmox”, “video”] |
| 13 | +categories: [“Tutorials”, “Linux”, ‘Video’, “Security”] |
15 | 14 | --- |
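Review bot: The added `title`, `descripton`, `tags` and `categories` lines swap the straight ASCII quotes for typographic ones, and `categories` additionally mixes in ‘Video’ with single curly quotes. YAML does not treat “ ” or ‘ ’ as string delimiters, so they become part of the values: the title will render with literal quote marks and the taxonomy terms will be `“linux”`, `“security”` and so on instead of the existing `linux`, `security` terms. Please restore `"..."` on these four lines. Two further points in the same block: the key is spelled `descripton` on both the removed and the added line, so anything reading `description` will not see it, and removing `draft: true` publishes the page, so the body should be final before this lands.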
16 | | -### Complete Post Coming Soon... |
| 15 | +## Secure Proxmox VE based on Debian 12 with fail2ban |
| 16 | +One way to secure a public Proxmox server against brute force attacks is to use the tool ‘fail2ban’. |
| 17 | +In this short tutorial, I will show you how to use fail2ban to secure access to the ‘SSH’ service and port ‘8006’ of the dashboard. |
| 18 | +Starting point |
| 19 | +In this scenario, we are dealing with a Proxmox server that is hosted as a dedicated server at Hetzner and can be reached via the public Internet using an IPv4 and IPv6 address. |
| 20 | +In general, the use of fail2ban should only be considered as part of a set of security measures to secure your server. Feel free to consult further security measures here on my blog. |
| 21 | + |
| 22 | +> **Voucher** |
| 23 | +> |
| 24 | +> If you would also like to operate a VPS/root/dedicated server, I can offer you a 20 euro voucher. To use this voucher, click on the link below. |
| 25 | +> The 20 euro voucher can only be used for new registrations on the Hetzner website! |
| 26 | +> |
| 27 | +> **Link to the voucher: <https://hetzner.cloud/?ref=OBFauh7A1Ru8>** |
| 28 | +--- |
| 29 | +## Installing fail2ban on Debian 12 |
| 30 | + |
| 31 | +> **IMPORTANT NOTE!** |
| 32 | +> |
| 33 | +> Please note that all commands executed below require elevated privileges! |
| 34 | +> |
| 35 | +> You can obtain these rights by executing the following command once for the existing SSH session: |
| 36 | +> |
| 37 | +> `sudo -s` |
| 38 | +--- |
| 39 | +Since Proxmox VE is based on the Debian distribution, fail2ban is installed in the same way as a classic Debian installation. |
| 40 | +There are two ways to set up fail2ban on the Proxmox system. |
| 41 | +- **Setup via the Proxmox dashboard.** |
| 42 | + |
| 43 | +To set up via the Proxmox dashboard, click on the Proxmox node, select “Shell,” and then enter the appropriate configuration information. |
| 44 | + |
| 45 | +- **Setup via terminal using an SSH connection to the Proxmox server.** |
| 46 | + |
| 47 | +In my example, we will connect to the Proxmox server via a terminal using SSH. The advantage of this is greater convenience, e.g. when using copy & paste. |
| 48 | +To set up via the Proxmox dashboard, click on the Proxmox node, select ‘Shell’ and then enter the relevant information for the configuration. |
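Review bot: The paragraph on new line 48 ("To set up via the Proxmox dashboard, click on the Proxmox node, select ‘Shell’ ...") repeats new line 43 almost word for word and now sits under the SSH bullet, where it contradicts the sentence before it. Suggest deleting line 48 and moving the `dashboard-proxmox.png` image up under the dashboard bullet, so that each option is followed by its own description.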
| 49 | + |
| 50 | +{{< img src="/images/posts/proxmox-fail2ban/dashboard-proxmox.png" >}} |
| 51 | + |
| 52 | +### SSH connection via terminal with the Proxmox server |
| 53 | +First, we establish a connection via SSH with the Proxmox server. Depending on your operating system, you can use a terminal window, Putty, or similar. |
| 54 | +```bash |
| 55 | +# Establish SSH connection |
| 56 | +ssh root@<IP address of Proxmox server> |
| 57 | +``` |
| 58 | +### Update the operating system and install fail2ban |
| 59 | +```bash |
| 60 | +# Update the system |
| 61 | +sudo apt update && apt upgrade -y |
| 62 | +# Install fail2ban |
| 63 | +sudo apt install fail2ban |
| 64 | +``` |
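Review bot: In `sudo apt update && apt upgrade -y` the `sudo` covers only the command before `&&`, so the upgrade runs with elevated rights only because the reader is already root. The note further up says to run `sudo -s` once and the SSH example logs in as `root@`, so either drop `sudo` from this block or prefix both commands. The block is also inconsistent about confirmation: the upgrade passes `-y`, `apt install fail2ban` does not.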
| 65 | +### Adjust the fail2ban configuration for Proxmox VE |
| 66 | +As described in the introduction to this tutorial, we want to protect the standard SSH port (22) and port 8006 for the Proxmox VE dashboard interface from brute force attacks. |
| 67 | +First, we create a local jail config file in the fail2ban directory, in which we then store the adjustments for our project. |
| 68 | +```bash |
| 69 | +# First, we will |
| 70 | +# call up the fail2ban directory, where the future and other configuration files are located |
| 71 | +cd /etc/fail2ban |
| 72 | +# Create the configuration file for fail2ban |
| 73 | +nano jail.conf |
| 74 | +``` |
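Review bot: The prose on new line 67 says "we create a local jail config file", but the command on new line 73 is `nano jail.conf`, and new line 112 later calls the file ‘jail-local’. Those are three different names for one file. `jail.conf` is the file shipped by the package and is what local overrides are meant to sit on top of; the override file fail2ban reads is `jail.local`. Suggest `nano jail.local` here and the same name on line 112, and completing the dangling comment "# First, we will" on new line 69.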
| 75 | +In the next step, we add the configuration for securing the SSH connection and securing **port 8006**. |
| 76 | + |
| 77 | +```bash |
| 78 | +# Configuration for fail2ban – securing SSH (standard port 22) and Proxmox dashboard access (port 8006) |
| 79 | +# Default settings for fail2ban |
| 80 | + |
| 81 | +[DEFAULT] |
| 82 | +allowipv6 = auto |
| 83 | +bantime = 3600 |
| 84 | +backend = systemd |
| 85 | +ignoreip = 127.0.0.1/8 |
| 86 | + |
| 87 | +# Config for SSH |
| 88 | + |
| 89 | +[sshd] |
| 90 | +mode = aggressive |
| 91 | +port = ssh |
| 92 | +logpath = %(sshd_log)s |
| 93 | +banaction = nftables-multiport |
| 94 | +banaction_allports = nftables-allports |
| 95 | +backend = systemd |
| 96 | +enabled = true |
| 97 | +maxretry = 2 |
| 98 | +findtime = 3600 |
| 99 | +bantime = 3h |
| 100 | + |
| 101 | +# Config for Proxmox |
| 102 | + |
| 103 | +[proxmox] |
| 104 | +enabled = true |
| 105 | +port = https,http,8006 |
| 106 | +filter = proxmox |
| 107 | +backend = systemd |
| 108 | +maxretry = 3 |
| 109 | +findtime = 3600 |
| 110 | +bantime = 3h |
| 111 | +``` |
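Review bot: `[DEFAULT]` sets `allowipv6 = auto` but `ignoreip = 127.0.0.1/8` lists only the IPv4 loopback, so on the dual-stack host described in the introduction `::1` is not exempt; suggest `ignoreip = 127.0.0.1/8 ::1`. Other points in this block: `[sshd]` sets `banaction = nftables-multiport` while `[proxmox]` sets none and inherits whatever default is in effect, so the two jails can end up banning through different firewall backends (move `banaction` into `[DEFAULT]`); `[sshd]` carries both `logpath = %(sshd_log)s` and `backend = systemd`, and the journal backend does not read `logpath`; `backend = systemd` is repeated in both jails although `[DEFAULT]` already sets it; `bantime = 3600` in `[DEFAULT]` is overridden by `bantime = 3h` in every jail shown. `maxretry = 2` with `mode = aggressive` and `findtime = 3600` means two failed attempts within an hour lock out an administrator for three hours, which makes the ‘Ignore IP’ hint below more than optional. The fence is tagged `bash` but the content is INI.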
| 112 | +Now save the configuration file ‘jail-local’ with CTRL + O and close the Nano editor with CTRL + X. |
| 113 | +> **Ignore IP** |
| 114 | +> |
| 115 | +> Under ‘**ignoreip**’, you can add IP addresses and subnets as exceptions to prevent yourself from being locked out, for example. |
| 116 | +
|
| 117 | +## Create Proxmox filter for fail2ban |
| 118 | +A filter configuration for SSH is included in fail2ban by default. We first need to create the filter configuration for Proxmox. |
| 119 | +To do this, we switch to the directory ‘/etc/fail2ban/filter.d’ and create the filter configuration for Proxmox with ‘nano proxmox.conf’. |
| 120 | +```bash |
| 121 | +# Filter configuration proxmox |
| 122 | +[Definition] |
| 123 | +failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* |
| 124 | +ignoreregex = |
| 125 | +journalmatch = _SYSTEMD_UNIT=pvedaemon.service |
| 126 | +``` |
| 127 | +Save this file with CTRL + O and exit the editor with CTRL + X. |
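Review bot: The `failregex` on new line 123 is unanchored and starts with a greedy `pvedaemon\[.*`, so on a line that contains `authentication failure; rhost=` more than once it captures the last occurrence as `<HOST>`, not the first. The trailing `user=.* msg=.*` fields are free text, and the banned address should not depend on them. Suggest anchoring the pattern at the start with `^` and replacing the first `.*` with something that only spans the PID and separator, and then confirming the pattern against real journal lines before enabling the jail. The block also omits the `cd /etc/fail2ban/filter.d` and `nano proxmox.conf` steps that the prose on new line 119 describes, so a reader copying only the code blocks would create no file. As above, the fence is tagged `bash` for INI content.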
| 128 | +### Start and check the fail2ban service |
| 129 | +Now that we have created the necessary configuration files, we can proceed and start fail2ban on the system. |
| 130 | +```bash |
| 131 | +# Enable fail2ban autostart, start service |
| 132 | +systemctl enable fail2ban |
| 133 | +systemctl start fail2ban |
| 134 | +# Check fail2ban status |
| 135 | +systemctl status fail2ban |
| 136 | +``` |
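Review bot: `systemctl start fail2ban` on new line 133 does nothing if the service is already running from the package installation earlier in the tutorial, in which case the new jails are never loaded and `fail2ban-client status proxmox` further down will fail. `systemctl restart fail2ban` covers both the running and the stopped case. It would also help to run `fail2ban-client -t` before the restart so that a typo in the jail or filter file is reported instead of leaving the service down, and to check `fail2ban-client status` for both `sshd` and `proxmox` in the jail list rather than relying on `systemctl status` alone.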
| 137 | +The output should then look something like this: |
| 138 | + |
| 139 | +{{< img src="/images/posts/proxmox-fail2ban/fail2ban-service-status.png" >}} |
| 140 | + |
| 141 | +Here are a few commands that allow you to ‘control’ fail2ban. |
| 142 | + |
| 143 | +### Display the banned IP addresses |
| 144 | +```bash |
| 145 | +# Banned IP addresses for SSH |
| 146 | +fail2ban-client status sshd |
| 147 | +# Banned IP addresses for Proxmox |
| 148 | +fail2ban-client status proxmox |
| 149 | +``` |
| 150 | +Here is an example output of the banned IP addresses that have attempted to log in via SSH. |
| 151 | + |
| 152 | +{{< img src="/images/posts/proxmox-fail2ban/fail2ban-status-sshd.png" >}} |
| 153 | + |
| 154 | +### Remove banned IP address from the jail list |
| 155 | +```bash |
| 156 | +# Remove IP address from the list of banned IP addresses |
| 157 | +# For SSH |
| 158 | +fail2ban-client set sshd unbanip <IP address> |
| 159 | +# For Proxmox |
| 160 | +fail2ban-client set proxmox unbanip <IP address> |
| 161 | +``` |
| 162 | +## Conclusion – Securing Proxmox VE with fail2ban |
| 163 | +As seen in this tutorial, securing a Proxmox server against brute force attacks is actually quite trivial and, once in operation, provides very good protection. |
| 164 | +Furthermore, fail2ban can also be used to secure other services such as nginx, apache2, your own Bitwarden instance, etc., or you can create your own filter configuration as done in this tutorial for Proxmox. |
| 165 | +> **My personal opinion on fail2ban** |
| 166 | +> |
| 167 | +>For me personally, using fail2ban to secure a server instance is a clear “must” and, when used in conjunction with the security layer principle, ensures the secure operation of public services. |
| 168 | +
|
| 169 | +### Alternative to fail2ban |
| 170 | +An alternative to fail2ban is offered by the application ‘crowdsec’. Crowdsec works in principle the same as fail2ban, but is supplemented by centrally managed dynamic lists. The disadvantage here, however, is that a public connection to this service is established. |
| 171 | +Further information on ‘crowdsec’ can be found here: |
| 172 | + |
| 173 | +<https://www.crowdsec.net/> |
| 174 | + |
| 175 | +I hope this tutorial is useful for some of you and helps you secure your Proxmox server instance! |
| 176 | +Feel free to leave me feedback in the forum or here in the comments. |
| 177 | +### Further information on fail2ban |
| 178 | +<https://wiki.ubuntuusers.de/fail2ban/> |
| 179 | + |
| 180 | +<https://de.wikipedia.org/wiki/Fail2ban> |