Securing Proxmox and SSH using Fail2Ban


Enhancing Security on Proxmox Servers: Brute Force Protection

By default, Proxmox does not include built-in brute force protection, unlike some other virtualization platforms. For example, VMware ESXi comes with a default security measure that automatically blocks the SSH port and enforces strict access rules when it’s open. This feature significantly reduces the risk of unauthorized access and brute force attacks.

In contrast, Proxmox requires manual configuration to strengthen security, especially for two critical open ports: SSH (port 22) and the Web Portal (port 8006), which provides access to the Proxmox Web Management Portal. Given the sensitivity of these access points, enhancing security measures is crucial to protect your infrastructure.

To bolster the protection of your Proxmox servers, consider implementing tools like Fail2Ban or IPTables, which can monitor failed login attempts and block suspicious IP addresses automatically. Furthermore, employing strong password policies, disabling root login, and configuring two-factor authentication (2FA) can significantly reduce vulnerability to brute force attacks.

For more detailed steps on securing Proxmox, explore Proxmox documentation and UKHost4u’s security resources. Additionally, for a broader perspective on virtualization security best practices, you may find the VMware Security Blog to be a valuable resource.

By proactively securing these access points, you can greatly reduce the chances of unauthorized access to your Proxmox infrastructure.

To do this we used Fail2Ban. On Proxmox, Fail2Ban is easy to install:

apt-get install fail2ban

Once this is installed we need to add our config to: /etc/fail2ban/jail.local

nano /etc/fail2ban/jail.local

Within this we place our config for blocking Brute Force attacks on the two service ports.

[sshd]
port    = ssh
logpath = %(sshd_log)s
enabled = true

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 7 days
bantime = 604800

Next we need to create the file: /etc/fail2ban/filter.d/proxmox.conf

nano /etc/fail2ban/filter.d/proxmox.conf

In this file we add:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

Once done, we need to restart Fail2Ban so it loads the new jail and filter:

systemctl restart fail2ban

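Your Proxmox host should now be more secure: an IP address is blacklisted if the password is entered wrong 3 times (maxretry = 3 in the [proxmox] jail). The [sshd] jail as written sets neither maxretry nor bantime, so it inherits whatever the [DEFAULT] section specifies. Our config is fairly strict, blocking the address for 7 days, but you can adjust this to your own requirements. For example:

# Ban time 1hr
bantime = 3600
# Ban time 24hr
bantime = 86400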

To check that a jail is running and see which addresses it has banned, use:

fail2ban-client status sshd

or

fail2ban-client status proxmox
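
To see which log lines the proxmox filter counts towards a ban, the sketch below applies the failregex from this guide to a handful of pvedaemon lines and tallies failures per address against maxretry. It is an added example, not part of the original guide or of Fail2Ban itself; the log lines are constructed, the <HOST> pattern is a simplified IPv4-only stand-in, and the 600-second findtime assumes Fail2Ban's default has not been overridden.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real tag
# expands to a longer pattern that also accepts IPv6 and hostnames).
HOST = r"(?:::ffff:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex from filter.d/proxmox.conf with <HOST> substituted.
FAILREGEX = re.compile(
    r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*"
    .replace("<HOST>", HOST)
)
MAXRETRY = 3     # from the [proxmox] jail
FINDTIME = 600   # seconds; assumed fail2ban default, not set in the guide

# Constructed sample lines in daemon.log syslog layout, not real log data.
SAMPLE_LOG = """\
Mar  3 10:15:01 pve1 pvedaemon[1412]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar  3 10:15:04 pve1 pvedaemon[1412]: <root@pam> successful auth for user 'root@pam'
Mar  3 10:15:09 pve1 pvedaemon[1412]: authentication failure; rhost=::ffff:203.0.113.7 user=admin@pve msg=no such user ('admin@pve')
Mar  3 10:15:30 pve1 pvedaemon[1413]: authentication failure; rhost=198.51.100.20 user=root@pam msg=Authentication failure
Mar  3 10:16:02 pve1 pvedaemon[1412]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar  3 10:40:00 pve1 pvedaemon[1413]: authentication failure; rhost=198.51.100.20 user=root@pam msg=Authentication failure
Mar  3 10:40:05 pve1 pvedaemon[1413]: authentication failure; rhost=198.51.100.20 user=root@pam msg=Authentication failure
"""

def hosts_to_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts with at least `maxretry` matching failures inside `findtime`."""
    recent = defaultdict(list)   # host -> failure timestamps still in the window
    banned = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue             # successful logins and other lines are ignored
        # Syslog timestamps carry no year; a fixed one is fine for time deltas.
        ts = datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")
        host = m.group("host")
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

On the host itself, fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf runs the real filter against the real log and reports how many lines matched.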

We hope this guide has been helpful in enhancing the security of your Proxmox servers. If you have any specific requests or need further information, please feel free to leave your suggestions and questions in the comments section below. Your feedback is invaluable and helps us improve and expand our content to better serve your needs.

For additional assistance, don’t hesitate to contact UKHost4u via live chat, or you can open a support ticket through our ticket system.

Additionally, explore more resources on virtualization security by visiting the Proxmox resources page or the official Proxmox documentation.

About Paul Hughes

With over 20 years' experience in the web hosting industry, I have a passion for technology and security solutions.