Securing Proxmox and SSH using Fail2Ban
Enhancing Security on Proxmox Servers: Brute Force Protection
By default, Proxmox does not include built-in brute force protection, unlike some other virtualization platforms. For example, VMware ESXi comes with a default security measure that automatically blocks the SSH port and enforces strict access rules when it’s open. This feature significantly reduces the risk of unauthorized access and brute force attacks.
In contrast, Proxmox requires manual configuration to strengthen security, especially for two critical open ports: SSH (port 22) and the Web Portal (port 8006), which provides access to the Proxmox Web Management Portal. Given the sensitivity of these access points, enhancing security measures is crucial to protect your infrastructure.
To bolster the protection of your Proxmox servers, consider implementing tools like Fail2Ban or IPTables, which can monitor failed login attempts and block suspicious IP addresses automatically. Furthermore, employing strong password policies, disabling root login, and configuring two-factor authentication (2FA) can significantly reduce vulnerability to brute force attacks.
For more detailed steps on securing Proxmox, explore Proxmox documentation and UKHost4u’s security resources. Additionally, for a broader perspective on virtualization security best practices, you may find the VMware Security Blog to be a valuable resource.
By proactively securing these access points, you can greatly reduce the chances of unauthorized access to your Proxmox infrastructure.
To do this we used fail2ban. On proxmox fail2ban is really easy to install:
apt-get install fail2ban
Once this is installed we need to add our config to: /etc/fail2ban/jail.local
nano/etc/fail2ban/jail.local
Within this we place our config for blocking Brute Force attacks on the two service ports.
[sshd] port = ssh logpath = %(sshd_log)s enabled = true [proxmox] enabled = true port = https,http,8006 filter = proxmox logpath = /var/log/daemon.log maxretry = 3 # 7 days bantime = 604800
Next we need to create the file: /etc/fail2ban/filter.d/proxmox.conf
nano/etc/fail2ban/filter.d/proxmox.conf
In this file we add:
[Definition] failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* ignoreregex =
Once done we need to restart fail2ban
systemctl restart fail2ban
This now should mean your proxmox host is more secure with the IP being blacklisted if the password is entered wrong 3 times. Our config is fairly strict by blocking it for 7 days but you can adjust this to your own requirements. For example:
# Bad Time 1hr bantime = 3600 # Bad Time 24hr bantime = 86400
If you want to see if your ban is working take a look at:
fail2ban-client status sshd
or
fail2ban-client status proxmox
We hope this guide has been helpful in enhancing the security of your Proxmox servers. If you have any specific requests or need further information, please feel free to leave your suggestions and questions in the comments section below. Your feedback is invaluable and helps us improve and expand our content to better serve your needs.
For additional assistance, don’t hesitate to contact UKHost4u via live chat, or you can open a support ticket through our ticket system.
Additionally, explore more resources on virtualization security by visiting Proxmox resources page or the official Proxmox documentation.