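To protect Proxmox VE authentication with Fail2ban, follow these steps.
This configuration allows at most 3 failed login attempts over SSH or the GUI, then bans the source address for 1 day. Failed attempts are counted within each jail's `findtime` window (1d for the SSH jail, 7d for the GUI and PAM jails below).
You can change these limits with the `maxretry` and `bantime` parameters.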
# Install Fail2ban from the distribution's package repositories (needs root).
apt-get install -y fail2ban
- Create SSH Jail Configuration
nano /etc/fail2ban/jail.d/sshd.conf
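[sshd]
# Jail for OpenSSH logins: 3 failures within 1 day ban the source for 1 day.
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
filter = sshd
# banaction feeds only the default action; when the explicit "action" below
# is kept, that line decides how bans are applied.
banaction = iptables
# Read authentication events from the systemd journal instead of a log file.
backend = systemd
maxretry = 3
findtime = 1d
bantime = 1d
# No ignoreip is set, so a few mistyped passwords from your own admin host
# (or possibly a peer node in a cluster) get banned like any other source.
# Consider an allowlist; the subnet below is a placeholder, not a real value:
#ignoreip = 127.0.0.1/8 ::1 <ADMIN_SUBNET_PLACEHOLDER>
# Optional. The ban rule is pinned to TCP port 22; change it if sshd listens
# elsewhere. "telegram" is not a stock Fail2ban action: it needs a matching
# definition under /etc/fail2ban/action.d/, otherwise the jail fails to load.
# Every line after the first must stay indented to be read as part of "action".
action = iptables[name=SSH, port=22, protocol=tcp]
         telegram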
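- The `action` line is optional. If you want to use it, follow this step first: the `telegram` action it names must already be defined when Fail2ban loads the jail. Otherwise leave the `action` line out.
- Create GUI Jail Configuration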
nano /etc/fail2ban/jail.d/proxmox.conf
[proxmox]
# Jail for the Proxmox web GUI/API login: 3 failures within 7 days ban the
# source for 1 day.
enabled = true
# Fail2ban does not ship a "proxmox" filter and this page does not create one;
# without /etc/fail2ban/filter.d/proxmox.conf this jail fails to load.
# The Proxmox wiki's Fail2ban article defines the filter as follows (check it
# against your own journal with fail2ban-regex before relying on it):
#   [Definition]
#   failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
#   ignoreregex =
#   journalmatch = _SYSTEMD_UNIT=pvedaemon.service
filter = proxmox
backend = systemd
# NOTE(review): no "port" is given, so the ban covers whatever port range the
# [DEFAULT] section defines; confirm it includes the GUI port (8006 by default).
banaction = iptables
maxretry = 3
findtime = 7d
bantime = 1d
- Create PAM Jail Configuration
nano /etc/fail2ban/jail.d/pam-generic.conf
[pam-generic]
# Jail for generic PAM authentication failures: 3 failures within 7 days ban
# the source for 1 day.
# NOTE(review): there is no "filter" key here; presumably the stock
# pam-generic definition supplies it. Confirm the effective settings with
# "fail2ban-client -d".
enabled = true
backend = systemd
banaction = iptables
findtime = 7d
bantime = 1d
maxretry = 3
- Restart Fail2ban
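# Parse the configuration first, so a broken jail (for example a missing
# filter or action file) is reported here instead of leaving Fail2ban stopped
# and the host unprotected. The restart runs only if the check passes.
fail2ban-client -t && systemctl restart fail2ban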
- To check Ban
# Print the status report of each jail configured above; a jail that failed
# to load shows up here as an error.
for jail in sshd proxmox pam-generic; do
  fail2ban-client status "$jail"
done
- To Unban IP
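# $1 is the IP address to release (the first argument when these lines are
# saved as a script). It is quoted so that an empty or malformed value is
# passed as a single argument and rejected by fail2ban-client, rather than
# being word-split by the shell.
fail2ban-client set sshd unbanip "$1"
fail2ban-client set proxmox unbanip "$1"
fail2ban-client set pam-generic unbanip "$1"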
- To Manually Ban IP
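# $1 is the IP address to ban (the first argument when these lines are saved
# as a script); it is quoted so the shell passes it as a single argument.
# -vvv raises the client's verbosity. Banning the address you are connected
# from cuts off that session for the whole bantime, so keep console access
# available.
fail2ban-client -vvv set sshd banip "$1"
fail2ban-client -vvv set proxmox banip "$1"
fail2ban-client -vvv set pam-generic banip "$1"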