@kylefmohr
Created May 3, 2022 20:49
This script will install the latest compatible version of Proxmox on top of an existing Debian 11 Bullseye installation. It also installs fail2ban and includes the fail2ban configs sourced from the official Proxmox wiki.
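#!/bin/bash
# This script assumes that you have a domain name with a DNS record pointed to Proxmox's public IP.
# Stop at the first failed command or unset variable so a failed lookup or download cannot leave a broken config behind.
set -euo pipefail
# The script writes to /etc and installs packages, so it must run as root.
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root." >&2
    exit 1
fi
echo "Enter the domain name that will resolve to this server's IP address"
read -r hostname
apt update && apt full-upgrade -y
hostnamectl set-hostname "$hostname"
# Look up this server's public IP address; --fail makes curl exit non-zero on an HTTP error.
myip=$(curl --silent --fail https://ifconfig.me)
# Rebuild /etc/hosts so the hostname resolves to the public IP rather than to loopback.
echo "127.0.0.1 localhost" > hosts
echo "$myip $hostname" >> hosts
mv -f hosts /etc/hosts
# This ensures the hostname changes don't get reverted by cloud-init (skipped when cloud-init is not installed).
if [ -f /etc/cloud/cloud.cfg ]; then
    sed -i '/host/d' /etc/cloud/cloud.cfg
fi
# Add the Proxmox VE no-subscription repository and its release signing key.
echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bullseye pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
apt update && apt full-upgrade -y
apt install proxmox-ve postfix open-iscsi fail2ban -y
apt remove os-prober -y
# Write the fail2ban jails; the quoted delimiter keeps the shell from expanding anything in the body.
cat <<'EOF' > /etc/fail2ban/jail.local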
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1
EOF
# Write the Proxmox filter; the quoted delimiter passes the regex through to the file literally.
cat <<'EOF' > /etc/fail2ban/filter.d/proxmox.conf
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
EOF
reboot
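
The `[proxmox]` filter and `maxretry` value that the script writes can be checked offline before relying on them. The following is an added example, not part of the gist: it runs the script's `failregex` over constructed `daemon.log` lines and lists the hosts that reach `maxretry`. The function names, the IPv4-only stand-in for `<HOST>` and the sample lines are assumptions, and `findtime` is ignored.

```bash
# Added example, not part of the gist: offline check of the [proxmox] filter.
# FAILREGEX and MAXRETRY are copied from the script; the log lines are constructed.
FAILREGEX='pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*'
MAXRETRY=3

# Constructed daemon.log sample (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
sample_log() {
  cat <<'EOF'
May 31 23:20:01 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
May 31 23:20:09 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
May 31 23:20:15 pve pvedaemon[1202]: authentication failure; rhost=198.51.100.7 user=admin@pve msg=no such user ('admin@pve')
May 31 23:20:21 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=test@pam msg=no such user ('test@pam')
May 31 23:20:30 pve pvedaemon[1202]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
May 31 23:21:02 pve pvedaemon[1203]: <root@pam> successful auth for user 'root@pam'
May 31 23:21:40 pve sshd[2210]: Failed password for root from 192.0.2.10 port 50122 ssh2
EOF
}

# Print the host captured from every line the failregex matches, one per line.
# fail2ban expands <HOST> itself; an IPv4-only group stands in for it here (assumption).
matched_hosts() {
  re=$(printf '%s\n' "$FAILREGEX" | sed 's/<HOST>/([0-9]+([.][0-9]+){3})/')
  sed -nE "s/.*${re}.*/\1/p"
}

# Print the hosts with at least MAXRETRY matching lines. findtime is ignored:
# every sample line is treated as falling inside one window (simplification).
hosts_to_ban() {
  matched_hosts | sort | uniq -c | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

echo "matching lines: $(sample_log | matched_hosts | wc -l)"
echo "would ban:      $(sample_log | hosts_to_ban)"
```

On a host with fail2ban installed, `fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf` runs the real filter against the real log.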
@kylefmohr
Author

@docop cannot replicate, I was successfully banned after failing to enter the correct password 3 times. In an existing SSH session, I verified this by taking a look at my fail2ban jail:

$ cat /var/log/fail2ban.log | grep <My IP address>
2023-05-31 23:23:15,848 fail2ban.filter         [1995]: INFO    [sshd] Found <My IP address> - 2023-05-31 23:23:15
2023-05-31 23:23:15,849 fail2ban.filter         [1995]: INFO    [sshd] Found <My IP address> - 2023-05-31 23:23:15
2023-05-31 23:23:20,360 fail2ban.filter         [1995]: INFO    [sshd] Found <My IP address> - 2023-05-31 23:23:20
2023-05-31 23:23:20,360 fail2ban.filter         [1995]: INFO    [sshd] Found <My IP address> - 2023-05-31 23:23:20
2023-05-31 23:23:20,369 fail2ban.actions        [1995]: NOTICE  [sshd] Ban <My IP address>

Does it seem like the fail2ban service is up and running if you run systemctl status fail2ban?

@docop
docop commented Jun 6, 2023

Hi, look, I had to copy the original file and then add the config at the end. Then it worked OK.