https://pbs.proxmox.com/mediawiki/index.php?action=history&feed=atom&title=Fail2banFail2ban - Revision history2026-05-16T00:01:23ZRevision history for this page on the wikiMediaWiki 1.43.8https://pbs.proxmox.com/mediawiki/index.php?title=Fail2ban&diff=128&oldid=prevS.ivanov: Add initial page - adaptations contributed by Lukas Fülling2024-05-27T16:19:02Z<p>Add initial page - adaptations contributed by Lukas Fülling</p>
<p><b>New page</b></p><div>Here we describe in short how you can set up <code>fail2ban</code> for the Proxmox Backup Server API to block IP addresses (temporarily) if there were too many wrong login attempts submitted through them.<br />
The page is based upon the [https://pve.proxmox.com/wiki/Fail2ban HOWTO for Proxmox VE]<br />
<br />
== Install fail2ban ==<br />
<br />
Execute the following commands as root in a shell on the Proxmox Backup Server host, for example connected through SSH or via the web console in the Proxmox Backup Server web interface.<br />
<br />
apt update<br />
apt install fail2ban<br />
<br />
== Setup Base Config ==<br />
<br />
We recommend to use the <code>/etc/fail2ban/jail.local</code> file, as settings in this file take precedence over identical settings of <code>jail.conf</code>.<br />
<br />
Use <code>jail.conf</code> as a template:<br />
<br />
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local<br />
<br />
And adapt the settings to your needs in the copied over <code>jail.local</code>.<br />
<br />
The main reason for using this separate file is that the original <code>jail.conf</code> could be overwritten by fail2ban package updates, while the copied <code>jail.local</code> will not, so you can better manage updates that way.<br />
<br />
== Setup Jail ==<br />
<br />
=== Base Config ===<br />
Add the following to the end of the copied over file <code>/etc/fail2ban/jail.local</code>:<br />
<br />
<pre><br />
[proxmox-backup-server]<br />
enabled = true<br />
port = https,http,8007<br />
filter = proxmox-backup-server<br />
logpath = /var/log/proxmox-backup/api/auth.log<br />
maxretry = 3<br />
findtime = 2d<br />
bantime = 1h<br />
</pre><br />
<br />
Tip: Time properties like <code>bantime</code> and <code>findtime</code> also allow combinations like <code>2m 30s</code>. You can test if a value is valid and what the actually resulting ban seconds are using the <code>fail2ban-client --str2sec '1d 12h'</code> command.<br />
See the <code>jail.conf</code> manual page<ref><code>jail.conf</code> manual page https://manpages.debian.org/stable/fail2ban/jail.conf.5.en.html</ref> for description of all options.<br />
<br />
=== Filter Config ===<br />
Create the file <code>/etc/fail2ban/filter.d/proxmox-backup-server.conf</code> with the following content:<br />
<br />
<pre><br />
[Definition]<br />
failregex = authentication failure; rhost=\[<HOST>\]:\d+ user=.* msg=.*<br />
ignoreregex =<br />
<br />
</pre><br />
<br />
=== Restart Service to Enable Config ===<br />
Use:<br />
systemctl restart fail2ban<br />
to activate the config addition and arm fail2ban for the Proxmox Backup Server API.<br />
<br />
== Test fail2ban Config ==<br />
You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:<br />
<br />
<pre><br />
fail2ban-regex /var/log/proxmox-backup/api/auth.log /etc/fail2ban/filter.d/proxmox-backup-server.conf<br />
</pre><br />
<br />
You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)<br />
<br />
Note, if you tried too often and got yourself banned (your IP is reported by <code>fail2ban-client get proxmox-backup-server banned</code>) you can use <code>fail2ban-client unban <IP></code> (replace <code><IP></code> with the IP address) to manually unblock yourself.<br />
<br />
== Links ==<br />
* [http://www.fail2ban.org/wiki/index.php/Main_Page Fail2Ban ]<br />
<br />
[[Category: HOW-TO]]</div>S.ivanov