Fail2ban

From Proxmox Backup Server

This page briefly describes how to set up fail2ban for the Proxmox Backup Server API so that IP addresses are blocked (temporarily) after too many wrong login attempts are submitted through them. The page is based upon the HOWTO for Proxmox VE.

Install fail2ban

Execute the following commands as root in a shell on the Proxmox Backup Server host, for example connected through SSH or via the web console in the Proxmox Backup Server web interface.

apt update
apt install fail2ban

Setup Base Config

We recommend using the /etc/fail2ban/jail.local file, as settings in this file take precedence over identical settings in jail.conf.

Use jail.conf as a template:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then adapt the settings in the copied jail.local to your needs.

The main reason for using this separate file is that the original jail.conf could be overwritten by fail2ban package updates, while the copied jail.local will not, so you can better manage updates that way.

Setup Jail

Base Config

Add the following to the end of the copied over file /etc/fail2ban/jail.local:

[proxmox-backup-server]
enabled = true
port = https,http,8007
filter = proxmox-backup-server
logpath = /var/log/proxmox-backup/api/auth.log
maxretry = 3
findtime = 2d
bantime = 1h

Tip: Time properties like bantime and findtime also allow combinations like 2m 30s. You can check whether a value is valid, and how many seconds it resolves to, with the fail2ban-client --str2sec '1d 12h' command. See the jail.conf manual page[1] for a description of all options.

Filter Config

Create the file /etc/fail2ban/filter.d/proxmox-backup-server.conf with the following content:

[Definition]
failregex = authentication failure; rhost=\[<HOST>\]:\d+ user=.* msg=.*
ignoreregex =

Restart Service to Enable Config

Use:

systemctl restart fail2ban

to activate the config addition and arm fail2ban for the Proxmox Backup Server API.

Test fail2ban Config

You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:

fail2ban-regex /var/log/proxmox-backup/api/auth.log /etc/fail2ban/filter.d/proxmox-backup-server.conf

You should see *at least* "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom).

Note: if you tried too often and got yourself banned (your IP is reported by fail2ban-client get proxmox-backup-server banned), you can use fail2ban-client unban <IP> (replace <IP> with the IP address) to manually unblock yourself.
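
To see how the failregex, maxretry and findtime settings from this page interact, the following added example (not part of the original HOWTO, and not Proxmox or fail2ban code) replays constructed log lines through the filter in Python. The <HOST> substitute, the timestamp layout and the msg text are assumptions; fail2ban-regex against the real log remains the authoritative check.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real tag
# accepts more forms); like fail2ban, it drops an IPv4-mapped "::ffff:" prefix.
HOST = r"(?:::f{4,6}:)?(?P<host>[0-9A-Fa-f:.]+)"
FAILREGEX = re.compile(
    r"authentication failure; rhost=\[<HOST>\]:\d+ user=.* msg=.*".replace("<HOST>", HOST)
)
MAXRETRY = 3                   # maxretry from the jail above
FINDTIME = timedelta(days=2)   # findtime = 2d

# Constructed sample lines; timestamp layout and msg text are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:01+02:00: authentication failure; rhost=[::ffff:192.0.2.10]:40112 user=root@pam msg=sample
2024-05-01T10:00:05+02:00: authentication failure; rhost=[::ffff:192.0.2.10]:40113 user=admin@pbs msg=sample
2024-05-01T10:00:07+02:00: successful auth for user 'backup@pbs'
2024-05-01T10:00:09+02:00: authentication failure; rhost=[::ffff:192.0.2.10]:40114 user=root@pam msg=sample
2024-05-01T11:00:00+02:00: authentication failure; rhost=[2001:db8::7]:51000 user=root@pam msg=sample
2024-05-04T11:00:00+02:00: authentication failure; rhost=[2001:db8::7]:51001 user=root@pam msg=sample
2024-05-04T11:05:00+02:00: authentication failure; rhost=[2001:db8::7]:51002 user=root@pam msg=sample
"""


def would_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Map each host to the time its failures within findtime reach maxretry."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        stamp, _, message = line.partition(": ")
        match = FAILREGEX.search(message)
        if not match:
            continue  # not a failed login, e.g. the successful auth line
        when = datetime.fromisoformat(stamp)
        host = match.group("host")
        # Keep only failures still inside the findtime window, then add this one.
        recent[host] = [t for t in recent[host] if when - t <= findtime] + [when]
        if len(recent[host]) >= maxretry and host not in banned:
            banned[host] = when
    return banned


if __name__ == "__main__":
    for host, when in would_ban(SAMPLE_LOG.splitlines()).items():
        print(f"{host} reaches maxretry at {when.isoformat()}")
```

In the sample, 192.0.2.10 reaches three failures within seconds, while 2001:db8::7 also fails three times but its first attempt falls outside the 2d findtime window by the time the third arrives, so it stays below maxretry.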

Links