PVE web portal hardening
This post: configuring fail2ban to protect the PVE web login endpoint against brute-force attacks.
On a Proxmox VE host reachable from the public internet, using fail2ban to protect SSH from malicious traffic is fairly common, but what about the web management portal?
I found a blog post about that which seemed promising. However, Proxmox VE is already at version 8.x, I have been learning journald, and so far it has served me well – I don't want to reinstall rsyslog just for this, so how can I get it to work? Let's find out.
WHAT HAPPENED
Daily routine: check the system journal with something like journalctl --since='yesterday'.

```
Jan 09 16:29:23 pve-host IPCC.xs[3863529]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:29:26 pve-host pvedaemon[3863529]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:31:33 pve-host IPCC.xs[3863529]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:31:35 pve-host pvedaemon[3863529]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:33:44 pve-host IPCC.xs[3998275]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:33:45 pve-host pvedaemon[3998275]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:35:54 pve-host IPCC.xs[3863529]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:35:56 pve-host pvedaemon[3863529]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:38:04 pve-host IPCC.xs[3998275]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:38:05 pve-host pvedaemon[3998275]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:40:14 pve-host IPCC.xs[3863529]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:40:16 pve-host pvedaemon[3863529]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:42:25 pve-host IPCC.xs[3863529]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:42:27 pve-host pvedaemon[3863529]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:44:35 pve-host IPCC.xs[3998275]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:44:37 pve-host pvedaemon[3998275]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:46:46 pve-host IPCC.xs[3863529]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:46:48 pve-host pvedaemon[3863529]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
Jan 09 16:48:56 pve-host IPCC.xs[3998275]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:162.19.61.xxx user=root
Jan 09 16:48:58 pve-host pvedaemon[3998275]: authentication failure; rhost=::ffff:162.19.61.xxx user=root@pam msg=Authentication failure
```
CUSTOMIZED CONF FOR FAIL2BAN
The filter rule, in /etc/fail2ban/filter.d/pvedaemon.conf:

```
[DEFAULT]
_daemon = pvedaemon

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service + _COMM=pvedaemon
```
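To see what this failregex will and will not catch before reloading fail2ban, here is an added example (my own code, not from the original post and not fail2ban's matching engine): it swaps in a simplified stand-in for the <HOST> tag, runs the regex over constructed journal lines modelled on the ones above (with made-up addresses), strips the ::ffff: IPv4-mapped prefix the way the banned list shows a plain IPv4, and counts failures per source against a maxretry threshold. On the host itself, fail2ban-regex does this for real.

```python
import re
from collections import Counter

# failregex exactly as in /etc/fail2ban/filter.d/pvedaemon.conf above.
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*"

# Assumption: a simplified stand-in for fail2ban's <HOST> tag (the real one is
# a fuller IPv4/IPv6/hostname pattern). Covers plain IPv4, IPv6 and the
# ::ffff:a.b.c.d IPv4-mapped form that pvedaemon logs for rhost.
HOST_RE = r"(?P<host>(?:::ffff:)?[0-9A-Fa-f.:]+)"

def compile_failregex(failregex: str = FAILREGEX):
    """Expand <HOST> and compile the filter's failregex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def normalize_host(host: str) -> str:
    """Drop the ::ffff: prefix so a mapped address is handled as plain IPv4."""
    return host[7:] if host.lower().startswith("::ffff:") else host

def match_line(line: str, pattern=None):
    """Return the normalized source address if the line is a failure, else None."""
    m = (pattern or compile_failregex()).search(line)
    return normalize_host(m.group("host")) if m else None

def count_failures(lines, maxretry: int = 5):
    """Count matched failures per source and report which sources have reached
    maxretry (fail2ban's default is 5) and would therefore be banned."""
    counts = Counter()
    for line in lines:
        host = match_line(line)
        if host:
            counts[host] += 1
    would_ban = {h for h, c in counts.items() if c >= maxretry}
    return dict(counts), would_ban

# Constructed sample lines (addresses are documentation ranges, not real).
# The IPCC.xs/pam_unix line must NOT match: only pvedaemon's own line counts.
SAMPLE = [
    "Jan 09 16:29:23 pve-host IPCC.xs[3863529]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:192.0.2.10 user=root",
    "Jan 09 16:29:26 pve-host pvedaemon[3863529]: authentication failure; rhost=::ffff:192.0.2.10 user=root@pam msg=Authentication failure",
    "Jan 09 16:31:35 pve-host pvedaemon[3863529]: authentication failure; rhost=::ffff:192.0.2.10 user=root@pam msg=Authentication failure",
    "Jan 09 16:33:45 pve-host pvedaemon[3998275]: authentication failure; rhost=198.51.100.7 user=admin@pve msg=Authentication failure",
    "Jan 09 16:34:00 pve-host pvedaemon[3998275]: worker exit",
]

if __name__ == "__main__":
    print(count_failures(SAMPLE, maxretry=2))
```

Each pam_unix line is paired with a pvedaemon line, so matching only pvedaemon's message counts one failure per attempt rather than two.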
Then enable the jail in /etc/fail2ban/jail.local:

```
#... below the sshd conf, add this for pve daemon
[pvedaemon]
enabled = true
port = https,http,8006
filter = pvedaemon
backend = systemd
#... others
```
CHECK THE RESULT
Restart the fail2ban service, and here it goes:

```
$ fail2ban-client status pvedaemon
Status for the jail: pvedaemon
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 2
|  `- Journal matches: _SYSTEMD_UNIT=pvedaemon.service + _COMM=pvedaemon
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 162.19.61.xxx
```

We can also check iptables -nvL and fail2ban.log for more detail – try it yourself, it could be interesting.