Defending Proxmox: Guarding SSH and Web Interface from Brute-Force Attacks with Fail2ban

Proxmox has some well-known ports open and a root user account that needs to stay enabled for things to work properly. This can make the server harder to secure. Here is one step you can take to help.

First, we need to install Fail2ban:

apt install fail2ban -y

Now it is time to start configuring Fail2ban:

nano /etc/fail2ban/jail.local

In this file we are going to load a config that will help us guard both SSH on port 22 and the Proxmox web interface on port 8006:

[sshd]
port    = ssh
logpath = %(sshd_log)s
enabled = true

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3 
# 1 hour
bantime = 3600

Fail2ban needs a filter to know what a bad login looks like on the web interface. Create the filter file:

nano /etc/fail2ban/filter.d/proxmox.conf

and add the following:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

Once done, we need to restart Fail2ban:

systemctl restart fail2ban

To see if the config is working, check the status of each jail:

SSH

fail2ban-client status sshd

Web Interface

fail2ban-client status proxmox
NFS Server in Proxmox CT, LXC, Container

I am going to start this guide off at the point of having made an unprivileged container. For this guide we are using an Ubuntu 22.04 image.

Select your Proxmox server in the datacenter menu and open the Shell

Take note of your CT's ID number

Go to Shell

Enter the command

nano /etc/pve/lxc/<CT #>.conf

Add the line below at the bottom. It removes AppArmor confinement from this container:

lxc.apparmor.profile: unconfined

Now go back to the web interface, start the CT, and open the console. Update the system:

apt update && apt upgrade -y

Use the command

apt install nfs-kernel-server -y

to install the NFS server.

After installing the NFS server, let's add a folder to store the shared data in:

mkdir -p /srv/nfs4/backup

We now need to edit the exports file to tell the server which folder to share and how to share it:

nano /etc/exports

Add the line:

/srv/nfs4/backup 192.168.1.0/24(rw,sync,no_subtree_check)

Run

exportfs -ar

to apply the changes made to the exports file.

Now it is time to start using your new NFS server.

If you find that you have problems writing to the folder, you might need to run

chmod 777 <file path>

This will loosen up the user write restrictions and allow everyone to write files to this folder.

Download pfSense on your Proxmox server

Netgate compresses the pfSense ISO for download on their website. This is great because it keeps the file small, but it makes it really hard to get the ISO onto your Proxmox system to install pfSense in a VM.

The first thing that you are going to need to do is open the Proxmox web interface and click on Shell. Inside the shell, enter the command

wget https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz

This will download pfSense 2.6 to the root of your Proxmox system.

Then we are going to run sha256sum to verify the download against the checksum on the pfSense web page:

sha256sum pfSense-CE-2.6.0-RELEASE-amd64.iso.gz

Now you can decompress the pfSense ISO by running

gunzip pfSense-CE-2.6.0-RELEASE-amd64.iso.gz

To finally get the ISO to a place where you can use it, run the command

cp pfSense-CE-2.6.0-RELEASE-amd64.iso /var/lib/vz/template/iso/

and clean up the root of your server by running

rm pfSense-CE-2.6.0-RELEASE-amd64.iso
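
The verify, decompress and copy steps above can be combined into one shell function so the ISO is only unpacked when the checksum matches. This is an added example, not part of the original post; the function name verify_and_unpack is hypothetical, and the expected hash is a placeholder you copy from the pfSense download page.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of Proxmox or pfSense).
# Usage: verify_and_unpack FILE.gz <sha256 from the pfSense download page> <ISO storage directory>
# Decompresses FILE.gz into the directory only if its SHA-256 matches.
verify_and_unpack() {
    archive=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper- or lower-case hex
    dest=$3

    [ -f "$archive" ] || { echo "missing file: $archive" >&2; return 2; }
    [ -d "$dest" ] || { echo "missing directory: $dest" >&2; return 2; }

    # Reject anything that is not a 64-character hex digest before comparing,
    # so an empty or truncated paste can never count as a match.
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 hex characters" >&2; return 2; }

    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $archive" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # Checksum matched: decompress to a temporary file, then move it into place.
    # The original .gz is left untouched.
    iso=${archive%.gz}
    gunzip -c "$archive" > "$iso.tmp" || { rm -f "$iso.tmp"; return 3; }
    mv "$iso.tmp" "$dest/$(basename "$iso")"
}
```

The function returns 1 on a checksum mismatch and 2 on bad arguments, so it can be chained with && in front of any later step.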