Defunding Proxmox, Guarding SSH and Web Interface from Brute-Force Attacks with Fail2ban

Proxmox has some well known ports open and a root user account that needs to be open for stuff to work right. This can lead to problems when trying to secure your Proxmox server here is one step you can take to help secure your server.

First we need to install Fail2ban

apt install fail2ban -y

Now it is time to start configuring fail2ban

nano /etc/fail2ban/jail.local

in this file we are going to load a config that will help us guard both the ssh port 22, and the Proxmox web interface on port 8006

port    = ssh
logpath = %(sshd_log)s
enabled = true

enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3 
# 1 hour
bantime = 3600

Fail2ban needs a filter to know what a bad login looks like on the web interface

nano /etc/fail2ban/filter.d/proxmox.conf
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

Once done we need to restart fail2ban

systemctl restart fail2ban

To see if the config is working


fail2ban-client status sshd

Web Interface

fail2ban-client status proxmox

Download PFSenes on you Proxmox server

Netgate compresses the PFSenes iso for the download process on there web site is is grate becouse it keeps the file small but it makes it really hard to get the iso on toy our proxmox system to install PFSenes in a VM.

the fist thing that you are going to need to do is to open the Proxmox web interface and click on shell in side of shell enter the command


This with download pfSense 2.6 to the root of your Proxmox system

Then we are going to run sha256sum to verify the download to the sum on the pfsenes web page

sha256sum pfSense-CE-2.6.0-RELEASE-amd64.iso.gz

now you can decompress the PFSense iso by running

gunzip pfSense-CE-2.6.0-RELEASE-amd64.iso.gz

to finle get the iso to a place that you can use it run the command

cp pfSense-CE-2.6.0-RELEASE-amd64.iso /var/lib/vz/templates/iso

and clean up the root of your server by running

rm pfSense-CE-2.6.0-RELEASE-amd64.iso

Passing USB Storage Drive to Proxmox LXC

if you are using a container as a storage server, one this that you might want to do is add storage from a USB drive to that container. If you have been looking around you might have found that you can pass a USB port into a container, but after trying to, you found you couldn’t get it working. This blog post is meant to show you how we at VE, pass USB storage to a container that we are using as a storage server.

The first thing that you are going to want to do is mount the USB drive to the server (Proxmox). You can do this in either with the web interface or by command line, if you would like to keep the data on the drive, it is best to use command line.

Command Line

Web Interface

Now that you have the drive mounted, we can start adding the drive to the container. The first thing that we will have to do is take note of the container ID number, and the mount path of the drive. If you used the web interface it can be found by clicking on your server – Disks – Directory

Proxmox screen layout

After you know the path to your disk and the ID number of your CT, it is time to open the shell and set up the mount to the CT.

In my case the drive was mounted at /mnt/pve/USB, and the CT id number was 100.

So I open the CT config file by entering:

$ nano /ect/pve/lxc/[id number].conf

Then I add the following line:

$ mp0: [path to mount],mp=[path to mount in CT]

The path to mount in CT douse can be one you choose.

how the edited config file should look

shoeing working mount