Virtualization Templates
Protection templates for virtualization platforms.
proxmox
Proxmox VE Web UI authentication failures.
| Setting | Default |
|---|---|
| Port | 8006, 443 |
| Backend | systemd |
| Max Retry | 3 |
| Find Time | 2 days |
| Ban Time | 1 hour |
How It Works
Reads from the systemd journal backend instead of log files:
backend = systemd
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
Detected Patterns
Authentication failures from pvedaemon:
pvedaemon[...]: authentication failure; rhost=192.168.1.100 user=admin msg=...
Why Long Find Time?
The Proxmox web UI is typically accessed infrequently. A 2-day window catches slow brute-force attacks while minimizing false positives from forgotten passwords.
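The effect of the window length can be checked with a small simulation. This is an added example, not the template's own code: the regex is an assumption modelled on the log line shown above, and the log lines, PIDs, and addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed pattern modelled on the pvedaemon line above (not the shipped failregex).
FAIL_RE = re.compile(
    r"pvedaemon\[\d+\]: authentication failure; rhost=(?P<host>\S+) user=(?P<user>\S+)"
)

def would_ban(events, maxretry, findtime):
    """Return {host: ban time} for hosts reaching maxretry failures within findtime."""
    recent, banned = {}, {}
    for ts, line in sorted(events):
        m = FAIL_RE.search(line)
        if not m or m["host"] in banned:
            continue  # not a failure line, or host is already banned
        host = m["host"]
        # Keep only failures that are still inside the sliding window.
        window = [t for t in recent.get(host, []) if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample: one slow guesser (a try every 9 hours), one admin typo burst.
T0 = datetime(2024, 1, 1, 8, 0, 0)
FAIL = "pvedaemon[1234]: authentication failure; rhost={} user={} msg=constructed"
SAMPLE = [
    (T0, FAIL.format("203.0.113.7", "root@pam")),
    (T0 + timedelta(hours=9), FAIL.format("203.0.113.7", "root@pam")),
    (T0 + timedelta(hours=18), FAIL.format("203.0.113.7", "admin@pve")),
    (T0 + timedelta(hours=1), FAIL.format("192.0.2.10", "admin@pve")),
    (T0 + timedelta(hours=1, seconds=30), FAIL.format("192.0.2.10", "admin@pve")),
    (T0 + timedelta(hours=2), "pvedaemon[1234]: <admin@pve> successful auth"),
]

if __name__ == "__main__":
    for label, window in (("2 days", timedelta(days=2)), ("10 minutes", timedelta(minutes=10))):
        print(label, would_ban(SAMPLE, maxretry=3, findtime=window))
```

With a 10-minute window the slow guesser never accumulates three failures. With the 2-day default it is banned on the third attempt, and the two-typo admin is left alone in both cases.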
Requirements
- Proxmox VE 7.0+ (uses systemd logging)
- No log path needed (reads from journal)
proxmox-ssh
SSH protection for Proxmox hosts.
| Setting | Default |
|---|---|
| Port | 22 |
| Log Path | Auto-detected |
| Max Retry | 5 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
How It Works
Uses the standard sshd filter but as a separate jail for Proxmox hosts. This allows different settings for Proxmox vs other servers.
Why Separate Template?
- Proxmox hosts are high-value targets
- May want stricter settings than general servers
- Easy to apply to all Proxmox hosts in dashboard
proxmox-spiceproxy
SPICE proxy authentication failures.
| Setting | Default |
|---|---|
| Port | 3128 |
| Backend | systemd |
| Max Retry | 3 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
Detected Patterns
spiceproxy[...]: authentication failure; rhost=192.168.1.100...
When to Use
Enable if you use SPICE for VM console access from outside your network.
Recommended Configuration
Internet-Facing Proxmox
If the Proxmox web UI is accessible from the internet (not recommended):
# proxmox
maxretry: 2
findtime: 1d
bantime: 24h
# proxmox-ssh
maxretry: 3
bantime: 24h
Internal Network
Standard settings are appropriate for internal access:
# proxmox
maxretry: 3
findtime: 2d
bantime: 1h
# proxmox-ssh
maxretry: 5
bantime: 1h
VPN-Only Access
For Proxmox accessible only via VPN, you may want relaxed settings to avoid lockouts:
maxretry: 5
bantime: 30m
Security Best Practices
Limit Web UI Access
- Firewall: Restrict port 8006 to management IPs
- VPN: Access via VPN only
- 2FA: Enable TOTP in Proxmox
SSH Hardening
- Key-only: Disable password auth
- Non-standard port: Consider moving from 22
- fail2ban: Always enable proxmox-ssh
Network Isolation
- Management VLAN: Separate management traffic
- No public IP: Proxmox should not have a public IP
- Jump host: Access via bastion/jump host
Troubleshooting
Journal Backend Not Working
- Verify systemd is in use:
  systemctl status pvedaemon
- Check journal for entries:
  journalctl -u pvedaemon | grep "authentication failure"
- Ensure fail2ban can read journal:
  fail2ban-client status proxmox
Filter Not Matching
Test against journal:
fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf