Created
May 3, 2022 20:49
This script will install the latest compatible version of Proxmox on top of an existing Debian 11 Bullseye installation. It also installs fail2ban and includes the fail2ban configs sourced from the official Proxmox wiki.
```bash
#!/bin/bash
# This script assumes that you have a domain name with a DNS record pointed to Proxmox's public IP
# Run it as root: most commands below write to /etc and are not prefixed with sudo
echo "Enter the domain name that will resolve to this server's IP address"
read -r hostname
sudo apt update && sudo apt full-upgrade -y
hostnamectl set-hostname "$hostname"
# Look up this machine's public IP (relies on the third-party service ifconfig.me)
myip=$(curl --silent ifconfig.me)
# Stop here rather than write a broken /etc/hosts if the lookup failed
[ -n "$myip" ] || { echo "Could not determine the public IP address" >&2; exit 1; }
echo "127.0.0.1 localhost" > hosts
echo "$myip $hostname" >> hosts
mv -f hosts /etc/hosts
# This ensures the hostname changes don't get reverted by cloud-init
sed -i '/host/d' /etc/cloud/cloud.cfg
# Add the Proxmox no-subscription repository and its release signing key
echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bullseye pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
wget https://enterprise.proxmox.com/debian/proxmox-release-bullseye.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bullseye.gpg
apt update && apt full-upgrade -y
apt install proxmox-ve postfix open-iscsi fail2ban -y
apt remove os-prober -y
# fail2ban jails: Proxmox web UI/API logins and SSH logins
# (the heredoc delimiter is quoted so the config is written exactly as shown)
cat <<'EOF' > /etc/fail2ban/jail.local
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 3600
ignoreip = 127.0.0.1
EOF
# Filter used by the [proxmox] jail: matches pvedaemon authentication failures
cat <<'EOF' > /etc/fail2ban/filter.d/proxmox.conf
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
EOF
reboot
```
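To see what the `[proxmox]` filter and `maxretry = 3` above would and would not count, the following added example (not part of the gist author's script) replays constructed log lines through the same failregex. It assumes a simplified stand-in for fail2ban's `<HOST>` tag and ignores `findtime`; the function names are hypothetical.

```bash
#!/bin/bash
# Added example: replay constructed daemon.log lines through the [proxmox] failregex.
# Assumption: <HOST> is approximated by an IPv4/IPv6 character class; fail2ban's
# real <HOST> pattern is broader. findtime is ignored; every line is counted.
FAILREGEX='pvedaemon\[.*authentication failure; rhost=([0-9A-Fa-f:.]+) user=.* msg=.*'
MAXRETRY=3   # maxretry from the [proxmox] jail

# Constructed sample lines (documentation IP ranges, made-up PIDs and times).
# The sshd line is included only to show that this filter does not match it.
sample_log() {
cat <<'EOF'
May 31 23:20:01 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
May 31 23:20:05 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=admin@pve msg=no such user ('admin@pve')
May 31 23:20:09 pve pvedaemon[1235]: authentication failure; rhost=198.51.100.9 user=root@pam msg=Authentication failure
May 31 23:20:12 pve pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'
May 31 23:20:15 pve sshd[999]: Failed password for root from 203.0.113.7 port 50122 ssh2
May 31 23:20:20 pve pvedaemon[1236]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
EOF
}

# Read log lines on stdin; print "count host" for each host the filter matches.
failures_per_host() {
  sed -nE "s/.*${FAILREGEX}.*/\1/p" | sort | uniq -c | awk '{print $1, $2}'
}

# Read log lines on stdin; print hosts that reached maxretry and would be banned.
hosts_to_ban() {
  failures_per_host | awk -v max="$MAXRETRY" '$1 >= max {print $2}'
}

echo "Failures per host:"; sample_log | failures_per_host
echo "Would be banned:";   sample_log | hosts_to_ban
```

On an installed host, `fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf` runs the real filter, including the full `<HOST>` pattern, against the actual log.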
Interesting! I'm not sure why that would be happening. I don't currently have a server to test this on, but I'll see if I can replicate this tonight.
@docop cannot replicate, I was successfully banned after failing to enter the correct password 3 times. In an existing SSH session, I verified this by taking a look at my fail2ban jail:
```
$ cat /var/log/fail2ban.log | grep <My IP address>
2023-05-31 23:23:15,848 fail2ban.filter [1995]: INFO [sshd] Found <My IP address> - 2023-05-31 23:23:15
2023-05-31 23:23:15,849 fail2ban.filter [1995]: INFO [sshd] Found <My IP address> - 2023-05-31 23:23:15
2023-05-31 23:23:20,360 fail2ban.filter [1995]: INFO [sshd] Found <My IP address> - 2023-05-31 23:23:20
2023-05-31 23:23:20,360 fail2ban.filter [1995]: INFO [sshd] Found <My IP address> - 2023-05-31 23:23:20
2023-05-31 23:23:20,369 fail2ban.actions [1995]: NOTICE [sshd] Ban <My IP address>
```
Does it seem like the fail2ban service is up and running if you run `systemctl status fail2ban`?
Hi, look, I had to copy the original file and then add the config at the end. Then it works OK.
Hi. Did you have good results with this? After I install it, when I try to log in from another PC with a different or fake user, I get 3 tries and then it blocks. On the server it shows 1 IP banned. But if I just try again (reopening PuTTY), I can log in as the root user with no problem. Wasn't it supposed to be rejected, since the IP is banned?
Or must the IP be added in another jail file or so...
Thanks for the clarification.