Set Up Fail2ban for Proxmox VE: SSH and Web UI Protection

How to install and configure Fail2ban on Proxmox VE to protect SSH and the Proxmox web UI (pveproxy) from brute-force attacks.

Why Fail2ban on Proxmox?

Proxmox VE exposes two primary login interfaces: SSH on port 22 and the web UI (pveproxy) on port 8006. Both are targets for brute-force attacks, especially if your server is accessible from the internet or an untrusted network. Fail2ban monitors authentication logs and automatically bans IP addresses that exceed a configurable number of failed login attempts. It is simple to set up and provides effective defense against automated attacks.

Install Fail2ban

Fail2ban is available in the Debian repositories that Proxmox uses:

apt update
apt install fail2ban -y

# Verify installation:
fail2ban-client --version

Configure the SSH Jail

Create a local configuration file. Never edit jail.conf directly — it gets overwritten on updates:

# Create local override:
nano /etc/fail2ban/jail.local

Add the SSH jail configuration:

[DEFAULT]
# Ban duration (1 hour):
bantime = 3600
# Time window for counting failures:
findtime = 600
# Max failures before ban:
maxretry = 3
# Ban action (uses iptables by default):
banaction = iptables-multiport

# Whitelist your trusted IPs (never ban these):
ignoreip = 127.0.0.1/8 10.0.0.0/24

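[sshd]
enabled = true
port = ssh
filter = sshd
# File-based log. On hosts that log only to the systemd journal (no
# /var/log/auth.log), use "backend = systemd" instead of logpath:
logpath = /var/log/auth.log
maxretry = 3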

Create a Custom Proxmox Web UI Filter

Fail2ban does not include a filter for the Proxmox web UI by default. You need to create one that matches the failed web UI authentication attempts, which are logged by pvedaemon:

# Create the filter file:
nano /etc/fail2ban/filter.d/proxmox.conf

Add the following filter definition:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
            pvedaemon\[.*authentication verification failed for user .* from <HOST>.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service

Proxmox logs authentication failures to the systemd journal under the pvedaemon service. You can also check /var/log/auth.log for PAM-based authentication entries.

Add the Proxmox Web UI Jail

Add the Proxmox jail to your jail.local file:

# Append to /etc/fail2ban/jail.local:
nano /etc/fail2ban/jail.local

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
maxretry = 3
findtime = 600
bantime = 3600
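
The filter and jail above can be checked offline before relying on them. The following is an added example, not part of the original guide or of Fail2ban itself: it applies the two failregex lines to constructed pvedaemon messages and replays the maxretry, findtime and ignoreip logic. The HOST pattern, the sample lines and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only, with an
# optional IPv4-mapped prefix such as ::ffff:; the real tag also covers IPv6/DNS).
HOST = r"(?:::f{4,6}:)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The two failregex lines from filter.d/proxmox.conf above.
FAILREGEX = [
    r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*",
    r"pvedaemon\[.*authentication verification failed for user .* from <HOST>.*",
]
PATTERNS = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]
MAXRETRY, FINDTIME = 3, 600  # values from the [proxmox] jail
IGNOREIP = [ipaddress.ip_network(n, strict=False) for n in ("127.0.0.1/8", "10.0.0.0/24")]

# Constructed journal messages (seconds offset, text); not captured from a real host.
FAIL = "pve1 pvedaemon[1482]: authentication failure; rhost={} user=root@pam msg=Authentication failure"
GOOD = "pve1 pvedaemon[1482]: <root@pam> successful auth for user 'root@pam'"
SAMPLE = [
    (0, FAIL.format("::ffff:203.0.113.50")), (40, FAIL.format("::ffff:203.0.113.50")),
    (60, FAIL.format("198.51.100.7")), (90, GOOD),
    (120, FAIL.format("10.0.0.15")), (130, FAIL.format("10.0.0.15")), (140, FAIL.format("10.0.0.15")),
    (200, FAIL.format("::ffff:203.0.113.50")),  # third failure inside findtime
    (400, FAIL.format("198.51.100.7")), (700, FAIL.format("198.51.100.7")),
]

def match_host(line):
    """Return the address captured by <HOST>, or None if no failregex matches."""
    hits = (p.search(line) for p in PATTERNS)
    return next((m.group("host") for m in hits if m), None)

def simulate(events):
    """Return [(time, ip)] bans for (seconds, message) events given in time order."""
    recent, bans = defaultdict(deque), []
    for ts, line in events:
        ip = match_host(line)
        if ip is None or any(ipaddress.ip_address(ip) in net for net in IGNOREIP):
            continue  # not a failure line, or a whitelisted source
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= FINDTIME:  # forget failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans.append((ts, ip))
            window.clear()
    return bans

print(simulate(SAMPLE))
```

Only 203.0.113.50 is banned: 10.0.0.15 is covered by ignoreip, and the three failures from 198.51.100.7 never fall inside one 600-second window. On the host itself, fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf runs the real filter against the journal and reports how many lines matched.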

Start and Enable Fail2ban

# Enable on boot and start:
systemctl enable fail2ban
systemctl start fail2ban

# Verify both jails are active:
fail2ban-client status
# Should show: sshd, proxmox

# Check specific jail status:
fail2ban-client status sshd
fail2ban-client status proxmox

Test the Configuration

Test from a non-whitelisted IP by intentionally entering wrong credentials. Then verify the ban:

# Check if an IP was banned:
fail2ban-client status sshd
# Look for "Banned IP list"

# Check iptables for fail2ban rules:
iptables -L f2b-sshd -n

# Check the fail2ban log:
tail -f /var/log/fail2ban.log

Manage Bans

If you accidentally ban yourself or need to manage bans manually:

# Unban a specific IP from the SSH jail:
fail2ban-client set sshd unbanip 192.168.1.100

# Unban from the Proxmox jail:
fail2ban-client set proxmox unbanip 192.168.1.100

# Ban an IP manually:
fail2ban-client set sshd banip 203.0.113.50

# Check all currently banned IPs across all jails:
fail2ban-client banned

Advanced: Progressive Ban Times

For repeat offenders, configure escalating ban durations:

# In /etc/fail2ban/jail.local under [DEFAULT]:
[DEFAULT]
bantime = 3600
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 604800
# First ban: 1 hour, second: 2 hours, third: 4 hours, up to 1 week

Monitor Fail2ban

Keep an eye on fail2ban activity to understand attack patterns:

# Real-time log monitoring:
tail -f /var/log/fail2ban.log

# Summary of all jails:
fail2ban-client status

# Count total bans today:
grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d)" | wc -l

# List unique banned IPs:
grep "Ban " /var/log/fail2ban.log | awk '{print $NF}' | sort -u

Fail2ban protects against brute-force attacks, but monitoring your server's security posture is an ongoing task. ProxmoxR helps you keep an eye on your Proxmox node status from your phone, so you can quickly check if your server is online and responsive after security events — without needing to open an SSH session.

Summary

Fail2ban is a critical security layer for Proxmox VE. The SSH jail protects against brute-force SSH attacks using the built-in sshd filter. The custom Proxmox filter protects the web UI by monitoring pvedaemon authentication failures. Combined with IP whitelisting and progressive ban times, fail2ban provides robust automated protection against credential-stuffing attacks on both of Proxmox's login interfaces.
