Mirrors/ProxMenux
1
0
Fork 0
mirror of https://github.com/MacRimi/ProxMenux.git synced 2026-02-18 16:36:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update security_manager.py

Browse Source
This commit is contained in:
MacRimi
2026-02-12 20:13:53 +01:00
parent 4396d57e3d
commit 00230d1b8f
1 changed files with 38 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
AppImage/scripts/security_manager.py
View File

@@ -788,28 +788,57 @@ def apply_missing_jails():
current_jails = [j.strip().lower() for j in jails_str.split(",") if j.strip()] current_jails = [j.strip().lower() for j in jails_str.split(",") if j.strip()]
# --- Proxmox jail (port 8006) --- # --- Proxmox jail (port 8006) ---
# Uses backend=systemd because Proxmox does not use rsyslog, # Fail2Ban's systemd backend can't reliably read pvedaemon worker entries
# so pvedaemon logs go to the systemd journal, not /var/log/daemon.log. # in real-time. We use a systemd service that tails the journal to a file
# and fail2ban monitors that file with backend=auto.
if "proxmox" not in current_jails: if "proxmox" not in current_jails:
try: try:
# Create filter with journalmatch for systemd backend. # Create the auth logger service if not present
# No ^ anchor: fail2ban prepends timestamp+hostname to journal MESSAGE. logger_service = "/etc/systemd/system/proxmox-auth-logger.service"
# _SYSTEMD_UNIT used instead of _COMM (Proxmox truncates _COMM). if not os.path.isfile(logger_service):
# Proxmox logs IPs as ::ffff:x.x.x.x (IPv4-mapped IPv6). service_content = """[Unit]
Description=Proxmox Auth Logger for Fail2Ban
After=pvedaemon.service
PartOf=fail2ban.service
[Service]
Type=simple
ExecStart=/bin/bash -c 'journalctl -f _SYSTEMD_UNIT=pvedaemon.service -o short-iso --no-pager >> /var/log/proxmox-auth.log'
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
"""
with open(logger_service, "w") as f:
f.write(service_content)
# Create log file
log_file = "/var/log/proxmox-auth.log"
if not os.path.isfile(log_file):
with open(log_file, "w") as f:
pass
os.chmod(log_file, 0o640)
_run_cmd(["systemctl", "daemon-reload"])
_run_cmd(["systemctl", "enable", "--now", "proxmox-auth-logger.service"])
# Create filter
filter_content = """[Definition] filter_content = """[Definition]
failregex = authentication (failure|error); rhost=(::ffff:)?<HOST> user=.* msg=.* failregex = authentication (failure|error); rhost=(::ffff:)?<HOST> user=.* msg=.*
ignoreregex = ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service datepattern = ^%%Y-%%m-%%dT%%H:%%M:%%S
""" """
with open("/etc/fail2ban/filter.d/proxmox.conf", "w") as f: with open("/etc/fail2ban/filter.d/proxmox.conf", "w") as f:
f.write(filter_content) f.write(filter_content)
# Create jail # Create jail (file-based backend)
jail_content = """[proxmox] jail_content = """[proxmox]
enabled = true enabled = true
port = 8006 port = 8006
filter = proxmox filter = proxmox
backend = systemd backend = auto
logpath = /var/log/proxmox-auth.log
maxretry = 3 maxretry = 3
bantime = 3600 bantime = 3600
findtime = 600 findtime = 600