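"use client"

import { useState, useEffect } from "react"
import { Button } from "./ui/button"
import { Input } from "./ui/input"
import { Label } from "./ui/label"
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "./ui/card"
import {
  Shield,
  Lock,
  User,
  AlertCircle,
  CheckCircle,
  Info,
  LogOut,
  Key,
  Copy,
  Eye,
  EyeOff,
  Trash2,
  RefreshCw,
  Clock,
  ShieldCheck,
  Globe,
  FileKey,
  AlertTriangle,
  Flame,
  Bug,
  Search,
  Download,
  Power,
  PowerOff,
  Plus,
  Minus,
  Activity,
  Settings,
  Ban,
} from "lucide-react"
import { getApiUrl, fetchApi } from "../lib/api-config"
import { TwoFactorSetup } from "./two-factor-setup"
import { ScriptTerminalModal } from "./script-terminal-modal"

/** One row of the API token list returned by /api/auth/api-tokens. */
interface ApiTokenEntry {
  id: string
  name: string
  token_prefix: string
  created_at: string
  expires_at: string
  revoked: boolean
}

/** A banned address inside a Fail2Ban jail, tagged with where it comes from. */
interface BannedIp {
  ip: string
  type: "local" | "external" | "unknown"
}

/** Counters and settings of a single Fail2Ban jail. */
interface JailDetail {
  name: string
  currently_failed: number
  total_failed: number
  currently_banned: number
  total_banned: number
  banned_ips: BannedIp[]
  findtime: string
  bantime: string
  maxretry: string
}

/** One entry of the Fail2Ban activity feed. */
interface F2bEvent {
  timestamp: string
  jail: string
  ip: string
  action: "ban" | "unban" | "found"
}

// Client-side minimum used by both the setup and the change-password forms.
// NOTE(review): 6 characters is a low floor for an account that guards firewall
// and host settings; NIST SP 800-63B sets 8 as the minimum. Raising it here only
// helps if the backend enforces the same policy, which is not visible in this file.
const MIN_PASSWORD_LENGTH = 6

// Initial and reset value of the "add firewall rule" form.
const DEFAULT_FIREWALL_RULE = {
  direction: "IN",
  action: "ACCEPT",
  protocol: "tcp",
  dport: "",
  sport: "",
  source: "",
  iface: "",
  comment: "",
  level: "host",
}

/**
 * Parses a strictly positive base-10 integer.
 *
 * Unlike `parseInt`, trailing garbage ("10abc") and decimals ("3.5") are
 * rejected instead of being silently truncated.
 *
 * @returns the number, or `null` when the text is not a positive integer
 */
function parsePositiveInt(value: string): number | null {
  const trimmed = value.trim()
  if (!/^\d+$/.test(trimmed)) return null
  const parsed = Number(trimmed)
  return Number.isSafeInteger(parsed) && parsed > 0 ? parsed : null
}

/**
 * Security settings panel: dashboard authentication and 2FA, API tokens,
 * SSL/HTTPS, the Proxmox firewall, Fail2Ban and Lynis.
 *
 * Every action here is a thin client for a backend endpoint. Nothing in this
 * component is an enforcement point: all checks below are for user feedback
 * only and must be repeated by the server.
 */
export function Security() {
  const [authEnabled, setAuthEnabled] = useState(false)
  const [totpEnabled, setTotpEnabled] = useState(false)
  const [loading, setLoading] = useState(false)
  const [error, setError] = useState("")
  const [success, setSuccess] = useState("")

  // Setup form state
  const [showSetupForm, setShowSetupForm] = useState(false)
  const [username, setUsername] = useState("")
  const [password, setPassword] = useState("")
  const [confirmPassword, setConfirmPassword] = useState("")

  // Change password form state
  const [showChangePassword, setShowChangePassword] = useState(false)
  const [currentPassword, setCurrentPassword] = useState("")
  const [newPassword, setNewPassword] = useState("")
  const [confirmNewPassword, setConfirmNewPassword] = useState("")

  const [show2FASetup, setShow2FASetup] = useState(false)
  const [show2FADisable, setShow2FADisable] = useState(false)
  const [disable2FAPassword, setDisable2FAPassword] = useState("")

  // API Token state management
  const [showApiTokenSection, setShowApiTokenSection] = useState(false)
  const [apiToken, setApiToken] = useState("")
  const [apiTokenVisible, setApiTokenVisible] = useState(false)
  const [tokenPassword, setTokenPassword] = useState("")
  const [tokenTotpCode, setTokenTotpCode] = useState("")
  const [generatingToken, setGeneratingToken] = useState(false)
  const [tokenCopied, setTokenCopied] = useState(false)

  // Token list state
  const [existingTokens, setExistingTokens] = useState<ApiTokenEntry[]>([])
  const [loadingTokens, setLoadingTokens] = useState(false)
  const [revokingTokenId, setRevokingTokenId] = useState<string | null>(null)
  const [tokenName, setTokenName] = useState("API Token")

  // Proxmox Firewall state
  const [firewallLoading, setFirewallLoading] = useState(true)
  const [firewallData, setFirewallData] = useState<{
    pve_firewall_installed: boolean
    pve_firewall_active: boolean
    cluster_fw_enabled: boolean
    host_fw_enabled: boolean
    rules_count: number
    rules: Array<{ raw: string; direction?: string; action?: string; dport?: string; p?: string; source?: string; source_file?: string; section?: string; rule_index: number }>
    monitor_port_open: boolean
  } | null>(null)
  const [firewallAction, setFirewallAction] = useState(false)
  const [showAddRule, setShowAddRule] = useState(false)
  const [newRule, setNewRule] = useState({ ...DEFAULT_FIREWALL_RULE })
  const [addingRule, setAddingRule] = useState(false)
  const [deletingRuleIdx, setDeletingRuleIdx] = useState<number | null>(null)

  // Security Tools state
  const [toolsLoading, setToolsLoading] = useState(true)
  const [fail2banInfo, setFail2banInfo] = useState<{ installed: boolean; active: boolean; version: string; jails: string[]; banned_ips_count: number } | null>(null)
  const [lynisInfo, setLynisInfo] = useState<{ installed: boolean; version: string; last_scan: string | null; hardening_index: number | null } | null>(null)
  const [showFail2banInstaller, setShowFail2banInstaller] = useState(false)
  const [showLynisInstaller, setShowLynisInstaller] = useState(false)

  // Fail2Ban detailed state
  const [f2bDetails, setF2bDetails] = useState<{ installed: boolean; active: boolean; version: string; jails: JailDetail[] } | null>(null)
  const [f2bActivity, setF2bActivity] = useState<F2bEvent[]>([])
  const [f2bDetailsLoading, setF2bDetailsLoading] = useState(false)
  // Holds "<jail>:<ip>" while an unban request is in flight.
  const [f2bUnbanning, setF2bUnbanning] = useState<string | null>(null)
  const [f2bActiveTab, setF2bActiveTab] = useState<"jails" | "activity">("jails")
  const [f2bEditingJail, setF2bEditingJail] = useState<string | null>(null)
  const [f2bJailConfig, setF2bJailConfig] = useState<{maxretry: string; bantime: string; findtime: string; permanent: boolean}>({
    maxretry: "",
    bantime: "",
    findtime: "",
    permanent: false,
  })
  const [f2bSavingConfig, setF2bSavingConfig] = useState(false)

  // SSL/HTTPS state
  const [sslEnabled, setSslEnabled] = useState(false)
  const [sslSource, setSslSource] = useState<"none" | "proxmox" | "custom">("none")
  const [sslCertPath, setSslCertPath] = useState("")
  const [sslKeyPath, setSslKeyPath] = useState("")
  const [proxmoxCertAvailable, setProxmoxCertAvailable] = useState(false)
  const [proxmoxCertInfo, setProxmoxCertInfo] = useState<{subject?: string; expires?: string; issuer?: string; is_self_signed?: boolean} | null>(null)
  const [loadingSsl, setLoadingSsl] = useState(true)
  const [configuringSsl, setConfiguringSsl] = useState(false)
  const [showCustomCertForm, setShowCustomCertForm] = useState(false)
  const [customCertPath, setCustomCertPath] = useState("")
  const [customKeyPath, setCustomKeyPath] = useState("")

  // Initial load of every section; runs once on mount.
  useEffect(() => {
    checkAuthStatus()
    loadApiTokens()
    loadSslStatus()
    loadFirewallStatus()
    loadSecurityTools()
  }, [])

  /**
   * Fetches the firewall state and rule list.
   *
   * On failure `firewallData` keeps its previous value. While it is still
   * `null` the panel renders the "Proxmox Firewall Not Detected" branch, so a
   * failed request looks the same as a missing firewall; the error is logged
   * to make that case diagnosable.
   */
  const loadFirewallStatus = async () => {
    try {
      setFirewallLoading(true)
      const data = await fetchApi("/api/security/firewall/status")
      if (data.success) {
        setFirewallData({
          pve_firewall_installed: data.pve_firewall_installed,
          pve_firewall_active: data.pve_firewall_active,
          cluster_fw_enabled: data.cluster_fw_enabled,
          host_fw_enabled: data.host_fw_enabled,
          rules_count: data.rules_count,
          rules: data.rules || [],
          monitor_port_open: data.monitor_port_open,
        })
      }
    } catch (err) {
      console.error("Failed to load firewall status:", err)
    } finally {
      setFirewallLoading(false)
    }
  }

  /** Fetches the installed/active summary for Fail2Ban and Lynis. */
  const loadSecurityTools = async () => {
    try {
      setToolsLoading(true)
      const data = await fetchApi("/api/security/tools")
      if (data.success && data.tools) {
        setFail2banInfo(data.tools.fail2ban || null)
        setLynisInfo(data.tools.lynis || null)
      }
    } catch (err) {
      // A failed request leaves both tools shown as "Not Installed".
      console.error("Failed to load security tools:", err)
    } finally {
      setToolsLoading(false)
    }
  }

  /** Fetches per-jail details and the recent activity feed in parallel. */
  const loadFail2banDetails = async () => {
    try {
      setF2bDetailsLoading(true)
      const [detailsRes, activityRes] = await Promise.all([
        fetchApi("/api/security/fail2ban/details"),
        fetchApi("/api/security/fail2ban/activity"),
      ])
      if (detailsRes.success) {
        setF2bDetails({
          installed: detailsRes.installed,
          active: detailsRes.active,
          version: detailsRes.version,
          jails: detailsRes.jails || [],
        })
      }
      if (activityRes.success) {
        setF2bActivity(activityRes.events || [])
      }
    } catch (err) {
      console.error("Failed to load Fail2Ban details:", err)
    } finally {
      setF2bDetailsLoading(false)
    }
  }

  /**
   * Asks the backend to lift the ban on `ip` in `jail`, then refreshes the
   * Fail2Ban views.
   */
  const handleUnbanIp = async (jail: string, ip: string) => {
    const key = `${jail}:${ip}`
    setF2bUnbanning(key)
    setError("")
    setSuccess("")
    try {
      const data = await fetchApi("/api/security/fail2ban/unban", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ jail, ip }),
      })
      if (data.success) {
        setSuccess(data.message || `IP ${ip} unbanned from ${jail}`)
        loadFail2banDetails()
        loadSecurityTools()
      } else {
        setError(data.message || "Failed to unban IP")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to unban IP")
    } finally {
      setF2bUnbanning(null)
    }
  }

  /** Opens the inline editor for `jail`, pre-filled with its current settings. */
  const openJailConfig = (jail: JailDetail) => {
    const bt = parseInt(jail.bantime, 10)
    // A bantime of -1 is the permanent-ban marker used throughout this panel.
    const isPermanent = bt === -1
    setF2bEditingJail(jail.name)
    setF2bJailConfig({
      maxretry: jail.maxretry,
      bantime: isPermanent ? "" : jail.bantime,
      findtime: jail.findtime,
      permanent: isPermanent,
    })
  }

  /**
   * Validates the jail editor and sends the changed settings to the backend.
   *
   * Empty fields are left out of the request. Non-empty fields must be
   * positive integers; anything else is rejected here, because `parseInt`
   * would either truncate it ("10m" -> 10) or yield NaN, which
   * `JSON.stringify` turns into `null`.
   */
  const handleSaveJailConfig = async () => {
    if (!f2bEditingJail) return
    setError("")
    setSuccess("")

    const payload: Record<string, string | number> = { jail: f2bEditingJail }

    if (f2bJailConfig.maxretry) {
      const maxretry = parsePositiveInt(f2bJailConfig.maxretry)
      if (maxretry === null) {
        setError("Retries must be a positive whole number")
        return
      }
      payload.maxretry = maxretry
    }

    if (f2bJailConfig.permanent) {
      payload.bantime = -1
    } else if (f2bJailConfig.bantime) {
      const bantime = parsePositiveInt(f2bJailConfig.bantime)
      if (bantime === null) {
        setError("Ban time must be a positive number of seconds")
        return
      }
      payload.bantime = bantime
    }

    if (f2bJailConfig.findtime) {
      const findtime = parsePositiveInt(f2bJailConfig.findtime)
      if (findtime === null) {
        setError("Time window must be a positive number of seconds")
        return
      }
      payload.findtime = findtime
    }

    setF2bSavingConfig(true)
    try {
      const data = await fetchApi("/api/security/fail2ban/jail/config", {
        method: "PUT",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(payload),
      })
      if (data.success) {
        setSuccess(data.message || "Jail configuration updated")
        setF2bEditingJail(null)
        loadFail2banDetails()
      } else {
        setError(data.message || "Failed to update jail config")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to update jail config")
    } finally {
      setF2bSavingConfig(false)
    }
  }

  // Load fail2ban details when basic info shows it's installed and active
  useEffect(() => {
    if (fail2banInfo?.installed && fail2banInfo?.active) {
      loadFail2banDetails()
    }
  }, [fail2banInfo?.installed, fail2banInfo?.active])

  /**
   * Renders a duration given in seconds as a short label ("45s", "10m", "9h",
   * "2d"). -1 renders as "Permanent"; unparsable or non-positive input is
   * returned unchanged.
   */
  const formatBanTime = (seconds: string) => {
    const s = parseInt(seconds, 10)
    if (s === -1) return "Permanent"
    if (isNaN(s) || s <= 0) return seconds
    if (s < 60) return `${s}s`
    if (s < 3600) return `${Math.floor(s / 60)}m`
    if (s < 86400) return `${Math.floor(s / 3600)}h`
    return `${Math.floor(s / 86400)}d`
  }

  /**
   * Submits the "add rule" form.
   *
   * Only presence of a port or a source is checked here; the fields are sent
   * as typed. NOTE(review): the backend handler is not visible in this file
   * and must validate every field before it reaches the firewall configuration.
   */
  const handleAddRule = async () => {
    if (!newRule.dport && !newRule.source) {
      setError("Please specify at least a destination port or source address")
      return
    }
    setAddingRule(true)
    setError("")
    setSuccess("")
    try {
      const data = await fetchApi("/api/security/firewall/rules", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(newRule),
      })
      if (data.success) {
        setSuccess(data.message || "Rule added successfully")
        setShowAddRule(false)
        setNewRule({ ...DEFAULT_FIREWALL_RULE })
        loadFirewallStatus()
      } else {
        setError(data.message || "Failed to add rule")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to add rule")
    } finally {
      setAddingRule(false)
    }
  }

  /** Deletes the rule at `ruleIndex` within the given level's rule set. */
  const handleDeleteRule = async (ruleIndex: number, level: string) => {
    setDeletingRuleIdx(ruleIndex)
    setError("")
    setSuccess("")
    try {
      const data = await fetchApi("/api/security/firewall/rules", {
        method: "DELETE",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ rule_index: ruleIndex, level }),
      })
      if (data.success) {
        setSuccess(data.message || "Rule deleted")
        loadFirewallStatus()
      } else {
        setError(data.message || "Failed to delete rule")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to delete rule")
    } finally {
      setDeletingRuleIdx(null)
    }
  }

  /** Enables or disables the firewall at host or cluster level. */
  const handleFirewallToggle = async (level: "host" | "cluster", enable: boolean) => {
    setFirewallAction(true)
    setError("")
    setSuccess("")
    try {
      const endpoint = enable ? "/api/security/firewall/enable" : "/api/security/firewall/disable"
      const data = await fetchApi(endpoint, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ level }),
      })
      if (data.success) {
        setSuccess(data.message || `Firewall ${enable ? "enabled" : "disabled"} at ${level} level`)
        loadFirewallStatus()
      } else {
        setError(data.message || "Failed to update firewall")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to update firewall")
    } finally {
      setFirewallAction(false)
    }
  }

  /** Adds (`add` true) or removes the rule that allows the monitor port. */
  const handleMonitorPortToggle = async (add: boolean) => {
    setFirewallAction(true)
    setError("")
    setSuccess("")
    try {
      const data = await fetchApi("/api/security/firewall/monitor-port", {
        method: add ? "POST" : "DELETE",
      })
      if (data.success) {
        setSuccess(data.message || `Monitor port rule ${add ? "added" : "removed"}`)
        loadFirewallStatus()
      } else {
        setError(data.message || "Failed to update monitor port rule")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to update monitor port rule")
    } finally {
      setFirewallAction(false)
    }
  }

  /**
   * Reads whether password auth and TOTP are enabled.
   *
   * A non-2xx response is treated as a failure and leaves the current state
   * untouched. Without that check, an error body lacking both fields would
   * reset the panel to "No password protection" and offer the setup form.
   */
  const checkAuthStatus = async () => {
    try {
      const response = await fetch(getApiUrl("/api/auth/status"))
      if (!response.ok) {
        throw new Error(`Auth status request failed with HTTP ${response.status}`)
      }
      const data = await response.json()
      setAuthEnabled(data.auth_enabled || false)
      setTotpEnabled(data.totp_enabled || false)
    } catch (err) {
      console.error("Failed to check auth status:", err)
    }
  }

  /**
   * Creates the first account and turns authentication on.
   *
   * The request carries no Authorization header, since no credentials exist
   * yet. NOTE(review): the backend must refuse this endpoint once an account
   * is configured - confirm against the server code.
   *
   * The returned session token is stored in localStorage, where any script
   * running in this origin can read it, so an XSS bug anywhere in the
   * dashboard would expose it.
   */
  const handleEnableAuth = async () => {
    setError("")
    setSuccess("")

    if (!username || !password) {
      setError("Please fill in all fields")
      return
    }
    if (password !== confirmPassword) {
      setError("Passwords do not match")
      return
    }
    if (password.length < MIN_PASSWORD_LENGTH) {
      setError(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`)
      return
    }

    setLoading(true)
    try {
      const response = await fetch(getApiUrl("/api/auth/setup"), {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({
          username,
          password,
          enable_auth: true,
        }),
      })
      const data = await response.json()
      if (!response.ok) {
        throw new Error(data.error || "Failed to enable authentication")
      }

      // Store the token only when one was returned. setItem() stringifies its
      // argument, so a missing field would persist the literal "undefined"
      // and later be sent as a bearer token.
      if (typeof data.token === "string" && data.token) {
        localStorage.setItem("proxmenux-auth-token", data.token)
      }
      localStorage.setItem("proxmenux-auth-setup-complete", "true")

      setSuccess("Authentication enabled successfully!")
      setAuthEnabled(true)
      setShowSetupForm(false)
      setUsername("")
      setPassword("")
      setConfirmPassword("")
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to enable authentication")
    } finally {
      setLoading(false)
    }
  }

  /**
   * Turns authentication off after a browser confirm() prompt, clears the
   * stored session and reloads the page.
   *
   * NOTE(review): the only barrier here is the confirm() dialog plus the
   * bearer token; no password is requested again. Whether the backend asks
   * for more is not visible in this file.
   */
  const handleDisableAuth = async () => {
    if (
      !confirm(
        "Are you sure you want to disable authentication? This will remove password protection from your dashboard.",
      )
    ) {
      return
    }

    setLoading(true)
    setError("")
    setSuccess("")
    try {
      const token = localStorage.getItem("proxmenux-auth-token")
      const response = await fetch(getApiUrl("/api/auth/disable"), {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
          Authorization: `Bearer ${token}`,
        },
      })
      const data = await response.json()
      if (!response.ok) {
        throw new Error(data.message || "Failed to disable authentication")
      }

      localStorage.removeItem("proxmenux-auth-token")
      localStorage.removeItem("proxmenux-auth-setup-complete")
      setSuccess("Authentication disabled successfully! Reloading...")
      // Short delay so the success message is visible before the reload.
      setTimeout(() => {
        window.location.reload()
      }, 1000)
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to disable authentication. Please try again.")
    } finally {
      setLoading(false)
    }
  }

  /**
   * Changes the account password. When the response carries a token, it
   * replaces the stored session token.
   */
  const handleChangePassword = async () => {
    setError("")
    setSuccess("")

    if (!currentPassword || !newPassword) {
      setError("Please fill in all fields")
      return
    }
    if (newPassword !== confirmNewPassword) {
      setError("New passwords do not match")
      return
    }
    if (newPassword.length < MIN_PASSWORD_LENGTH) {
      setError(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`)
      return
    }

    setLoading(true)
    try {
      const response = await fetch(getApiUrl("/api/auth/change-password"), {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
          Authorization: `Bearer ${localStorage.getItem("proxmenux-auth-token")}`,
        },
        body: JSON.stringify({
          current_password: currentPassword,
          new_password: newPassword,
        }),
      })
      const data = await response.json()
      if (!response.ok) {
        throw new Error(data.error || "Failed to change password")
      }

      if (data.token) {
        localStorage.setItem("proxmenux-auth-token", data.token)
      }

      setSuccess("Password changed successfully!")
      setShowChangePassword(false)
      setCurrentPassword("")
      setNewPassword("")
      setConfirmNewPassword("")
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to change password")
    } finally {
      setLoading(false)
    }
  }

  /**
   * Disables TOTP after the user re-enters the account password.
   *
   * NOTE(review): only the password is sent. handleGenerateApiToken also
   * sends a TOTP code when 2FA is on; consider requiring a current code here
   * too, so that a known password plus a live session cannot remove the
   * second factor.
   */
  const handleDisable2FA = async () => {
    setError("")
    setSuccess("")

    if (!disable2FAPassword) {
      setError("Please enter your password")
      return
    }

    setLoading(true)
    try {
      const token = localStorage.getItem("proxmenux-auth-token")
      const response = await fetch(getApiUrl("/api/auth/totp/disable"), {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
          Authorization: `Bearer ${token}`,
        },
        body: JSON.stringify({ password: disable2FAPassword }),
      })
      const data = await response.json()
      if (!response.ok) {
        throw new Error(data.message || "Failed to disable 2FA")
      }

      setSuccess("2FA disabled successfully!")
      setTotpEnabled(false)
      setShow2FADisable(false)
      setDisable2FAPassword("")
      checkAuthStatus()
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to disable 2FA")
    } finally {
      setLoading(false)
    }
  }

  /**
   * Drops the locally stored session and reloads.
   *
   * No request is made, so the token is only forgotten by this browser.
   * NOTE(review): whether it stays valid on the server until it expires
   * cannot be told from this file.
   */
  const handleLogout = () => {
    localStorage.removeItem("proxmenux-auth-token")
    localStorage.removeItem("proxmenux-auth-setup-complete")
    window.location.reload()
  }

  /** Fetches the list of existing API tokens. */
  const loadApiTokens = async () => {
    try {
      setLoadingTokens(true)
      const data = await fetchApi("/api/auth/api-tokens")
      if (data.success) {
        setExistingTokens(data.tokens || [])
      }
    } catch {
      // Silently fail - tokens section is optional
    } finally {
      setLoadingTokens(false)
    }
  }

  /** Revokes one API token after confirmation and removes it from the list. */
  const handleRevokeToken = async (tokenId: string) => {
    if (!confirm("Are you sure you want to revoke this token? Any integration using it will stop working immediately.")) {
      return
    }

    setRevokingTokenId(tokenId)
    setError("")
    setSuccess("")
    try {
      // Encode the id so it always stays a single path segment, even if it
      // ever contains "/", "?" or "#".
      const data = await fetchApi(`/api/auth/api-tokens/${encodeURIComponent(tokenId)}`, {
        method: "DELETE",
      })
      if (data.success) {
        setSuccess("Token revoked successfully")
        setExistingTokens((prev) => prev.filter((t) => t.id !== tokenId))
      } else {
        setError(data.message || "Failed to revoke token")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to revoke token")
    } finally {
      setRevokingTokenId(null)
    }
  }

  /**
   * Creates a long-lived API token. The password is sent for
   * re-authentication, together with the TOTP code when 2FA is enabled.
   *
   * The full token is placed in component state for one-time display. The
   * entered credentials are cleared as soon as the call succeeds.
   */
  const handleGenerateApiToken = async () => {
    setError("")
    setSuccess("")

    if (!tokenPassword) {
      setError("Please enter your password")
      return
    }
    if (totpEnabled && !tokenTotpCode) {
      setError("Please enter your 2FA code")
      return
    }

    setGeneratingToken(true)
    try {
      const data = await fetchApi("/api/auth/generate-api-token", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({
          password: tokenPassword,
          totp_token: totpEnabled ? tokenTotpCode : undefined,
          token_name: tokenName || "API Token",
        }),
      })

      if (!data.success) {
        setError(data.message || data.error || "Failed to generate API token")
        return
      }
      if (!data.token) {
        setError("No token received from server")
        return
      }

      setApiToken(data.token)
      setSuccess("API token generated successfully! Make sure to copy it now as you won't be able to see it again.")
      setTokenPassword("")
      setTokenTotpCode("")
      setTokenName("API Token")
      loadApiTokens()
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to generate API token. Please try again.")
    } finally {
      setGeneratingToken(false)
    }
  }

  /**
   * Copies `text` to the clipboard.
   *
   * Uses the async Clipboard API when available, and otherwise falls back to
   * a hidden textarea plus `execCommand("copy")`.
   *
   * @returns `true` only when the copy was actually performed
   */
  const copyToClipboard = async (text: string) => {
    try {
      if (navigator.clipboard && typeof navigator.clipboard.writeText === "function") {
        await navigator.clipboard.writeText(text)
        return true
      }

      const textarea = document.createElement("textarea")
      textarea.value = text
      textarea.style.position = "fixed"
      textarea.style.left = "-9999px"
      textarea.style.top = "-9999px"
      textarea.style.opacity = "0"
      document.body.appendChild(textarea)
      try {
        textarea.focus()
        textarea.select()
        // execCommand reports failure by returning false, not by throwing.
        return document.execCommand("copy")
      } finally {
        // Always detach the node: it holds the secret being copied and must
        // not stay in the DOM when the copy fails.
        document.body.removeChild(textarea)
      }
    } catch {
      return false
    }
  }

  /** Copies the freshly generated token and shows "copied" for two seconds. */
  const copyApiToken = async () => {
    const ok = await copyToClipboard(apiToken)
    if (ok) {
      setTokenCopied(true)
      setTimeout(() => setTokenCopied(false), 2000)
    }
  }

  /** Fetches the HTTPS configuration and the detected Proxmox certificate. */
  const loadSslStatus = async () => {
    try {
      setLoadingSsl(true)
      const data = await fetchApi("/api/ssl/status")
      if (data.success) {
        setSslEnabled(data.ssl_enabled || false)
        setSslSource(data.source || "none")
        setSslCertPath(data.cert_path || "")
        setSslKeyPath(data.key_path || "")
        setProxmoxCertAvailable(data.proxmox_available || false)
        setProxmoxCertInfo(data.cert_info || null)
      }
    } catch (err) {
      // A failed request leaves the panel showing "HTTP (No SSL)".
      console.error("Failed to load SSL status:", err)
    } finally {
      setLoadingSsl(false)
    }
  }

  /**
   * Configures HTTPS with the Proxmox host certificate or a custom pair.
   *
   * For "custom", `certPath` and `keyPath` are user-typed paths on the
   * server's filesystem. NOTE(review): the backend should validate them and
   * restrict where they may point, since the service will read a private key
   * from that location; its handler is not visible here.
   */
  const handleEnableSsl = async (source: "proxmox" | "custom", certPath?: string, keyPath?: string) => {
    setConfiguringSsl(true)
    setError("")
    setSuccess("")
    try {
      const body: Record<string, string> = { source }
      if (source === "custom" && certPath && keyPath) {
        body.cert_path = certPath
        body.key_path = keyPath
      }

      const data = await fetchApi("/api/ssl/configure", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify(body),
      })
      if (data.success) {
        setSuccess(data.message || "SSL configured successfully. Restart the monitor service to apply.")
        setSslEnabled(true)
        setSslSource(source)
        setShowCustomCertForm(false)
        setCustomCertPath("")
        setCustomKeyPath("")
        loadSslStatus()
      } else {
        setError(data.message || "Failed to configure SSL")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to configure SSL")
    } finally {
      setConfiguringSsl(false)
    }
  }

  /**
   * Switches the monitor back to plain HTTP after confirmation. Once the
   * service restarts, credentials and bearer tokens travel unencrypted.
   */
  const handleDisableSsl = async () => {
    if (!confirm("Are you sure you want to disable HTTPS? The monitor will revert to HTTP after restart.")) {
      return
    }

    setConfiguringSsl(true)
    setError("")
    setSuccess("")
    try {
      const data = await fetchApi("/api/ssl/disable", { method: "POST" })
      if (data.success) {
        setSuccess(data.message || "SSL disabled. Restart the monitor service to apply.")
        setSslEnabled(false)
        setSslSource("none")
        setSslCertPath("")
        setSslKeyPath("")
        loadSslStatus()
      } else {
        setError(data.message || "Failed to disable SSL")
      }
    } catch (err) {
      setError(err instanceof Error ? err.message : "Failed to disable SSL")
    } finally {
      setConfiguringSsl(false)
    }
  }

  return (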

Security

Manage authentication, encryption, and access control

{/* Authentication Settings */}
Authentication
Protect your dashboard with username and password authentication
{error && (

{error}

)} {success && (

{success}

)}

Authentication Status

{authEnabled ? "Password protection is enabled" : "No password protection"}

{authEnabled ? "Enabled" : "Disabled"}
{!authEnabled && !showSetupForm && (

Enable authentication to protect your dashboard when accessing from non-private networks.

)} {!authEnabled && showSetupForm && (

Setup Authentication

setUsername(e.target.value)} className="pl-10" disabled={loading} />
setPassword(e.target.value)} className="pl-10" disabled={loading} />
setConfirmPassword(e.target.value)} className="pl-10" disabled={loading} />
)} {authEnabled && (
{!showChangePassword && ( )} {showChangePassword && (

Change Password

setCurrentPassword(e.target.value)} className="pl-10" disabled={loading} />
setNewPassword(e.target.value)} className="pl-10" disabled={loading} />
setConfirmNewPassword(e.target.value)} className="pl-10" disabled={loading} />
)} {!totpEnabled && (

Two-Factor Authentication (2FA)

Add an extra layer of security by requiring a code from your authenticator app in addition to your password.

)} {totpEnabled && (

2FA is enabled

{!show2FADisable && ( )} {show2FADisable && (

Disable Two-Factor Authentication

Enter your password to confirm

setDisable2FAPassword(e.target.value)} className="pl-10" disabled={loading} />
)}
)}
)}
{/* SSL/HTTPS Configuration */}
SSL / HTTPS
Serve ProxMenux Monitor over HTTPS using your Proxmox host certificate or a custom certificate
{loadingSsl ? (
) : ( <> {/* Current Status */}

{sslEnabled ? "HTTPS Enabled" : "HTTP (No SSL)"}

{sslEnabled ? `Using ${sslSource === "proxmox" ? "Proxmox host" : "custom"} certificate` : "Monitor is served over unencrypted HTTP"}

{sslEnabled ? "HTTPS" : "HTTP"}
{/* Active certificate info */} {sslEnabled && (
Active Certificate

Cert: {sslCertPath}

Key: {sslKeyPath}

)} {/* Proxmox certificate detection */} {!sslEnabled && proxmoxCertAvailable && (

Proxmox Host Certificate Detected

{proxmoxCertInfo && (
{proxmoxCertInfo.subject && (

Subject: {proxmoxCertInfo.subject}

)} {proxmoxCertInfo.issuer && (

Issuer: {proxmoxCertInfo.issuer}

)} {proxmoxCertInfo.expires && (

Expires: {proxmoxCertInfo.expires}

)} {proxmoxCertInfo.is_self_signed && (
Self-signed certificate (browsers will show a security warning)
)}
)}
)} {!sslEnabled && !proxmoxCertAvailable && (

No Proxmox host certificate detected. You can configure a custom certificate below.

)} {/* Custom certificate option */} {!sslEnabled && (
{!showCustomCertForm ? ( ) : (

Custom Certificate Paths

Enter the absolute paths to your SSL certificate and private key files on the Proxmox server.

setCustomCertPath(e.target.value)} disabled={configuringSsl} />
setCustomKeyPath(e.target.value)} disabled={configuringSsl} />
)}
)} {/* Info note about restart */}

Changes to SSL configuration require a monitor service restart to take effect. The service will automatically use HTTPS on port 8008 when enabled.

)} {/* API Access Tokens */} {authEnabled && (
API Access Tokens
Generate long-lived API tokens for external integrations like Homepage and Home Assistant
{error && (

{error}

)} {success && (

{success}

)}

About API Tokens

  • Tokens are valid for 1 year
  • Use them to access APIs from external services
  • {'Include in Authorization header: Bearer YOUR_TOKEN'}
  • See README.md for complete integration examples
{!showApiTokenSection && !apiToken && ( )} {showApiTokenSection && !apiToken && (

Generate API Token

Enter your credentials to generate a new long-lived API token

setTokenName(e.target.value)} className="pl-10" disabled={generatingToken} />
setTokenPassword(e.target.value)} className="pl-10" disabled={generatingToken} />
{totpEnabled && (
setTokenTotpCode(e.target.value)} className="pl-10" maxLength={6} disabled={generatingToken} />
)}
)} {apiToken && (

Your API Token

Important: Save this token now!

{"You won't be able to see it again. Store it securely."}

{tokenCopied && (

Copied to clipboard!

)}

How to use this token:

# Add to request headers:

{'Authorization: Bearer YOUR_TOKEN_HERE'}

See the README documentation for complete integration examples with Homepage and Home Assistant.

)} {/* Existing Tokens List */} {!loadingTokens && existingTokens.length > 0 && (

Active Tokens

{existingTokens.map((token) => (

{token.name}

{token.token_prefix} {token.created_at ? new Date(token.created_at).toLocaleDateString() : "Unknown"}
))}
)} {loadingTokens && (
Loading tokens...
)} {!loadingTokens && existingTokens.length === 0 && !showApiTokenSection && !apiToken && (
No API tokens created yet
)} )} {/* Proxmox Firewall */}
Proxmox Firewall
{firewallData?.pve_firewall_installed && ( )}
Manage the Proxmox VE built-in firewall: enable/disable, configure rules, and protect your services
{firewallLoading ? (
) : !firewallData?.pve_firewall_installed ? (

Proxmox Firewall Not Detected

The pve-firewall service was not found on this system. It should be included with Proxmox VE by default.

) : ( <> {/* Firewall Status Overview */}
{/* Cluster Firewall */}

Cluster Firewall

{firewallData.cluster_fw_enabled ? "Active - Required for host rules to work" : "Disabled - Must be enabled first"}

{/* Host Firewall */}

Host Firewall

{firewallData.host_fw_enabled ? "Active - Rules are being enforced" : "Disabled"}

{!firewallData.cluster_fw_enabled && (

The Cluster Firewall must be enabled for any host-level firewall rules to take effect. Enable it first, then configure your host rules.

)} {/* Quick Presets */}

Quick Access Rules

{/* Monitor Port 8008 */}

ProxMenux Monitor

Port 8008/TCP

{/* Proxmox Web UI hint */}

Proxmox Web UI

Port 8006/TCP (always allowed)

Built-in
{!firewallData.monitor_port_open && (firewallData.cluster_fw_enabled || firewallData.host_fw_enabled) && (

The firewall is active but port 8008 is not allowed. ProxMenux Monitor may be inaccessible from other devices.

)}
{/* Firewall Rules */}

Firewall Rules ({firewallData.rules_count})

{/* Add Rule Form */} {showAddRule && (

New Firewall Rule

setNewRule({...newRule, dport: e.target.value})} className="h-9 text-sm" />

Single port, comma-separated, or range (8000:9000)

setNewRule({...newRule, source: e.target.value})} className="h-9 text-sm" />

IP, CIDR, or leave empty for any source

setNewRule({...newRule, iface: e.target.value})} className="h-9 text-sm" />
setNewRule({...newRule, comment: e.target.value})} className="h-9 text-sm" />
)} {/* Rules List */} {firewallData.rules.length > 0 ? (
{/* Table header */}
Action Direction Proto Port Source Level
{firewallData.rules.map((rule, idx) => (
{rule.action || "?"} {rule.direction || "IN"} {rule.p || "-"} {rule.dport || "-"} {rule.source || "any"} {rule.source_file}
))}
) : (

No firewall rules configured yet

Click "Add Rule" above to create your first rule

)}
)} {/* Fail2Ban */}
Fail2Ban
{fail2banInfo?.installed && fail2banInfo?.active && ( )}
Intrusion prevention system that bans IPs after repeated failed login attempts
{toolsLoading ? (
) : !fail2banInfo?.installed ? ( /* --- NOT INSTALLED --- */

Fail2Ban Not Installed

Protect SSH, Proxmox web interface, and ProxMenux Monitor from brute force attacks

Not Installed

What Fail2Ban will configure:

  • SSH protection (max 2 retries, 9h ban)
  • Proxmox web interface protection (port 8006, max 3 retries, 1h ban)
  • ProxMenux Monitor protection (port 8008 + reverse proxy, max 3 retries, 1h ban)
  • Global settings with nftables backend

All settings can be customized after installation. You can change retries, ban time, or set permanent bans.

) : ( /* --- INSTALLED --- */
{/* Status bar */}

Fail2Ban {fail2banInfo.version}

{fail2banInfo.active ? "Service is running" : "Service is not running"}

{fail2banInfo.active ? "Active" : "Inactive"}
{fail2banInfo.active && f2bDetails && ( <> {/* Summary stats */}

Jails

{f2bDetails.jails.length}

Banned IPs

a + j.currently_banned, 0) > 0 ? "text-red-500" : "text-green-500"}`}> {f2bDetails.jails.reduce((a, j) => a + j.currently_banned, 0)}

Total Bans

{f2bDetails.jails.reduce((a, j) => a + j.total_banned, 0)}

Failed Attempts

{f2bDetails.jails.reduce((a, j) => a + j.total_failed, 0)}

{/* Tab switcher - redesigned with border on inactive */}
{/* JAILS TAB */} {f2bActiveTab === "jails" && (
{f2bDetails.jails.map((jail) => (
{/* Jail header */}
0 ? "bg-red-500 animate-pulse" : "bg-green-500"}`} /> {jail.name} {parseInt(jail.bantime, 10) === -1 && ( PERMANENT BAN )}
Retries: {jail.maxretry} Ban: {parseInt(jail.bantime, 10) === -1 ? "Permanent" : formatBanTime(jail.bantime)} Window: {formatBanTime(jail.findtime)}
{/* Jail config editor */} {f2bEditingJail === jail.name && (

Configure {jail.name}

setF2bJailConfig({...f2bJailConfig, maxretry: e.target.value})} className="h-9 text-sm" placeholder="e.g. 3" />

Failed attempts before ban

setF2bJailConfig({...f2bJailConfig, bantime: e.target.value, permanent: false})} className="h-9 text-sm" placeholder={f2bJailConfig.permanent ? "Permanent" : "e.g. 3600 = 1h"} disabled={f2bJailConfig.permanent} />
setF2bJailConfig({...f2bJailConfig, permanent: e.target.checked, bantime: ""})} className="rounded border-border" />
setF2bJailConfig({...f2bJailConfig, findtime: e.target.value})} className="h-9 text-sm" placeholder="e.g. 600 = 10m" />

Time window for counting retries

Common values: 600s = 10min, 3600s = 1h, 32400s = 9h, 86400s = 24h. Set ban to permanent if you want blocked IPs to stay blocked until you manually unban them.

)} {/* Mobile config summary (visible only on small screens) */}
Retries: {jail.maxretry} Ban: {parseInt(jail.bantime, 10) === -1 ? "Perm" : formatBanTime(jail.bantime)} Window: {formatBanTime(jail.findtime)}
{/* Jail stats bar */}

Banned

0 ? "text-red-500" : "text-green-500"}`}> {jail.currently_banned}

Total Bans

{jail.total_banned}

Failed Now

{jail.currently_failed}

Total Failed

{jail.total_failed}

{/* Banned IPs list */} {jail.banned_ips.length > 0 && (

Banned IPs ({jail.banned_ips.length})

{jail.banned_ips.map((entry) => (
{entry.ip} {entry.type === "local" ? "LAN" : entry.type === "external" ? "External" : "Unknown"}
))}
)} {jail.currently_banned === 0 && (

No IPs currently banned in this jail

)}
))} {f2bDetails.jails.length === 0 && (
No jails configured
)}
)} {/* ACTIVITY TAB */} {f2bActiveTab === "activity" && (
{f2bActivity.length === 0 ? (
No recent activity in the Fail2Ban log
) : ( f2bActivity.map((event, idx) => (
{event.action}
{event.ip} {event.jail} {event.timestamp}
)) )}
)} )} {fail2banInfo.active && !f2bDetails && f2bDetailsLoading && (
)}
)} {/* Lynis */}
Lynis Security Audit
System security auditing tool that performs comprehensive security scans
{toolsLoading ? (
) : !lynisInfo?.installed ? (

Lynis Not Installed

Comprehensive security auditing and hardening tool

Not Installed

Lynis features:

  • System hardening scoring (0-100)
  • Vulnerability detection and suggestions
  • Compliance checking (PCI-DSS, HIPAA, etc.)
  • Installed from latest GitHub source
) : (
{/* Status */}

Lynis {lynisInfo.version}

Security auditing tool installed

Installed
{/* Last Scan Info */}

Last Scan

{lynisInfo.last_scan || "No scan performed yet"}

Hardening Index

= 70 ? "text-green-500" : lynisInfo.hardening_index >= 50 ? "text-yellow-500" : "text-red-500" }`}> {lynisInfo.hardening_index !== null ? `${lynisInfo.hardening_index}/100` : "N/A"}

Run audits from the Proxmox terminal with: lynis audit system

)} {/* Script Terminal Modals */} { setShowFail2banInstaller(false) loadSecurityTools() }} scriptPath="/usr/local/share/proxmenux/scripts/security/fail2ban_installer.sh" scriptName="fail2ban_installer" params={{ EXECUTION_MODE: "web" }} title="Fail2Ban Installation" description="Installing and configuring Fail2Ban for SSH and Proxmox protection..." /> { setShowLynisInstaller(false) loadSecurityTools() }} scriptPath="/usr/local/share/proxmenux/scripts/security/lynis_installer.sh" scriptName="lynis_installer" params={{ EXECUTION_MODE: "web" }} title="Lynis Installation" description="Installing Lynis security auditing tool from GitHub..." /> setShow2FASetup(false)} onSuccess={() => { setSuccess("2FA enabled successfully!") checkAuthStatus() }} />
) }