Overview

If someone tries to connect to a pve through ssh, the connection needs to pass through the bastion (i.e. saragozza). This keeps all the firewall rules and the fail2ban config for every node in the cluster in one place. In fact, all pve accept ssh connections only if they come from saragozza.

Fail2Ban scans log files like /var/log/auth.log and bans IP addresses conducting too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time.

So if someone makes too many ssh requests to saragozza, their IP is banned. To interact with Fail2Ban, a root shell on saragozza is needed.
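
To make the ban decision described above concrete, here is an added example (not code from the page or from Fail2Ban itself) that models how the sshd jail counts failed logins from /var/log/auth.log within a sliding findtime window and bans an IP once maxretry is reached; the jail values, the year used for the timestamps and the sample log lines are assumptions constructed for the example.

```python
# Added example (not from the original page): a minimal model of
# Fail2Ban's ban decision, run over constructed /var/log/auth.log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jail parameters (assumed values; the real ones live in jail.local)
MAXRETRY = 3                      # failures allowed within FINDTIME
FINDTIME = timedelta(minutes=10)  # sliding window for counting failures
BANTIME = timedelta(hours=1)      # how long the firewall rule stays in place

# Matches the sshd failure lines the sshd filter is built to catch.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 saragozza sshd[1201]: Failed password for root from 198.51.100.7 port 4001 ssh2
Mar  3 10:00:05 saragozza sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2
Mar  3 10:00:09 saragozza sshd[1203]: Accepted publickey for ops from 203.0.113.9 port 5000 ssh2
Mar  3 10:00:12 saragozza sshd[1204]: Failed password for root from 198.51.100.7 port 4003 ssh2
Mar  3 10:30:00 saragozza sshd[1205]: Failed password for root from 203.0.113.9 port 5001 ssh2
Mar  3 10:45:00 saragozza sshd[1206]: Failed password for root from 203.0.113.9 port 5002 ssh2
Mar  3 11:20:00 saragozza sshd[1207]: Failed password for root from 203.0.113.9 port 5003 ssh2
"""

def parse_ts(text, year=2024):
    # syslog timestamps carry no year; assume one so they are comparable
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def compute_bans(log_text):
    """Return {ip: ban_expiry} for IPs reaching MAXRETRY failures inside FINDTIME."""
    failures = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in bans and ts < bans[ip]:
            continue  # still banned; the firewall already rejects it
        window = [t for t in failures[ip] if ts - t <= FINDTIME] + [ts]
        if len(window) >= MAXRETRY:
            bans[ip] = ts + BANTIME
            window = []  # counter resets once the ban is issued
        failures[ip] = window
    return bans
```

Only 198.51.100.7 gets banned: its three failures fall inside one ten-minute window, while 203.0.113.9 also fails three times but spread over fifty minutes, so each failure ages out of the window before the next one arrives.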

Commands

List all IPs that are banned:

fail2ban-client banned

Unban an IP address:

fail2ban-client unban <ip>