Security


Two complementary security tools for Proxmox VE: an active defence (Fail2Ban — bans IPs that attack SSH or the web UIs) and an offline audit (Lynis — scans the system for hardening gaps and gives a 0–100 score). Both are installed and managed through their own dedicated menu, with detection of an existing install before any action.

Active defence vs. offline audit

These two tools answer different questions. Fail2Ban answers "is something attacking us right now?" by watching auth logs and banning offending IPs. Lynis answers "how hardened is this host?" by running a one-shot audit and printing concrete recommendations. Use both together: Lynis tells you what to fix, Fail2Ban handles the live abuse.

Opening the menu

From ProxMenux's main menu, select Security. You will see this:

[Screenshot: Security menu with Fail2Ban and Lynis options]

Pick your tool

The two security tools are independent — install either one, both, or neither. Each card below jumps to the section that explains the tool in detail.

Workflow that uses both

Run a Lynis audit first to see your starting score and the top recommendations. Apply the fixes you want. Then install Fail2Ban — it implements one of Lynis's most common recommendations (SSH brute-force protection) automatically, and adjusts MaxAuthTries in sshd_config to satisfy the SSH-7408 control. Re-run Lynis afterwards to confirm the score improved.
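To check the last step of this workflow from saved reports, the following added example (not part of ProxMenux or Lynis) compares two copies of the Lynis report file. It assumes the `hardening_index=` and `suggestion[]=` lines of Lynis's key=value report format; the function names, file names and sample values are constructed.

```bash
#!/usr/bin/env bash
# Added example: compare two saved Lynis reports (before/after the fixes).
# Assumes Lynis's key=value report format (default /var/log/lynis-report.dat);
# the file names and sample values below are constructed for illustration.

# Print the hardening index (0-100) recorded in a Lynis report file.
hardening_index() {
    awk -F= '$1 == "hardening_index" { v = $2 } END { print v + 0 }' "$1"
}

# Print the SSH-7408 suggestions in report $1 that mention sshd option $2.
ssh7408_findings() {
    grep -E '^suggestion\[\]=SSH-7408\|' "$1" | grep -F "$2" || true
}

# Return 0 only if the score rose and the MaxAuthTries finding is gone.
compare_reports() {
    idx_before=$(hardening_index "$1")
    idx_after=$(hardening_index "$2")
    echo "hardening index: ${idx_before} -> ${idx_after}"
    if [ -n "$(ssh7408_findings "$2" MaxAuthTries)" ]; then
        echo "SSH-7408 still flags MaxAuthTries"
        return 1
    fi
    [ "$idx_after" -gt "$idx_before" ]
}

# Constructed sample reports so the example runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.dat" <<'EOF'
hardening_index=62
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
EOF
cat > "$demo_dir/after.dat" <<'EOF'
hardening_index=66
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
EOF

compare_reports "$demo_dir/before.dat" "$demo_dir/after.dat" && echo "improved"
```

On a real host, copy the report file aside after each audit and pass the two copies to `compare_reports`.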

Fail2Ban

ProxMenux installs Fail2Ban with a configuration tuned for Proxmox specifically. Beyond the standard SSH jail, it adds protection for the Proxmox web UI and the ProxMenux Monitor, and works around two Proxmox-specific quirks: a journald default that drops auth events, and the systemd-backend issue that prevents Fail2Ban from reading certain journal sources reliably. The detail page covers the full install flow, the three jails, the journald fix, the SSH hardening change and the troubleshooting cheatsheet.

Lynis

ProxMenux clones Lynis from github.com/CISOfy/lynis into /opt/lynis and exposes it as /usr/local/bin/lynis. The Debian package is intentionally avoided because it lags several major versions behind upstream. The detail page covers the install / audit / update / uninstall flow, how to read the report, and how to act on the findings.

Component status

Both installers register their state in /usr/local/share/proxmenux/components_status.json under the security category. ProxMenux uses this file to decide whether to show the install or the manage menu on subsequent runs, and the same data feeds the dashboards in the ProxMenux Monitor when present.