Date: Wed, 5 May 2021 11:25:28 +0200
From: Oguz Bektas
To: Thomas Lamprecht
Cc: Proxmox VE development discussion
Message-ID: <20210505092528.GA10761@gaia.proxmox.com>
References: <20210504101222.21276-1-s.ivanov@proxmox.com> <20210504112503.GA15687@gaia.proxmox.com> <4f5cc64d-199b-1943-8ca9-0ef4daf5a0c6@proxmox.com>
In-Reply-To: <4f5cc64d-199b-1943-8ca9-0ef4daf5a0c6@proxmox.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Subject: Re: [pve-devel] [PATCH common/manager/http-server/docs] improve binding, docs and access-control for pveproxy/spiceproxy

hi,

> > tested the following to verify:
> >> I tested it in the following scenarios:
> >> * ipv6 disabled via kernel commandline (listen on 0.0.0.0)
> >> * ipv6 disabled via sysctl (listen on 0.0.0.0)
> >> * no settings dual-stacked (listen on *)
> >> * no settings v6 only (listen on *)
> >>
> > and tested some scenarios also with ALLOW_FROM and LISTEN_IP.
>
> Please list what scenarios you actually tested, else a T-b tag is not really
> telling... I mean, you said you tested the patches you send too, but obv. not in
> IPv6 disabled setups, so having the actual list of things here can really help.
>
> If unsure, check out how Dominic reports such things, those are always good,
> concise but not leaving out interesting (test scenario/setup) details.
>
> For example,
> https://lists.proxmox.com/pipermail/pve-devel/2021-March/047375.html
> https://lists.proxmox.com/pipermail/pve-devel/2021-April/047827.html

i tested /etc/default/pveproxy combined with the previously mentioned
scenarios and the following settings:

----
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
----

----
LISTEN_IP="pve-dev-machine.proxmox.com"
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
----

1.2.3.4 here is my workstation IP

----
LISTEN_IP="pve-dev-machine.proxmox.com"
ALLOW_FROM="1.2.3.4"
DENY_FROM="all"
POLICY="allow"
----

----
ALLOW_FROM="1.2.3.4"
DENY_FROM="all"
POLICY="allow"
----

to check i used:

$ systemctl restart pvedaemon pveproxy spiceproxy
$ ss -antlp | grep -E '(8006|3128)'

and the results match for the scenarios that stoiko mentioned.

to test ACLs from my workstation i used curl.

> >
> > it's also worth noting that disabling ipv6 in the commandline will
> > change the access.log format to show the standard IPv4 address instead
> > of the mapped v6 address.
>
> good note, could have been used in the new "Disabling IPv6 on the Node" docs
> section Stoiko adds.
>
> Updating https://pve.proxmox.com/wiki/Fail2ban could help too, or did you
> already check if mapped notation works there too just fine with the config
> proposal from the wiki?

for fail2ban i followed the wiki steps, the configuration works also for the
v4 to v6 mapped addresses:

$ grep 'authentication failure' /var/log/daemon.log
May 5 11:17:08 pve-dev-machine pvedaemon[4120]: authentication failure; rhost=1.2.3.4 user=root@pam msg=Authentication failure
May 5 11:19:08 pve-dev-machine pvedaemon[1831]: authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure

$ fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
...
Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
`-

all seems to work with both (dual stack) ipv6 and v4-only setups (disabled via
kernel cmdline and/or sysctl), i will update the fail2ban page to mention the
last test was with 6.4

cheers,
oguz
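The point of the fail2ban check above is that the same workstation shows up in daemon.log as `rhost=1.2.3.4` on a v4-only node and as `rhost=::ffff:1.2.3.4` on a dual-stack node, and both must be attributed to one source. The following is an added example, not code from this thread, from fail2ban or from Proxmox: it applies a regex modelled on the wiki's failregex (with fail2ban's `<HOST>` placeholder replaced by a named group, an assumption of this example) to constructed log lines that mirror the two quoted above, collapses IPv4-mapped IPv6 addresses to their IPv4 form with the standard-library `ipaddress` module, and counts failures per normalized source so a threshold check sees both notations as the same host.

```python
import ipaddress
import re
from collections import Counter

# Modelled on the failregex shown in the fail2ban-regex output above:
#   pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
# fail2ban's <HOST> placeholder is replaced here by a named group that
# accepts plain IPv4, IPv6 and IPv4-mapped IPv6 notation (example assumption).
FAILREGEX = re.compile(
    r"pvedaemon\[.*authentication failure; rhost=(?P<host>[0-9a-fA-F.:]+) "
    r"user=(?P<user>\S+) msg=.*"
)

# Constructed sample log, mirroring the two daemon.log entries quoted in the
# message plus one plain IPv6 failure and one unrelated line.
SAMPLE_LOG = """\
May  5 11:17:08 pve-dev-machine pvedaemon[4120]: authentication failure; rhost=1.2.3.4 user=root@pam msg=Authentication failure
May  5 11:19:08 pve-dev-machine pvedaemon[1831]: authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure
May  5 11:20:00 pve-dev-machine pvedaemon[1831]: authentication failure; rhost=2001:db8::10 user=root@pam msg=Authentication failure
May  5 11:21:00 pve-dev-machine pvedaemon[1831]: successful auth for user 'root@pam'
"""


def normalize_host(host: str) -> str:
    """Collapse ::ffff:a.b.c.d to a.b.c.d so both log formats count as one source."""
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_failures(log_text: str) -> list:
    """Return (normalized_host, user) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hits.append((normalize_host(m.group("host")), m.group("user")))
    return hits


def failures_per_host(log_text: str) -> Counter:
    """Count authentication failures per normalized source address."""
    return Counter(host for host, _ in parse_failures(log_text))


def hosts_over_threshold(log_text: str, maxretry: int = 2) -> list:
    """Sources whose failure count reached maxretry (a jail's 'maxretry' setting)."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failures_per_host(SAMPLE_LOG).items():
        print(f"{host}: {n} failures")
    print("over threshold:", hosts_over_threshold(SAMPLE_LOG))
```

Without the normalization step the two notations would be tracked as separate sources and a per-host threshold would be reached later than intended on a dual-stack node; running the block prints 2 failures for 1.2.3.4 and 1 for 2001:db8::10.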