Support #564

Updated by Daniel Curtis almost 10 years ago

Fail2ban scans log files and bans IPs that show malicious signs such as too many password failures or probing for exploits. It is useful for banning bots that try to bruteforce your ssh and flood your logs (other options are to restrict the allowed source IPs or to change the sshd port). This is a simple guide on setting up fail2ban on FreeBSD, in combination with pf.

 * Install py27-fail2ban (pf is part of the base system, so nothing else is needed): 
 <pre> 
 pkg install py27-fail2ban 
 </pre> 


 * Then create the ssh-pf.local jail file: 
 <pre> 
 vi /usr/local/etc/fail2ban/jail.d/ssh-pf.local 
 </pre> 
 #* And add the following (the @sendmail-whois@ line is left commented out; uncomment it to be mailed on each ban): 
 <pre> 
 [ssh-pf] 
 enabled  = true 
 filter   = sshd 
 action   = pf 
 #          sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost] 
 logpath  = /var/log/auth.log 
 findtime = 600 
 maxretry = 3 
 bantime  = 3600 
 </pre> 

 You can of course adjust maxretry/bantime/findtime or enable the mail notification: with the values above, 3 failures from one IP within 600 seconds ban it for 3600 seconds.

 * Check the pf action file, which fail2ban loads because the jail uses @action = pf@: 
 <pre> 
 vi /usr/local/etc/fail2ban/action.d/pf.conf 
 </pre> 
 #* It should contain the following (the table name in @[Init]@ must match the one used in pf.conf below): 
 <pre> 
 [Definition] 
 actionstart =  
 actionstop =  
 actioncheck =  
 actionban = /sbin/pfctl -t <tablename> -T add <ip>/32 
 actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32 
 [Init] 
 tablename = fail2ban 
 </pre> 

 When the action is triggered, fail2ban runs @/sbin/pfctl -t fail2ban -T add <ip>/32@ (with the offending address in place of <ip>) to add it to the pf table 'fail2ban', and runs the matching @-T delete@ when the ban expires. 
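 The jail parameters and the pf action together form a small state machine: the sshd filter extracts the source address of each failed login, failures per address are counted inside a sliding findtime window, and reaching maxretry fires actionban, with actionunban following bantime seconds later. The script below is an added illustration of that logic (it is not fail2ban's code and not part of this guide); it replays constructed auth.log lines through a toy jail with the guide's values and records the pfctl commands the action would run instead of executing them, so it can be run on any machine. The regex is a simplified version of the sshd filter's "Failed password" pattern, and timestamps are assumed to fall within one month.

```python
"""Toy model of the fail2ban jail described on this page:
sshd filter -> findtime/maxretry window -> pf action (ban/unban)."""
import re
from collections import defaultdict, deque

# Simplified form of the sshd filter's "Failed password" rule (assumption:
# FreeBSD syslog line layout as in the constructed sample below).
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def _seconds(m):
    """Syslog timestamp -> seconds (assumes every line is in the same month)."""
    return (int(m["day"]) * 86400 + int(m["h"]) * 3600
            + int(m["m"]) * 60 + int(m["s"]))


class Jail:
    """Counts failures per IP and emits the pf action's commands (dry run)."""

    def __init__(self, findtime=600, maxretry=3, bantime=3600, tablename="fail2ban"):
        self.findtime = findtime
        self.maxretry = maxretry
        self.bantime = bantime
        self.tablename = tablename
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time at which the ban expires
        self.commands = []                   # pfctl commands the action would run

    def expire(self, now):
        """Run actionunban for every ban whose bantime has elapsed."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.commands.append(
                    f"/sbin/pfctl -t {self.tablename} -T delete {ip}/32")

    def process(self, line):
        """Feed one log line; return the ban command if this line caused a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None                      # not a failure: filter does not match
        now = _seconds(m)
        self.expire(now)
        ip = m["ip"]
        if ip in self.banned:
            return None                      # pf already drops this address
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            cmd = f"/sbin/pfctl -t {self.tablename} -T add {ip}/32"
            self.commands.append(cmd)        # this is what actionban would run
            return cmd
        return None


# Constructed sample of /var/log/auth.log lines (documentation addresses only).
SAMPLE_AUTH_LOG = """\
Jun 14 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun 14 10:00:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jun 14 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 14 10:01:00 host sshd[1210]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jun 14 10:03:00 host sshd[1211]: Accepted publickey for daniel from 192.0.2.10 port 2222 ssh2
Jun 14 10:15:00 host sshd[1220]: Failed password for root from 198.51.100.9 port 40002 ssh2
Jun 14 10:15:30 host sshd[1221]: Failed password for root from 198.51.100.9 port 40004 ssh2
Jun 14 11:00:10 host sshd[1300]: Failed password for root from 203.0.113.7 port 52000 ssh2
"""


def replay(log_text=SAMPLE_AUTH_LOG):
    """Replay a log through a jail with the guide's values; return the jail."""
    jail = Jail(findtime=600, maxretry=3, bantime=3600)
    for line in log_text.splitlines():
        jail.process(line)
    return jail


if __name__ == "__main__":
    for cmd in replay().commands:
        print(cmd)
```

 Replaying the sample bans 203.0.113.7 on its third failure within 600 seconds and unbans it one hour later, while 198.51.100.9 never reaches maxretry because its first failure falls out of the findtime window before the next two arrive; that is the difference a short findtime makes against slow, spread-out attempts.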

 * In /etc/pf.conf (blank by default; adapt it if you already have pf rules), you need to add a rule that blocks all IPs in the fail2ban table, for example: 
 <pre> 
 ext_if="re0" # your interface ! 
 table <fail2ban> persist 
 block quick proto tcp from <fail2ban> to $ext_if port ssh 
 </pre> 

 * Now start and enable pf at boot: 
 <pre> 
 echo 'pf_enable="YES"' >> /etc/rc.conf 
 service pf start 
 </pre> 

 * Start and enable fail2ban at boot: 
 <pre> 
 echo 'fail2ban_enable="YES"' >> /etc/rc.conf 
 service fail2ban start 
 </pre> 

 Now you can look in @/var/log/fail2ban.log@ to see the detected IPs and the bans applied. 

 * To list the currently banned IPs: 
 <pre> 
 pfctl -t fail2ban -T show 
 </pre> 

 h2. Resources 

 * http://blog.alteroot.org/articles/2014-06-14/fail2ban-on-freebsd.html 
 * https://nileshgr.com/2013/04/18/securing-freebsd-server-with-fail2ban-and-ipfw 
 * https://anonymous-proxy-servers.net/wiki/index.php/FreeBSD_SSH_port_security_3#Setting_up_fail2ban
