Support #564
Updated by Daniel Curtis almost 10 years ago
Fail2ban scans log files and bans IPs that show malicious signs, such as too many password failures or probing for exploits. It is useful for banning bots that brute-force sshd and flood your logs (alternatives are to restrict the allowed source IPs or to move sshd to another port). This is a simple guide to setting up fail2ban on FreeBSD in combination with pf; pf is part of the base system, so only fail2ban needs to be installed.

* Install py27-fail2ban:
<pre>
pkg install py27-fail2ban
</pre>

* Create a jail for sshd that uses the pf action:
<pre>
vi /usr/local/etc/fail2ban/jail.d/ssh-pf.local
</pre>
** And add the following:
<pre>
[ssh-pf]
enabled  = true
filter   = sshd
action   = pf
logpath  = /var/log/auth.log
findtime = 600
maxretry = 3
bantime  = 3600
</pre>
An IP that produces @maxretry@ failures within @findtime@ seconds is banned for @bantime@ seconds; adjust the three values to taste. To be notified of every ban, add @sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost]@ as a second, indented line under @action = pf@.

* Check the pf action file, @/usr/local/etc/fail2ban/action.d/pf.conf@ (create it if your fail2ban version does not ship one). It should contain:
<pre>
[Definition]
actionstart =
actionstop =
actioncheck =
actionban   = /sbin/pfctl -t <tablename> -T add <ip>/32
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32

[Init]
tablename = fail2ban
</pre>
When the action is triggered, fail2ban runs @pfctl -t fail2ban -T add A.B.C.D/32@ to add the offending address to the pf table @fail2ban@, and the matching @-T delete@ when the ban expires. The same @pfctl -t fail2ban -T delete@ command can be used to unban an address by hand without waiting for @bantime@.

* In @/etc/pf.conf@ (empty by default; adapt it if you already have pf rules), define the table and a rule that blocks its members from reaching sshd. Set @localhost@ to the IP address of the server and @ext_if@ to its network interface:
<pre>
localhost = "192.168.1.100"   # the IP address of the server
ext_if    = "re0"             # your interface !

table <fail2ban> persist
block in quick on $ext_if proto tcp from <fail2ban> to $localhost port ssh
</pre>
@persist@ keeps the table in the kernel even while it is empty, so fail2ban can add to it before anything has been banned. Because pf applies the last matching rule, @quick@ is what stops a later @pass@ rule for ssh from overriding the block. Check the syntax with @pfctl -nf /etc/pf.conf@ before loading it.

* Enable pf at boot and start it:
<pre>
echo 'pf_enable="YES"' >> /etc/rc.conf
service pf start
</pre>

* Enable fail2ban at boot and start it:
<pre>
echo 'fail2ban_enable="YES"' >> /etc/rc.conf
service fail2ban start
</pre>
Detected IPs and the bans applied are logged to @/var/log/fail2ban.log@.

* To list the currently banned IPs:
<pre>
pfctl -t fail2ban -T show
</pre>

h2. Resources

* http://blog.alteroot.org/articles/2014-06-14/fail2ban-on-freebsd.html
* https://nileshgr.com/2013/04/18/securing-freebsd-server-with-fail2ban-and-ipfw
* https://anonymous-proxy-servers.net/wiki/index.php/FreeBSD_SSH_port_security_3#Setting_up_fail2ban
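Added example, not part of the original ticket and not fail2ban's own code: a small sh/awk script that replays constructed sshd @auth.log@ lines through the same findtime/maxretry window logic the @ssh-pf@ jail above configures, and prints the source addresses that would be handed to @pfctl -t fail2ban -T add@. The hostname, PIDs and addresses are made up, it assumes all lines fall on the same day (so the @HH:MM:SS@ field is enough to order them), and it never touches pf, so it runs anywhere with a POSIX shell and awk.

```shell
#!/bin/sh
# Added example (not from the original ticket, not fail2ban's code): replay
# constructed sshd log lines through fail2ban-style findtime/maxretry logic
# to see which IPs the ssh-pf jail above would ban.

FINDTIME=600   # seconds, as in the jail
MAXRETRY=3     # as in the jail

# Constructed sample log (FreeBSD syslog format for sshd); all lines on one day.
#   203.0.113.5  : 3 failures inside 2 minutes        -> banned on the 3rd
#   198.51.100.9 : 3 failures spread over 25 minutes  -> never 3 inside 600 s
#   192.0.2.77   : 4 failures inside 30 seconds       -> banned on the 3rd
#   192.0.2.10   : a successful login, must be ignored
SAMPLE_LOG='Jun 14 10:00:01 bsdhost sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 14 10:00:40 bsdhost sshd[1202]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Jun 14 10:01:10 bsdhost sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun 14 10:01:55 bsdhost sshd[1204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jun 14 10:12:00 bsdhost sshd[1205]: Failed password for invalid user admin from 198.51.100.9 port 40005 ssh2
Jun 14 10:20:00 bsdhost sshd[1206]: Accepted publickey for dcurtis from 192.0.2.10 port 40006 ssh2
Jun 14 10:25:30 bsdhost sshd[1207]: Failed password for invalid user admin from 198.51.100.9 port 40007 ssh2
Jun 14 10:30:00 bsdhost sshd[1208]: Failed password for invalid user test from 192.0.2.77 port 40008 ssh2
Jun 14 10:30:05 bsdhost sshd[1209]: Failed password for invalid user test from 192.0.2.77 port 40009 ssh2
Jun 14 10:30:10 bsdhost sshd[1210]: Failed password for invalid user test from 192.0.2.77 port 40010 ssh2
Jun 14 10:30:20 bsdhost sshd[1211]: Failed password for invalid user test from 192.0.2.77 port 40011 ssh2'

# f2b_would_ban: reads log lines on stdin and prints, once each and in ban
# order, every source IP that reaches MAXRETRY failures inside a FINDTIME
# window. Mirrors the filter+jail behaviour: per IP, keep the timestamps of
# recent failures, drop those older than findtime, ban when count >= maxretry.
f2b_would_ban() {
    awk -v findtime="$FINDTIME" -v maxretry="$MAXRETRY" '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        split($3, t, ":")                    # $3 is HH:MM:SS
        now = t[1]*3600 + t[2]*60 + t[3]     # seconds since midnight (same-day assumption)
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
        if (ip in banned) next               # already banned, pf drops it anyway
        n = 0
        for (j = 1; j <= cnt[ip]; j++)       # keep only failures inside findtime
            if (now - ts[ip, j] < findtime) tmp[++n] = ts[ip, j]
        for (j = 1; j <= n; j++) ts[ip, j] = tmp[j]
        cnt[ip] = n
        ts[ip, ++cnt[ip]] = now              # record this failure
        if (cnt[ip] >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# ban_list: the sample log run through the simulation. For each printed IP
# the real jail would execute: /sbin/pfctl -t fail2ban -T add <ip>/32
ban_list() {
    printf '%s\n' "$SAMPLE_LOG" | f2b_would_ban
}

ban_list
```

Running it prints @203.0.113.5@ and @192.0.2.77@ only: the host that spreads its attempts more than ten minutes apart never accumulates three failures inside one window, which is the trade-off behind raising @findtime@ (slow, patient brute-forcers) versus keeping it short (fewer false positives from forgetful users).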