Project

General

Profile

Support #564

Updated by Daniel Curtis almost 10 years ago

{{>toc}} 

 Fail2ban scans log files and bans IPs that show the malicious signs like too many password failures, seeking for exploits, and such. It can be useful to ban bots who try to bruteforce your ssh and flood your logs (another solution is to restrict allowed IP or change sshd port). This is a simple guide on setting up fail2ban on FreeBSD, in combination with pf. 

 h2. Install IPFW 

 * Install ipfw: 
 <pre> 
 pkg install ipfw 
 </pre> 

 h3. Configure IPFW 

 * Start and enable ipfw at boot: 
 <pre> 
 echo 'firewall_enable="YES"' >> /etc/rc.conf 
 echo 'firewall_script="/usr/local/etc/ipfw.rules"' >> /etc/rc.conf 
 service ipfw start 
 </pre> 

 h2. Install Fail2ban 

 * Install py27-fail2ban 
 <pre> 
 pkg install py27-fail2ban 
 </pre> 

 * Then create the ssh-ipfw.local file  
 <pre> 
 vi /usr/local/etc/fail2ban/jail.d/ssh-ipfw.local 
 </pre> 
 #* And add the following 
 <pre> 
 [ssh-ipfw] 
 enabled    = true 
 filter     = sshd 
 action     = ipfw 
 #            sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost] 
 logpath    = /var/log/auth.log 
 findtime    = 600 
 maxretry = 3 
 bantime    = 3600 
 </pre> 

 * Edit the ipfw action file: 
 <pre> 
 vi /usr/local/etc/fail2ban/action.d/ipfw.conf 
 </pre> 
 #* And modify the localhost parameter to the IP address of the server: 
 <pre> 
 localhost = 192.168.1.100 
 </pre> 

 * Start and enable fail2ban at boot: 
 <pre> 
 echo 'fail2ban_enable="YES"' >> /etc/rc.conf 
 service fail2ban start 
 </pre> 

 Now you can look in @/var/log/fail2ban.log@ to see detected IP and applied ban. 

 * To list current banned IP: 
 <pre> 
 ipfw list 
 </pre> 

 h2. (Extra) Securing Web Apps With Fail2ban 

 --- 

 h3. ownCloud 

 This example uses the owncloud package available from the ports tree.  

 * Create the owncloud filter definition for fail2ban 
 <pre> 
 /usr/local/etc/fail2ban/filter.d/owncloud.conf 
 </pre> 
 #* And add the following 
 <pre> 
 [Definition] 
 failregex={"app":"core","message":"Login failed: user '.*' , wrong password, IP:<HOST>","level":2,"time":".*"} 
           {"app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>', X-Forwarded-For: '.*'\)","level":2,"time":".*"} 
           {"reqId":".*","remoteAddr":"<HOST>","app":"core","message":"Login failed: .*","level":2,"time":".*"} 
 </pre> 

 The first line is for owncloud <= 7.0.1. The second for owncloud 7.0.2-7.05 and the bottom one for owncloud 8. 

 * Create the owncloud service definition: 
 <pre> 
 vi /usr/local/etc/fail2ban/jail.d/owncloud-auth.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 [owncloud] 
 enabled = true 
 filter    = owncloud 
 port      = http,https 
 logpath = /usr/local/www/owncloud/data/owncloud.log 
 </pre> 

 Now restart fail2ban and try to log in 4 times with a wrong password. The 4th attempt should give you a timeout for 15min. 

 --- 

 h3. Redmine 

 This example uses the redmine package available from the ports tree.  

 * Create the redmine filter definition for fail2ban 
 <pre> 
 /usr/local/etc/fail2ban/filter.d/redmine.conf 
 </pre> 
 #* And add the following 
 <pre> 
 [Definition] 
 failregex = Failed [-/\w]+ for .* from <HOST> 
 </pre> 

 * Create the redmine service definition: 
 <pre> 
 vi /usr/local/etc/fail2ban/jail.d/redmine-auth.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 [redmine] 
 enabled = true 
 filter    = redmine 
 port      = http,https 
 logpath = /usr/local/www/redmine/log/production.log 
 </pre> 

 Now restart fail2ban and try to log in 4 times with a wrong password. The 4th attempt should give you a timeout for 15min. 

 --- 

 h3. Piwik 

 This example uses the piwik package available from the ports tree.  

 * Create the piwik filter definition for fail2ban 
 <pre> 
 /usr/local/etc/fail2ban/filter.d/piwik.conf 
 </pre> 
 #* And add the following 
 <pre> 
 [Definition] 
 failregex = ^<HOST> -.*"POST / 
 ignoreregex = 
 </pre> 

 * Create the piwik service definition: 
 <pre> 
 vi /usr/local/etc/fail2ban/jail.d/piwik-auth.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 [piwik] 
 enabled = true 
 filter    = piwik 
 port      = http,https 
 logpath = /var/log/apache-piwik.log 
 </pre> 

 Now restart fail2ban and try to log in 4 times with a wrong password. The 4th attempt should give you a timeout for 15min. 

 --- 

 h2. Resources 

 * http://blog.alteroot.org/articles/2014-06-14/fail2ban-on-freebsd.html 
 * https://nileshgr.com/2013/04/18/securing-freebsd-server-with-fail2ban-and-ipfw 
 * https://anonymous-proxy-servers.net/wiki/index.php/FreeBSD_SSH_port_security_3#Setting_up_fail2ban 
 * http://www.rojtberg.net/711/secure-owncloud-server/

Back