1

Topic: Fail2Ban with FreeBSD

Does anyone know if fail2ban already works with FreeBSD?

According to the wiki, it still does not work ...
http://www.iredmail.org/wiki/index.php? … an#Testing

Thanks

2 (edited by remington 2013-03-27 02:48:26)

Re: Fail2Ban with FreeBSD

Fail2ban does work in FreeBSD. You will have to tweak configs for it to work with the pf firewall.

/usr/local/etc/fail2ban/jail.conf

[ssh-pf]

enabled  = true
filter   = bsd-sshd
action   = pf
logpath  = /var/log/auth.log
maxretry = 3

[ssh-ddos]

enabled  = true
filter   = sshd-ddos
action   = pf
logpath  = /var/log/auth.log
maxretry = 3

/usr/local/etc/fail2ban/action.d/pf.conf

[Definition]
actionban = pfctl -t fail2ban -T add <ip>
# Remove exactly this address from the pf table
actionunban = pfctl -t fail2ban -T delete <ip>

[Init]
port = ssh
localhost = 127.0.0.1

/etc/pf.conf

ext_if = "em0"
table <fail2ban> persist
block in quick on $ext_if from <fail2ban> to any

/etc/rc.conf

pf_enable="YES"
pf_rules="/etc/pf.conf"
fail2ban_enable="YES"
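
Added example, not part of remington's post and not fail2ban's own code: a Python model of what the [ssh-pf] jail above does with maxretry = 3, run over constructed auth.log lines, producing the actionban command from the post. The regex is a simplified stand-in for the bsd-sshd filter, and the 600-second findtime and the year are assumed values that the post does not set.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 3                               # from the [ssh-pf] jail in the post
FINDTIME = timedelta(seconds=600)          # assumed window; not set in the post
BAN_CMD = "pfctl -t fail2ban -T add {ip}"  # actionban from the post

# Simplified failed-login pattern (assumption, not the real bsd-sshd filter).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b"
)

def bans_for(lines, year=2013):
    """Return ban commands, in order, for IPs reaching MAXRETRY within FINDTIME."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned, commands = set(), []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        # syslog lines carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # forget failures older than FINDTIME
            window.popleft()
        if len(window) >= MAXRETRY:
            banned.add(m["ip"])
            commands.append(BAN_CMD.format(ip=m["ip"]))
    return commands

# Constructed auth.log lines using documentation addresses, not real traffic.
SAMPLE = """\
Mar 27 02:10:01 mx sshd[811]: Failed password for root from 203.0.113.7 port 4122 ssh2
Mar 27 02:10:03 mx sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 4123 ssh2
Mar 27 02:10:04 mx sshd[814]: Accepted publickey for alice from 198.51.100.20 port 5010 ssh2
Mar 27 02:10:06 mx sshd[815]: Failed password for root from 203.0.113.7 port 4124 ssh2
Mar 27 02:10:09 mx sshd[816]: Failed password for root from 203.0.113.7 port 4125 ssh2
Mar 27 02:11:00 mx sshd[820]: Failed password for bob from 198.51.100.9 port 6001 ssh2
Mar 27 02:25:00 mx sshd[830]: Failed password for bob from 198.51.100.9 port 6002 ssh2
Mar 27 02:26:00 mx sshd[831]: Failed password for bob from 198.51.100.9 port 6003 ssh2
""".splitlines()

if __name__ == "__main__":
    for cmd in bans_for(SAMPLE):
        print(cmd)
```

The three failures from 198.51.100.9 do not trigger a ban because the first falls outside the assumed window by the time the third arrives.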

3

Re: Fail2Ban with FreeBSD

Hi remington,

Thanks for sharing.
I believe many users use ipfw on FreeBSD instead of PF. Do you have a working config sample for ipfw?

4

Re: Fail2Ban with FreeBSD

ZhangHuangbin wrote:

Hi remington,

Thanks for sharing.
I believe many users use ipfw on FreeBSD instead of PF. Do you have a working config sample for ipfw?

No, I do not have a working sample for ipfw. I use pf on FreeBSD and Fail2ban works with the above sample.

5

Re: Fail2Ban with FreeBSD

remington wrote:

No, I do not have a working sample for ipfw. I use pf on FreeBSD and Fail2ban works with the above sample.

In the configuration file:

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1