Solved PF and fail2ban

Hello all.

I use fail2ban to block some ssh scripts from polluting my log files, and this works like advertised.

Now I want to block IP addresses that try to log in on my owncloud server.
Everything works, the IP address is in the fail2ban table after the x login attempts.

The only thing is that the connection is not being closed. So the webpage is still accessible from the blocked IP address! I think it has something to do with the state of the connection.

My pf.conf:
Code:
# ---- Set interface
ext_if="em0"

# ---- Tables
table <trusted> persist file "/etc/pf-trusted.conf"
table <fail2ban> persist

# ---- Set some types
icmp_types = "echoreq"
junk_ports = "{ 135,137,138,139,445,68,67,3222 }"
smtp_servers = "{ 1.2.3.4 }"
broken = "{ 224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
        10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
        198.51.100.0/24, 203.0.113.0/24, \
        0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32 }"

# ---- some defaults
set block-policy drop
set skip on lo0
scrub in all no-df max-mss 1440
block in all
pass out quick on $ext_if inet keep state
antispoof quick for ($ext_if) inet

# ---- Block ipv6 traffic
block out quick inet6 all
block in quick inet6 all

# ---- Block junk logs
block quick proto { tcp, udp } from any to any port $junk_ports

# ---- Block private addresses
block in quick from { $broken urpf-failed no-route } to any
block out quick on $ext_if from any to { $broken no-route }

# ---- Block IP addresses added by fail2ban
block in quick proto tcp from <fail2ban> to any

# ---- Allow incoming Web traffic
pass in on $ext_if proto tcp from any to any port { 80, 443 } flags S/SA synproxy state

# ---- Allow SSH
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/5, overload <fail2ban> flush)
pass inet proto icmp icmp-type echoreq

# ---- block SMTP out
# NOTE: $int_if is not defined anywhere in the posted file; pfctl refuses to
# load the ruleset ("macro 'int_if' not defined") until a macro for it exists.
pass quick proto tcp from $int_if to $smtp_servers port 25
block quick proto tcp from $int_if to any port 25

After the login failures the fail2ban table shows me the IP address.

Code:
root@oc:~ # pfctl -t fail2ban -Ts
No ALTQ support in kernel
ALTQ related functions disabled
   9x.7x.1xx.1xx
root@oc:~ #

But the site is still available. If I restart the PC of the client I cannot reconnect, since the state is not there anymore.

How can I make pf block traffic to the IP address?

Regards.
 
I think that you are right, the firewall does not block the connection because the state is already there. I am not very familiar with fail2ban but if it could send a command after adding the IP address to the table, then you could manually kill the state by pfctl -k host.
 
Thanks gkontos I will try this and post back if it works.


It works

Adding the pfctl -k <ip address> command works.
So my actions.d/pf.local looks like this (relevant part):

Code:
actionban = /sbin/pfctl -t fail2ban -T add <ip>/32 && /sbin/pfctl -k <ip>
 
This is something that needs to be patched on sshguard-pf as well. Without adding -k, an existing session can continue to do bad things.
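The ban action the thread settles on (add the address to the table, then pfctl -k it, as in the actionban line above and the sshguard-pf remark), written out as an added example script; it is not from the thread and not fail2ban's own pf action. It assumes the table name fail2ban from the posted pf.conf, pfctl at /sbin/pfctl, and a hypothetical install path /usr/local/bin/pf-ban.sh; the address check and the PFCTL=echo preview are additions.

```shell
#!/bin/sh
# Added example (not from the thread): a fail2ban action script for the ban
# step discussed above. It adds the address to the <fail2ban> table and then
# kills the host's existing states, so a session that was open before the ban
# stops working instead of riding on its established state.
# Assumptions: the table is named "fail2ban" as in the posted pf.conf, pfctl is
# /sbin/pfctl, and setting PFCTL=echo previews the commands without running them.

PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-fail2ban}"

# Accept only a plain IPv4 dotted quad (the posted ruleset drops all inet6).
# Anything else is rejected so a malformed <ip> substitution cannot become
# extra pfctl arguments.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Ban: table add first, then pfctl -k to flush states from that source host.
pf_ban() {
    valid_ipv4 "$1" || { echo "pf_ban: refusing address '$1'" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T add "$1/32" && "$PFCTL" -k "$1"
}

# Unban: remove from the table; no state handling is needed on the way out.
pf_unban() {
    valid_ipv4 "$1" || { echo "pf_unban: refusing address '$1'" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T delete "$1/32"
}

# Entry point for fail2ban, e.g. in actions.d/pf.local (hypothetical path):
#   actionban   = /usr/local/bin/pf-ban.sh ban <ip>
#   actionunban = /usr/local/bin/pf-ban.sh unban <ip>
if [ $# -ge 2 ]; then
    case "$1" in
        ban)   pf_ban "$2" ;;
        unban) pf_unban "$2" ;;
        *)     echo "usage: $0 ban|unban <ip>" >&2; exit 64 ;;
    esac
fi
```

After a ban, `pfctl -t fail2ban -Ts` should list the address and `pfctl -s state` should no longer show entries from it.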
 