Hello all.
I use fail2ban to block some ssh scripts from polluting my log files, and this works like advertised.
Now I want to block IP addresses that try to log in on my owncloud server.
Everything works, the IP address is in the fail2ban table after the x login attempts.
The only thing is that the connection is not being closed, so the web page is still accessible from the blocked IP address! I think it has something to do with the state of the connection.
My pf.conf:
Code:
# ---- Set interface
ext_if="em0"
# NOTE: the SMTP rules below reference $int_if, but the posted config never
# defined it, and pfctl refuses to load a ruleset with an undefined macro.
# The value here is an assumption for a single-homed host.
int_if="em0"
# ---- Tables
table <trusted> persist file "/etc/pf-trusted.conf"
table <fail2ban> persist
# ---- Set some types
icmp_types = "echoreq"
junk_ports = "{ 135,137,138,139,445,68,67,3222 }"
smtp_servers = "{ 1.2.3.4 }"
# (192.0.2.0/24 and 169.254.0.0/16 were listed twice; duplicates removed)
broken = "{ 224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
198.51.100.0/24, 203.0.113.0/24, \
0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32 }"
# ---- some defaults
set block-policy drop
set skip on lo0
scrub in all no-df max-mss 1440
block in all
# ---- block SMTP out
# These two rules must come before the "pass out quick" below: a quick rule
# ends evaluation on first match, so placed after it they never matched
# traffic leaving on $ext_if.
pass quick proto tcp from $int_if to $smtp_servers port 25
block quick proto tcp from $int_if to any port 25
pass out quick on $ext_if inet keep state
antispoof quick for ($ext_if) inet
# ---- Block ipv6 traffic
block out quick inet6 all
block in quick inet6 all
# ---- Block junk logs
block quick proto { tcp, udp } from any to any port $junk_ports
# ---- Block private addresses
block in quick from { $broken urpf-failed no-route } to any
block out quick on $ext_if from any to { $broken no-route }
# ---- Block IP addresses added by fail2ban
# pf consults the state table before the ruleset, so this rule only sees
# packets that do not already belong to an established (or synproxied)
# connection. States created before the address was added to the table
# keep passing until they are killed (pfctl -k <address>).
block in quick proto tcp from <fail2ban> to any
# ---- Allow incoming Web traffic
pass in on $ext_if proto tcp from any to any port { 80, 443 } flags S/SA synproxy state
# ---- Allow SSH
# "flush" only kills states created by this rule for the offending source;
# "flush global" would kill all of that source's states.
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state \
(max-src-conn 5, max-src-conn-rate 5/5, overload <fail2ban> flush)
pass inet proto icmp icmp-type $icmp_types
After the login failures the fail2ban table shows me the IP address.
Code:
root@oc:~ # pfctl -t fail2ban -Ts
No ALTQ support in kernel
ALTQ related functions disabled
9x.7x.1xx.1xx
root@oc:~ #
But the site is still available. If I restart the client PC I cannot reconnect, since the state is not there anymore.
How can I make pf block traffic to the IP address?
Regards.
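The reason the banned client stays connected is visible in the ruleset above: pf looks up the state table before it evaluates rules, so "block in quick proto tcp from <fail2ban> to any" only applies to packets that do not already match a state. Adding an address to the table therefore blocks new connections only; the browser session that was open when the ban happened keeps its (synproxy) state until that state is removed, which is why only a client restart ends it. The "flush" in "overload <fail2ban> flush" does not help here either: it only removes states created by the ssh rule, and only for bans that pf triggers itself, not for addresses fail2ban adds. A ban action needs a second step, "pfctl -k <address>", which kills every state whose source address is the banned host. The script below is an added example of such an action; it is not code from the post, from pf, or from fail2ban's own action files. It assumes the table name "fail2ban" from the posted pf.conf, IPv4 addresses only (the ruleset blocks all inet6), and pfctl on PATH; setting PFCTL=echo turns it into a dry run that prints the pfctl commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): the ban step a fail2ban pf
# action needs in order to cut off a client that is already connected.
#
# pf checks the state table before it evaluates the ruleset, so a
# "block ... from <fail2ban>" rule only sees packets without a matching
# state. Adding the address to the table blocks NEW connections only; the
# existing session keeps working until its states are removed, and
# "pfctl -k <host>" kills every state whose source address is <host>.
#
# Assumptions (not taken from the post): table name "fail2ban" as in the
# posted pf.conf, IPv4 only, pfctl on PATH. PFCTL and TABLE can be
# overridden, e.g. PFCTL=echo for a dry run that prints the commands.

PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-fail2ban}"

# Accept only a plain dotted-quad IPv4 address. fail2ban passes the address
# it parsed out of the log, so refusing anything else means a crafted log
# line cannot turn into extra pfctl arguments.
is_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Ban one address: add it to the table (new connections now hit the block
# rule), then kill the states it already has (existing connections die).
ban_ip() {
    is_ipv4 "$1" || { echo "ban_ip: refusing '$1'" >&2; return 2; }
    $PFCTL -t "$TABLE" -T add "$1" || return 1
    $PFCTL -k "$1"
}

# Unban one address. pf created no new states for it while it was in the
# table, so removing the table entry is all there is to do.
unban_ip() {
    is_ipv4 "$1" || { echo "unban_ip: refusing '$1'" >&2; return 2; }
    $PFCTL -t "$TABLE" -T delete "$1"
}

# Kill the states of every address read from stdin (one per line), skipping
# lines that are not an address, e.g. pfctl's "No ALTQ support in kernel"
# notices. Feed it the table listing to clean up addresses that were added
# before the state kill was in place:
#     pfctl -t fail2ban -T show | kill_listed_states
kill_listed_states() {
    while read -r _addr _rest; do
        is_ipv4 "$_addr" || continue
        $PFCTL -k "$_addr"
    done
}

# Command-line entry points for a fail2ban action; with no arguments the
# file only defines the functions, so it can also be sourced.
case "${1:-}" in
    ban)   ban_ip "$2" ;;
    unban) unban_ip "$2" ;;
    flush) $PFCTL -t "$TABLE" -T show | kill_listed_states ;;
    "")    ;;
    *)     echo "usage: $0 ban <ip> | unban <ip> | flush" >&2; exit 64 ;;
esac
```

Point the fail2ban pf action at it (for instance actionban = /usr/local/sbin/pf-ban.sh ban <ip> and actionunban = /usr/local/sbin/pf-ban.sh unban <ip>; the path is an assumption), or check whether the action's existing actionban already runs pfctl -k after the table add and, if not, add that line there. Running pf-ban.sh flush once kills the states of addresses that are already in the table, such as the one shown in the pfctl -t fail2ban -Ts output above, without waiting for the clients to disconnect on their own.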