
PF not working on FreeBSD 8.2?

Discussion in 'Firewalls' started by bloodhound, Mar 31, 2011.

  1. bloodhound

    bloodhound New Member

    Hi. I have some problems with pf. It is not filtering anything!

    Basically what I've done:

    in /boot/loader.conf:
    Code:
    pf_load="YES"
    pflog_load="YES"
    
    in /etc/rc.conf:
    Code:
    pf_enable="YES"
    pflog_enable="YES"
    pf_rules="/etc/pf.conf"
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    
    I added this to /etc/pf.conf:

    Code:
    ext_if="em0"
    table <fail2ban> persist "/etc/pf.table.fail2ban"
    block in quick on $ext_if from <fail2ban> to any
    
    I have installed fail2ban, but at this point I don't see it parsing anything like /var/log/auth.log. Tried logging in xxxx times with wrong users/pass but nothing.

    In any case I added that ip 192.168.2.60 with
    Code:
    smtpgw# pfctl -t fail2ban -T add 192.168.2.60
    No ALTQ support in kernel
    ALTQ related functions disabled
    1/1 addresses added.
    
    Still I can do anything I want from 192.168.2.60.

    I even tried a
    Code:
    block in all
    in pf.conf and nothing gets filtered.

    Any tips? Cause I used pf a lot on FreeBSD 7 and it worked like a charm.
     
  2. quintessence

    quintessence New Member

    Hello,

    Code:
    table <fail2ban> persist file "/etc/pf.table.fail2ban"
    is the correct rule.
    Probably your firewall rules are not loaded and PF is not started due to a syntax error.

    You can check the syntax with:
    # pfctl -nf /etc/pf.conf

    and the status with:
    # pfctl -si | head -n1
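A preflight check that walks the same layers in the order they break, added here as an example and not code from the thread: is the pf module in the kernel, does the ruleset parse (`pfctl -nf`), is pf enabled (`pfctl -si`), and does a loaded rule actually reference the table. The FreeBSD commands are real; the pf.conf path and the `fail2ban` table name come from the thread, and `pf_status_enabled` / `pf_parse_verdict` are this example's own helper names so the parsing part can be exercised without a pf kernel.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks before blaming fail2ban.
# Assumes FreeBSD's pfctl(8) and kldstat(8) and the paths used in the thread.

PF_CONF="${PF_CONF:-/etc/pf.conf}"
PF_TABLE="${PF_TABLE:-fail2ban}"

# Parse the first line of `pfctl -si` output (passed as $1 so it can be
# tested off-box). Returns 0 for "Status: Enabled ...", 1 for anything else.
pf_status_enabled() {
    case "$1" in
        "Status: Enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn the exit status of `pfctl -nf` into a verdict string: the ruleset
# only gets loaded if the parse succeeds, so anything non-zero means no rules.
pf_parse_verdict() {
    if [ "$1" -eq 0 ]; then echo ok; else echo syntax-error; fi
}

# Live check (needs root and a pf kernel). Each failure names the layer that
# is broken so the search does not start at fail2ban.
pf_preflight() {
    if ! kldstat -q -m pf; then
        echo "pf module not loaded (check pf_load in /boot/loader.conf)"
        return 1
    fi
    pfctl -nf "$PF_CONF" >/dev/null 2>&1
    if [ "$(pf_parse_verdict $?)" != ok ]; then
        echo "syntax error in $PF_CONF; pfctl -nf output follows:"
        pfctl -nf "$PF_CONF"
        return 1
    fi
    status=$(pfctl -si 2>/dev/null | head -n1)
    if ! pf_status_enabled "$status"; then
        echo "pf is loaded but not enabled ($status); run: /etc/rc.d/pf start"
        return 1
    fi
    if ! pfctl -sr 2>/dev/null | grep -qF "<$PF_TABLE>"; then
        echo "no loaded rule references <$PF_TABLE>; the block rule is not active"
        return 1
    fi
    echo "pf enabled, ruleset parses, <$PF_TABLE> is referenced; table contents:"
    pfctl -t "$PF_TABLE" -T show
}

# Only run the live check where pfctl exists, i.e. on the FreeBSD host itself.
if command -v pfctl >/dev/null 2>&1; then
    pf_preflight
fi
```

Run it as root after every pf.conf edit; a ruleset that fails `pfctl -nf` leaves whatever was loaded before (or nothing) in place, which is exactly the "nothing gets filtered" symptom in the first post.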
     
  3. bloodhound

    bloodhound New Member

    I had a wrong statement in my pf.conf, but still it seems that fail2ban is not working. It is not doing anything, I think it is not reading the auth.log file. I tried connecting with a wrong pass like 10 times. In auth.log I get:

    Code:
    Apr  1 16:23:41 smtpgw su: radu to root on /dev/pts/0
    Apr  1 16:26:36 smtpgw sshd[17177]: error: PAM: authentication error for root from 192.168.2.60
    Apr  1 16:26:37 smtpgw last message repeated 2 times
    Apr  1 16:26:40 smtpgw sshd[17182]: error: PAM: authentication error for root from 192.168.2.60
    Apr  1 16:26:42 smtpgw last message repeated 2 times
    Apr  1 16:26:45 smtpgw sshd[17187]: error: PAM: authentication error for root from 192.168.2.60
    Apr  1 16:26:47 smtpgw last message repeated 2 times
    Apr  1 16:26:50 smtpgw sshd[17192]: error: PAM: authentication error for root from 192.168.2.60
    Apr  1 16:26:53 smtpgw last message repeated 2 times
    Apr  1 16:26:57 smtpgw sshd[17197]: error: PAM: authentication error for root from 192.168.2.60
    Apr  1 16:26:59 smtpgw last message repeated 2 times
    Apr  1 16:27:03 smtpgw sshd[17202]: error: PAM: authentication error for root from 192.168.2.60
    Apr  1 16:27:05 smtpgw last message repeated 2 times
    Apr  1 16:27:08 smtpgw sshd[17209]: error: PAM: authentication error for root from 192.168.2.60
    Apr  1 16:27:10 smtpgw last message repeated 2 times
    But the address does not get banned.

    My fail2ban config:

    jail.conf:
    Code:
    [DEFAULT]
    backend         = auto
    # bantime of -1 means forever, otherwise insert a time period in seconds
    bantime = 600
    # time span for which to increment the counter for login failures, 604800 seconds equals 1 week
    findtime        = 604800
    maxretry        = 5
    # replace by the email address to which you'd like to get notes
    destemail       = <radu.negrut@hostlogiclive.com>
    # replace by your own IP addresses you do not want fail2ban to apply to, CIDR format possible too
    ignoreip        = 127.0.0.1 10.124.175.5
    logtargets      = /var/log/fail2ban.log
    
    [ssh-pf]
    # this .fail2ban-jail. is switched on and it combines the filter.d/sshd.conf with action.d/pf.conf
    enabled = true
    filter          = sshd
    action          = pf
    logpath = /var/log/auth.log
    maxretry        = 5
    
    [ssh-ddos]
    # this .fail2ban-jail. is switched on and it combines the filter.d/sshd-ddos.conf with action.d/pf.conf
    enabled = true
    filter          = sshd-ddos
    action          = pf
    logpath = /var/log/auth.log
    maxretry        = 3
    
    action/pf.conf:
    Code:
    [Definition]
    actionstart     =
    actionstop      =
    actioncheck     =
    actionban       = pfctl -t fail2ban -T add <ip>
    actionunban     = pfctl -t fail2ban -T delete `pfctl -t fail2ban -T show 2>/dev/null | grep <ip>`
    
    [Init]
    port            = ssh
    localhost       = 127.0.0.1
    
    Any tips?
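What the jail should have seen in that auth.log excerpt, as an added example rather than anything from the thread or from fail2ban itself: the sshd PAM failures counted per source address, with syslog's "last message repeated N times" lines credited to the address of the line before them (and ignored when the previous line was not a failure), then a dry run of the `pfctl -t fail2ban -T add` command the pf action would issue for every address at or above `maxretry`. The log lines are constructed from the excerpt above with one extra address; the `findtime` window is not modelled, so counts are over the whole input.

```shell
#!/bin/sh
# Added example (not from the thread): count sshd PAM authentication failures
# per source address and show the ban commands that would follow.
# Uses only sh + awk so it runs on a stock FreeBSD box.

MAXRETRY="${MAXRETRY:-5}"

# Constructed sample modelled on the auth.log excerpt in the thread. Note the
# final "repeated 3 times" line: it follows a successful login, not a failure.
SAMPLE_LOG='Apr  1 16:23:41 smtpgw su: radu to root on /dev/pts/0
Apr  1 16:26:36 smtpgw sshd[17177]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:37 smtpgw last message repeated 2 times
Apr  1 16:26:40 smtpgw sshd[17182]: error: PAM: authentication error for root from 192.168.2.60
Apr  1 16:26:42 smtpgw last message repeated 2 times
Apr  1 16:27:03 smtpgw sshd[17202]: error: PAM: authentication error for radu from 10.9.8.7
Apr  1 16:27:05 smtpgw sshd[17210]: Accepted keyboard-interactive/pam for radu from 10.9.8.7 port 5555 ssh2
Apr  1 16:27:06 smtpgw last message repeated 3 times'

# Read log lines on stdin, print "IP count" per address, sorted by address.
# A repeated-message line adds N to whatever the previous line matched:
# a failure means the same IP, anything else means nothing is counted.
count_ssh_failures() {
    awk '
        / sshd\[[0-9]+\]: error: PAM: authentication error for .* from / {
            ip = $NF; fails[ip]++; last = ip; next
        }
        / last message repeated [0-9]+ times/ {
            if (last != "") fails[last] += $(NF-1); next
        }
        { last = "" }
        END { for (ip in fails) print ip, fails[ip] }
    ' | sort
}

# Addresses at or above MAXRETRY, one per line.
offenders() {
    count_ssh_failures | awk -v max="$MAXRETRY" '$2 >= max { print $1 }'
}

# Dry run: print the pfctl invocation from the thread's action.d/pf.conf
# for each offender instead of executing it.
ban_commands() {
    offenders | while read -r ip; do
        echo "pfctl -t fail2ban -T add $ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | count_ssh_failures
printf '%s\n' "$SAMPLE_LOG" | ban_commands
```

Piping the real file through it (`count_ssh_failures < /var/log/auth.log`) tells you whether the log contains enough matchable failures in the first place; if it does and the table stays empty, the problem is on the fail2ban side (log path, filter regex, or the pf action), not in the log.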
     
  4. DutchDaemon

    DutchDaemon Administrator Staff Member Administrator Moderator

  5. da1

    da1 Member

    Even if the following is not a direct solution to your problem, it is an alternative.
    After several failed attempts at fail2ban and other similar software, I decided to do it my way:
    Code:
    #!/bin/sh
    
    #set -x
    
    . /root/scripts/util/library.sh
    
    ftpguard="/etc/ftpguard.pf"
    table="ftpguard"
    
    if [ ! -e "$ftpguard" ]
    then
        echo "$ftpguard does not exist. Exiting ..."
        exit 1
    fi
    
    # Get all IP's that try to hijack the FTP port
    if [ -z "$1" ]; then
        echo "Usage: grep_ip_from_file <file_name>"
    else
        # pure-ftpd logs the client as "(?@a.b.c.d)" in the 6th syslog field;
        # pull the bare address out of it, one address per line
        $grep '\[ERROR\] Too many authentication failures' "$1" | $awk '{print $6}' \
            | $grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | $uniq | while read IP
        do
            for i in $IP
            do
                # add each address only once: match it as a whole line, as a fixed string
                if ! $grep -qxF "$i" "$ftpguard"
                then
                    echo "$i" >> "$ftpguard"
                    $pfctl -t "$table" -T add "$i"
                fi
            done
        done
    fi
    /root/scripts/util/library.sh contains:
    Code:
    dig="/usr/bin/dig"                                        # Full path to: dig
    if [ ! -f $dig ];then
    echo "Cannot find $dig executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
    fi
    
    grep="/usr/bin/grep"                                            # Full path to: grep
    if [ ! -f $grep ];then
    echo "Cannot find $grep executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
    fi
    
    awk="/usr/bin/awk"                                              # Full path to: awk
    if [ ! -f $awk ];then
    echo "Cannot find $awk executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
    fi
    
    # $uniq and $pfctl are also used by the script above, so the library has to
    # define them too (same pattern; FreeBSD's default paths)
    uniq="/usr/bin/uniq"                                            # Full path to: uniq
    if [ ! -f $uniq ];then
    echo "Cannot find $uniq executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
    fi
    
    pfctl="/sbin/pfctl"                                             # Full path to: pfctl
    if [ ! -f $pfctl ];then
    echo "Cannot find $pfctl executable in the mentioned path. Pls adjust the path in the script ..."
    echo "Exiting ..."
    exit 1
    fi
    
    I run it from crontab every 10 minutes.
    The script can easily be modified to do what you require.

    PS: This script is configured for working with pure-ftpd failed login attempts.