EDIT: the problem is solved
Hello,
I have used Debian for the last several years and I'm very new to FreeBSD.
I tried to port my fail2ban configuration from my Debian machines to FreeBSD (with modifications because the firewall has changed).
In my testing phase I found that the recognition works as well as under Debian. My IP is marked in fail2ban's internal ban list (`fail2ban-client status ssh` shows my IP as "currently banned").
The problem is that I'm still not banned by pf. When I try to ban myself via `/sbin/pfctl -t fail2ban -T add <ip>` it works fine - pf adds me to my fail2ban table (connections are refused).
I don't understand why it won't work.
My /usr/local/etc/fail2ban/jail.local configuration is:
Code:
```
[DEFAULT]
ignoreip = 127.0.0.1/8
# if 10 failures per 6 hours then ban the IP for 24 hours - that seems legit to me, I am the only sysadmin who can access these systems
# in emergency cases I always have access to these machines via VNC over my host system
bantime = 86400
findtime = 21600
maxretry = 10
backend = auto
usedns = warn
#banaction = iptables-multiport # ported from my Debian configuration - inactive
protocol = tcp
chain = INPUT
# ported from my Debian configuration - inactive
#action_ = %(banaction)s[name=%(__name__)s, port="%(port)s",
#protocol="%(protocol)s", chain="%(chain)s"]
#action = %(action_)s
actionban=/sbin/pfctl -t fail2ban -T add <ip>
actionunban=/sbin/pfctl -t fail2ban -T delete <ip>
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
```
And my /etc/pf.conf is:
Code:
```
# name of the network interface
ext_if="em0"
# allow only certain types of ICMP requests
#icmp_types = "{echoreq, unreach}"
icmp_types = "echoreq"
# block everything incoming
block in all
# return connection refused to the client instead of making it wait until the timeout (set by the client system)
block return
# enable IP spoofing protection for all interfaces
block in quick from urpf-failed
# apply blocking against IP spoofing for the network interface given above
antispoof log for $ext_if
# allow the server to make outbound connections, e.g. to fetch updates; it may connect anywhere with any protocol
# CHANGEME will be restricted further later
pass out keep state
# this is what a pass rule generally looks like - here for ssh
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22
# allow inbound icmp
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# test section
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
block in quick on $ext_if from <blockedips> to any
table <fail2ban> persist
block in quick on $ext_if from <fail2ban> to any
```
My /etc/rc.conf is:
Code:
```
hostname="censored"
keymap="german.iso.kbd"
ifconfig_em0="inet censored netmask 0xfffffff0"
defaultrouter="censored"
ntpd_enable="YES"
dumpdev="AUTO"
#sshd_enable=TRUE #temporary disabled until the fail2ban firewall problem is solved
pf_enable="YES"
fail2ban_enable=TRUE
```
I'm sorry for my bad English (and the German comments.. just ignore them!).
Thanks in advance!
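
A check for the mismatch described in this post, where `fail2ban-client status ssh` lists an address as banned while pf does not block it. This is an added example, not part of the original post; the function names are hypothetical and the sample command outputs are constructed.

```sh
#!/bin/sh
# Added example: report addresses fail2ban lists as banned that are missing
# from the pf table. Function names are hypothetical; samples are constructed.

# Addresses on the "IP list:" line of `fail2ban-client status <jail>` (stdin).
f2b_banned() {
    sed -n 's/.*IP list:[[:space:]]*//p' | tr -s ' \t' '\n' | sed '/^$/d' | sort -u
}

# Entries printed by `pfctl -t <table> -T show` (stdin), whitespace stripped.
pf_entries() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' | sort -u
}

# $1 = fail2ban status text, $2 = pf table text. Prints each banned address
# with no exact match in the table (-Fx, so 10.0.0.1 does not match 10.0.0.10).
# Limitation: a host covered only by a CIDR entry in the table is reported too.
missing_from_pf() {
    f2b_list=$(printf '%s\n' "$1" | f2b_banned)
    pf_list=$(printf '%s\n' "$2" | pf_entries)
    for ip in $f2b_list; do
        printf '%s\n' "$pf_list" | grep -Fxq -- "$ip" || printf '%s\n' "$ip"
    done
}

# Constructed sample outputs (documentation addresses, not from the post).
SAMPLE_F2B='Status for the jail: ssh
|- filter
|  |- File list:        /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed:     12
`- action
   |- Currently banned: 2
   |  `- IP list:       198.51.100.23 203.0.113.7
   `- Total banned:     2'
SAMPLE_PF='   203.0.113.7'

# On a live host:
#   missing_from_pf "$(fail2ban-client status ssh)" "$(pfctl -t fail2ban -T show)"
missing_from_pf "$SAMPLE_F2B" "$SAMPLE_PF"   # prints 198.51.100.23
```

An empty result means every address fail2ban considers banned is present in the table, so a ban that still has no effect is then a matter of the pf ruleset rather than of the fail2ban action.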