Fail2Ban and FreeBSD

Hello,

I just installed security/py-fail2ban using pkg install py27-fail2ban. I then created /usr/local/etc/fail2ban/jail.d/ssh-pf.local with the following:
Code:
[ssh-pf]

enabled  = true
filter   = bsd-sshd
action   = pf
#          sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost]
logpath  = /var/log/auth.log
bantime  = 5400
findtime = 600
maxretry = 3

I now want to create some default setting so I vi /usr/local/etc/fail2ban/jail.local with the following setting:
Code:
[DEFAULT]
backend         = auto
bantime         = 5400
findtime        = 600
maxretry        = 5
destemail       = webmaster@me.com
ignoreip        = 127.0.0.1/8 213.146.159.xxx
logtargets      = /var/log/fail2ban.log
When renaming jail.conf to jail.local, do I lose everything that I haven't copied across from jail.conf?

Also, when restarting the fail2ban service, fail2ban clears the chain for the filter and parses the current log for matches, not the rotated logs. So you don't ban any IPs that were banned before logrotate rotated the old log.
Will adding the following solve this problem?
action.d/pf.local
Code:
actionban = /sbin/pfctl -t fail2ban -T add <ip>/32 && /sbin/pfctl -k <ip> && echo <ip> >> /etc/pf-files/fail2ban.pftable
Code:
table <fail2ban> counters file "/etc/pf-files/fail2ban.pftable"

Thank you
 
Hi,
Could anyone please help. I'm really stuck.
When renaming jail.conf to jail.local, do I lose everything that I haven't copied across from jail.conf?

Google isn't helping much on this subject :(
 
It's been a while but I don't think you're supposed to rename or copy anything. If I remember correctly you can use the *.local files to overrule settings from the *.conf files. That way your settings won't get overwritten if you reinstall or update fail2ban.
 
AFAIK, yes, you override certain keywords in /usr/local/etc/fail2ban/jail.local. They are expected to change the default behaviour for all jails.

However, whatever you put into the jail configuration (like you did above in the ssh-pf jail) will be taken into account per jail configuration. So, for example, if you have a default bantime of 600, but you provide a different value in the jail config, the latter one will take effect. In my case, I have got the following in /usr/local/etc/fail2ban/jail.d/sshd.conf:

Code:
[sshd]
enabled=true
port=ssh
bantime=3600
logpath = /var/log/messages

Then the bantime for that jail in question will be 3600 instead of 600. As for the rotated logs, in newer versions of fail2ban, AFAIR v0.9 and above, there is wildcard support for the logpath keyword option, so that it would parse the compressed logfiles, too. See manual here.

The default current logtarget keyword setting can be easily extracted with the following command:

Code:
[root@host /usr/local/etc/fail2ban/jail.d]# fail2ban-client get logtarget
Current logging target is:
`- /var/log/fail2ban.log
[root@host /usr/local/etc/fail2ban/jail.d]#
Did you try the fail2ban-client command?

As for me, I don't care about banning old IPs that have been banned previously or have bad history. An IP can become infected only for a certain amount of time, then the malicious software may be removed and the same IP may become "clean" :)
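As an added example (not code from the thread or from the fail2ban project), the following models how fail2ban layers its INI files in the order jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, with later files overriding earlier ones key by key. It answers both questions in the replies above: a *.local file overrides, it does not replace, and a jail's own key beats the DEFAULT one. The file contents are constructed stand-ins built from the values posted in this thread; Python's configparser is used because fail2ban's own reader is built on it.

```python
"""Constructed demonstration of fail2ban-style *.conf / *.local layering.

Not fail2ban's code: a minimal model using configparser so the override
semantics can be checked offline.
"""
from configparser import ConfigParser

# Constructed stand-in for the shipped jail.conf: DEFAULT values plus one
# jail that the package ships disabled.
JAIL_CONF = """
[DEFAULT]
bantime  = 600
findtime = 600
maxretry = 5
backend  = auto
ignoreip = 127.0.0.1/8

[sshd]
enabled = false
port    = ssh
filter  = sshd
logpath = /var/log/auth.log
"""

# The poster's jail.local: only DEFAULT keys, nothing about individual jails.
JAIL_LOCAL = """
[DEFAULT]
backend   = auto
bantime   = 5400
findtime  = 600
maxretry  = 5
destemail = webmaster@me.com
ignoreip  = 127.0.0.1/8 213.146.159.xxx
"""

# The poster's jail.d/ssh-pf.local, values as given in the thread.
SSH_PF_LOCAL = """
[ssh-pf]
enabled  = true
filter   = bsd-sshd
action   = pf
logpath  = /var/log/auth.log
bantime  = 5400
findtime = 600
maxretry = 3
"""


def load_layered(layers):
    """Read each text in order; read_string merges into sections already present,
    so a later layer only replaces the keys it actually sets."""
    cfg = ConfigParser(interpolation=None)
    for text in layers:
        cfg.read_string(text)
    return cfg


def effective(cfg, jail, key):
    """Value the jail really gets: its own key, else DEFAULT, else None."""
    return cfg.get(jail, key, fallback=None)


def enabled_jails(cfg):
    """Names of jails whose enabled flag resolves to true."""
    return sorted(s for s in cfg.sections()
                  if cfg.getboolean(s, "enabled", fallback=False))


if __name__ == "__main__":
    # Proper layering: jail.conf, then jail.local, then jail.d/*.local.
    cfg = load_layered([JAIL_CONF, JAIL_LOCAL, SSH_PF_LOCAL])
    for jail in cfg.sections():
        print(jail, {k: effective(cfg, jail, k)
                     for k in ("enabled", "bantime", "maxretry", "port")})
    # What renaming jail.conf to jail.local would do: the shipped [sshd]
    # section is gone, because nothing reads it any more.
    renamed = load_layered([JAIL_LOCAL, SSH_PF_LOCAL])
    print("sshd still defined after rename:", renamed.has_section("sshd"))
```

Running the block prints the resolved values per jail: ssh-pf keeps its own maxretry of 3 over the DEFAULT 5, the shipped sshd jail picks up the bantime of 5400 from jail.local but keeps its port from jail.conf, and the rename scenario shows the sshd section disappearing entirely.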
 