PF fail2ban does not feed pf table

Hello all,

I just configured fail2ban (Fail2Ban v0.10.3.fix1), it works fine for banning IPs, but that's all, the table in pf is still empty.
Code:
[root@numenor ~]# fail2ban-client status sasl
Status for the jail: sasl
|- Filter
|  |- Currently failed: 3
|  |- Total failed:     4
|  `- File list:        /var/log/maillog
`- Actions
   |- Currently banned: 9
   |- Total banned:     9
   `- Banned IP list:   191.96.249.92 191.96.249.24 191.96.249.26 191.96.249.13 45.125.66.126 191.96.249.14 191.96.249.61 185.222.209.88 93.174.93.32
But the table is still empty:
Code:
[root@numenor ~]# pfctl -t fail2ban -T show
[root@numenor ~]#

My pf.conf is quite simple:
Code:
[root@numenor ~]# cat /etc/pf.conf 
#       $FreeBSD: stable/11/share/examples/pf/pf.conf 293862 2016-01-14 01:32:17Z kevlo $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $

set skip on lo0
pass out quick all

tcp_services = "{ 2222, http, https, smtp, submission, domain }"        # 2222 is ssh
table <fail2ban> persist
#anchor "f2b/*"

block in all
block in quick from <fail2ban>
pass in quick inet proto icmp all
pass in quick inet6 proto icmp6 all
pass in proto tcp from any to any port $tcp_services
pass in proto udp from any to any port domain

anchor "f2b/*"

I googled around, and can not find any clue.

Thanks in advance for any help

Regards,

Xavier
 
Thanks for your answer, SirDice, but I just followed that very tutorial... And I have that in my config
Code:
[DEFAULT]
bantime = 86400
findtime = 3600
maxretry = 3
banaction = pf

Xavier
 
That fail2ban tutorial is based on pre 0.10 fail2ban. Things are different now.

The /usr/local/etc/fail2ban/jail.d directory should contain your configuration files for the jails. In those files, action = pf_[something] lines point to the appropriate action file located in /usr/local/etc/fail2ban/action.d, and in those action files will be actionban = /sbin/pfctl -t <tablename> -T add <ip>/32 lines to add an IP address to a pf table. The table name is also set in the action file.

So that's the short version of what you need to do...

Edit - take a look at /usr/local/etc/fail2ban/action.d/pf.conf for the stock pf action file. pf_[something] files are my own custom files.
 
So, if you wanted to enable the bsd-sshd filter, create /usr/local/etc/fail2ban/jail.d/bsd-sshd.local and add the following:

Code:
[bsd-sshd]
enabled  = true
filter   = bsd-sshd
action   = pf
logpath  = /var/log/auth.log
findtime  = 43200
maxretry = 1
bantime  = 86400
 
@Datapanic Hope I'm not being dense, but I don't see where the PF tablename is explicitly set here. Is it perhaps the name of the filter or simply the name of the action itself, ie, bsd-sshd in either case?

I've added anchor "f2b/*" to my pf.conf file, but that is not enough right?
 
Ah... found the answer here:
I’d previously never had any problems with pre-0.10 releases of Fail2Ban on FreeBSD using PF. It was fairly straightforward. A quick table creation in PF and then a call to the “pf” action configuration and done! However, the latest 0.10.1 version is a completely different animal; utilizing PF anchors instead of a simple persistent table as well as different ban actions for the PF action configuration. I’d struggled a bit trying to get all my favorite jail configurations back into place so I decided I’d toss this out there in case anyone else ran into the same or similar issue(s).

anchor table names are created using the name of the jail (the information contained in the [] brackets on the first line (in this case, "bsd-ssh-pf")),

See: FreeBSD: Fail2Ban 0.10.1 with PF Configuration

I'm using this from that page and it seems to be working:
Code:
[DEFAULT]
banaction = pf

[bsd-ssh-pf]
enabled = true
filter = bsd-sshd
logpath = /var/log/auth.log
findtime = 600
maxretry = 3
bantime  = 86400

Code:
$ sudo tail -15 /var/log/fail2ban.log
2019-02-21 12:15:02,947 fail2ban.server         [55103]: INFO    --------------------------------------------------
2019-02-21 12:15:02,948 fail2ban.server         [55103]: INFO    Starting Fail2ban v0.10.4
2019-02-21 12:15:02,948 fail2ban.server         [55103]: INFO    Daemon started
2019-02-21 12:15:03,119 fail2ban.database       [55103]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'
2019-02-21 12:15:03,123 fail2ban.jail           [55103]: INFO    Creating new jail 'bsd-ssh-pf'
2019-02-21 12:15:03,136 fail2ban.jail           [55103]: INFO    Jail 'bsd-ssh-pf' uses poller {}
2019-02-21 12:15:03,137 fail2ban.jail           [55103]: INFO    Initiated 'polling' backend
2019-02-21 12:15:03,210 fail2ban.filter         [55103]: INFO    Added logfile: '/var/log/auth.log' (pos = 0, hash = 4a801f065ad99e8a45ec9ae823597e2e)
2019-02-21 12:15:03,212 fail2ban.filter         [55103]: INFO      maxRetry: 3
2019-02-21 12:15:03,213 fail2ban.filter         [55103]: INFO      encoding: US-ASCII
2019-02-21 12:15:03,214 fail2ban.filter         [55103]: INFO      findtime: 600
2019-02-21 12:15:03,215 fail2ban.actions        [55103]: INFO      banTime: 86400
2019-02-21 12:15:03,229 fail2ban.jail           [55103]: INFO    Jail 'bsd-ssh-pf' started
2019-02-21 12:15:03,280 fail2ban.filter         [55103]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 12:12:22
2019-02-21 12:15:03,282 fail2ban.filter         [55103]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 12:13:35
 
So, to check the IPs currently banned by the above rule, one could issue the below command:
~# pfctl -a "f2b/bsd-ssh-pf" -t f2b-bsd-ssh-pf -Ts

Hmmm... I'm not getting any output here. Should be at least one IP blocked I think...
 
Not working yet. Fail2ban sees entries in the auth.log but isn't adding the IP to PF. Any ideas what is going wrong here?

Code:
2019-02-21 12:43:50,969 fail2ban.actions        [56816]: NOTICE  [bsd-ssh-pf] Ban 39.105.13.185
2019-02-21 12:49:11,725 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 12:49:11
2019-02-21 12:50:21,733 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 12:50:21
2019-02-21 13:01:49,813 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:01:49
2019-02-21 13:02:58,672 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:02:58
2019-02-21 13:14:22,322 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:14:21
2019-02-21 13:15:33,553 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:15:33
2019-02-21 13:26:43,557 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:26:43
2019-02-21 13:27:48,571 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:27:48
2019-02-21 13:39:00,426 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:39:00
2019-02-21 13:40:13,643 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:40:13
2019-02-21 13:51:48,370 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:51:48
2019-02-21 13:53:01,723 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 13:53:01
2019-02-21 14:04:40,819 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 14:04:40
2019-02-21 14:05:54,740 fail2ban.filter         [56816]: INFO    [bsd-ssh-pf] Found 39.105.13.185 - 2019-02-21 14:05:54
 
No, I did not. The earlier version seemed reasonably intuitive. The current just seems massively over-engineered and overly complicated. So I removed it.
Agreed.

However, the missing piece was likely adding the following to /etc/pf.conf:

Code:
# Tables
table <f2b> persist

I also followed the example at the site you mentioned: https://web.archive.org/web/20230526190712/https://www.purplehat.org/?page_id=566

After reading thru the man page for pf, the fact that there was no table defined became clear.

So, for those who may be having issues getting Fail2Ban working on FreeBSD with pf, following the guide above and adding the table directive, will do the trick.
 
I think I have managed to make this work! (Although I barely know what I'm doing!)

The part that was missing for me was the anchor, as I already had the 'f2b' table in /etc/pf.conf:

Code:
table <f2b> persist
...
anchor "f2b/*"
...
block drop in log quick on $vtnet0 from <f2b> to any

My jail also has a different name - it's simply 'sshd'. But I can see IP addresses with this command:

pfctl -a "f2b/sshd" -t f2b-sshd -Ts

So, I must have done something right!
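The check command in the last post points at what the thread circles around: with the stock action.d/pf.conf shipped by fail2ban 0.10.x, a ban does not go into a top-level table at all. The action loads its rules into the anchor f2b/<jail> and adds the IP to the table <f2b-<jail>> inside that anchor, so `pfctl -t fail2ban -T show` on the main ruleset will always be empty, and the one line pf.conf cannot do without is an uncommented `anchor "f2b/*"`. The script below is an added diagnostic, not from any post in this thread or from the fail2ban project: it parses the output of `fail2ban-client status <jail>` and of `pfctl -a f2b/<jail> -t f2b-<jail> -Ts`, lists every IP fail2ban believes is banned that pf is not actually holding, and checks pf.conf for a live anchor line. The jail name sshd, the IPs and the pf.conf snippets are constructed sample data; when pfctl and fail2ban-client are present it runs against the real jail given as its first argument instead.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose "fail2ban says banned, pf shows
# nothing" on FreeBSD with fail2ban 0.10.x. Assumes the stock action.d/pf.conf,
# which bans into the per-jail anchor f2b/<jail>, table <f2b-<jail>>, and needs
# an `anchor "f2b/*"` line in /etc/pf.conf. All sample data below is constructed.

# One IP per line from `fail2ban-client status <jail>` output passed as $1.
f2b_banned_ips() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Banned IP list:[[:space:]]*//p' \
      | tr ' ' '\n' | grep -v '^$' | sort -u
}

# One IP per line from `pfctl -a f2b/<jail> -t f2b-<jail> -Ts` output passed
# as $1; pfctl indents entries and may print a /32 suffix, so normalise both.
pf_table_ips() {
    printf '%s\n' "$1" \
      | sed -e 's/^[[:space:]]*//' -e 's#/32$##' | grep -v '^$' | sort -u
}

# Print IPs fail2ban reports as banned that are absent from the pf table.
# $1 = fail2ban-client status output, $2 = pfctl -Ts output.
# Returns 0 when every ban is enforced by pf, 1 when at least one is missing.
missing_from_pf() {
    tmp=$(mktemp) || return 2
    pf_table_ips "$2" >"$tmp"
    f2b_banned_ips "$1" | awk -v pf="$tmp" '
        BEGIN { while ((getline line < pf) > 0) seen[line] = 1 }
        !($0 in seen) { print; missing = 1 }
        END { if (missing) exit 1; exit 0 }'
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Check pf.conf text ($1) for the line the stock action cannot work without:
# an uncommented `anchor "f2b/*"` so the per-jail anchors are evaluated.
pfconf_has_anchor() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*anchor[[:space:]]+"f2b/\*"'
}

# Live check of one jail, using the anchor/table names the stock action creates.
check_jail() {
    jail=$1
    missing_from_pf "$(fail2ban-client status "$jail")" \
                    "$(pfctl -a "f2b/$jail" -t "f2b-$jail" -Ts)"
}

# Constructed sample mirroring the thread's symptom: two bans, empty pf table.
SAMPLE_F2B='Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:   203.0.113.7 198.51.100.9'
SAMPLE_PF_EMPTY=''
SAMPLE_PF_OK='   203.0.113.7/32
   198.51.100.9'
# Constructed pf.conf fragments: the anchor commented out, and a working one.
SAMPLE_PFCONF_BAD='table <fail2ban> persist
#anchor "f2b/*"
block in quick from <fail2ban>'
SAMPLE_PFCONF_OK='table <f2b> persist
anchor "f2b/*"
block drop in log quick from <f2b> to any'

if command -v pfctl >/dev/null 2>&1 && command -v fail2ban-client >/dev/null 2>&1; then
    pfconf_has_anchor "$(cat /etc/pf.conf)" || echo 'pf.conf: no active anchor "f2b/*" line'
    check_jail "${1:-sshd}" && echo "all fail2ban bans are in pf" \
        || echo "IPs above are banned by fail2ban but not present in pf"
else
    echo "pfctl/fail2ban-client not found; running the constructed sample"
    missing_from_pf "$SAMPLE_F2B" "$SAMPLE_PF_EMPTY" \
        || echo "sample: IPs above are banned by fail2ban but not present in pf"
fi
```

Run it as root with the jail name as the argument (`sh f2b-pf-check.sh sshd`); an empty result with exit status 0 means pf is enforcing every ban fail2ban reports. If it lists IPs, look at /var/log/fail2ban.log for errors from the pf action and at `pfctl -a "f2b/<jail>" -sr` to confirm the anchor actually received its block rule.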
 