IPFW fail2ban with ipfw

Hi, I need some help on understanding how to implement Fail2Ban with ipfw(8).

I have Fail2Ban installed and have setup ipfw(8).

I have Apache, Postfix, Dovecot, MySQL, SSH / sftp running on my server.

With ipfw I have MySQL, SSH / sftp to only permit IP addresses from my networks only.

For Apache I have separate logs for each domain, and currently there are only 2 domains I use.

I don't know where dovecot and Postfix logs the login details or failures. I do know /var/log/mail.log which normally shows errors. I don't know if the login failures are logged there. I installed both using the default paths.

For Apache do I need to use Fail2Ban? Or can I write code to ban IPs based on failed logins to my websites? What is Fail2Ban looking for in the Apache logs? Can it detect a potential DDoS or DoS attack?

I need some guidance since this is my first time using UNIX firewalls and first time using Fail2Ban. I need to secure my servers after about 10 failed attempts were detected to hack my servers. It came from a hacker in the U.S. and on top of that had lots of traffic coming from China.

I don't want to make a mistake configuring Fail2Ban.
 
I would suggest taking a look at the Fail2Ban documentation first to try to get an answer to most of your questions. For the ipfw(8) integration, there is a /usr/local/etc/fail2ban/action.d/ipfw.conf that suggests "action = ipfw" would make it easy to insert IPs into the ban table. I've only ever used Fail2Ban with PF and it's fairly straightforward there.
 
What's the ban table? I am using Webmin and used its preinstalled scripts that set up fail2ban with ipfw. However, the logs are showing some kind of error about how the logs are not submitting an IP address to fail2ban. It's submitting some other data.
 
You would have to define a table for Fail2Ban to use much like in PF. I'm not savvy with IPFW but did a few web searches and these links appear to be helpful.

https://sites.google.com/site/ghidit/how-to-2/secure-a-mail-server-running-dovecot-with-fail2ban
https://nileshgr.com/2013/04/18/securing-freebsd-server-with-fail2ban-and-ipfw

I have a table set up with IPFW. I added in Webmin the actual command to issue to add IPs to the table.

I need to know if Fail2Ban works. What is the best way to test it? I see some errors in the Fail2Ban log.

Saying stuff like:

Code:
"
CRITICAL Unhandled exception in Fail2Ban:
Traceback (most recent call last):
"
"
/filter.py", line 923, in addr2bin
return struct.unpack("!L", socket.inet_aton(ipstring))[0]
error: illegal IP address string passed to inet_aton
"

Those are 2 separate statements; after each, it has a list of directory paths to .py files. It spits out on what line and in what function the error or problem occurs.
 
The best way to test it is to run FreeBSD with IPFW in VirtualBox or on a spare computer and try to log in there.

That's the only way you'll know if your firewall is working correctly before you make changes to your server so you don't get locked out.
 
I think I just untethered my phone from WiFi and logged in repeatedly over SSH until it blocked me. The VM idea is fine too and probably the more conservative approach. I just use it on my home router so I don't mind some breakage.

That almost looks like Fail2Ban isn't getting an IP address for some reason. Is there a DNS hostname in the logs it is checking? Perhaps there is some configuration needed to ensure it uses IP addresses or perhaps Fail2Ban's filter for that particular service is using the wrong syntax. More context would be helpful.
 
The filters I am using are premade by Webmin.

Here's an example of the regular expression that they use:

For webmin logins:
Look at here: https://github.com/fail2ban/fail2ban/blob/master/config/filter.d/webmin-auth.conf

Here's a bunch of the log filters:
http://s1.postimg.org/ekmpyht6n/screeny.png

The logs that it checks, like those for Apache and Postfix, give more detail than just failure to log in. It spits out errors and warnings.

For Apache for some filters I used the http-error.log and for others I used the http-access.log.

Here's the fail2ban log:
http://s17.postimg.org/snu3diicf/screeny.png
 
The filter makes sense to me. Can you manually look at the Webmin logs on your system? Is what the "from <HOST>" is matching on an IP address or a host name?
 
For example, add the following to the existing rules in the ipfw rules file /usr/local/etc/ipfw.rules:

Code:
# Initial setting
/bin/sh /etc/rc.firewall open

# fail2ban IPs
if ! ipfw table 1 info > /dev/null 2>&1; then
    ipfw table 1 create
    ipfw table 1 flush
fi
ipfw add 1 deny ip from "table(1)" to me

Settings in the config /etc/rc.conf:

Code:
firewall_enable="YES"
firewall_type="open"
firewall_script="/usr/local/etc/ipfw.rules"

Create an additional action.d file for ipfw, /usr/local/etc/fail2ban/action.d/ipfw-table.local:

Code:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>

Create an additional configuration file jail.local by copying from the file jail.conf:
/usr/local/etc/fail2ban/jail.local

We make changes to the required section; I did it for sshd:

Code:
# JAILS
[sshd]

enabled = true
mode = aggressive
action = ipfw-table[name=SSH,port=ssh,protocol=tcp]
logpath = /var/log/auth.log
findtime = 600
maxretry = 3
bantime = 3600

Restart the firewall and the fail2ban service.
Also I set the default action in the file jail.local to use: ipfw-table
I checked that it works, although sometimes it takes 5 attempts, from the default, and not 3 as set in the sshd section.
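As an added illustration (not code from this thread or from Fail2Ban itself), the Python below ties together the addr2bin traceback quoted earlier and the ipfw-table action above: fail2ban expands the <HOST> placeholder into a pattern that also matches DNS names, so a log line carrying a hostname matches the failregex but then fails in addr2bin with exactly the inet_aton error shown, and only hosts that survive that conversion are rendered into the "ipfw table 1 add <ip>" command. The failregex and log lines are constructed for this example and are not the Webmin filter or a real log.

```python
import re
import socket
import struct

# fail2ban's <HOST> expansion (as in older releases): it accepts hostnames too,
# so a log line carrying a DNS name matches and the bare name reaches addr2bin.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed failregex in the style of webmin-auth.conf (not the upstream regex).
FAILREGEX = r"^.*webmin\[\d+\]: Invalid login as \S+ from <HOST>\s*$"

# Constructed sample log lines; the second carries a hostname instead of an IP.
SAMPLE_LOG = """\
Jan  1 10:00:01 host webmin[1234]: Invalid login as root from 203.0.113.7
Jan  1 10:00:02 host webmin[1234]: Invalid login as admin from attacker.example
Jan  1 10:00:03 host webmin[1234]: Successful login as admin from 192.0.2.9
"""

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def addr2bin(ipstring):
    """Same conversion as the filter.py line in the traceback above."""
    return struct.unpack("!L", socket.inet_aton(ipstring))[0]

def render_action(template, ip):
    """Substitute <ip> into an action.d command, e.g. 'ipfw table 1 add <ip>'."""
    return template.replace("<ip>", ip)

def find_failures(log_text, failregex, action="ipfw table 1 add <ip>"):
    """Return (commands, rejected): the ban commands for every matched host
    that is a valid dotted-quad address, plus the hosts inet_aton cannot
    convert, which is what raised the unhandled exception in the traceback."""
    pattern = compile_failregex(failregex)
    commands, rejected = [], []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        host = m.group("host")
        try:
            addr2bin(host)
        except OSError:  # socket.error: illegal IP address string passed to inet_aton
            rejected.append(host)
            continue
        commands.append(render_action(action, host))
    return commands, rejected
```

If the rejected list is non-empty on your own log lines, the log is recording hostnames where the filter expects addresses, which is the situation the question about "from <HOST>" is probing.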
 