Could you please post the configuration files or a link to your blog when you explain things? Thank you!
My scripts are still in development but it works for now. Feel free to modify or improve them if you wish.
The following must be present in /etc/pf.conf, otherwise the fail2ban actions below have no table to add addresses to and nothing will be blocked.
/etc/pf.conf
Code:
# Tables
# <fail2ban> is the table pf-offender.sh adds addresses to and removes them from.
# "persist" keeps the table alive even when no rule references it; "file" loads
# it from /etc/pf.blacklist every time the ruleset is loaded, which is how the
# permanent bans survive a pf restart/reload. That file must therefore hold only
# addresses, one per line (no dates -- see pf.blacklist.txt for the history).
table <fail2ban> persist file "/etc/pf.blacklist"
# Fail2ban
# Drop (and log to pflog) anything arriving on the external interface from a
# banned address. "quick" stops rule evaluation here, so place this rule before
# any "pass ... quick" rule that could otherwise let a banned host through.
# NOTE(review): $ext_if is a macro that must be defined earlier in pf.conf; it is
# not part of this snippet.
block in log quick on $ext_if from <fail2ban> to any
sshd jail – uses a custom pf action to temporarily ban and unban IP addresses.
pf-offender jail – an IP address is permanently banned after three temporary bans within the findtime window.
/usr/local/etc/fail2ban/jail.local
Code:
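[DEFAULT]
# A temporary ban lasts one hour.
bantime = 3600
# Failures (and, for pf-offender, temporary bans) are counted over a 7-day window.
# Note that this window also applies to the sshd jail: 3 failed logins within a
# week earn a ban, which is deliberately strict -- tune findtime/maxretry here or
# per jail if that is too aggressive for your users.
findtime = 604800
maxretry = 3
[sshd]
enabled = true
filter = bsd-sshd
# "pf" = the stock action.d/pf.conf overlaid by action.d/pf.local (the custom
# ban/unban commands that call pf-offender.sh).
action = pf
# Several log files for one jail: every continuation line MUST be indented,
# otherwise the config parser does not treat it as part of the logpath value
# and the second file is never watched.
logpath = /var/log/auth.log
          /jails/web/var/log/auth.log
[pf-offender]
enabled = true
filter = pf-offender
action = pf-offender
# Watches fail2ban's own log for "Ban" notices from any jail.
logpath = /var/log/fail2ban.log
# findtime and maxretry are inherited from [DEFAULT]: three temporary bans of
# the same address within a week make the ban permanent (bantime -1 = forever).
bantime = -1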
Custom pf action that bans and unbans IP addresses through the script below; as a .local file it overrides the corresponding commands of the stock pf action.
/usr/local/etc/fail2ban/action.d/pf.local
Code:
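[Definition]
# The stock action.d/pf.conf is still read underneath this file; only the keys
# listed here replace its values. Its own start/stop/check/flush commands (not
# shown here; they differ between fail2ban versions and manage a table of their
# own) are neutralised below because the <fail2ban> table is declared in
# /etc/pf.conf and needs no setup or teardown from fail2ban. Leaving actionflush
# empty also makes fail2ban unban addresses one by one on stop, so that
# pf-offender.sh can keep blacklisted addresses in the table.
# NOTE(review): compare with the action.d/pf.conf shipped with your version.
actionstart =
actionstop =
actioncheck =
actionflush =
# Temporary ban/unban are delegated to the script, which validates <ip>, treats
# it as a literal address and never removes an address listed in
# /etc/pf.blacklist.
actionban = /usr/local/etc/fail2ban/scripts/pf-offender.sh add <ip>
actionunban = /usr/local/etc/fail2ban/scripts/pf-offender.sh delete <ip>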
Custom action that adds an IP address to the permanent blacklist.
/usr/local/etc/fail2ban/action.d/pf-offender.local
Code:
[Definition]
# Permanent ban: pf-offender.sh appends <ip> to /etc/pf.blacklist (recording it
# with a date in /etc/pf.blacklist.txt) and adds it to the pf table if missing.
# There is deliberately no actionunban: the jail uses bantime = -1, and the
# script's "delete" command refuses to remove blacklisted addresses anyway, so a
# fail2ban stop/restart leaves the permanent bans in the table.
actionban = /usr/local/etc/fail2ban/scripts/pf-offender.sh blacklist <ip>
This filter (not a script) watches fail2ban's own log for the temporary bans issued by any jail — ssh, sasl, postfix, dovecot, etc.
/usr/local/etc/fail2ban/filter.d/pf-offender.local
Code:
[INCLUDES]
# Pull in fail2ban's shared definitions (date patterns, __prefix_line, ...).
before = common.conf
[Definition]
# Daemon name consumed by common.conf's __prefix_line. It only takes effect if a
# regex is written with %(__prefix_line)s, which the one below is not, so it is
# currently informational.
_daemon = pf-offender
# Match the "NOTICE [<jail>] Ban <ip>" line fail2ban writes whenever any jail
# bans a host: \S* does not pin the jail name, so bans from every jail feed this
# counter, and the literal "] Ban " keeps "Unban" lines out. The pf-offender
# jail's own Ban notice matches too; presumably harmless, since the address is
# already banned by then -- verify in fail2ban.log.
failregex = NOTICE \[\S*\] Ban <HOST>
ignoreregex =
The script below is still in development, but it works. It maintains two blacklist files in /etc. The plain text file
pf.blacklist is read by pf (through the "persist file" directive above) to repopulate the table after a restart or reload. A second file,
pf.blacklist.txt, keeps a dated history of the permanently banned addresses. They are kept separate because pf needs a clean list of addresses only, without dates. The script runs pfctl and writes to /etc, so it needs root privileges. Don't forget to make it executable:
chmod +x /usr/local/etc/fail2ban/scripts/pf-offender.sh
/usr/local/etc/fail2ban/scripts/pf-offender.sh
Code:
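#!/bin/tcsh
#
# pf-offender.sh -- keep the pf <fail2ban> table in sync with fail2ban.
#
# Called by the fail2ban actions in action.d/pf.local and
# action.d/pf-offender.local:
#   pf-offender.sh add <ip>        temporary ban: put <ip> in the table
#   pf-offender.sh delete <ip>     unban: remove <ip>, unless it is blacklisted
#   pf-offender.sh blacklist <ip>  permanent ban: table + /etc/pf.blacklist
#   pf-offender.sh populate        (manual) reload /etc/pf.blacklist into the table
#
# Files:
#   /etc/pf.blacklist      addresses only, one per line.  pf.conf loads this
#                          file into the table with "persist file", so it must
#                          never contain dates or comments.
#   /etc/pf.blacklist.txt  human-readable history: "<YYYY-MM-DD> - <ip>"
#
# Exit status: 0 on success; 1 on a usage error, an unknown command or an
# address that fails validation.  Needs root (pfctl, files in /etc).

set blacklist = /etc/pf.blacklist
set historyfile = /etc/pf.blacklist.txt
set table = fail2ban

if ( $#argv < 1 ) then
    echo "usage: $0 add|delete|blacklist <ip>  |  $0 populate"
    exit 1
endif
set cmd = "$1"

# pf.conf's "persist file" needs this file to exist, and the grep below must
# see an empty file rather than an error: an error left $in_file empty, which
# silently disabled both "delete" and "blacklist".
if ( ! -e $blacklist ) touch $blacklist

if ( "$cmd" == "populate" ) then
    # Not needed in normal operation -- pf re-reads the file itself on every
    # ruleset load.  Kept as a manual repair command.
    foreach line ( "`cat $blacklist`" )
        if ( "$line" != "" ) pfctl -t $table -T add "$line"
    end
    exit 0
endif

if ( $#argv != 2 ) then
    echo "usage: $0 $cmd <ip>"
    exit 1
endif
set ip = "$2"

# Accept only the characters of a literal IPv4/IPv6 address.  fail2ban hands
# us a resolved address, but the value still originates from log lines, and
# anything else (e.g. a leading "-") would reach pfctl as an option.
set valid = `printf '%s\n' "$ip" | grep -c -E '^[0-9A-Fa-f.:]+$'`
if ( "$valid" != "1" ) then
    echo "$0: refusing malformed address '$ip'"
    exit 1
endif

# Literal, whole-line matches.  The previous "grep -c $ip" used the address as
# a regex with no anchoring: the dots matched any character, so 1.2.3.4 was
# "found" whenever 11.2.3.45 was listed, and a temporary ban could then never
# be removed or a permanent one never recorded.
set in_file = `grep -c -F -x -- "$ip" $blacklist`
set in_table = `pfctl -t $table -T show | awk '{ print $1 }' | grep -c -F -x -- "$ip"`
set today = `date +"%Y-%m-%d"`

switch ( "$cmd" )
case add:
    # fail2ban actionban for a temporary ban
    if ( "$in_table" == "0" ) pfctl -t $table -T add "$ip"
    breaksw
case delete:
    # fail2ban actionunban: a blacklisted address is never removed, so an
    # expiring temporary ban cannot undo a permanent one
    if ( "$in_file" == "0" ) pfctl -t $table -T delete "$ip"
    breaksw
case blacklist:
    # permanent ban: record it once, and make sure the table has it
    if ( "$in_file" == "0" ) then
        if ( "$in_table" == "0" ) pfctl -t $table -T add "$ip"
        echo "$ip" >> $blacklist
        echo "$today - $ip" >> $historyfile
    endif
    breaksw
default:
    # Previously an unknown command exited 0 and did nothing; fail loudly so
    # fail2ban logs the misconfiguration.
    echo "$0: unknown command '$cmd'"
    exit 1
endsw
exit 0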
Hope this helps.