[bsdftp] enabled = true filter = bsdftp action = pf logpath = /var/log/auth.log bantime = 1800 findtime = 1800 maxretry = 5
Reaction score: 9,783
Reaction score: 791
I use fail2ban extensively with PF to block SSH, SASL, Dovecot, and Postfix brute-force and DoS attacks. I also have custom-made scripts to log all permanent banned IP addresses so PF can reload the blacklist when restarted. It works very well. I plan to add Nginx to block scanners, spiders or requests for sensitive or missing files.
Need to be careful about http as http requests could be legitimate. You can limit concurrent connections to single IP address via PF or Nginx config to block http DoS attacks. Once that concurrent connection reaches its max then you can permanent ban that IP address.
BTW, my next goal: multiple actions for a given jail.d entry. Anyone done that? e.g. if something is doing nasty stuff on the website, block them from both http and ssh.
block drop in log quick on $wan_ifs from <fail2ban> to any
... I also have custom-made scripts to log all permanent banned IP addresses so PF can reload the blacklist when restarted. ...
Could you please post the configuration files or a link to your blog when you explain things? Thank you!
# Tables table <fail2ban> persist file "/etc/pf.blacklist" # Fail2ban block in log quick on $ext_if from <fail2ban> to any
[DEFAULT] bantime = 3600 findtime = 604800 maxretry = 3 [sshd] enabled = true filter = bsd-sshd action = pf logpath = /var/log/auth.log /jails/web/var/log/auth.log [pf-offender] enabled = true filter = pf-offender action = pf-offender logpath = /var/log/fail2ban.log bantime = -1
[Definition] actionban = /usr/local/etc/fail2ban/scripts/pf-offender.sh add <ip> actionunban = /usr/local/etc/fail2ban/scripts/pf-offender.sh delete <ip>
[Definition] actionban = /usr/local/etc/fail2ban/scripts/pf-offender.sh blacklist <ip>
[INCLUDES] before = common.conf [Definition] _daemon = pf-offender failregex = NOTICE \[\S*\] Ban <HOST> ignoreregex =
chmod +x pf-offender.sh.
#!/bin/tcsh set cmd = $1 set ip = $2 set file = `grep -c $ip /etc/pf.blacklist` set table = `pfctl -t fail2ban -T show | grep -c $ip` set date = `date +"%Y-%m-%d"` # add temp banned ip to pf table if ( $cmd == "add" && "$table" == "0" ) then pfctl -t fail2ban -T add $ip endif # delete temp banned ip from pf table if ( $cmd == "delete" && "$file" == "0" ) then pfctl -t fail2ban -T delete $ip endif # add permanent banned ip to pf table and blacklisted file if ( $cmd == "blacklist" && "$file" == "0" ) then # add ip if not found in table if ( "$table" == "0" ) then pfctl -t fail2ban -T add $ip endif echo $ip >> /etc/pf.blacklist echo $date - $ip >> /etc/pf.blacklist.txt endif # populate permanent banned ip to pf table from blacklist file # this is not needed as pf uses the blacklist file if ( $cmd == "populate" ) then foreach line ( "`cat /etc/pf.blacklist`" ) pfctl -t fail2ban -T add $line end endif
For this in particular, security/py-fail2ban gained support for using a SQLite database for persistent storage of banned addresses. I just checked the Freshports change log and that was introduced in the 0.9.0 update in May of 2014. So you may be able to save some effort not duplicating that functionality with a custom script.
Reaction score: 44