How to stop brute force passwords

The thing is that I installed the system from packages
pkg install fail2ban
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
Fetching meta.conf: 100% 178 B 0.2kB/s 00:01
Fetching data.pkg: 100% 7 MiB 2.3MB/s 00:03
Processing entries: 100%
FreeBSD repository update completed. 33387 packages processed.
All repositories are up to date.
pkg: No packages available to install matching 'fail2ban' have been found in the repositories
 
Nowadays there shouldn't be any inetd service accessible from the internet... what exactly are you running via inetd?


RE fail2ban: the package isn't named "fail2ban" - see the ports page on freshports.org or do a pkg search.
For a native solution see blacklistd(8).
 
Sorry, I don't speak English, that's why I posted the link to freshports.
Anyway, to be able to use fail2ban you also need a firewall with a table (ipfw) or anchor (pf) which will hold the blocked IP addresses. The best result will be to rate limit the number of login attempts per source IP address combined with fail2ban monitoring of the log files.
Here's the quote from the freshports:

To install the port:

cd /usr/ports/security/py-fail2ban/ && make install clean

To add the package, run one of these commands:
  • pkg install security/py-fail2ban
  • pkg install py39-fail2ban
NOTE: If this package has multiple flavors (see below), then use one of them instead of the name specified above.
NOTE: This is a Python port. Instead of py39-fail2ban listed in the above command, you can pick from the names under the Packages section.

example:

#!/bin/sh
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
fwcmd="ipfw -q add"
# External interface for the port 80/443 rules below (placeholder; set to your NIC)
vif="em0"
cat /usr/local/etc/ipfw.table1 | xargs -n1 ipfw table 1 add

# Loopback address
$fwcmd 100 allow ip from any to any via lo0
$fwcmd 200 deny ip from any to 127.0.0.0/8
$fwcmd 300 deny ip from 127.0.0.0/8 to any
$fwcmd 400 deny ip from any to ::1
$fwcmd 500 deny ip from ::1 to any

# Deny table 1 list of ip addresses for fail2ban
$fwcmd 550 deny tcp from 'table(1)' to any

# ipv6 ND DAD
$fwcmd 600 allow ipv6-icmp from :: to ff02::/16

# ipv6 RS, RA, NS, NA, redirect
$fwcmd 700 allow ipv6-icmp from fe80::/10 to fe80::/10
$fwcmd 800 allow ipv6-icmp from fe80::/10 to ff02::/16

# Allow ICMPv6 destination unreachable
$fwcmd 900 allow ipv6-icmp from any to any ip6 icmp6types 1

# Allow NS/NA/toobig (don't filter it out)
$fwcmd 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136

# Allow packets for which a state has been built
$fwcmd 1100 check-state

# For services permitted below
$fwcmd 1200 allow tcp from me to any established

# Allow any connection out, adding state for each
$fwcmd 1300 allow tcp from me to any setup keep-state
$fwcmd 1400 allow udp from me to any keep-state
$fwcmd 1500 allow icmp from me to any keep-state
$fwcmd 1600 allow ipv6-icmp from me to any keep-state

# Allow DHCP
$fwcmd 1700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
$fwcmd 1800 allow udp from any 67 to me dst-port 68 in
$fwcmd 1900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
$fwcmd 2000 allow udp from fe80::/10 to me dst-port 546 in

# ICMP echo8,DestUnreachable3,SourceQuench4,TimeExceeded11
$fwcmd 2100 allow icmp from any to any icmptypes 8
$fwcmd 2200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
$fwcmd 2300 allow icmp from any to any icmptypes 3,4,11
$fwcmd 2400 allow ipv6-icmp from any to any ip6 icmp6types 3

# MyServices Accept and log ssh on 2222
$fwcmd 2510 allow tcp from 192.0.2.0/24 to me dst-port 2222 setup limit src-addr 2

$fwcmd 2600 allow tcp from any to me dst-port 80 in via $vif setup limit src-addr 10
$fwcmd 2610 allow tcp from any to me dst-port 443 in via $vif setup limit src-addr 10
# Accounting
$fwcmd 65000 count ip from any to any
 
The thing is that I installed the system from packages
pkg install fail2ban
Pay attention to the package names. It's py311-fail2ban (because Python 3.11 is the default). Or use the origin; pkg install security/py-fail2ban
 
There's also sshguard, someone wrote a nice tutorial on these forums. A little outdated, but I remember posting an update to OP's tutorial


There are updates at the end of the thread.
 
Just use the port origin instead of the actual package name. pkg install security/py-fail2ban
 
It won't stop the DDoS from happening, you still get a whole bunch of connection requests.
 
Thank you very much. I worked with fail2ban on CentOS for a long time, and now I will try on FreeBSD.
 
So what is the best safeguarding solution for DDoS?
Have a talk with your provider. Your connection is like a funnel, the firewall is the plug at the bottom of that funnel. When you pour water in at the top of that funnel it's going to overflow at some point, doesn't matter if you plug the bottom. You need to stop the water being poured in at the top. And you have no control there.
 
Have a talk with your provider. Your connection is like a funnel, the firewall is the plug at the bottom of that funnel. When you pour water in at the top of that funnel it's going to overflow at some point, doesn't matter if you plug the bottom. You need to stop the water being poured in at the top. And you have no control there.
My provider would not discuss or care who or what floods my IP(s), when they let me play my own TCP/IP service(s). Though, I have a router that has a DDoS protection option, so I have to talk to my router's manufacturer about how they keep the funnel from overflowing :)
 
Problem
fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
fail2ban-client status sshd
2024-08-13 21:47:39,859 fail2ban [4435]: ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
 
Not enough info.
What do you have in /usr/local/etc/fail2ban/jail.local

[DEFAULT]
action = bsd-ipfw
bantime = 2592000
ignoreip = 127.0.0.1/8, 192.0.2.0/29
maxretry = 3

[sshd]
enabled = true
filter = bsd-sshd
 
I understand that in this block it was necessary to enable jail:
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = true
But after this:
service fail2ban start
2024-08-13 22:36:35,586 fail2ban [4696]: ERROR Failed during configuration: Have not found any log file for selinux-ssh jail
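
Added example, not part of the thread and not fail2ban's own code: a small audit that shows why `enabled = true` under `[DEFAULT]` switches on every jail (including `selinux-ssh`), while enabling only `[sshd]` in jail.local does not. The config texts are constructed stand-ins, `audit_jails` is a hypothetical helper, and it models only the `enabled` key (no jail.d/ files, no `%(...)s` interpolation).

```python
import configparser

# Constructed stand-in for jail.conf with the mistake from the thread: enabled = true in [DEFAULT].
JAIL_CONF_EDITED = """
[INCLUDES]
before = paths-freebsd.conf
[DEFAULT]
enabled = true
[sshd]
port = ssh
[selinux-ssh]
port = ssh
"""
JAIL_CONF_STOCK = JAIL_CONF_EDITED.replace("enabled = true", "enabled = false")

# jail.local as posted in the thread.
JAIL_LOCAL = """
[DEFAULT]
action = bsd-ipfw
bantime = 2592000
ignoreip = 127.0.0.1/8, 192.0.2.0/29
maxretry = 3
[sshd]
enabled = true
filter = bsd-sshd
"""

TRUE_VALUES = {"1", "true", "yes", "on"}
NOT_JAILS = {"DEFAULT", "INCLUDES"}

def audit_jails(*sources):
    """Merge config texts in load order (later wins); return {jail: how it was enabled}."""
    # default_section is renamed so [DEFAULT] stays an ordinary, inspectable section.
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None, strict=False)
    for text in sources:
        cp.read_string(text)
    default_on = cp.get("DEFAULT", "enabled", fallback="false").strip().lower() in TRUE_VALUES
    report = {}
    for name in (s for s in cp.sections() if s not in NOT_JAILS):
        own = cp.get(name, "enabled", fallback=None)
        if own is not None:
            if own.strip().lower() in TRUE_VALUES:
                report[name] = "explicit"
        elif default_on:
            report[name] = "inherited from [DEFAULT]"
    return report

if __name__ == "__main__":
    for label, conf in (("edited jail.conf", JAIL_CONF_EDITED), ("stock jail.conf", JAIL_CONF_STOCK)):
        print(label, "->", audit_jails(conf, JAIL_LOCAL))
```

Any jail reported as inherited is one that fail2ban will try to start and for which it needs a log file.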
 
Why are there 2 [DEFAULT] blocks in jail.conf?
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information



# Comments: use '#' for comment lines and ';' (following a space) for inline comments


[INCLUDES]

#before = paths-distro.conf
before = paths-freebsd.conf
[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
#bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time
 