IPFW and Fail2Ban on FreeBSD 11.0

I cannot get fail2ban to work. The logs are looking okay, but it simply does not block ssh logins.

Any ideas?

fail2ban.local:
Code:
[Definition]
loglevel = DEBUG
dbpurgeage = 2592000

jail.local:
Code:
[DEFAULT]
action = %(action_mwl)s
# -- 3 days:
bantime = 259200
destemail = root
sender = root
mta = mail
findtime  = 600
maxretry = 2
ignoreip = 127.0.0.1 10.2.3.4

[bsd-sshd]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
banaction = bsd-ipfw
# action = bsd-ipfw[table=1]
blocktype = deny
 
Jails cannot change their network settings, including the firewall. You'll need to run fail2ban on the host.
 
Perhaps I was not clear. fail2ban runs fine, but it just fails to add banned IP addresses to my ipfw table 1.
 
Yes, but the firewall runs on the host, not the jail. So applications running inside a jail do not have access to it.
 
Sorry, but I do not get what you mean with jails. fail2ban runs as root and has full access. No BSD jails here.

Fact is: a similar setup on Linux runs fine with an "iptables -A INPUT <bad_ip> ..." but a similar "ipfw table 1 add <bad_ip>" does not happen. Table 1 is always empty.

So the question is why fail2ban does not detect ssh logins. When I try to force a bad ssh login, it logs:

Code:
2016-11-21 09:51:27,472 fail2ban.filtergamin    [10822]: DEBUG   Got event: 1 for /var/log/auth.log
2016-11-21 09:51:27,472 fail2ban.filtergamin    [10822]: DEBUG   File changed: /var/log/auth.log
2016-11-21 09:51:27,473 fail2ban.datedetector   [10822]: DEBUG   Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-11-21 09:51:27,473 fail2ban.datedetector   [10822]: DEBUG   Got time 1479714685.000000 for "u'Nov 21 09:51:25'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-11-21 09:51:27,473 fail2ban.datedetector   [10822]: DEBUG   Matched time template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-11-21 09:51:27,473 fail2ban.datedetector   [10822]: DEBUG   Got time 1479714686.000000 for "u'Nov 21 09:51:26'" using template (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
2016-11-21 09:51:27,558 fail2ban.datedetector   [10822]: DEBUG   Sorting the template list
2016-11-21 09:51:27,558 fail2ban.datedetector   [10822]: DEBUG   Winning template: (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)? with 294 hits
 
Change loglevel in /usr/local/etc/fail2ban/fail2ban.conf to
Code:
loglevel = INFO

I am using pf, but you should have in /var/log/fail2ban.log something like that:
Code:
2016-11-22 09:25:09,080 fail2ban.filter         [98338]: INFO    [ssh-pf] Found 172.21.1.22
2016-11-22 09:25:09,089 fail2ban.filter         [98338]: INFO    [ssh-pf] Found 172.21.1.22
2016-11-22 09:25:09,098 fail2ban.filter         [98338]: INFO    [ssh-pf] Found 172.21.1.22
2016-11-22 09:25:09,108 fail2ban.filter         [98338]: INFO    [ssh-pf] Found 172.21.1.22
2016-11-22 09:25:09,206 fail2ban.actions        [98338]: NOTICE  [ssh-pf] Ban 172.21.1.22
 
I'm simply using a custom action to have fail2ban work with ipfw tables. Create a /usr/local/etc/fail2ban/somename.conf:
Code:
[Definition]
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>

Afterwards you can just specify banaction = somename and it should work.
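The OP's complaint is that table 1 stays empty, so the useful check at this point is whether fail2ban ever logged a Ban for the jail and, if it did, whether that address reached the table. The script below is an added example, not code from the thread or from fail2ban: it replays the NOTICE Ban/Unban lines of fail2ban.log for one jail and compares the result with the entries printed by `ipfw table 1 list`. The log excerpt and the table output are constructed samples in the shape of the lines shown in this thread; the header-line format of `ipfw table N list` is assumed, not taken from the thread.

```python
"""Added example: reconcile fail2ban's Ban/Unban log lines with what an
ipfw table actually contains (not code from the thread or from fail2ban)."""
import re
from typing import Dict, Iterable, List, Set

# One fail2ban.log action line, in the shape the thread shows:
#   2016-12-10 22:25:05,539 fail2ban.actions        [867]: NOTICE  [sshd] Ban 91.224.160.108
BAN_RE = re.compile(
    r"fail2ban\.actions\s+\[\d+\]:\s+NOTICE\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?P<event>Ban|Unban)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# One entry line of `ipfw table N list`, e.g. "91.224.160.108/32 0" (assumed
# FreeBSD 11 format); the header lines of that output deliberately do not match.
TABLE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:/32)?\s+\d+\s*$")


def expected_bans(log_lines: Iterable[str], jail: str) -> Set[str]:
    """Replay Ban/Unban events for one jail in log order and return the
    addresses fail2ban believes are banned at the end of the log."""
    banned: Set[str] = set()
    for line in log_lines:
        m = BAN_RE.search(line)
        if not m or m.group("jail") != jail:
            continue
        if m.group("event") == "Ban":
            banned.add(m.group("ip"))
        else:
            banned.discard(m.group("ip"))
    return banned


def table_entries(table_output: Iterable[str]) -> Set[str]:
    """Extract the host addresses from `ipfw table N list` output."""
    entries: Set[str] = set()
    for line in table_output:
        m = TABLE_RE.match(line.strip())
        if m:
            entries.add(m.group("ip"))
    return entries


def reconcile(log_lines: List[str], table_output: List[str], jail: str) -> Dict[str, object]:
    """Compare what fail2ban logged for `jail` against what ipfw holds and
    name the layer (filter, action, or stale table) that is out of step."""
    expected = expected_bans(log_lines, jail)
    actual = table_entries(table_output)
    ban_events = 0
    for line in log_lines:
        m = BAN_RE.search(line)
        if m and m.group("jail") == jail and m.group("event") == "Ban":
            ban_events += 1
    if ban_events == 0:
        verdict = "no Ban lines: the filter never matched, check filter and logpath before the action"
    elif expected - actual:
        verdict = "Ban logged but address missing from table: the action is not reaching ipfw"
    elif actual - expected:
        verdict = "table holds addresses fail2ban no longer bans: stale entries"
    else:
        verdict = "in sync"
    return {"expected": expected, "actual": actual,
            "missing": expected - actual, "stale": actual - expected,
            "ban_events": ban_events, "verdict": verdict}


# Constructed sample fail2ban.log excerpt (same shape as the thread's lines).
SAMPLE_LOG = [
    "2016-12-10 22:25:05,539 fail2ban.actions        [867]: NOTICE  [sshd] Ban 91.224.160.108",
    "2016-12-11 01:01:27,078 fail2ban.filter         [867]: INFO    [sshd] Found 45.32.158.170",
    "2016-12-11 02:00:57,978 fail2ban.actions        [867]: NOTICE  [sshd] Ban 91.224.160.106",
    "2016-12-11 03:00:05,488 fail2ban.actions        [867]: NOTICE  [sshd] Unban 91.224.160.108",
]

# Constructed `ipfw table 1 list` output: the live ban is missing and an
# address fail2ban never banned is present.
SAMPLE_TABLE = [
    "--- table(1), set(0) ---",
    "kindex: 0, type: addr",
    "valtype: legacy, algorithm: addr:radix",
    "references: 1, valsize: 8",
    "203.0.113.9/32 0",
]

if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG, SAMPLE_TABLE, "sshd")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live host, feed it the real files (`/var/log/fail2ban.log` and the output of `ipfw table 1 list`); the verdict separates the three failure layers that get mixed up in this thread: no Ban lines at all (filter or logpath problem), Ban lines without table entries (action problem), and table entries without Ban lines (manually added or leftover entries).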
 
What I have found so far:
Linux logs:
Code:
2016-12-07 15:57:12,853 fail2ban.jail   [28728]: INFO    Jail 'ssh' started
2016-12-07 15:57:12,853 fail2ban.comm   [28728]: DEBUG   Command: ['start', 'ssh-ddos']
2016-12-07 15:57:12,854 fail2ban.actions.action[28728]: DEBUG   iptables -N fail2ban-ssh
[...]

FreeBSD logs:
Code:
2016-12-07 16:58:26,248 fail2ban.jail           [16776]: INFO    Jail 'ssh-pf' started
2016-12-07 16:58:26,249 fail2ban.filterpyinotify[16776]: DEBUG   pyinotifier started for ssh-pf.
2016-12-07 16:58:26,249 fail2ban.action         [16776]: DEBUG
2016-12-07 16:58:26,256 fail2ban.action         [16776]: DEBUG   Nothing to do

fail2ban on BSD does not know what to do.

My action.d/myaction.conf:
Code:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = pfctl -t flood -T add <ip>
actionunban = pfctl -t flood -T del <ip>
My expectation: an error because my machine does not know anything about PF... this is only for testing.

My jail.local:
Code:
[DEFAULT]
action = %(action_mwl)s
banaction = bsd-ipfw
# -- 3 days:
bantime = 259200
blocktype = deny
destemail = root
sender = root
mta = mail
findtime  = 600
maxretry = 2
ignoreip = 127.0.0.1 10.2.3.4

[ssh-pf]
enabled  = true
filter   = sshd
action   = myaction
#          sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost]
logpath  = /var/log/auth.log
findtime  = 600
maxretry = 3
bantime  = 3600

Any ideas what is missing here?
 
Failren: I tried what you had written.
My action.d/zap-em.conf:

[Definition]
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>


My jail.local:

[DEFAULT]
banaction = bsd-ipfw
bantime = 259200
blocktype = deny
destemail = root
sender = root
mta = mail
findtime = 600
maxretry = 2
ignoreip = 127.0.0.1 10.2.3.4

[bsd-sshd]
enabled = true
port = ssh
filter = bsd-sshd
logpath = /var/log/auth.log
banaction = zap-em


Result in /var/log/fail2ban.log:

2016-12-07 17:15:24,819 fail2ban.transmitter [16987]: DEBUG Command: ['set', 'bsd-sshd', 'addaction', 'zap-em']
2016-12-07 17:15:24,819 fail2ban.CommandAction [16987]: DEBUG Set action zap-em timeout = 60
2016-12-07 17:15:24,819 fail2ban.CommandAction [16987]: DEBUG Set actionstart =
2016-12-07 17:15:24,820 fail2ban.CommandAction [16987]: DEBUG Set actionban =
2016-12-07 17:15:24,820 fail2ban.CommandAction [16987]: DEBUG Set actionunban =
2016-12-07 17:15:24,820 fail2ban.CommandAction [16987]: DEBUG Set actioncheck =
2016-12-07 17:15:24,820 fail2ban.CommandAction [16987]: DEBUG Set actionstop =
2016-12-07 17:15:24,820 fail2ban.CommandAction [16987]: DEBUG Created <class 'fail2ban.server.action.CommandAction'>
2016-12-07 17:15:24,821 fail2ban.transmitter [16987]: DEBUG Command: ['set', 'bsd-sshd', 'action', 'zap-em', 'actionban', 'ipfw table 1 add <ip>']
2016-12-07 17:15:24,821 fail2ban.CommandAction [16987]: DEBUG Set actionban = ipfw table 1 add <ip>
2016-12-07 17:15:24,821 fail2ban.transmitter [16987]: DEBUG Command: ['set', 'bsd-sshd', 'action', 'zap-em', 'actionunban', 'ipfw table 1 delete <ip>']
2016-12-07 17:15:24,821 fail2ban.CommandAction [16987]: DEBUG Set actionunban = ipfw table 1 delete <ip>
2016-12-07 17:15:24,822 fail2ban.transmitter [16987]: DEBUG Command: ['set', 'bsd-sshd', 'action', 'zap-em', 'port', 'ssh']
2016-12-07 17:15:24,822 fail2ban.transmitter [16987]: DEBUG Command: ['set', 'bsd-sshd', 'action', 'zap-em', 'protocol', 'tcp']
2016-12-07 17:15:24,823 fail2ban.transmitter [16987]: DEBUG Command: ['set', 'bsd-sshd', 'action', 'zap-em', 'name', 'bsd-sshd']
2016-12-07 17:15:24,823 fail2ban.transmitter [16987]: DEBUG Command: ['set', 'bsd-sshd', 'action', 'zap-em', 'chain', 'INPUT']
2016-12-07 17:15:24,824 fail2ban.transmitter [16987]: DEBUG Command: ['set', 'bsd-sshd', 'action', 'zap-em', 'bantime', '259200']
2016-12-07 17:15:24,824 fail2ban.transmitter [16987]: DEBUG Command: ['start', 'bsd-sshd']
2016-12-07 17:15:24,825 fail2ban.jail [16987]: INFO Jail 'bsd-sshd' started
2016-12-07 17:15:24,825 fail2ban.filterpyinotify[16987]: DEBUG pyinotifier started for bsd-sshd.
2016-12-07 17:15:24,826 fail2ban.action [16987]: DEBUG
2016-12-07 17:15:24,831 fail2ban.action [16987]: DEBUG Nothing to do


Result: no ip address blocking. :(
 
Failren: I tried what you had written.
My action.d/zap-em.conf:

[Definition]
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>


My jail.local:

...
[bsd-sshd]
Could bsd-sshd simply be the wrong filter? My config uses sshd, although I can't remember if there was any rationale in using this over bsd-sshd:

Code:
[DEFAULT]
banaction = ipfw-tables
...

[sshd]
enabled = true

And yes, it works as it should:
Code:
fail2ban.log:2016-12-10 22:25:05,539 fail2ban.actions        [867]: NOTICE  [sshd] Ban 91.224.160.108
fail2ban.log:2016-12-10 xx:xx:06,194 fail2ban.actions        [867]: NOTICE  [sshd] Unban 91.224.160.108
fail2ban.log:2016-12-11 01:01:27,078 fail2ban.filter         [867]: INFO    [sshd] Found 45.32.158.170
fail2ban.log:2016-12-11 01:01:27,099 fail2ban.filter         [867]: INFO    [sshd] Found 45.32.158.170
fail2ban.log:2016-12-11 01:01:28,136 fail2ban.filter         [867]: INFO    [sshd] Found 45.32.158.170
fail2ban.log:2016-12-11 01:01:29,198 fail2ban.filter         [867]: INFO    [sshd] Found 45.32.158.170
fail2ban.log:2016-12-11 01:42:32,914 fail2ban.filter         [867]: INFO    [sshd] Found 91.224.160.106
fail2ban.log:2016-12-11 01:46:57,832 fail2ban.filter         [867]: INFO    [sshd] Found 91.224.160.106
fail2ban.log:2016-12-11 01:49:18,871 fail2ban.filter         [867]: INFO    [sshd] Found 91.224.160.106
fail2ban.log:2016-12-11 01:51:37,714 fail2ban.filter         [867]: INFO    [sshd] Found 91.224.160.106
fail2ban.log:2016-12-11 02:00:57,757 fail2ban.filter         [867]: INFO    [sshd] Found 91.224.160.106
fail2ban.log:2016-12-11 02:00:57,978 fail2ban.actions        [867]: NOTICE  [sshd] Ban 91.224.160.106
fail2ban.log:2016-12-11 xx:xx:58,488 fail2ban.actions        [867]: NOTICE  [sshd] Unban 91.224.160.106
fail2ban.log:2016-12-11 04:00:00,639 fail2ban.filter         [867]: INFO    Log rotation detected for /var/log/auth.log
fail2ban.log:2016-12-11 04:00:00,645 fail2ban.filter         [867]: INFO    Log rotation detected for /var/log/auth.log
fail2ban.log:2016-12-11 06:00:31,856 fail2ban.filter         [867]: INFO    [sshd] Found 14.160.13.174
fail2ban.log:2016-12-11 06:00:35,015 fail2ban.filter         [867]: INFO    [sshd] Found 14.160.13.174
fail2ban.log:2016-12-11 13:00:00,164 fail2ban.filter         [867]: INFO    Log rotation detected for /var/log/auth.log
fail2ban.log:2016-12-11 13:00:00,165 fail2ban.filter         [867]: INFO    Log rotation detected for /var/log/auth.log
fail2ban.log:2016-12-11 13:31:34,979 fail2ban.filter         [867]: INFO    [sshd] Found 14.160.13.174
fail2ban.log:2016-12-11 13:31:44,503 fail2ban.filter         [867]: INFO    [sshd] Found 14.160.13.174
 
I have tried the sshd filter instead of bsd-sshd, still no luck.

When you start fail2ban in debug mode, is the last line "nothing to do"?

Code:
2016-12-12 10:05:03,940 fail2ban.jail           [971]: INFO    Jail 'sshd' started
2016-12-12 10:05:03,940 fail2ban.filterpyinotify[971]: DEBUG   pyinotifier started for sshd.
2016-12-12 10:05:03,941 fail2ban.action         [971]: DEBUG
2016-12-12 10:05:03,948 fail2ban.action         [971]: DEBUG   Nothing to do
 
Hi, I was just setting up ipfw with fail2ban and came across the thread.
First thing, if you don't have a NOTICE Ban line in your logs then fail2ban isn't trying to block any IPs, so you can forget about the actions because it's not even getting there. FYI my ssh config in jail.local is:

Code:
[sshd]

enabled = true
filter = sshd
port    = ssh
logpath = /var/log/auth.log
maxretry = 6
action = bsd-ipfw[table=1]

If you aren't getting any NOTICE Ban lines then you need to check the sshd filter and/or check your log path. HTH,

cheers, Andy.
 
PS you can also test if the ban/unban code works with these commands:

Code:
fail2ban-client set sshd banip 10.10.10.10

Code:
fail2ban-client set sshd unbanip 10.10.10.10
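Andy's point, that without a NOTICE Ban line the action never runs, can be checked offline before touching ipfw. Below is an added example (not from the thread and not fail2ban's code) that applies two of the sshd filter's failregex patterns and the jail's findtime/maxretry/ignoreip logic to constructed auth.log lines, so you can see which lines would produce Found and which would produce Ban. The regexes are simplified copies of what filter.d/sshd.conf matches, the year is assumed because syslog timestamps carry none, and every sample line is constructed.

```python
"""Added example: replay fail2ban's filter and jail logic over constructed
auth.log lines (not code from the thread or from fail2ban)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Simplified copies of two patterns from fail2ban's filter.d/sshd.conf, reduced
# to what the constructed sample below exercises (the real filter has many more).
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from " + IP + r" port \d+"),
    re.compile(r"Invalid user \S+ from " + IP),
]
# FreeBSD syslog timestamp at the start of each auth.log line, e.g. "Dec 12 10:05:01".
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")


def parse_ts(line: str, year: int = 2016) -> Optional[datetime]:
    """Syslog lines carry no year, so one is assumed here (fail2ban's
    datedetector does the same guessing, which is what the DEBUG lines in
    the thread show)."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


Event = Tuple[datetime, str]


def simulate_jail(lines: Iterable[str], findtime: int = 600, maxretry: int = 3,
                  ignoreip: Iterable[str] = ()) -> Tuple[List[Event], List[Event]]:
    """Return (found, bans): `found` is every line a failregex matched (the
    INFO 'Found <ip>' lines), `bans` is each address that reached maxretry
    failures inside one findtime window (the NOTICE 'Ban <ip>' lines)."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    found: List[Event] = []
    bans: List[Event] = []
    banned = set()
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        match = None
        for rx in FAILREGEX:
            match = rx.search(line)
            if match:
                break
        if not match:
            continue
        ip = match.group("ip")
        # ignoreip: attempts from these networks are never counted
        # (127.0.0.1 and 10.2.3.4 in the thread's jail.local)
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue
        found.append((ts, ip))
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        # drop failures older than findtime so only a dense burst reaches maxretry
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ts, ip))
            banned.add(ip)
    return found, bans


# Constructed auth.log sample: one fast burst, one burst from an ignored
# address, and three failures spread further apart than findtime.
SAMPLE_AUTH_LOG = [
    "Dec 12 10:05:01 bsdhost sshd[1201]: Failed password for root from 198.51.100.7 port 40101 ssh2",
    "Dec 12 10:05:04 bsdhost sshd[1203]: Invalid user admin from 198.51.100.7",
    "Dec 12 10:05:04 bsdhost sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40102 ssh2",
    "Dec 12 10:05:09 bsdhost sshd[1207]: Accepted publickey for alice from 10.2.3.4 port 50000 ssh2",
    "Dec 12 10:06:00 bsdhost sshd[1210]: Failed password for root from 10.2.3.4 port 50001 ssh2",
    "Dec 12 10:06:02 bsdhost sshd[1211]: Failed password for root from 10.2.3.4 port 50002 ssh2",
    "Dec 12 10:06:04 bsdhost sshd[1212]: Failed password for root from 10.2.3.4 port 50003 ssh2",
    "Dec 12 10:30:00 bsdhost sshd[1300]: Failed password for root from 203.0.113.5 port 6000 ssh2",
    "Dec 12 10:45:00 bsdhost sshd[1301]: Failed password for root from 203.0.113.5 port 6001 ssh2",
    "Dec 12 11:00:00 bsdhost sshd[1302]: Failed password for root from 203.0.113.5 port 6002 ssh2",
]

if __name__ == "__main__":
    found, bans = simulate_jail(SAMPLE_AUTH_LOG, ignoreip=("127.0.0.1", "10.2.3.4"))
    for ts, ip in found:
        print(f"{ts:%H:%M:%S} INFO    [sshd] Found {ip}")
    for ts, ip in bans:
        print(f"{ts:%H:%M:%S} NOTICE  [sshd] Ban {ip}")
```

With the thread's settings only the burst from 198.51.100.7 produces a Ban; the ignored address produces nothing, and the spaced-out attempts from 203.0.113.5 never put maxretry failures inside one findtime window, which is one legitimate reason for seeing Found lines without a Ban. On a real host the equivalent check is `fail2ban-regex /var/log/auth.log sshd`, which reports how many lines the filter matched; with loglevel INFO the Found and Ban lines in /var/log/fail2ban.log tell you the same thing.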
 