IPFW and Fail2Ban

[k1piee]

Hi,

I'm trying to configure fail2ban on my FreeBSD 8.2-RELEASE server but can't really get it to work. I've never tried fail2ban before, nor am I any good with firewall rules. I got a IPFW rules-script working just fine. However I'm a little bit confused how to get this to work properly.

/usr/local/fail2ban/jail.conf:

[DEFAULT]

ignoreip = 127.0.0.1 192.168.1.61

bantime  = 3600

findtime  = 600

maxretry = 3

backend = auto

[ssh-ipfw]

enabled  = true
filter   = sshd
action   = ipfw[localhost=any,minnum=01110,maxnum=01199]
           sendmail-whois[name="SSH,IPFW", dest=admin@server.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.1.61

/usr/local/etc/fail2ban/action.d/ipfw.conf:

[Definition]

actionstart =
actionstop =
actioncheck =

actionban = ipfw add deny tcp from <ip> to <localhost> <port>
actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`

[Init]

port = ssh
localhost = 192.168.1.61

The rest of the fail2ban files is unmodified.

This is my IPFW rules-script:

IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ssh (22), http (80) etc
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 80 in
$IPF 160 allow tcp from any to any 80 out

# allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
$IPF allow icmp from any to any icmptypes 0,3,4,8,11

# deny and log everything
$IPF 500 deny log all from any to any

I check the logs so that fail2ban is really started and I have this in the logs:

2011-05-11 13:37:35,066 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-05-11 13:37:35,066 fail2ban.jail   : INFO   Creating new jail 'ssh-ipfw'
2011-05-11 13:37:35,066 fail2ban.jail   : INFO   Jail 'ssh-ipfw' uses poller
2011-05-11 13:37:35,076 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-05-11 13:37:35,076 fail2ban.filter : INFO   Set maxRetry = 3
2011-05-11 13:37:35,077 fail2ban.filter : INFO   Set findtime = 600
2011-05-11 13:37:35,077 fail2ban.actions: INFO   Set banTime = 3600
2011-05-11 13:37:35,104 fail2ban.jail   : INFO   Jail 'ssh-ipfw' started

So it's pretty clear that fail2ban is started.

However when I try to ssh to my server from somewhere else on the internet a couple of times nothing happens, there is no firewall rules that gets added to block me for 3600 seconds or anything.

I checked the auth.log and see this:

May 11 13:54:38 server sshd[11828]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:39 server last message repeated 2 times
May 11 13:54:41 server sshd[11833]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:42 server last message repeated 2 times
May 11 13:54:44 server sshd[11838]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:45 server last message repeated 2 times
May 11 13:54:47 server sshd[11843]: error: PAM: authentication error for user from IP-on-the-internet

I check the firewallrules with this:

[root@server ~]# ipfw list
00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00150 allow tcp from any to any dst-port 80 in
00160 allow tcp from any to any dst-port 80 out
00260 allow icmp from any to any icmptypes 0,3,4,8,11
00500 deny log ip from any to any
65535 deny ip from any to any

I tried a couple of times and nothing gets triggered. Do I need to modify my firewall-script? If so, how? Am I missing something else? I couldn't really find much information on IPFW and fail2ban so it's not that easy to get it up and running so any help is appreciated!

Recommendations on other software I can use it also appreciated if you know anything.

Thanks,
-Patric

 

[k1piee]

Ok so I've tried different stuff with the firewall script and found out that even if fail2ban would trigger and add the firewall rule it wouldn't work as it would add the deny-rule on the bottom of the script after it allows the connection to SSH, for example.

I tried to manually add a rule that would deny my IP before everything else in the script and it blocked it out. So the question is: how do I modify my script so it will use the "deny" rules after the rest of the rules? I seriously suck at writing firewall rules so I really appreciate if someone could help me here.


Thanks,
-Patric

 

[graudeejs]

I haven't read entire thread, and haven't tried to understand your script much, but why not to add IP to table, that is used in deny rule?

 

[k1piee]

I installed OSSEC instead and it puts the IP in a table. Works great.

 

[ecazamir]

I managed to make it work using this example, using a table.

 

[JohnnyCashout]

I am using the table method and have my fail2ban jail setup, in fail2ban.log it says its watching /var/log/auth.log an maxretry=3 but I am able to repeatedly fail to enter the correct password 8+ times from an external ip and fail2ban does nothing.

I'm tailing security.log, auth.log and fail2ban.log and auth.log shoes the 'failed keyboard-interactive' messages but fail2ban isn't picking up on it

 

[rockworldmi]

k1piee: can I install both fail2ban and ossec? Or is ossec sufficient? Also is there a guide to install ossec in FreeBSD 9? I see three ports in FreeBSD 9, which one to choose?