Hi,
I'm trying to configure fail2ban on my FreeBSD 8.2-RELEASE server but can't really get it to work. I've never tried fail2ban before, nor am I any good with firewall rules. I got an IPFW rules script working just fine. However, I'm a little confused about how to get this to work properly.
/usr/local/fail2ban/jail.conf:
```ini
[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.61
bantime = 3600
findtime = 600
maxretry = 3
backend = auto

[ssh-ipfw]
enabled = true
filter = sshd
action = ipfw[localhost=any,minnum=01110,maxnum=01199]
         sendmail-whois[name="SSH,IPFW", dest=admin@server.com]
logpath = /var/log/auth.log
ignoreip = 168.192.1.61
```
/usr/local/etc/fail2ban/action.d/ipfw.conf:
```ini
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ipfw add deny tcp from <ip> to <localhost> <port>
actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`

[Init]
port = ssh
localhost = 192.168.1.61
```
The rest of the fail2ban files are unmodified.
This is my IPFW rules script:
```sh
IPF="ipfw -q add"
ipfw -q -f flush
# loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open port ssh (22), http (80) etc
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 80 in
$IPF 160 allow tcp from any to any 80 out
# allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
# (numbered explicitly; left unnumbered, ipfw auto-assigned it 260)
$IPF 260 allow icmp from any to any icmptypes 0,3,4,8,11
# deny and log everything
$IPF 500 deny log all from any to any
```
I checked the logs to make sure fail2ban really started, and I have this in the logs:
```text
2011-05-11 13:37:35,066 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-05-11 13:37:35,066 fail2ban.jail : INFO Creating new jail 'ssh-ipfw'
2011-05-11 13:37:35,066 fail2ban.jail : INFO Jail 'ssh-ipfw' uses poller
2011-05-11 13:37:35,076 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-05-11 13:37:35,076 fail2ban.filter : INFO Set maxRetry = 3
2011-05-11 13:37:35,077 fail2ban.filter : INFO Set findtime = 600
2011-05-11 13:37:35,077 fail2ban.actions: INFO Set banTime = 3600
2011-05-11 13:37:35,104 fail2ban.jail : INFO Jail 'ssh-ipfw' started
```
So it's pretty clear that fail2ban is started.
However, when I try to ssh to my server from somewhere else on the internet a couple of times, nothing happens; there are no firewall rules that get added to block me for 3600 seconds or anything.
I checked the auth.log and see this:
```text
May 11 13:54:38 server sshd[11828]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:39 server last message repeated 2 times
May 11 13:54:41 server sshd[11833]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:42 server last message repeated 2 times
May 11 13:54:44 server sshd[11838]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:45 server last message repeated 2 times
May 11 13:54:47 server sshd[11843]: error: PAM: authentication error for user from IP-on-the-internet
```
I checked the firewall rules with this:
```text
[root@server ~]# ipfw list
00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00150 allow tcp from any to any dst-port 80 in
00160 allow tcp from any to any dst-port 80 out
00260 allow icmp from any to any icmptypes 0,3,4,8,11
00500 deny log ip from any to any
65535 deny ip from any to any
```
I tried a couple of times and nothing gets triggered. Do I need to modify my firewall script? If so, how? Am I missing something else? I couldn't really find much information on IPFW and fail2ban, so it's not that easy to get it up and running; any help is appreciated!
Recommendations on other software I can use are also appreciated, if you know anything.
Thanks,
-Patric
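A standalone check, added here and not part of the original post, that mimics how fail2ban turns a filter's failregex into a compiled pattern (the `<HOST>` tag and the syslog line prefix) and then counts matching lines per host against `findtime` and `maxretry`, run over the auth.log lines quoted above. The two failregex values and the prefix shape are illustrative assumptions, not copied from any fail2ban release; the point is to see whether a pattern written for the "Authentication failure" wording also accepts FreeBSD's "PAM: authentication error" lines, and that the collapsed "last message repeated" lines carry no host and so never count.

```python
import re
from datetime import datetime

# Constructed sample: the auth.log lines quoted in the post, host placeholder kept as written.
AUTH_LOG = """\
May 11 13:54:38 server sshd[11828]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:39 server last message repeated 2 times
May 11 13:54:41 server sshd[11833]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:42 server last message repeated 2 times
May 11 13:54:44 server sshd[11838]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:45 server last message repeated 2 times
May 11 13:54:47 server sshd[11843]: error: PAM: authentication error for user from IP-on-the-internet
"""

# fail2ban expands the <HOST> tag to a named group of this shape before compiling a failregex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Syslog line prefix as FreeBSD writes it: "Mon DD HH:MM:SS hostname sshd[pid]: " (assumed shape).
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "

# Two illustrative failregexes (assumptions, not copied from any fail2ban release): STRICT accepts
# only the "Authentication failure" wording, LOOSE also the "authentication error" wording above.
STRICT = r"(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$"
LOOSE = r"(?:error: PAM: )?[Aa]uthentication (?:failure|error) for .* from <HOST>\s*$"


def compile_failregex(failregex):
    """Mimic fail2ban: prepend the line prefix, expand <HOST>, compile."""
    return re.compile(PREFIX + failregex.replace("<HOST>", HOST_TAG))


def hosts_to_ban(log, failregex, findtime=600, maxretry=3, year=2011):
    """Hosts that reach maxretry matching lines within one findtime window (seconds)."""
    pattern = compile_failregex(failregex)
    failures = {}  # host -> list of epoch seconds
    for line in log.splitlines():
        m = pattern.search(line)
        if not m:  # e.g. syslog's "last message repeated N times": no host, never counted
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S").timestamp()
        failures.setdefault(m.group("host"), []).append(ts)
    banned = set()
    for host, times in failures.items():
        times.sort()
        # sliding window: maxretry consecutive failures no more than findtime apart
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned
```

On the server itself, the same check against the installed filter is what `fail2ban-regex` does, e.g. `fail2ban-regex /var/log/auth.log filter.d/sshd.conf` run from the fail2ban configuration directory.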