pf, fail2ban and portsentry

Hello,

I'm trying to secure my laptop. First I have configured pf:

/etc/rc.conf

Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

/etc/pf.conf

Code:
ext_if="{wlan0,alc0}"
ext_services="{22}"
int_services="{25,80,139,445,631,3306}"

# Declaration of the table referencing all IP addresses assigned to the
# firewall.
table <firewall> const { self }

# Measure against certain types of attacks
scrub in all

# Do not filter on the loopback interface
set skip on lo0

# Set up a default deny policy.
block in all
block return

# Keep state for outgoing connections
pass out keep state

# Enable anti-spoofing protection on all
# interfaces.
block in quick from urpf-failed
antispoof log for $ext_if

# Allow external access to the following services:
pass in on $ext_if proto {tcp,udp} from any to any port $ext_services

# Block IPs contained in the antiscan table (updated by portsentry)
table <antiscan> persist
block in quick from <antiscan>

# Block IPs contained in the fail2ban table (updated by fail2ban)
table <fail2ban> persist
block in on $ext_if from <fail2ban>

# pfctl -f /etc/pf.conf

Code:
No ALTQ support in kernel
ALTQ related functions disabled

Now, to avoid port scans, I have installed and configured portsentry:

I have added the antiscan table and one rule in /etc/pf.conf, as you can see above.

I have edited the file /usr/local/etc/portsentry.conf

Code:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"

ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"

ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"

# Hosts to ignore
IGNORE_FILE="/usr/local/etc/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/local/etc/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/local/etc/portsentry.blocked"

RESOLVE_HOST = "1"

BLOCK_UDP="1"
BLOCK_TCP="1"

KILL_ROUTE="/sbin/pfctl -t antiscan -T add $TARGET$"

SCAN_TRIGGER="0"

And now the content of /usr/local/etc/portsentry.ignore

Code:
127.0.0.1/32
0.0.0.0

I have launched portsentry:
# portsentry -tcp && portsentry -udp

Now if I try to scan the ports of my laptop from another computer, first the nmap output shows open ports (!) and secondly its IP was not inserted into the antiscan table:

# pfctl -t antiscan -T show

Code:
No ALTQ support in kernel
ALTQ related functions disabled

Could you explain to me what's wrong? The problem is the same with fail2ban (I will add the fail2ban config file if necessary).
 
# /etc/rc.d/pf status

Code:
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 01:41:25           Debug: Urgent

State Table                          Total             Rate
  current entries                        2               
  searches                          406852           66.9/s
  inserts                              133            0.0/s
  removals                             131            0.0/s
Counters
  match                                641            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              2            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s


# pfctl -sr

Code:
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
block drop in all
block return all
pass out all flags S/SA keep state
block drop in quick from urpf-failed to any
block drop in log on ! wlan0 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.67 to any
pass in on wlan0 proto tcp from any to any port = ssh flags S/SA keep state
pass in on wlan0 proto udp from any to any port = ssh keep state
pass in on alc0 proto tcp from any to any port = ssh flags S/SA keep state
pass in on alc0 proto udp from any to any port = ssh keep state
block drop in quick from <antiscan> to any
block drop in on wlan0 from <fail2ban> to any
block drop in on alc0 from <fail2ban> to any

# pfctl -sn

Code:
No ALTQ support in kernel
ALTQ related functions disabled
 
Now if I try to scan the ports of my laptop from another computer, first the nmap output shows open ports (!)

Can you try with a simple rule file to see if nmap scans are blocked?

Code:
ext_if="{wlan0,alc0}"
ext_services="{22}"
int_services="{25,80,139,445,631,3306}"

scrub in all
set skip on lo0
antispoof log for $ext_if

block in all
pass out
 
Well, I tried with the simple rules you proposed. Below, the nmap outputs:

$ nmap -v 192.168.1.67

Code:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-23 16:52 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 16:52
Scanning 192.168.1.67 [2 ports]
Completed Ping Scan at 16:52, 3.00s elapsed (1 total hosts)
Read data files from: /usr/share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -PN
Nmap done: 1 IP address (0 hosts up) scanned in 3.15 seconds

$ nmap -v -PN 192.168.1.67

Code:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-23 16:52 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 16:52
Completed Parallel DNS resolution of 1 host. at 16:52, 0.00s elapsed
Initiating Connect Scan at 16:52
Scanning heavenboy-freebsd.darty (192.168.1.67) [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 16:56 (0:02:49 remaining)
Connect Scan Timing: About 30.50% done; ETC: 16:56 (0:02:19 remaining)
Connect Scan Timing: About 45.50% done; ETC: 16:56 (0:01:49 remaining)
Connect Scan Timing: About 60.50% done; ETC: 16:56 (0:01:19 remaining)
Connect Scan Timing: About 75.50% done; ETC: 16:56 (0:00:49 remaining)
Completed Connect Scan at 16:56, 201.31s elapsed (1000 total ports)
Host heavenboy-freebsd.darty (192.168.1.67) is up.
All 1000 scanned ports on heavenboy-freebsd.darty (192.168.1.67) are filtered

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 201.45 seconds

The outputs are the same with portsentry running or not.
 
Now if you try something like this:

Code:
ext_if="{wlan0,alc0}"
ext_services="{22}"
int_services="{25,80,139,445,631,3306}"
table <antiscan> persist

scrub in all
set skip on lo0
antispoof log for $ext_if

pass in
block in quick from <antiscan>
pass out

Is the antiscan table populated if you retry nmap when portsentry is running?
 
First, I would like to thank you for your assistance.

Below, the nmap outputs:

$ nmap -v 192.168.1.67

Code:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-23 19:04 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 19:04
Scanning 192.168.1.67 [2 ports]
Completed Ping Scan at 19:04, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:04
Completed Parallel DNS resolution of 1 host. at 19:04, 0.01s elapsed
Initiating Connect Scan at 19:04
Scanning heavenboy-freebsd.darty (192.168.1.67) [1000 ports]
Discovered open port 143/tcp on 192.168.1.67
Discovered open port 445/tcp on 192.168.1.67
Discovered open port 80/tcp on 192.168.1.67
Discovered open port 139/tcp on 192.168.1.67
Discovered open port 3306/tcp on 192.168.1.67
Discovered open port 111/tcp on 192.168.1.67
Discovered open port 22/tcp on 192.168.1.67
Discovered open port 32771/tcp on 192.168.1.67
Discovered open port 32772/tcp on 192.168.1.67
Discovered open port 119/tcp on 192.168.1.67
Connect Scan Timing: About 49.45% done; ETC: 19:05 (0:00:32 remaining)
Connect Scan Timing: About 64.70% done; ETC: 19:05 (0:00:35 remaining)

However:

# pfctl -t antiscan -T show

Code:
No ALTQ support in kernel
ALTQ related functions disabled
  192.168.1.2

So the IP of the scanning machine has been added to the table. Moreover, in the file /var/log/messages we can find:

Code:
Jun 23 19:00:27 heavenboy-freebsd portsentry[74272]: adminalert: PortSentry is now active and listening.
Jun 23 19:00:28 heavenboy-freebsd portsentry[74272]: attackalert: Connect from host: heavenboy-desktop.darty/192.168.1.2 to TCP port: 111
Jun 23 19:00:28 heavenboy-freebsd portsentry[74272]: attackalert: Host 192.168.1.2 has been blocked via dropped route using command: "/sbin/pfctl -t antiscan -T add 192.168.1.2"
Jun 23 19:00:28 heavenboy-freebsd portsentry[74272]: attackalert: Possible stealth scan from unknown host to TCP port: 143 (accept failed)
Jun 23 19:00:28 heavenboy-freebsd portsentry[74272]: attackalert: Connect from host: heavenboy-desktop.darty/192.168.1.2 to TCP port: 6667
Jun 23 19:00:28 heavenboy-freebsd portsentry[74272]: attackalert: Host: 192.168.1.2 is already blocked. Ignoring
Jun 23 19:00:28 heavenboy-freebsd portsentry[74272]: attackalert: Possible stealth scan from unknown host to TCP port: 32774 (accept failed)
Jun 23 19:00:43 heavenboy-freebsd wpa_supplicant[378]: CTRL-EVENT-SCAN-RESULTS

The scanning machine is indeed blocked the second time I launch the scan. However, the scan works the first time: I can read the open ports. How can I prevent it?
 
I don't know portsentry or how exactly it works (which OSI layer, before or after the firewall (pf or other?), etc.), but a few more tests can help us understand it.

Can you try a scan with the ruleset below and post the full nmap output?

Code:
ext_if="{wlan0,alc0}"
ext_services="{22}"
int_services="{25,80,139,445,631,3306}"
table <antiscan> persist

scrub in all
set skip on lo0
antispoof log for $ext_if

pass in
pass out
 
This is the full nmap output:

$ nmap -v 192.168.1.67

Code:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-24 19:49 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 19:49
Scanning 192.168.1.67 [2 ports]
Completed Ping Scan at 19:49, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:49
Completed Parallel DNS resolution of 1 host. at 19:49, 0.00s elapsed
Initiating Connect Scan at 19:49
Scanning heavenboy-freebsd.darty (192.168.1.67) [1000 ports]
Discovered open port 80/tcp on 192.168.1.67
Discovered open port 445/tcp on 192.168.1.67
Discovered open port 139/tcp on 192.168.1.67
Discovered open port 22/tcp on 192.168.1.67
Discovered open port 143/tcp on 192.168.1.67
Discovered open port 111/tcp on 192.168.1.67
Discovered open port 3306/tcp on 192.168.1.67
Discovered open port 1/tcp on 192.168.1.67
Discovered open port 32773/tcp on 192.168.1.67
Discovered open port 2000/tcp on 192.168.1.67
Discovered open port 119/tcp on 192.168.1.67
Discovered open port 1080/tcp on 192.168.1.67
Discovered open port 32771/tcp on 192.168.1.67
Discovered open port 32772/tcp on 192.168.1.67
Discovered open port 31337/tcp on 192.168.1.67
Discovered open port 12345/tcp on 192.168.1.67
Discovered open port 6667/tcp on 192.168.1.67
Discovered open port 32774/tcp on 192.168.1.67
Increasing send delay for 192.168.1.67 from 0 to 5 due to max_successful_tryno increase to 4
Discovered open port 1524/tcp on 192.168.1.67
Discovered open port 9009/tcp on 192.168.1.67
Discovered open port 79/tcp on 192.168.1.67
Completed Connect Scan at 19:49, 6.09s elapsed (1000 total ports)
Host heavenboy-freebsd.darty (192.168.1.67) is up (0.00073s latency).
Interesting ports on heavenboy-freebsd.darty (192.168.1.67):
Not shown: 979 closed ports
PORT      STATE SERVICE
1/tcp     open  tcpmux
22/tcp    open  ssh
79/tcp    open  finger
80/tcp    open  http
111/tcp   open  rpcbind
119/tcp   open  nntp
139/tcp   open  netbios-ssn
143/tcp   open  imap
445/tcp   open  microsoft-ds
1080/tcp  open  socks
1524/tcp  open  ingreslock
2000/tcp  open  callbook
3306/tcp  open  mysql
6667/tcp  open  irc
9009/tcp  open  unknown
12345/tcp open  netbus
31337/tcp open  Elite
32771/tcp open  sometimes-rpc5
32772/tcp open  sometimes-rpc7
32773/tcp open  sometimes-rpc9
32774/tcp open  sometimes-rpc11

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.28 seconds
 
If we consider your /etc/pf.conf of yesterday, 18:26:

Code:
pass in
block in quick from <antiscan>
pass out

it blocks correctly if a scan occurred, but there is no rule on the ports from 'out'. In particular, I would like to close all the ports except port 22. That's why I wrote:

Code:
block in all

pass in on $ext_if proto {tcp,udp} from any to any port $ext_services

So if I follow you, I try this:

Code:
#'pass in' the right ports from hosts who are not blocked
pass in on $ext_if proto {tcp,udp} from !<antiscan> to any port $ext_services

#block all the other ports
block in

pass out

But here again, the IP of the scanning machine isn't added to the table. What's wrong?
 
From the different outputs, and with the ruleset above, pf seems to block scanning.

Code:
pass in
block in quick from <antiscan>
pass out

It just takes some time to detect the scan and to add the IP address to the antiscan table, but it works.

You've already tested, but can you try this?

Code:
block in
block in quick from <antiscan>
pass in on $ext_if proto {tcp,udp} from any to any port $ext_services
pass out
 
With this attempt, I can connect via ssh (as wanted); the port scan output is the same as the one of June 23rd, 2011, 17:02. However, the IP of the scanning machine isn't added to the table, so it's not blocked.
 
/var/log/messages

Code:
Jun 27 10:41:52 heavenboy-freebsd portsentry[3833]: adminalert: PortSentry 1.2 is starting.
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 1
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 7
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 9
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 69
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 161
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 162
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 513
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 635
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 640
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 641
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 700
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 37444
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 34555
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 31335
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 32770
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 32771
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 32772
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 32773
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 32774
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 31337
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: Going into listen mode on UDP port: 54321
Jun 27 10:41:52 heavenboy-freebsd portsentry[3834]: adminalert: PortSentry is now active and listening.
Jun 27 10:41:52 heavenboy-freebsd portsentry[3835]: adminalert: PortSentry 1.2 is starting.
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 1
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 11
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 15
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 79
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 111
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 119
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 143
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 540
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 635
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 1080
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 1524
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 2000
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 5742
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 6667
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 12345
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 12346
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 20034
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 27665
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 31337
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 32771
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 32772
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 32773
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 32774
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 40421
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 49724
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: Going into listen mode on TCP port: 54320
Jun 27 10:41:52 heavenboy-freebsd portsentry[3836]: adminalert: PortSentry is now active and listening.
Thanks to that, I have had an idea: I can now explain why the pf configuration below doesn't work. Portsentry listens for scans on the ports shown in /var/log/messages. However, the ssh port isn't in the list. Only port 22 is open, so portsentry can't see the port scan.

As a consequence, I tried 2 things:
- First, add port 22 to the list of TCP ports in /usr/local/etc/portsentry.conf. However, portsentry can listen on port 22, it seems. Indeed, in that case I get an error in /var/log/messages.
- Open another port which portsentry listens on, for example don't block port 1 with pf. In that case, it works. Portsentry adds the IP of the scanning machine to the table and the next time the scan shows nothing. On the other hand, only ports 1 and 22 are allowed 'in'.
 
Now, concerning fail2ban, let me first show all the configuration I have done:

/etc/rc.conf
Code:
fail2ban_enable="YES"

/etc/pf.conf
Code:
ext_if="{wlan0,alc0}"
ext_services="{1,22}"
int_services="{25,80,139,445,631,3306}"

# Declaration of the table referencing all IP addresses assigned to the
# firewall.
#table <firewall> const { self }
table <fail2ban> persist
table <antiscan> persist

# Measure against certain types of attacks
scrub in all

# Do not filter on the loopback interface
set skip on lo0

# Set up a default deny policy.
block in
#block return

# Keep state for outgoing connections
#pass out keep state
pass out

# Enable anti-spoofing protection on all
# interfaces.
#block in quick from urpf-failed
antispoof log for $ext_if

# Block IPs contained in the antiscan table (updated by portsentry)
block in quick on $ext_if from <antiscan>
block in quick on $ext_if from <fail2ban>

# Allow external access to the following services:
# (port 1 is reachable only so that portsentry detects scans)
pass in on $ext_if proto {tcp,udp} from any to any port $ext_services

/usr/local/etc/fail2ban/fail2ban.conf
Code:
[Definition]

loglevel = 3

logtarget = /var/log/fail2ban.log

socket = /var/run/fail2ban/fail2ban.sock

/usr/local/etc/fail2ban/jail.conf
Code:
[DEFAULT]

ignoreip = 127.0.0.1

bantime  = 86400

findtime  = 86400

maxretry = 3

backend = auto

[ssh-pf]

enabled  = true
filter   = sshd
action   = pf
logpath  = /var/log/auth.log
maxretry = 5

[ssh-ddos]

enabled  = true
filter   = sshd-ddos
action   = pf
logpath  = /var/log/auth.log
maxretry = 3

/usr/local/etc/fail2ban/action.d/pf.conf
Code:
[Definition]

actionstart = 

actionstop = 

actioncheck = 

actionban = "/sbin/pfctl -t fail2ban -T add <ip>/32"

actionunban = "/sbin/pfctl -t fail2ban -T delete <ip>/32"

[Init]

port  = ssh
localhost   = 127.0.0.1

All of that seems to be OK. However, there is one file I haven't edited, and it seems to be the source of the trouble:

/usr/local/etc/fail2ban/filter.d/sshd.conf
Code:
[INCLUDES]

before = common.conf

[Definition]

_daemon = sshd

failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed (?:password|publickey) for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because not listed in AllowUsers$
            ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sAddress <HOST> .* POSSIBLE BREAK-IN ATTEMPT!*\s*$
            ^%(__prefix_line)sUser \S+ from <HOST> not allowed because none of user's groups are listed in AllowGroups$

ignoreregex =

And in /var/log/auth.log, when an authentication failure occurs, we can read:

Code:
Jun 27 11:09:35 heavenboy-freebsd sshd[10897]: error: PAM: authentication error for heavenboy from 192.168.0.60

However, the failregex doesn't cover this message. Could you tell me what regex I need?

I tried without success:

Code:
^%(__prefix_line)s(?:error: PAM: )?authentication error for .* from <HOST>\s*$
 
For portsentry, it seems to be what I thought.

pf works before portsentry, or, said differently, portsentry works after pf, which explains why, when pf passes all packets, portsentry can detect them, and when pf blocks all packets, portsentry doesn't see them.

I would suggest that you open some portsentry ports in pf to make it react. But you did it before :)

About fail2ban, I don't know; I would have done it like you did. :s
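To make the ordering explained in this post and in the earlier one concrete (pf decides before portsentry ever sees the probe, and a `quick` block from <antiscan> wins regardless of its position), here is an added Python model of pf's rule evaluation run over the thread's final ruleset. It is example code, not from the posts or from pf itself; packets, table contents and the scanner address 192.168.1.2 are constructed, and state, scrub and antispoof are not modelled.

```python
"""Minimal model of pf rule evaluation (last matching rule wins unless the
rule says 'quick') applied to the rulesets discussed in this thread.
Added example, not from the original posts; the packets and table contents
are constructed, and state, scrub and antispoof are ignored."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    quick: bool = False               # stop evaluating on match
    iface: Optional[set] = None       # None = any interface
    proto: Optional[set] = None       # None = any protocol
    ports: Optional[set] = None       # destination ports, None = any
    src_table: Optional[str] = None   # match only sources listed in this table

    def matches(self, pkt, tables):
        if self.direction != pkt["dir"]:
            return False
        if self.iface is not None and pkt["iface"] not in self.iface:
            return False
        if self.proto is not None and pkt["proto"] not in self.proto:
            return False
        if self.ports is not None and pkt["dport"] not in self.ports:
            return False
        if self.src_table is not None and pkt["src"] not in tables[self.src_table]:
            return False
        return True


def evaluate(rules, pkt, tables):
    """pf semantics: the LAST matching rule decides, except that a matching
    'quick' rule decides immediately; no matching rule at all means pass."""
    verdict = "pass"
    for r in rules:
        if r.matches(pkt, tables):
            verdict = r.action
            if r.quick:
                break
    return verdict


EXT_IF = {"wlan0", "alc0"}


def ruleset(ext_services):
    """The poster's final ordering: default block, quick block of banned
    sources, then pass the allowed services ($ext_services)."""
    return [
        Rule("block", "in"),
        Rule("pass", "out"),
        Rule("block", "in", quick=True, iface=EXT_IF, src_table="antiscan"),
        Rule("block", "in", quick=True, iface=EXT_IF, src_table="fail2ban"),
        Rule("pass", "in", iface=EXT_IF, proto={"tcp", "udp"}, ports=ext_services),
    ]


def syn(src, dport, iface="wlan0"):
    """Constructed inbound TCP probe, as sent by nmap's connect scan."""
    return {"dir": "in", "iface": iface, "proto": "tcp", "src": src, "dport": dport}


def verdicts(ext_services, tables, scanner="192.168.1.2"):
    """Verdict for probes from `scanner` to port 1 (a portsentry decoy port),
    22 (sshd) and 80 (not offered), under a given $ext_services set."""
    rules = ruleset(ext_services)
    return {port: evaluate(rules, syn(scanner, port), tables) for port in (1, 22, 80)}


if __name__ == "__main__":
    empty = {"antiscan": set(), "fail2ban": set()}
    banned = {"antiscan": {"192.168.1.2"}, "fail2ban": set()}
    # Only 22 passed: port 1 is blocked before portsentry can accept it.
    print(verdicts({22}, empty))
    # Port 1 passed too: the probe reaches portsentry, which fills <antiscan>.
    print(verdicts({1, 22}, empty))
    # Scanner now in <antiscan>: the quick rule blocks it even on port 22.
    print(verdicts({1, 22}, banned))
```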
 
Now I have solved the fail2ban problem.

First, it is necessary to add the following regex to the failregex field in /usr/local/etc/fail2ban/filter.d/sshd

Code:
: error: PAM: authentication error for .* from <HOST>\s*$

It's possible to check the regex with the command:

# fail2ban-regex /var/log/auth.log /usr/local/etc/fail2ban/filter.d/sshd.conf

Moreover, there was a mistake in the file /usr/local/etc/fail2ban/action.d/pf.log:
just delete the quotes in the actionban and actionunban fields.

I show my revised pf.conf:

Code:
ext_if="{wlan0,alc0}"
ext_services="{1,22}"
int_services="{25,80,139,445,631,3306}"

# Declaration of the table referencing all IP addresses assigned to the
# firewall.
#table <firewall> const { self }
table <fail2ban> persist
table <antiscan> persist

# Measure against certain types of attacks
scrub in all

# Do not filter on the loopback interface
set skip on lo0

# Set up a default deny policy.
block in
#block return

# Keep state for outgoing connections
#pass out keep state
pass out

# Enable anti-spoofing protection on all
# interfaces.
block in quick from urpf-failed
antispoof log for $ext_if

# Block IPs contained in the antiscan table (updated by portsentry)
block in quick on $ext_if from <antiscan>

# Block IPs contained in the fail2ban table (updated by fail2ban)
block in quick on $ext_if from <fail2ban>

# Allow external access to the following services:
# (port 1 is reachable only so that portsentry detects scans)
pass in on $ext_if proto {tcp,udp} from any to any port $ext_services

Thanks a lot.
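As an added illustration of the two fixes in this post (the failregex for the FreeBSD PAM message and the unquoted actionban), the following Python snippet checks the regex against constructed auth.log lines the way fail2ban-regex does, applies the jail's maxretry, and builds the pfctl command fail2ban would run. It is example code, not part of the thread or of fail2ban; the <HOST> expansion is the one fail2ban 0.8 uses, and the log lines are constructed.

```python
"""Check a fail2ban failregex against log lines the way fail2ban-regex
does, then apply the jail's maxretry and build the pf ban command.  Added
example, not code from the thread or from fail2ban itself; the log lines
are constructed in the format shown in the thread."""
import re
import shlex
from collections import Counter

# fail2ban (0.8.x) expands <HOST> into this named group before compiling.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The regex the poster added to filter.d/sshd.conf (it is not anchored at
# the line start, so the syslog prefix does not need to be modelled).
FAILREGEX = [r": error: PAM: authentication error for .* from <HOST>\s*$"]

# Constructed auth.log excerpt in the FreeBSD format quoted in the thread.
AUTH_LOG = """\
Jun 27 11:09:35 heavenboy-freebsd sshd[10897]: error: PAM: authentication error for heavenboy from 192.168.0.60
Jun 27 11:09:41 heavenboy-freebsd sshd[10897]: error: PAM: authentication error for heavenboy from 192.168.0.60
Jun 27 11:09:47 heavenboy-freebsd sshd[10897]: error: PAM: authentication error for heavenboy from 192.168.0.60
Jun 27 11:10:02 heavenboy-freebsd sshd[10901]: Accepted publickey for heavenboy from 192.168.0.61 port 50122 ssh2
Jun 27 11:10:30 heavenboy-freebsd sshd[10905]: error: PAM: authentication error for root from 192.168.0.77
"""


def compile_failregex(patterns):
    """Substitute <HOST> and compile, as fail2ban does for each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_hosts(log_text, patterns=FAILREGEX):
    """Return the host from every log line matched by any failregex
    (the 'Matched' lines that fail2ban-regex reports), in log order."""
    compiled = compile_failregex(patterns)
    hosts = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def hosts_to_ban(hosts, maxretry=3):
    """Hosts that reached maxretry failures (findtime is assumed not to
    have expired within this short excerpt)."""
    counts = Counter(hosts)
    return sorted(h for h, n in counts.items() if n >= maxretry)


def ban_command(ip, table="fail2ban"):
    """actionban from the thread's action.d/pf.conf with <ip> substituted.
    The value must NOT be wrapped in quotes in pf.conf: fail2ban runs the
    action through the shell, so a fully quoted string becomes one
    (nonexistent) program name instead of pfctl plus its arguments."""
    action = "/sbin/pfctl -t %s -T add <ip>/32" % table
    return shlex.split(action.replace("<ip>", ip))


if __name__ == "__main__":
    hosts = match_hosts(AUTH_LOG)
    print("matched:", hosts)
    for ip in hosts_to_ban(hosts):
        print("would run:", ban_command(ip))
```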
 