fail2ban (with ipfw) on FreeBSD

Posted: 3rd July 2013 by Thorben Hemmler in FreeBSD

Installing the software

cd /usr/ports/security/py-fail2ban/ && make install clean

I made the following entries in /etc/rc.conf:

firewall_enable="YES"
firewall_type="fail2ban"
firewall_logging="YES"
fail2ban_enable="YES"

Changes to /etc/rc.firewall (inside the case ${firewall_type} block):

[Ff][Aa][Ii][Ll][2][Bb][Aa][Nn])
${fwcmd} add deny tcp from table\(1\) to any
${fwcmd} add 65000 pass all from any to any
;;

Create a new "action" at /usr/local/etc/fail2ban/action.d/ipfw.only_ports.conf:

# Fail2Ban configuration file
[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =


# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          USEDNUMS collects every 5-digit rule number already present in
#          `ipfw list`; NUM is the first number in <minnum>..<maxnum> not
#          among them, so each ban gets its own rule in that range.
#          <host>, <port>, <minnum> and <maxnum> are passed from jail.conf.
#          (%% is required because fail2ban interpolates % in this file.)
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
#actionban = ipfw add <rule_number> <blocktype> tcp from <ip> to <host> <port>
actionban = USEDNUMS=`ipfw list | perl -pe 's/(\d{5}) .*\n/$1|/' | perl -pe 's/\|$//'`
            NUM=`jot -w '%%05d' - <minnum> <maxnum> | grep -vE "($USEDNUMS)" | head -n1`
            ipfw add $NUM deny tcp from <ip> to <host> dst-port <port>


# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Matches the rule on the exact "from <ip> to" and "dst-port <port>"
#          text so that e.g. 10.0.0.1 does not also select 10.0.0.10.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = ipfw delete `ipfw list | grep -F 'from <ip> to ' | grep -E 'dst-port <port>$' | awk '{print $1;}'`

[Init]

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]
#
#port =

# Option:  host
# Notes.:  destination address the ban rule applies to; the jails below
#          pass host=any so the banned IP is blocked on every local address
# Values:  [ IP | any ]
#
host = any

# Option:  blocktype
# Notes.:  How to block the traffic. Use an action from ipfw(8)
#          Common values: deny, unreach port, reset
# Values:  STRING
#
#blocktype = deny

Then adjust /usr/local/etc/fail2ban/jail.conf a little:

[ssh-kunden]
enabled  = true
filter   = sshd
action   = ipfw.only_ports[minnum=50000, maxnum=59999, host=any, port=22]
logpath  = /var/log/auth.log
maxretry = 4
bantime  = 600

[vsftpd]
enabled  = true
filter   = vsftpd
action   = ipfw.only_ports[minnum=50000, maxnum=59999, host=any, port='20,21']
logpath  = /var/log/messages
maxretry = 4
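The rule-number bookkeeping of the action above, as an added example that is not code from the post: actionban's free-number search and actionunban's rule lookup, rewritten in awk and run against a constructed `ipfw list` listing, so the logic (including an exhausted range and a missing ban rule) can be checked without root or a real ipfw. The variable and function names are this example's own; the 50000..59999 range is the jails' minnum/maxnum.

```shell
# Added example (not the post's code); names here are this example's own.

# Constructed sample of `ipfw list` on a host using the post's "fail2ban"
# rc.firewall type, with two bans already in place (ipfw zero-pads the
# rule numbers to five digits).
SAMPLE_IPFW_LIST='00100 deny tcp from table(1) to any
50000 deny tcp from 198.51.100.7 to any dst-port 22
50001 deny tcp from 203.0.113.9 to any dst-port 20,21
65000 allow ip from any to any
65535 deny ip from any to any'

# pick_free_rule MIN MAX: lowest rule number in [MIN, MAX] not present in
# the listing read on stdin; prints nothing when the range is exhausted.
pick_free_rule() {
    awk -v min="$1" -v max="$2" '
        /^[0-9][0-9][0-9][0-9][0-9] / { used[$1 + 0] = 1 }
        END {
            for (n = min; n <= max; n++)
                if (!(n in used)) { printf "%05d\n", n; exit }
        }'
}

# find_ban_rule IP PORT: number(s) of the rule(s) banning exactly IP for
# PORT, i.e. what actionunban hands to `ipfw delete`. Dots in IP are
# escaped so 10.0.0.1 cannot select the rule for 10.0.0.10.
find_ban_rule() {
    awk -v ip="$1" -v port="$2" '
        BEGIN { gsub(/\./, "\\\\.", ip) }
        $0 ~ ("from " ip " to ") && $0 ~ ("dst-port " port "$") { print $1 }'
}

# ban_cmd IP PORT / unban_cmd IP PORT: print the ipfw command the action
# would run (the real action executes it as root instead of printing).
ban_cmd() {
    num=$(printf '%s\n' "$SAMPLE_IPFW_LIST" | pick_free_rule 50000 59999)
    [ -n "$num" ] || { echo "no free rule number in range" >&2; return 1; }
    printf 'ipfw add %s deny tcp from %s to any dst-port %s\n' "$num" "$1" "$2"
}

unban_cmd() {
    num=$(printf '%s\n' "$SAMPLE_IPFW_LIST" | find_ban_rule "$1" "$2")
    [ -n "$num" ] || { echo "no ban rule for $1 port $2" >&2; return 1; }
    printf 'ipfw delete %s\n' "$num"
}
# ban_cmd 192.0.2.5 22 -> ipfw add 50002 deny tcp from 192.0.2.5 to any dst-port 22
```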

I still had to load the kernel module and (re)start ipfw and fail2ban with a small script:

#!/bin/sh
# load the ipfw kernel module, then (re)start ipfw and fail2ban
kldload ipfw.ko
/etc/rc.d/ipfw restart
/usr/local/etc/rc.d/fail2ban restart

bantime = 1800

  1. K2 says:

    Good post.
    Chapeau!