  #1  
Old 10-25-2011, 12:17 PM
drulavigne drulavigne is offline
Administrator
 
Join Date: Nov 2009
Posts: 1,133
Thanks: 46
Thanked 55 Times in 53 Posts
Default fail2ban
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address. The FreeBSD port adds support for PF and IPFW.

Ports location is security/py-fail2ban
  #2  
Old 10-25-2011, 05:08 PM
jag3773 jag3773 is offline
Member
 
Join Date: Sep 2007
Location: CO
Posts: 37
Thanks: 2
Thanked 1 Time in 1 Post
Default +1
This would be a great addition.
__________________
Thanks,
Jesse

http://www.ekfocus.com
  #3  
Old 12-02-2011, 03:48 PM
Beanpole Beanpole is offline
Senior Member
 
Join Date: May 2010
Posts: 2,577
Thanks: 23
Thanked 450 Times in 366 Posts
Default
I just created a module for this program. It should appear in the AppCafe once it builds and is approved.
__________________
~ Ken Moore ~
PC-BSD/iXsystems
  #4  
Old 02-07-2012, 12:52 PM
rockworldmi rockworldmi is offline
Junior Member
 
Join Date: Nov 2011
Posts: 24
Thanks: 1
Thanked 0 Times in 0 Posts
Default
There's denyhost installed by default in the BASE system. If PC-BSD gave an option for selecting other options like fail2ban, that would be nice ... and it could be incorporated into the GUI firewall in 9.1.
  #5  
Old 02-16-2012, 07:38 PM
Beanpole Beanpole is offline
Senior Member
 
Join Date: May 2010
Posts: 2,577
Thanks: 23
Thanked 450 Times in 366 Posts
Default
The py-fail2ban PBIs have just been released. They should be available in the AppCafe within 24 hours.
__________________
~ Ken Moore ~
PC-BSD/iXsystems
  #6  
Old 04-26-2012, 08:42 AM
rockworldmi rockworldmi is offline
Junior Member
 
Join Date: Nov 2011
Posts: 24
Thanks: 1
Thanked 0 Times in 0 Posts
Default
Thanks, got it.
  #7  
Old 04-28-2012, 08:47 PM
sg1efc sg1efc is offline
Senior Member
 
Join Date: Jan 2012
Location: USA
Posts: 257
Thanks: 450
Thanked 8 Times in 8 Posts
Default
Originally Posted by drulavigne View Post
Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address. The FreeBSD port adds support for PF and IPFW.

Ports location is security/py-fail2ban
Seems like a great addition to computer/server security. Thanks a lot Dru.
__________________
PC-BSD totally rocks! Thanks A Lot to everyone who has helped create and improve it.

http://www.nwbackup.com
  #8  
Old 03-07-2013, 12:22 PM
johnedstone johnedstone is offline
Junior Member
 
Join Date: Oct 2012
Posts: 17
Thanks: 3
Thanked 5 Times in 5 Posts
Default How to verify that fail2ban is working
I'm running 9.1-Release, and I've opened up ssh.
fail2ban is running

In the periodic "security run output" I'm seeing, of course, numerous login failures.

Are these being logged somewhere and blocked? I looked in /var/log/fail2ban.log and these IP addresses are not showing up. It seems like when I ran deny hosts, before, I could see the IPs accumulating.

I do see in the pf rules, a placeholder for blacklist. Where does that point to?

Here's a snippet from "security run output"

Code:
potter42 pf denied packets:
+++ /tmp/security.nevytOEi      2013-03-06 13:01:07.819196827 -0500
+block drop in quick on ! lo0 inet from 127.0.0.0/8 to any [ Evaluations: 51798 Packets: 0 Bytes: 0 States: 0 ]
+block return in from no-route to any [ Evaluations: 28064 Packets: 0 Bytes: 0 States: 0 ]
+block return in log all [ Evaluations: 28064 Packets: 23948 Bytes: 3988996 States: 0 ]
+block return from <blacklist> to any [ Evaluations: 51798 Packets: 0 Bytes: 0 States: 0 ]

potter42 login failures:
Mar  5 20:30:38 potter42 sshd[86690]: Invalid user cucu from 117.79.91.214
Mar  5 20:31:28 potter42 sshd[86793]: Invalid user cucu from 117.79.91.214
Mar  5 20:31:30 potter42 sshd[86796]: Invalid user git from 117.79.91.214
Mar  5 20:31:32 potter42 sshd[86806]: Invalid user centos from 117.79.91.214
Mar  5 20:31:35 potter42 sshd[86812]: Invalid user ubuntu from 117.79.91.214

There are no IPs in these logs
Code:
 wc /etc/hosts.deniedssh /etc/blacklist 
       0       0       0 /etc/hosts.deniedssh
       0       0       0 /etc/blacklist
       0       0       0 total
[root@potter42 ~]# egrep "\d{3}" /var/log/fail2ban.log 
[root@potter42 ~]# 
[root@potter42 ~]# echo "is fail2ban really running?"
is fail2ban really running?
[root@potter42 ~]# pgrep -fl fail2ban
2488 /usr/local/bin/python2.7 /usr/local/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
[root@potter42 ~]#
The Following User Says Thank You to johnedstone For This Useful Post:
sg1efc (03-07-2013)
  #9  
Old 03-07-2013, 09:33 PM
sg1efc sg1efc is offline
Senior Member
 
Join Date: Jan 2012
Location: USA
Posts: 257
Thanks: 450
Thanked 8 Times in 8 Posts
Default
Originally Posted by johnedstone View Post
I'm running 9.1-Release, and I've opened up ssh.
fail2ban is running

In the periodic "security run output" I'm seeing, of course, numerous login failures.

Are these being logged somewhere and blocked? I looked in /var/log/fail2ban.log and these IP addresses are not showing up. It seems like when I ran deny hosts, before, I could see the IPs accumulating.

I do see in the pf rules, a placeholder for blacklist. Where does that point to?
I don't know anything about Fail2Ban unfortunately, but if you haven't gone here yet, the Fail2Ban site might have your answer somewhere:
http://www.fail2ban.org/wiki/index.p...mmunity_Portal

:-)
__________________
PC-BSD totally rocks! Thanks A Lot to everyone who has helped create and improve it.

http://www.nwbackup.com
The Following User Says Thank You to sg1efc For This Useful Post:
johnedstone (03-14-2013)
  #10  
Old 03-08-2013, 01:32 AM
johnedstone johnedstone is offline
Junior Member
 
Join Date: Oct 2012
Posts: 17
Thanks: 3
Thanked 5 Times in 5 Posts
Default
Okay, thanks. I've edited /usr/local/etc/fail2ban/jail.conf, setting the sshd-ipfw block to true, and restarting fail2ban. Let's see if that does it.
The Following User Says Thank You to johnedstone For This Useful Post:
sg1efc (03-08-2013)
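
Added example (not part of the original posts, and not fail2ban's own code): a running fail2ban-server with no enabled jail bans nothing, which matches the situation in posts #8 and #10. The script lists jails with "enabled = true" in a jail.conf-style file and counts failed sshd logins per source against a threshold; the file contents, the function names enabled_jails and offenders, and the addresses are constructed, the log matching is a simplified stand-in for the sshd filter, and the findtime window is ignored.

```shell
#!/bin/sh
# Added example. File contents below are constructed samples, not the poster's.

# Print every jail section that sets "enabled = true" (DEFAULT is not a jail).
enabled_jails() {
    awk '
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                        # [section] header
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); jail = $0; next
        }
        /^[ \t]*enabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            if (jail != "DEFAULT" && tolower(v) == "true") print jail
        }' "$1"
}

# Print "ip count" for sources with at least $2 failed sshd logins in file $1.
# Simplified stand-in for the sshd filter; the findtime window is ignored.
offenders() {
    awk -v max="$2" '
        / sshd\[[0-9]+\]: (Invalid user|Failed password) / {
            for (i = NF - 1; i > 0; i--)                # address follows the last "from"
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }' "$1" | sort
}

dir=$(mktemp -d)
cat > "$dir/jail.conf" <<'EOF'
[DEFAULT]
maxretry = 3

# constructed jail, still disabled
[sshd-ipfw]
enabled  = false
filter   = sshd
logpath  = /var/log/auth.log
EOF
cat > "$dir/auth.log" <<'EOF'
Mar  5 20:30:38 host sshd[86690]: Invalid user cucu from 203.0.113.7
Mar  5 20:31:28 host sshd[86793]: Invalid user git from 203.0.113.7
Mar  5 20:31:30 host sshd[86796]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar  5 20:31:32 host sshd[86806]: Invalid user centos from 198.51.100.9
Mar  5 20:31:40 host sshd[86810]: Accepted publickey for admin from 192.0.2.10 port 5111 ssh2
EOF

echo "enabled jails: $(enabled_jails "$dir/jail.conf" | tr '\n' ' ')"
echo "over threshold: $(offenders "$dir/auth.log" 3)"
```

On a live system, point the functions at /usr/local/etc/fail2ban/jail.conf and the sshd log instead of the sample files. When searching fail2ban.log for addresses with egrep, write the digit class as `[0-9]`, since `\d` is not part of POSIX extended regular expressions.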
Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.
All other content is freely available for sharing under the terms of the Creative Commons Attribution License.