fail2ban

[drulavigne]

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address. The FreeBSD port adds support for PF and IPFW.

Ports location is security/py-fail2ban

[jag3773]

This would be a great addition.

[Beanpole]

I just created a module for this program. It should appear in the AppCafe once it build and is approved.

[rockworldmi]

There's denyhost by default installed in BASE system. if PC-BSD gives option for selecting other options like fail2ban would be nice ...and it can be incorporated into GUI firewall in 9.1

[Beanpole]

The py-fail2ban PBI's have just been released. They should be available in the AppCafe within 24 hours.

[rockworldmi]

Thanks got it ..

[sg1efc]

Originally Posted by drulavigne

Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address. The FreeBSD port adds support for PF and IPFW. Ports location is security/py-fail2ban

Seems like a great addition to computer/server security. Thanks a lot Dru.

[johnedstone]

I'm running 9.1-Release, and I've opened up ssh.
fail2ban is running

In the periodic "security run output" I'm seeing, of course, numerous login failures.

Are these being logged somewhere and blocked? I looked in /var/log/fail2ban.log and these ip addresses are not showing up. It seems like when I ran deny hosts, before, I could see the ip's accumulating.

I do see in the pf rules, a placeholder for blacklist. Where does that point to?

Here's a snippet from "security run output"

Code:

potter42 pf denied packets: +++ /tmp/security.nevytOEi 2013-03-06 13:01:07.819196827 -0500 +block drop in quick on ! lo0 inet from 127.0.0.0/8 to any [ Evaluations: 51798 Packets: 0 Bytes: 0 States: 0 ] +block return in from no-route to any [ Evaluations: 28064 Packets: 0 Bytes: 0 States: 0 ] +block return in log all [ Evaluations: 28064 Packets: 23948 Bytes: 3988996 States: 0 ] +block return from <blacklist> to any [ Evaluations: 51798 Packets: 0 Bytes: 0 States: 0 ] potter42 login failures: Mar 5 20:30:38 potter42 sshd[86690]: Invalid user cucu from 117.79.91.214 Mar 5 20:31:28 potter42 sshd[86793]: Invalid user cucu from 117.79.91.214 Mar 5 20:31:30 potter42 sshd[86796]: Invalid user git from 117.79.91.214 Mar 5 20:31:32 potter42 sshd[86806]: Invalid user centos from 117.79.91.214 Mar 5 20:31:35 potter42 sshd[86812]: Invalid user ubuntu from 117.79.91.214

There are no ip's in these logs

Code:

wc /etc/hosts.deniedssh /etc/blacklist 0 0 0 /etc/hosts.deniedssh 0 0 0 /etc/blacklist 0 0 0 total [root@potter42 ~]# egrep "\d{3}" /var/log/fail2ban.log [root@potter42 ~]# [root@potter42 ~]# echo "is fail2ban really running?" is fail2ban really running? [root@potter42 ~]# pgrep -fl fail2ban 2488 /usr/local/bin/python2.7 /usr/local/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock [root@potter42 ~]#

[sg1efc]

Originally Posted by johnedstone

I'm running 9.1-Release, and I've opened up ssh. fail2ban is running In the periodic "security run output" I'm seeing, of course, numerous login failures. Are these being logged somewhere and blocked? I looked in /var/log/fail2ban.log and these ip addresses are not showing up. It seems like when I ran deny hosts, before, I could see the ip's accumulating. I do see in the pf rules, a placeholder for blacklist. Where does that point to?

I don't know anything about Fail2Ban unfortunately, but if you haven't gone here yet, the Fail2Ban site might have your answer somewhere:
http://www.fail2ban.org/wiki/index.p...mmunity_Portal

:-)

[johnedstone]

Okay, thanks .. I've edited /usr/local/etc/fail2ban/jail.conf, setting the sshd-ipfw block to true. And, restarting fail2ban. Let's see if that does it.