Securing FreeBSD server with Fail2Ban and IPFW

I’ve been playing with a FreeBSD machine for a while now, and my primary server runs FreeBSD 😀
So I came across this problem: installing Fail2Ban with IPFW.

FreeBSD has three different firewalls, so it’s difficult for any upstream application to decide on what kind of setup it should advocate. There is no one-size-fits-all. I read about the various firewalls, and since I wanted to stick with FreeBSD only, I decided to use IPFW.

Fail2ban is a very useful tool for mitigating brute-force attacks against system daemons. The best part about it is how it works: it matches log lines against regular expressions and runs user-configured commands to ban and unban the offending IP addresses, so it can drive whatever firewall you happen to use.

IPFW has a lookup-table feature, which is what I use here. This is one of the IPFW rules in my script:

ipfw add deny all from 'table(1)' to any dst-port 22 in

This rule denies inbound traffic to destination port 22 from any IP address found in table number one.

Next, the jail configuration (the SSH jail’s section in /usr/local/etc/fail2ban/jail.conf):

enabled  = true
filter   = bsd-sshd
action = ipfw-ssh
logpath  = /var/log/sshd/current
maxretry = 3

Go to /usr/local/etc/fail2ban/action.d and copy ipfw.conf to ipfw-ssh.conf.

Open ipfw-ssh.conf in your favorite text editor and modify the actionban and actionunban lines:

actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>

For the lazy, here’s a patch:

--- ipfw.conf   2012-12-06 04:51:29.000000000 +0100
+++ ipfw-ssh.conf       2013-04-17 12:00:57.000000000 +0200
@@ -37,7 +37,7 @@
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
-actionban = ipfw add deny tcp from <ip> to <localhost> <port>
+actionban = ipfw table 1 add <ip>

 # Option:  actionunban
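Review bot: the new actionban only works if a firewall rule that references table 1 is already installed, and nothing in this action file installs it, so a jail using this action would "ban" into an unused table on a host without that rule; add an actionstart that installs the rule (the one from the post, `ipfw add deny all from 'table(1)' to any dst-port 22 in`) or at least document the dependency in the file header. The removed line was the only place `<localhost>` and `<port>` were used, so those parameters no longer influence what gets blocked; the port is now decided solely by the table rule, which is worth stating next to the new command.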
@@ -48,7 +48,7 @@
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
-actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
+actionunban = ipfw table 1 delete <ip>

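Review bot: the replaced actionunban located rules with `grep -i <ip>`, an unanchored substring match where the dots also match any character, so unbanning 10.0.0.1 could delete a rule for 10.0.0.10 as well; the exact-match `ipfw table 1 delete <ip>` fixes that and the commit message should say so. For symmetry with the ban side, consider an actionstop that runs `ipfw table 1 flush`, since entries added by actionban now outlive a fail2ban stop and nothing else removes them once the unban timer is gone.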

That’s it. Start your firewall and fail2ban.
Whenever fail2ban detects a brute-force attempt, it adds the offending IP to table number one, and the IPFW rule above blocks that address’s connections to port 22. Once the bantime expires, fail2ban deletes the address from the table again.
