Securing FreeBSD server with Fail2Ban and IPFW
I’ve been playing with a FreeBSD machine for a while, and my primary server now runs FreeBSD 😀
Along the way I ran into this problem: setting up Fail2Ban with IPFW.
FreeBSD has three different firewalls, so it’s difficult for any upstream application to decide what kind of setup it should advocate. There is no one-size-fits-all. I read about the various firewalls, and since I wanted to stick with FreeBSD-native tooling, I decided to use IPFW.
Fail2ban is a very useful script for preventing brute force attacks against various system daemons. The best part is that it works on regular expressions and user-configured commands for banning and unbanning IP addresses.
IPFW has a lookup table feature, which I used here. This is one of the IPFW rules in my script:
ipfw add deny all from 'table(1)' to any dst-port 22 in
So it blocks inbound traffic to port 22 from any IP address found in table number one.
Now the Fail2Ban jail configuration in /usr/local/etc/fail2ban/jail.conf:
[ssh-ipfw]
enabled = true
filter = bsd-sshd
action = ipfw-ssh
logpath = /var/log/sshd/current
maxretry = 3
Go to /usr/local/etc/fail2ban/action.d and copy ipfw.conf to ipfw-ssh.conf.
Open ipfw-ssh.conf in your favorite text editor and change the actionban and actionunban lines to:
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>
For the lazy, here’s a patch:
--- ipfw.conf 2012-12-06 04:51:29.000000000 +0100
+++ ipfw-ssh.conf 2013-04-17 12:00:57.000000000 +0200
@@ -37,7 +37,7 @@
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionban = ipfw add deny tcp from <ip> to <localhost> <port>
+actionban = ipfw table 1 add <ip>
# Option: actionunban
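Review bot: the new actionban line only has an effect when the ruleset contains the matching table rule (the post's `ipfw add deny all from 'table(1)' to any dst-port 22 in`), and nothing in this hunk records that dependency. Suggest stating it in the comment block above actionban, since a reader of ipfw-ssh.conf alone cannot see why `<localhost>` and `<port>` were dropped from the command.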
@@ -48,7 +48,7 @@
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
+actionunban = ipfw table 1 delete <ip>
[Init]
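Review bot: table number 1 is hard-coded in both actionban and actionunban while the [Init] section starts right below; define it once there (for example `table = 1`) and reference it as `<table>` in both commands so the action file and the ipfw rule can be kept in sync from one place. The table-based delete is otherwise a clear improvement over the old `ipfw list | grep -i <ip>` lookup, which could also match an unrelated rule whose address merely contains `<ip>` as a substring.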
That’s it. Start your firewall and fail2ban.
Whenever fail2ban detects brute force attempts, it adds the offending IP to table number one, which causes its connections to be blocked by our primary IPFW rule. The entry is deleted again once the bantime is over.
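To make the detect-ban-unban flow above concrete, here is a small Python simulation of the ssh-ipfw jail (an added example, not fail2ban's own code). The failure regex is a simplified stand-in for the bsd-sshd filter, the log lines are constructed, and the ipfw commands are only rendered as strings, never executed.

```python
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's bsd-sshd filter (an assumption, not the real regex)
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                     r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")
# The action lines from ipfw-ssh.conf; <ip> is the tag fail2ban substitutes
ACTIONBAN = "ipfw table 1 add <ip>"
ACTIONUNBAN = "ipfw table 1 delete <ip>"

# Constructed sshd log lines: (seconds since start, syslog line)
SAMPLE_LOG = [
    (0, "Apr 17 12:00:00 bsd sshd[811]: Failed password for root from 192.0.2.10 port 40122 ssh2"),
    (15, "Apr 17 12:00:15 bsd sshd[813]: Failed password for invalid user admin from 192.0.2.10 port 40140 ssh2"),
    (20, "Apr 17 12:00:20 bsd sshd[815]: Accepted publickey for ops from 198.51.100.7 port 51002 ssh2"),
    (31, "Apr 17 12:00:31 bsd sshd[817]: Failed password for root from 192.0.2.10 port 40151 ssh2"),
    (40, "Apr 17 12:00:40 bsd sshd[819]: Failed password for root from 198.51.100.7 port 51010 ssh2"),
]

class Jail:
    """Mimics the ssh-ipfw jail: maxretry failures within findtime => ban for bantime."""
    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.table = {}                     # ip -> unban time; mirrors ipfw table 1
    def feed(self, now, line):
        """Process one log line; return the ban command when a ban is triggered."""
        m = FAIL_RE.search(line)
        if not m or m.group("ip") in self.table:  # no match, or already banned
            return None
        ip = m.group("ip")
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) < self.maxretry:
            return None
        self.table[ip] = now + self.bantime
        q.clear()
        return ACTIONBAN.replace("<ip>", ip)
    def expire(self, now):
        """Unban entries whose bantime has elapsed; return the unban commands."""
        expired = [ip for ip, until in self.table.items() if now >= until]
        for ip in expired:
            del self.table[ip]
        return [ACTIONUNBAN.replace("<ip>", ip) for ip in expired]

def simulate(end=900):
    """Feed the sample log, then run the unban sweep at time `end`; return commands."""
    jail = Jail()
    issued = [c for c in (jail.feed(t, line) for t, line in SAMPLE_LOG) if c]
    return issued + jail.expire(end)
```

Only 192.0.2.10 reaches maxretry, so the run yields one `ipfw table 1 add` followed, after bantime, by the matching `ipfw table 1 delete`; the single failure from 198.51.100.7 never touches the table.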