# Fail2Ban and FreeBSD



## fred974 (Jan 5, 2016)

Hello,

I just installed security/py-fail2ban using `pkg install py27-fail2ban`. I then created /usr/local/etc/fail2ban/jail.d/ssh-pf.local with the following:

```
[ssh-pf]

enabled  = true
filter   = bsd-sshd
action   = pf
#          sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost]
logpath  = /var/log/auth.log
bantime  = 5400
findtime = 600
maxretry = 3
```

I now want to create some default settings, so I `vi /usr/local/etc/fail2ban/jail.local` with the following settings:

```
[DEFAULT]
backend         = auto
bantime         = 5400
findtime        = 600
maxretry        = 5
destemail       = webmaster@me.com
ignoreip        = 127.0.0.1/8 213.146.159.xxx
logtargets      = /var/log/fail2ban.log
```
When renaming jail.conf to jail.local, do I lose everything that I haven't copied across from jail.conf?

Also, when restarting the fail2ban service, fail2ban clears the chain for the filter and parses the current log for matches, not the rotated logs. So you don't ban any IPs that were banned before logrotate rotated the old log.
Will adding the following solve this problem?
/actions.d/pf.local:

```
actionban = /sbin/pfctl -t fail2ban -T add <ip>/32 && /sbin/pfctl -k <ip> && echo <ip> >> /etc/pf-files/fail2ban.pftable
```


```
table <fail2ban> counters file "/etc/pf-files/fail2ban.pftable"
```

Thank you


----------



## fred974 (Jan 6, 2016)

Hi,
Could anyone please help? I'm really stuck.
When renaming jail.conf to jail.local, do I lose everything that I haven't copied across from jail.conf?

Google isn't helping much on this subject.


----------



## SirDice (Jan 6, 2016)

It's been a while but I don't think you're supposed to rename or copy anything. If I remember correctly you can use the *.local files to overrule settings from the *.conf files. That way your settings won't get overwritten if you reinstall or update fail2ban.


----------



## miklosq (Jan 8, 2016)

AFAIK, yes, you override certain keywords in /usr/local/etc/fail2ban/jail.local. They are expected to change the default behaviour for all jails.

However, whatever you put into the jail configuration (like you did above in ssh-pf) will be taken into account per jail configuration. So, for example, if you have a default bantime of *600*, but you provide a different value in the jail config, the latter one will take effect. In my case, I have got the following in /usr/local/etc/fail2ban/jail.d/sshd.conf:


```
enabled=true
port=ssh
bantime=3600
logpath = /var/log/messages
```

Then the _bantime_ for the jail in question will be *3600* instead of *600*. As for the rotated logs, in the newer versions of fail2ban, AFAIR v0.9 and above, there is wildcard support for the _logpath_ keyword option, so that it would parse the compressed logfiles, too. See manual here.

The current default _logtarget_ keyword setting can be easily extracted with the following command:


```
[root@host /usr/local/etc/fail2ban/jail.d]# fail2ban-client get logtarget
Current logging target is:
`- /var/log/fail2ban.log
[root@host /usr/local/etc/fail2ban/jail.d]#
```
Did you try the *fail2ban-client* command?

As for me, I don't care about banning old IPs that have been banned previously or have bad history. An IP can become infected only for a certain amount of time, then the malicious software may be removed and the same IP may become "clean".


----------
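The override behaviour described in the replies above, as an added example that is not part of the original thread and not fail2ban's own code: a simplified model of how settings are layered in fail2ban's documented read order (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local), showing which file supplies each effective value for the `ssh-pf` jail. The jail.conf contents are constructed, the function names are hypothetical, and the model ignores fail2ban's include and interpolation features.

```python
import configparser

# Constructed file contents. jail.conf is cut down to a few stock-style
# defaults; the two .local files repeat settings posted in this thread.
FILES = {
    "jail.d/ssh-pf.local": """
[ssh-pf]
enabled = true
filter = bsd-sshd
action = pf
logpath = /var/log/auth.log
bantime = 5400
maxretry = 3
""",
    "jail.local": """
[DEFAULT]
bantime = 5400
maxretry = 5
destemail = webmaster@me.com
""",
    "jail.conf": """
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5
usedns = warn
""",
}

def read_order(names):
    """jail.conf, jail.d/*.conf, jail.local, jail.d/*.local; sorted by name within a group."""
    return sorted(names, key=lambda n: (n.endswith(".local"), n.startswith("jail.d/"), n))

def effective(files, jail):
    """Return {option: (value, file that set it last)} for one jail."""
    defaults, specific = {}, {}
    for name in read_order(files):
        # default_section is moved aside so [DEFAULT] can be tracked as its own layer
        cp = configparser.ConfigParser(interpolation=None, default_section="<unused>")
        cp.read_string(files[name], source=name)
        for section, layer in (("DEFAULT", defaults), (jail, specific)):
            if cp.has_section(section):
                for key, value in cp.items(section):
                    layer[key] = (value, name)
    return {**defaults, **specific}  # a jail's own option always beats [DEFAULT]

if __name__ == "__main__":
    for key, (value, origin) in sorted(effective(FILES, "ssh-pf").items()):
        print(f"{key:10} = {value:20} <- {origin}")
```

Settings that appear only in jail.conf (here `usedns` and `findtime`) stay in effect even though they were never copied into a .local file.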

