# IPFW and Fail2Ban



## k1piee (May 11, 2011)

Hi,

I'm trying to configure fail2ban on my FreeBSD 8.2-RELEASE server but can't really get it to work. I've never tried fail2ban before, nor am I any good with firewall rules. I got a IPFW rules-script working just fine. However I'm a little bit confused how to get this to work properly.

/usr/local/fail2ban/jail.conf:


```
[DEFAULT]

ignoreip = 127.0.0.1 192.168.1.61

bantime  = 3600

findtime  = 600

maxretry = 3

backend = auto

[ssh-ipfw]

enabled  = true
filter   = sshd
action   = ipfw[localhost=any,minnum=01110,maxnum=01199]
           sendmail-whois[name="SSH,IPFW", dest=admin@server.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.1.61
```

/usr/local/etc/fail2ban/action.d/ipfw.conf:

```
[Definition]

actionstart =
actionstop =
actioncheck =

actionban = ipfw add deny tcp from <ip> to <localhost> <port>
actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`

[Init]

port = ssh
localhost = 192.168.1.61
```

The rest of the fail2ban files is unmodified.

This is my IPFW rules-script:


```
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ssh (22), http (80) etc
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 80 in
$IPF 160 allow tcp from any to any 80 out

# allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
$IPF allow icmp from any to any icmptypes 0,3,4,8,11

# deny and log everything
$IPF 500 deny log all from any to any
```

I check the logs so that fail2ban is really started and I have this in the logs:


```
2011-05-11 13:37:35,066 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-05-11 13:37:35,066 fail2ban.jail   : INFO   Creating new jail 'ssh-ipfw'
2011-05-11 13:37:35,066 fail2ban.jail   : INFO   Jail 'ssh-ipfw' uses poller
2011-05-11 13:37:35,076 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-05-11 13:37:35,076 fail2ban.filter : INFO   Set maxRetry = 3
2011-05-11 13:37:35,077 fail2ban.filter : INFO   Set findtime = 600
2011-05-11 13:37:35,077 fail2ban.actions: INFO   Set banTime = 3600
2011-05-11 13:37:35,104 fail2ban.jail   : INFO   Jail 'ssh-ipfw' started
```

So it's pretty clear that fail2ban is started.

However when I try to ssh to my server from somewhere else on the internet a couple of times nothing happens, there is no firewall rules that gets added to block me for 3600 seconds or anything.

I checked the auth.log and see this:


```
May 11 13:54:38 server sshd[11828]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:39 server last message repeated 2 times
May 11 13:54:41 server sshd[11833]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:42 server last message repeated 2 times
May 11 13:54:44 server sshd[11838]: error: PAM: authentication error for user from IP-on-the-internet
May 11 13:54:45 server last message repeated 2 times
May 11 13:54:47 server sshd[11843]: error: PAM: authentication error for user from IP-on-the-internet
```

I check the firewallrules with this:


```
[root@server ~]# ipfw list
00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00150 allow tcp from any to any dst-port 80 in
00160 allow tcp from any to any dst-port 80 out
00260 allow icmp from any to any icmptypes 0,3,4,8,11
00500 deny log ip from any to any
65535 deny ip from any to any
```

I tried a couple of times and nothing gets triggered. Do I need to modify my firewall-script? If so, how? Am I missing something else? I couldn't really find much information on IPFW and fail2ban so it's not that easy to get it up and running so any help is appreciated!

Recommendations on other software I can use it also appreciated if you know anything.

Thanks,
-Patric


----------



## k1piee (May 11, 2011)

Ok so I've tried different stuff with the firewall script and found out that even if fail2ban would trigger and add the firewall rule it wouldn't work as it would add the deny-rule on the bottom of the script after it allows the connection to SSH, for example.

I tried to manually add a rule that would deny my IP before everything else in the script and it blocked it out. So the question is: how do I modify my script so it will use the "deny" rules after the rest of the rules? I seriously suck at writing firewall rules so I really appreciate if someone could help me here.


Thanks,
-Patric


----------



## graudeejs (May 11, 2011)

I haven't read entire thread, and haven't tried to understand your script much, but why not to add IP to table, that is used in deny rule?


----------



## k1piee (May 16, 2011)

I installed OSSEC instead and it puts the IP in a table. Works great.


----------



## ecazamir (May 24, 2011)

I managed to make it work using this example, using a table.


----------



## JohnnyCashout (Aug 14, 2011)

I am using the table method and have my fail2ban jail setup, in fail2ban.log it says its watching /var/log/auth.log an maxretry=3  but I am able to repeatedly fail to enter the correct password 8+ times from an external ip and fail2ban does nothing.

I'm tailing security.log, auth.log and fail2ban.log and auth.log shoes the 'failed keyboard-interactive' messages but fail2ban isn't picking up on it


----------



## rockworldmi (Apr 26, 2012)

k1piee: can *I* install both fail2ban and ossec? *O*r is ossec sufficient? *A*lso is there a guide to install ossec in FreeBSD 9? *I* see three ports in FreeBSD 9, which one to choose?


----------

