# fail2ban with jails



## dvl@ (Nov 21, 2014)

A recent Twitter discussion prompted me to consider fail2ban.  I'd be using it on a FreeBSD host and would be using to parse the logs of services in various jails (Apache, Postfix, Dovecot).

Have you already done this?


----------



## junovitch@ (Nov 22, 2014)

Haven't tried with jails but seems like it would be straightforward. Install, make a configuration for each service, and start it up. Here is an example for /usr/local/etc/fail2ban/jail.d/bsdftp.conf on mine.  Changing the log path to point inside a jail would be easy. Doing a search for specifying multiple "logpath" files showed this as the first result so it would seem like it's just a matter of specifying one for each jail:  http://serverfault.com/questions/486301/how-to-set-up-fail2ban-to-read-multi-log-in-a-jail

```
[bsdftp]

enabled  = true
filter   = bsdftp
action   = pf
logpath  = /var/log/auth.log
bantime  = 1800
findtime = 1800
maxretry = 5
```


----------



## SirDice (Nov 24, 2014)

Yep, just run fail2ban on the host and reference the files inside the jails (/jails/myjail/var/log/auth.log for example).


----------



## dvl@ (May 15, 2015)

It works.  http://dan.langille.org/2015/05/10/wordpress-and-fail2ban/


----------



## dvl@ (May 15, 2015)

BTW, my next goal: multiple actions for a given jail.d entry.  Anyone done that?  e.g. if something is doing nasty stuff on the website, block them from both http and ssh.


----------



## Remington (May 16, 2015)

I use fail2ban extensively with PF to block SSH, SASL, Dovecot, and Postfix brute-force and DoS attacks.  I also have custom-made scripts to log all permanent banned IP addresses so PF can reload the blacklist when restarted.  It works very well.  I plan to add Nginx to block scanners, spiders or requests for sensitive or missing files.

Need to be careful about http as http requests could be legitimate.  You can limit concurrent connections to single IP address via PF or Nginx config to block http DoS attacks.  Once that concurrent connection reaches its max then you can permanent ban that IP address.


----------



## Oko (May 16, 2015)

Remington said:


> I use fail2ban extensively with PF to block SSH, SASL, Dovecot, and Postfix brute-force and DoS attacks.  I also have custom-made scripts to log all permanent banned IP addresses so PF can reload the blacklist when restarted.  It works very well.  I plan to add Nginx to block scanners, spiders or requests for sensitive or missing files.
> 
> Need to be careful about http as http requests could be legitimate.  You can limit concurrent connections to single IP address via PF or Nginx config to block http DoS attacks.  Once that concurrent connection reaches its max then you can permanent ban that IP address.



Could you please post the configuration files or a link to your blog when you explain things? Thank you!


----------



## junovitch@ (May 16, 2015)

dvl@ said:


> BTW, my next goal: multiple actions for a given jail.d entry.  Anyone done that?  e.g. if something is doing nasty stuff on the website, block them from both http and ssh.



I've just been blocking all traffic once someone hits it enough to trigger an action by Fail2Ban.  That is accomplishing what you mentioned.  It's just the pf.conf rule below.  Are you currently doing something more more fine grained than this?


```
block drop in log quick on $wan_ifs from <fail2ban> to any
```


----------



## junovitch@ (May 16, 2015)

Remington said:


> ...  I also have custom-made scripts to log all permanent banned IP addresses so PF can reload the blacklist when restarted.  ...



For this in particular, security/py-fail2ban gained support for using a SQLite database for persistent storage of banned addresses.  I just checked the Freshports change log and that was introduced in the 0.9.0 update in May of 2014.  So you may be able to save some effort not duplicating that functionality with a custom script.


----------



## Remington (May 17, 2015)

Oko said:


> Could you please post the configuration files or a link to your blog when you explain things? Thank you!



My scripts are still in development but it works for now.  Feel free to modify or improve them if you wish.

Need to include this otherwise it will not work.
/etc/pf.conf

```
# Tables
table <fail2ban> persist file "/etc/pf.blacklist"

# Fail2ban
block in log quick on $ext_if from <fail2ban> to any
```

SSH - use custom pf to temporary ban and unban IP addresses.
pf-offender - IP address permanently banned after 3 temporary bans.
/usr/local/etc/fail2ban/jail.local

```
[DEFAULT]
bantime = 3600
findtime = 604800
maxretry = 3

[sshd]
enabled  = true
filter  = bsd-sshd
action  = pf
logpath  = /var/log/auth.log
  /jails/web/var/log/auth.log

[pf-offender]
enabled  = true
filter  = pf-offender
action  = pf-offender
logpath  = /var/log/fail2ban.log
bantime  = -1
```

Custom pf script to ban and unban IP addresses.
/usr/local/etc/fail2ban/action.d/pf.local

```
[Definition]

actionban  = /usr/local/etc/fail2ban/scripts/pf-offender.sh add <ip>
actionunban  = /usr/local/etc/fail2ban/scripts/pf-offender.sh delete <ip>
```

Custom script to add IP to blacklist
/usr/local/etc/fail2ban/action.d/pf-offender.local

```
[Definition]

actionban  = /usr/local/etc/fail2ban/scripts/pf-offender.sh blacklist <ip>
```

This script monitors fail2ban's temporary bans from ssh, sasl, postfix, dovecot, etc.
/usr/local/etc/fail2ban/filter.d/pf-offender.local

```
[INCLUDES]

before  = common.conf

[Definition]

_daemon  = pf-offender
failregex  = NOTICE  \[\S*\] Ban <HOST>

ignoreregex =
```

This script is still in development and it works.  It creates two pf blacklist files in /etc directory.  Text file pf.blacklist is used by PF to repopulate PF table after restart or reload.  Another text file pf.blacklist.txt is created for logging history of permanent banned IP addresses.  The reason why I created separate blacklist file is because PF needs clean IP list to repopulate the PF table without the dates.  Don't forget to `chmod +x pf-offender.sh`.
/usr/local/etc/fail2ban/scripts/pf-offender.sh

```
#!/bin/tcsh

set cmd  = $1
set ip  = $2
set file  = `grep -c $ip /etc/pf.blacklist`
set table  = `pfctl -t fail2ban -T show | grep -c $ip`
set date  = `date +"%Y-%m-%d"`

# add temp banned ip to pf table
if ( $cmd == "add" && "$table" == "0" ) then
  pfctl -t fail2ban -T add $ip
endif

# delete temp banned ip from pf table
if ( $cmd == "delete" && "$file" == "0" ) then
  pfctl -t fail2ban -T delete $ip
endif

# add permanent banned ip to pf table and blacklisted file
if ( $cmd == "blacklist" && "$file" == "0" ) then
  # add ip if not found in table
  if ( "$table" == "0" ) then
  pfctl -t fail2ban -T add $ip
  endif
  echo $ip >> /etc/pf.blacklist
  echo $date - $ip >> /etc/pf.blacklist.txt
endif

# populate permanent banned ip to pf table from blacklist file
# this is not needed as pf uses the blacklist file
if ( $cmd == "populate" ) then
  foreach line ( "`cat /etc/pf.blacklist`" )
  pfctl -t fail2ban -T add $line
  end
endif
```

Hope this helps.


----------



## Remington (May 17, 2015)

junovitch said:


> For this in particular, security/py-fail2ban gained support for using a SQLite database for persistent storage of banned addresses.  I just checked the Freshports change log and that was introduced in the 0.9.0 update in May of 2014.  So you may be able to save some effort not duplicating that functionality with a custom script.



I'm not aware of this changes but my script does more and gives me the flexibility to modify the blacklist file if needed.  I do get many IP addresses that are similar so I modify the blacklist with a blanket ban on IP addresses to keep the list short.


----------



## fred974 (Jan 1, 2016)

Hi,
What are the file permission for /etc/pf.blacklist? and does it need to be own by root?


----------

