Fail2Ban
Manually unban IP
To unban an IP (replace JAIL with the jail name and MYIP with the address):
fail2ban-client set JAIL unbanip MYIP
Standard config
Edit /usr/local/etc/fail2ban/jail.local:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = localhost 192.168.0.251

# "bantime" is the number of seconds that a host is banned.
bantime = 21600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 259200

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

[ssh]
enabled = true
filter = bsd-sshd
logpath = /var/log/auth.log

[asterisk]
enabled = true
filter = asterisk
logpath = /var/log/asterisk/full

[dovecot]
enabled = true
filter = dovecot

[apache-auth]
enabled = true
filter = apache-auth
maxretry = 8
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[apache-badbots]
enabled = true
filter = apache-badbots
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[apache-botsearch]
enabled = true
filter = apache-botsearch
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[apache-noscript]
enabled = true
filter = apache-noscript
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[apache-overflows]
enabled = true
filter = apache-overflows
apache_error_log = /usr/home/http/*/logs/error.log
apache_access_log = /usr/home/http/*/logs/access.log

[postfix]
enabled = true
filter = postfix

[postfix-sasl]
enabled = true
filter = postfix-sasl
Drop connections while blocking
Some services, such as Asterisk, do not drop a connection after a configurable number of failures, so a firewall ban alone leaves the already established TCP connection open. We therefore add an action to fail2ban that drops the banned host's open connections with tcpdrop.
First, create a new file /usr/local/etc/fail2ban/action.d/tcpdrop.conf:
# Fail2Ban configuration file
#
# tcpdrop used to drop all opened tcp connections of a banned IP.
#
# Author: Matthias Fechner <idefix@fechner.net>
#
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# we don't enable tcpdrop automatically, as it will be enabled elsewhere
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
# we don't disable tcpdrop automatically either
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# "tcpdrop -l -a" lists every open connection as a ready-to-run tcpdrop
# command; we keep only the lines mentioning the banned IP and run them.
actionban = tcpdrop -l -a | grep <ip> | sh

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# nothing to undo: the dropped connections are already gone
actionunban =
Now we configure fail2ban to use the pf action together with tcpdrop, so a ban blocks new packets in pf and drops the connections that are already open. Edit the file /usr/local/etc/fail2ban/jail.local:
[DEFAULT]
banaction = pf
action_drop = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              tcpdrop[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
action = %(action_drop)s
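The actionban line above selects connections with a plain substring grep, so banning 10.0.0.1 would also drop connections from 10.0.0.10 or 110.0.0.1. The following POSIX shell filter, an added example that is not part of the original wiki page, matches the foreign address field exactly instead; it assumes the "tcpdrop laddr lport faddr fport" output format of tcpdrop -l and works on a constructed sample list so it runs without tcpdrop installed.

```shell
#!/bin/sh
# Added example (not from the wiki page): exact-match filter for the output
# of "tcpdrop -l -a", to be used in place of "grep <ip>" in actionban.
# Assumed line format of "tcpdrop -l" (one command per open connection):
#   tcpdrop <laddr> <lport> <faddr> <fport>

# Constructed sample of "tcpdrop -l -a" output used for the demonstration.
SAMPLE_TCPDROP_LIST='tcpdrop 192.168.0.2 5060 10.0.0.1 41234
tcpdrop 192.168.0.2 22 10.0.0.10 51000
tcpdrop 192.168.0.2 5060 10.0.0.1 41235
tcpdrop 192.168.0.2 443 110.0.0.1 60000
tcpdrop 192.168.0.2 25 203.0.113.7 33333'

# Read tcpdrop -l output on stdin and print only the commands whose
# foreign address is exactly $1.  In a real action the result is piped
# into sh, e.g.:  tcpdrop -l -a | drop_cmds_for_ip <ip> | sh
drop_cmds_for_ip() {
    ban_ip=$1
    while read -r cmd laddr lport faddr fport; do
        [ "$cmd" = "tcpdrop" ] || continue        # ignore anything unexpected
        [ "$faddr" = "$ban_ip" ] || continue      # exact match, not substring
        printf '%s %s %s %s %s\n' "$cmd" "$laddr" "$lport" "$faddr" "$fport"
    done
}

# Number of connections the exact filter would drop for an IP.
count_exact() {
    printf '%s\n' "$SAMPLE_TCPDROP_LIST" | drop_cmds_for_ip "$1" | wc -l | tr -d ' '
}

# Number of connections the wiki's "grep <ip>" would drop for the same IP
# (dots in the IP are regex wildcards and the match is a substring match).
count_substring() {
    printf '%s\n' "$SAMPLE_TCPDROP_LIST" | grep -c "$1"
}

# count_exact 10.0.0.1 -> 2 ; count_substring 10.0.0.1 -> 4
```

To use it in tcpdrop.conf, save the filter as a script (for example /usr/local/sbin/tcpdrop-ip) and set actionban = tcpdrop -l -a | /usr/local/sbin/tcpdrop-ip <ip> | sh; the script path is an assumption, not something the page prescribes.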
freebsd/fail2ban.txt · Last modified: 2014/05/15 13:19 by idefix