Wednesday, May 5, 2010

FreeBSD 8.x and Fail2ban-0.8.4 for SSH-IPFW

I couldn't find a ton of documentation on this topic, but it wasn't too hard to figure out once I was on the correct path.

First we have to begin by enabling the firewall (IPFW) on FreeBSD. Version 8.x does not require the kernel being rebuilt to support this, but we do need to enable the module. Use a text editor (such as VI) to open the rc.conf file located in /etc.

$ vi /etc/rc.conf

Add a line that dynamically loads the IPFW on boot to your rc.conf file.

firewall_enable="YES"

NOTE: If this line already exists, just leave it, as your firewall was likely enabled during the installation. Reboot your machine after (if) the change is made.

In order to complete the installation of Fail2ban, the portsnap utility was used to gather ports.

$ portsnap fetch
$ portsnap update

Change directory to the fail2ban source:

$ cd /usr/ports/security/py-fail2ban

Run a 'make' on the py-fail2ban package:

$ make install clean

NOTE: If you already installed a previous version of fail2ban, please issue the following. You may encounter some errors about not being completely deinstalled, but you should be able to ignore these. YRMV.

$ make deinstall

$ make reinstall

Change to the fail2ban config directory and use a text editor to modify the fail2ban jail file (jail.conf). Again, I used VI.

$ cd /usr/local/etc/fail2ban

$ vi jail.conf

Find the entry in jail.conf labeled [ssh-ipfw]. Modify this section so that it looks similar to the output (below). Please replace the X.X.X.X with the IP address that the active network interface for SSHD is using.

[ssh-ipfw]

enabled = true

filter = sshd

action = ipfw[localhost=X.X.X.X]

sendmail-whois[name="SSH,IPFW", dest=user@yourchosendomain.com]

logpath = /var/log/sshd.log

ignoreip = 1.2.3.4

NOTE: It's important to note the location of the log path. I configured my SSH daemon to log to /var/log/sshd.log; yours may vary. Additionally, the ignoreip should be set to an IP address that you always want to be able to access the machine.

Now it's necessary to make some modifications to the IPFW actions that are placed on offending IP addresses attempting to authenticate into your machine. I took this portion from the configuration located on the wiki for fail2ban on OS X.

$ cd /usr/local/etc/fail2ban/action.d

$ vi ipfw.conf

Modify the file so it resembles the below snippet and make sure to comment out or remove the default line as I have done.

#actionban = ipfw add deny tcp from to

actionban = t=150

while [ `ipfw list |grep -ic 00$t | awk '{print $1;}'` != '0' ]

do ((++t))

done

ipfw add $t deny tcp from to any

Save the above file, if you have not already done so, and let's restart the service for fail2ban.

$ /usr/local/etc/fail2ban restart

You can now check to see if this works by doing bruteforce auths from another ip address, if available. Fail2ban should be updating the email recipient, which was previously entered, when a block occurs. Additionally, you can check the status of IPFW by issuing the below command.

$ ipfw list