Fail2ban on FreeBSD
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs – too many password failures, seeking for exploits…
It can be usefull to ban bots who try to bruteforce your ssh and flood your logs (another solution is to restrict allowed IP or change sshd port).
Here a quick how-to to enable fail2ban on FreeBSD, in combination with pf (packet filter).
Update 07/05/2015 : This works on FreeBSD 9.x. I haven’t tested it against FreeBSD 10.x yet.
First, install it, use pkg, portinstall, whatever :
# pkg install py27-fail2banThen go to /usr/local/etc/fail2ban and create the file jail.d/ssh-pf.local
[ssh-pf]
enabled = true
filter = sshd
action = pf
# sendmail-whois[name=SSH, dest=root@localhost, sender=noreply@localhost]
logpath = /var/log/auth.log
findtime = 600
maxretry = 3
bantime = 3600You can of course configure maxretry/bantime/findtime or sending mails.
I use pf in action (‘action = pf’), you can see what this action do in action.d/pf.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
[Init]
tablename = fail2banWhen ‘action’ is triggered, fail2ban launch pfctl -t <tablename> -T add <ip>/32 to add it to pf table ‘fail2ban’.
It’s now ok on fail2ban side (easy right ?)
On pf side, in /etc/pf.conf (blank by default, adapt it if you already have pf rules), you need to add a rule to block all IPs in the fail2ban table, for example :
ext_if="re0" # your interface !
table <fail2ban> persist
block quick proto tcp from <fail2ban> to $ext_if port sshNow, we need to start pf, then fail2ban :
/etc/rc.d/pf onestart
/usr/local/etc/rc.d/fail2ban onestartI use onestart, with the assumption that it’s the first start of pf and fail2ban, you will need to add pf and fail2ban in /etc/rc.conf to auto start them on boot.
Now you can look in /var/log/fail2ban.log to see detected IP and applied ban.
To list current banned IP :
pfctl -t fail2ban -T showSources: