Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs – too many password failures, seeking for exploits…
It can be usefull to ban bots who try to bruteforce your ssh and flood your logs (another solution is to restrict allowed IP or change sshd port).
Here a quick how-to to enable fail2ban on FreeBSD, in combination with pf (packet filter).
Update 07/05/2015 : This works on FreeBSD 9.x. I haven’t tested it against FreeBSD 10.x yet.
First, install it, use pkg, portinstall, whatever :
Then go to /usr/local/etc/fail2ban and create the file jail.d/ssh-pf.local
You can of course configure maxretry/bantime/findtime or sending mails.
I use pf in action (‘action = pf’), you can see what this action do in action.d/pf.conf
When ‘action’ is triggered, fail2ban launch pfctl -t <tablename> -T add <ip>/32 to add it to pf table ‘fail2ban’.
It’s now ok on fail2ban side (easy right ?)
On pf side, in /etc/pf.conf (blank by default, adapt it if you already have pf rules), you need to add a rule to block all IPs in the fail2ban table, for example :
Now, we need to start pf, then fail2ban :
I use onestart, with the assumption that it’s the first start of pf and fail2ban, you will need to add pf and fail2ban in /etc/rc.conf to auto start them on boot.
Now you can look in /var/log/fail2ban.log to see detected IP and applied ban.
To list current banned IP :