FreeBSD - fail2ban
fail2ban
Vorsicht: muss überarbeitet werden.
# portmaster security/py-fail2ban
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration
(Handbuch zu 0.8; die weiter unten benutzten pf-Anker f2b/<jail> und Tabellen f2b-<jail> entsprechen der pf-Action neuerer Versionen – Version des installierten Ports prüfen, bevor die Beispiele übernommen werden.)
/etc/rc.conf
# sysrc fail2ban_enable="YES"
/usr/local/etc/fail2ban/fail2ban.local
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = 4
#
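[Definition]
# This is the .local override file: only keys that differ from the shipped
# fail2ban.conf belong here; everything else is inherited.
#
# Option: loglevel
# Notes.: Set the log level output.
# NOTE(review): the level list that was copied here (1 = ERROR .. 4 = DEBUG,
# "Values: NUM") is the fail2ban 0.8 format, while the value below uses the
# named levels of 0.9 and later (CRITICAL, ERROR, WARNING, NOTICE, INFO,
# DEBUG). Check which form the installed security/py-fail2ban expects; an
# unknown level is likely to be rejected at start-up. INFO records every
# ban/unban without the volume of DEBUG.
loglevel = INFO
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#         Only one log target can be specified.
# The log lists every banned address; keep the file root-only (mode 600) and
# rotate it (see the newsyslog entry for this path).
# Values: STDOUT STDERR SYSLOG file  Default: /var/log/fail2ban.log
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Security: this is the control channel of fail2ban-client -- whoever can write
# to it can ban, unban or stop the daemon. The containing directory must stay
# owned by root without group/world access.
# Values: FILE  Default: /var/run/fail2ban/fail2ban.sock
socket = /var/run/fail2ban/fail2ban.sock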
/usr/local/etc/fail2ban/jail.local
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# Global defaults; every jail below may override any of these keys.
#
# Hosts that are never banned (IP, CIDR or DNS name, space separated).
# Only loopback is listed: add the addresses you administer from, otherwise a
# mistyped password on the ssh jail (maxretry 2) locks you out for a day.
ignoreip = 127.0.0.1/8
# How long a ban lasts, in seconds (24 h).
bantime = 86400
# Window, in seconds, within which "maxretry" failures trigger a ban (12 h).
findtime = 43200
# Failures allowed inside "findtime" before the host is banned.
maxretry = 3
# For a quick functional test lower both timers, e.g. bantime = 120 and
# findtime = 120, and restore the values above afterwards.
#
# How log files are watched: "gamin" needs the Gamin file alteration monitor
# (falls back to polling if it is missing), "polling" needs nothing extra,
# "auto" prefers gamin when available. Can also be set per jail.
backend = auto
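[ssh]
# Inspect the live pf state of this jail:
#   pfctl -a "f2b/ssh" -s Tables
#   pfctl -a "f2b/ssh" -t f2b-ssh -Ts
enabled = true
# sshd listens on a non-default port; the same port must be given to the pf
# action below, otherwise the block rule protects the wrong service.
port = 9922
# usedns decides what happens when a log line yields a hostname instead of an
# address: "yes" resolves it and bans the result, "warn" (the stock jail.conf
# default) resolves but warns, "no" ignores hostnames entirely.
# NOTE(review): sshd failure messages normally carry the client IP, so "yes"
# gains nothing here and lets attacker-influenced log text trigger DNS
# lookups -- consider "no" or "warn". (Keys are case-insensitive, so the
# original "UseDNS" spelling addressed the same option.)
usedns = yes
filter = sshd
# Continuation lines of a multi-line value MUST be indented; unindented, the
# parser treats "sendmail-whois[...]" as a separate, invalid key and the jail
# is likely to fail to load.
# sendmail-whois runs a whois lookup and mails root on every ban; with
# maxretry 2 a scanner can generate a lot of mail.
action = pf[port={9922}, name=ssh]
         sendmail-whois[name=SSH, dest=root, sender=root]
# FreeBSD writes sshd authentication messages here (syslog auth facility).
logpath = /var/log/auth.log
# Two failures within the global findtime (12 h) earn a 24 h ban -- make sure
# your own management addresses are in ignoreip before enabling this.
maxretry = 2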
[postfix]
# pf state of this jail:
#   pfctl -a "f2b/smtp" -s Tables
#   pfctl -a "f2b/smtp" -t f2b-smtp -Ts
enabled = true
filter = postfix
logpath = /var/log/maillog
# "smtp" resolves through /etc/services to 25, matching the pf action.
port = smtp
action = pf[port={25}, name=smtp]
# Mail notification deliberately off for this jail (a busy MTA would turn
# every ban into a whois lookup plus a mail to root). To re-enable, add it as
# an indented continuation line of "action":
#          sendmail-whois[name=smtp, dest=root, sender=root]
# More tolerant than ssh: 10 failures within 1 h, then a 24 h ban
# (overrides the DEFAULT values).
maxretry = 10
findtime = 3600
bantime = 86400
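[courier]
# pf state of this jail:
#   pfctl -a "f2b/courier" -s Tables
#   pfctl -a "f2b/courier" -t f2b-courier -Ts
enabled = true
# IMAPS and POP3S; the same two ports appear in the pf action below
# (pf list syntax, space separated inside the braces).
port = 993, 995
filter = courier-auth
# Continuation lines of a multi-line value MUST be indented; unindented, the
# parser sees "sendmail-whois[...]" as a key of its own and the jail is likely
# to fail to load.
action = pf[port={993 995}, name=courier]
         sendmail-whois[name=courier, dest=root, sender=root]
logpath = /var/log/maillog
# 10 failures within 1 h, then a 24 h ban (overrides DEFAULT). Every ban also
# runs a whois lookup and mails root (sendmail-whois) -- a flood of failed
# logins becomes a flood of mail.
maxretry = 10
bantime = 86400
findtime = 3600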
/etc/pf.conf
# fail2ban: load the per-jail anchors (f2b/ssh, f2b/smtp, f2b/courier) that the
# pf action fills at run time (this was line 44 of the original file).
# NOTE(review): pf evaluates rules in order; a "quick" pass rule for the
# protected ports (9922, 25, 993, 995) placed *before* this anchor would stop
# evaluation before the block rules fail2ban installs inside the anchor are
# reached -- keep the anchor ahead of such pass rules.
anchor "f2b/*"
/etc/newsyslog.conf
# fail2ban log: rotate daily at midnight, keep 7 compressed copies, mode 600
# (the log lists every banned address), create the file if missing
# (see newsyslog.conf(5) for the flags).
# NOTE(review): with the leading "#" this entry is itself a comment in
# newsyslog.conf -- drop it to activate the rotation. After a rotation the
# daemon keeps writing to the renamed file until told to reopen it
# (fail2ban-client flushlogs), e.g. via newsyslog's command/R-flag field.
# /var/log/fail2ban.log 600 7 * @T00 JC
start
# service fail2ban start
Sonstiges
Anzeigen der pf-Tabelle des Jails ssh
# pfctl -a "f2b/ssh" -s Tables
f2b-ssh
Anzeigen der derzeit gesperrten IPs
# pfctl -a "f2b/ssh" -t f2b-ssh -Ts
46.148.20.25
193.188.22.188
Löschen einer IP von Hand (entfernt den Eintrag nur aus pf; fail2ban führt die Sperre intern weiter und würde sie ggf. erneut setzen – sauberer ist `fail2ban-client set ssh unbanip xxx.xxx.xxx.xxx`, sofern die installierte Version das unterstützt)
# pfctl -a "f2b/ssh" -t f2b-ssh -T delete xxx.xxx.xxx.xxx
Sperren eines ganzen /16-Netzes von Hand (Beispiel: 65.55.0.0/16, laut Notiz hotmail.com).
Achtung: in dieser Konfiguration gibt es keine Tabelle `fail2ban`; die Tabellen heißen f2b-<jail> und liegen im Anker f2b/<jail>, also z. B.:
# pfctl -a "f2b/ssh" -t f2b-ssh -T add 65.55.0.0/16
Ein solcher Eintrag ist fail2ban nicht bekannt (wird also nie automatisch entsperrt) und überlebt weder einen Neustart noch ein Neuladen des Ankers; dauerhafte Sperren gehören in eine eigene, persistente Tabelle in /etc/pf.conf.