FreeBSD - fail2ban

fail2ban

vorsicht : muss überarbeitet werden,

# portmaster security/py-fail2ban

http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration

/etc/rc.conf

# sysrc fail2ban_enable="YES"

/usr/local/etc/fail2ban/fail2ban.local

# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in fail2ban.local file, e.g.:
#
# [Definition]
# loglevel = 4
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = INFO

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

/usr/local/etc/fail2ban/jail.local

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 86400
#bantime  = 120

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 43200
#findtime  = 120

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

[ssh-pf]
# this „fail2ban-jail“ is switched on and it combines the filter.d/sshd.conf with action.d/pf.conf
enabled  = true
port     = 9922
UseDNS   = yes
filter   = sshd
action   = pf
           sendmail-whois[name=SSH, dest=root, sender=root]
logpath  = /var/log/auth.log
maxretry = 2

[ftp-pf]
# this „fail2ban-jail“ is switched on and it combines the filter.d/bsdftp.conf with action.d/pf.conf
enabled  = false
port     = 9921
UseDNS   = yes
filter   = bsdftp
bantime  = 3600
action   = pf
           sendmail-whois[name=FTP, dest=root, sender=root]
logpath  = /var/log/xferlog
maxretry = 5

[postfix-pf]
enabled  = true
port     = smtp
filter   = postfix
action   = pf
           sendmail-whois[name=smtp, dest=root, sender=root]
logpath  = /var/log/maillog
maxretry = 5
bantime  = 1200
findtime  = 1100

[apache-dipmag-dipmag]
enabled  = true
port     = all
filter   = apache-badbots
action   = pf
           sendmail-whois[name=apache-dipmag-badbots, dest=root, sender=root]
logpath  = /usr/local/www/log/httpd-access.log
maxretry = 10
bantime  = 1200
findtime  = 300

/etc/pf.conf

# #fail2ban
anchor "f2b/*"

/etc/newsyslog.conf

# /var/log/fail2ban.log       600  7      * @T00  JC

start

# service fail2ban start

sonstiges

anzeigen der Tabelle ssh

# pfctl -a "f2b/ssh" -s Tables
f2b-ssh

anzeigen der IPs

# pfctl -a "f2b/ssh" -t f2b-ssh -Ts
46.148.20.25
193.188.22.188

löschen einer IP

# pfctl -a "f2b/ssh" -t f2b-ssh -T delete xxx.xxx.xxx.xxx

sperren einer ganzen class-B (hier hotmail.com)

# pfctl -t fail2ban -T add 65.55.0.0/16