I’ve come across a number of posts describing how to set up fail2ban on FreeBSD. Every damn one of them modifies a .conf file, which is a fail2ban no-no. And the package in ports even tells you this:

    Please do not edit the fail2ban.conf, jail.conf, or any other files in the
    distribution as they will be overwritten upon each upgrade of the port.

    Instead, create new files named *.local e.g. fail2ban.local or jail.local.

    For more information, see the official manual:
    http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration

    If you have custom filters or actions and you are upgrading from 0.9.x
    please check them.
So I’m going to describe here how you configure fail2ban on FreeBSD to keep an eye on failed ssh logins without changing any of the distributed .conf files, and maybe people will stop doing that.
First, create the file for the ipfw rules in /usr/local/etc/ipfw.rules:
To have these rules loaded at boot, run these commands:
To get this working without rebooting, run service ipfw restart.
Next up, install fail2ban: pkg install py36-fail2ban
Now you just need to configure it. Add the following two files:

/usr/local/etc/fail2ban/action.d/ipfw-table.local:
/usr/local/etc/fail2ban/jail.local:
Note that changing findtime and bantime to prime numbers a bit larger than those defaults will probably frustrate attackers a little more, since their retry timing no longer lines up with a round-number window. Running primes 3600 4000 can give you some options.
To get this working without rebooting, run service fail2ban restart.
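As an added example, not the post's or the port's own files, here is one shell script that writes the three files named above and enables the services, so nothing shipped in the package is touched. The file bodies, the ipfw table name fail2ban, the rule numbers, the log path and the rc.conf variables are all assumptions on my part; the values 3607 and 3701 are primes picked per the tip above.

```shell
# Added example, not the post's own files: writes ipfw.rules, the ipfw-table
# action and jail.local without touching any shipped *.conf. Every file body,
# the table name and the rc.conf settings are assumptions.
set -eu
TABLE=fail2ban   # ipfw table the action bans into (assumed name)

write_ipfw_rules() {   # $1 = directory receiving ipfw.rules
    cat > "$1/ipfw.rules" <<EOF
#!/bin/sh
ipfw -q -f flush
ipfw -q table $TABLE create type addr 2>/dev/null || true
ipfw -q add 100 deny ip from "table($TABLE)" to any
ipfw -q add 65000 allow ip from any to any
EOF
}

write_ipfw_table_action() {   # $1 = fail2ban config dir; a lone .local loads fine
    mkdir -p "$1/action.d"
    cat > "$1/action.d/ipfw-table.local" <<EOF
[Definition]
actionstart = ipfw -q table <table> create type addr 2>/dev/null || true
actionstop = ipfw -q table <table> flush
actioncheck = ipfw table <table> list >/dev/null
actionban = ipfw -q table <table> add <ip>
actionunban = ipfw -q table <table> delete <ip>
[Init]
table = $TABLE
EOF
}

write_jail_local() {   # $1 = fail2ban config dir, $2 = findtime, $3 = bantime (seconds)
    cat > "$1/jail.local" <<EOF
[DEFAULT]
findtime = $2
bantime = $3
banaction = ipfw-table
[sshd]
enabled = true
logpath = /var/log/auth.log
EOF
}

install_all() {   # run as root on the FreeBSD host: sh setup.sh install
    write_ipfw_rules /usr/local/etc
    write_ipfw_table_action /usr/local/etc/fail2ban
    write_jail_local /usr/local/etc/fail2ban 3607 3701   # primes, per the post's tip
    sysrc firewall_enable=YES firewall_script=/usr/local/etc/ipfw.rules fail2ban_enable=YES
    service ipfw restart && service fail2ban restart
}
if [ "${1:-}" = install ]; then install_all; fi
```

After running it with the install argument, pkg check -s py36-fail2ban confirms that none of the package's own files have changed checksum.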
There you go. No distributed .conf files modified. This is now easy to keep up to date while maintaining your customisations.