onthax
I used to use denyhosts but ran into issues with it after an update of FreeNAS in the past.
Looked into fail2ban, which can do the same thing. Hope other people find this useful.
Purpose: Block SSHD attempts after multiple failed attempts, as the amount of attacks I get slows my connection down.
Tested and written for FreeNAS 11.1
Create a new jail called fail2ban
Create new storage for the jail:
Source: /var/log
Destination: /var/newlogmount
Readonly = yes
create directory = yes
mounted = yes
SSH to your base FreeNAS server. Use jls to show the jails:
Code:
root@server:path # jls
JID  IP Address  Hostname  Path
5                fail2ban  /mnt/storage/jails/fail2ban
jexec the jid.
root@server:path # jexec 5
touch /etc/hosts.evil
root@fail2ban:/ # pkg install security/py-fail2ban
follow the prompts to install
root@fail2ban:/ # pkg install security/py-fail2ban
to update to the latest version (not sure why, but the 2nd time I got a newer version)
Code:
cd /usr/local/etc/fail2ban
cp fail2ban.conf fail2ban.local
cp jail.conf jail.local
Modify jail.local
Append any ignore ranges to ignoreip
Code:
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
SSHd section under jails, modify it to match
Note:
bantime = -1 means it never gets unblocked. You can set another value, but I haven't tested a great deal as I just manually clear out if I get stuck.
Code:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
enabled = true
mode = normal
port = ssh
logpath = /var/newlogmount/auth.log
bantime = -1
backend = %(sshd_backend)s
action = hostsdeny
modify action.d/hostsdeny.conf
change the following
Code:
[Init]
# Option:  file
# Notes.:  hosts.deny file path.
# Values:  STR  Default:  /etc/hosts.deny
#
file = /etc/hosts.evil
Start the service
service fail2ban onestart
tail -f /etc/hosts.evil
Test from a remote server with failed logins and confirm it gets added and is all working.
Modify /etc/rc.conf. Add the line:
Code:
fail2ban_enable="YES"
Exit your jail
exit
Edit your /etc/hosts.allow file: above
Code:
ALL : ALL : allow
put in:
Code:
# enable fail2ban
sshd : /mnt/PATHTOJAIL/etc/hosts.evil : deny
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
Confirm you can't access it from the remote host you were testing with before.
Edit /mnt/PATHTOJAIL/fail2ban/etc/hosts.evil and remove all entries.
Move your auth.log (to prevent fail2ban re-adding the entry on reboot)
mv /var/log/auth.log /var/log/auth.log.old
When you are happy with it all, mount the root FS:
mount -uw /
Edit /conf/base/etc/hosts.allow to make changes persistent across reboots. Be careful what you do with USB mounted. You can brick your system. This will allow your instruction to check hosts.evil to be re-applied at startup.
Above ALL : ALL : allow put in:
Code:
# enable fail2ban
sshd : /mnt/PATHTOJAIL/etc/hosts.evil : deny
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
You should now be good to go.
Feedback appreciated.
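Added example, not part of the original post: a shell check that the sshd deny rule sits above ALL : ALL : allow in a hosts.allow-style file, since the file's own comment says the rules are first match wins. The function name check_hosts_allow and the two sample files are constructed for illustration; PATHTOJAIL is the post's placeholder, kept as-is.

```shell
#!/bin/sh
# Prints one of:
#   ok       - an "sshd : /file : deny" rule precedes "ALL : ALL : allow"
#   shadowed - the deny rule exists, but only after the allow-all line
#   missing  - no sshd deny rule pointing at a file was found
check_hosts_allow() {
    awk '
        /^[ \t]*#/ { next }               # skip comment lines
        NF == 0    { next }               # skip blank lines
        {
            line = $0
            gsub(/[ \t]/, "", line)       # "sshd : x : deny" -> "sshd:x:deny"
            n = split(line, f, ":")
        }
        n >= 3 && f[1] == "ALL" && f[2] == "ALL" && f[3] == "allow" {
            if (!allow_at) allow_at = NR  # first allow-all line
            next
        }
        n >= 3 && f[1] == "sshd" && substr(f[2], 1, 1) == "/" && f[3] == "deny" {
            if (!deny_at) deny_at = NR    # first file-based sshd deny rule
        }
        END {
            if (!deny_at) print "missing"
            else if (allow_at && allow_at < deny_at) print "shadowed"
            else print "ok"
        }
    ' "$1"
}

# Constructed sample files: one in the order the post describes, one reversed.
tmp=$(mktemp -d)
printf '%s\n' '# enable fail2ban' \
    'sshd : /mnt/PATHTOJAIL/etc/hosts.evil : deny' \
    'ALL : ALL : allow' > "$tmp/good"
printf '%s\n' 'ALL : ALL : allow' \
    'sshd : /mnt/PATHTOJAIL/etc/hosts.evil : deny' > "$tmp/bad"
echo "good: $(check_hosts_allow "$tmp/good")"
echo "bad:  $(check_hosts_allow "$tmp/bad")"
rm -rf "$tmp"
```

Run the function against both /etc/hosts.allow and /conf/base/etc/hosts.allow after editing; a "shadowed" result means the bans written to hosts.evil are never consulted.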