
FreeNAS + Fail2ban for ssh block using hosts.allow


onthax

Member
Joined
Jan 31, 2012
Messages
65
Hi,
I have been following your tutorial and I have one concern.
After /etc/rc.conf, you exit the fail2ban jail then require the /etc/hosts.allow to be edited.

My problem is that my /etc/hosts.allow is completely empty, this implies that something is not quite right.
Any assistance?

Thanks
Yes, the new version of FreeNAS wipes /etc/hosts.allow on reboot. Please upvote or comment on this bug if you want to use this.


I get around this by having a post-startup task run:

cp /conf/base/etc/hosts.allow /etc/hosts.allow
 

relli10

Neophyte
Joined
Mar 20, 2015
Messages
6
Edit: I got distracted while drafting a response and Onthax jumped in front!

Hi,
I have been following your tutorial and I have one concern.
After /etc/rc.conf, you exit the fail2ban jail then require the /etc/hosts.allow to be edited.

My problem is that my /etc/hosts.allow is completely empty, this implies that something is not quite right.
Any assistance?

Thanks
Are you using version 11.3 of FreeNAS? If you are, there is an unresolved bug that clears /etc/hosts.allow on FreeNAS restarts - https://jira.ixsystems.com/browse/NAS-105603

To overcome this, I have edited /conf/base/etc/hosts.allow as per the instructions in the original Onthax post (see quote below) and then manually copy it to the host's /etc by executing the following command after every reboot. I do this every time I restart the FreeNAS host.

Code:
root@freenas:~ # cp /conf/base/etc/hosts.allow /etc/hosts.allow

Hope this helps!


mount -uw /

Edit /conf/base/etc/hosts.allow to make changes persistent across reboots. Be careful what you do with the USB mounted; you can brick your system. This will allow your instruction to check hosts.evil to be re-applied at startup.

Above ALL : ALL : allow, put in:
Code:
# enable fail2ban
sshd : /mnt/PATHTOJAIL/etc/hosts.evil : deny

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "first match wins" basis.
ALL : ALL : allow
 

Buttshill

Newbie
Joined
Apr 23, 2020
Messages
3
Many thanks - I will follow that. Is it possible to use a crontab "@reboot" task to do the copy on reboots? This would probably work on Linux, but I'm just getting to grips with FreeBSD.
 

onthax

Member
Joined
Jan 31, 2012
Messages
65
It's an option in the FreeNAS GUI under Tasks > Init/Shutdown Scripts; run it as Post Init.
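As an added example (not code from this thread or from iXsystems), here is a Post Init script that does the copy the posts above describe, but refuses to install a hosts.allow in which the fail2ban rule could never fire. The paths /conf/base/etc/hosts.allow and /etc/hosts.allow and the /mnt/PATHTOJAIL placeholder are taken from the thread; the function names, the argument handling and the sample files in demo are this example's own assumptions. tcp_wrappers applies the first matching rule, so if ALL : ALL : allow ever ends up above the sshd deny line, every ban fail2ban writes to hosts.evil is silently ignored; the check_order function catches exactly that.

```shell
#!/bin/sh
# Added example, not code from the thread or from iXsystems: a FreeNAS
# Post Init script that restores /etc/hosts.allow from the persistent copy
# in /conf/base/etc/hosts.allow (the paths used in the thread) and refuses
# to do so if the fail2ban deny rule would be shadowed. tcp_wrappers applies
# the first matching rule, so "ALL : ALL : allow" must come after the sshd
# deny. Paths can be passed as arguments so the functions can be exercised
# against scratch files. /mnt/PATHTOJAIL is the thread's placeholder; the
# function names are this example's own.

BASE_DEFAULT=/conf/base/etc/hosts.allow
LIVE_DEFAULT=/etc/hosts.allow

# check_order FILE
# Exit 0 if an "sshd : ... : deny" rule precedes the first "ALL : ALL : allow",
# 1 if there is no sshd deny rule at all, 2 if allow-all comes first.
check_order() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^sshd[ \t]*:.*:[ \t]*deny/ && !deny { deny = NR }
        /^ALL[ \t]*:[ \t]*ALL[ \t]*:[ \t]*allow/ && !allow { allow = NR }
        END {
            if (deny == 0) exit 1
            if (allow != 0 && allow < deny) exit 2
            exit 0
        }' "$1"
}

# restore_hosts_allow [SRC] [DST]
# Copy SRC over DST only if SRC is non-empty and passes check_order.
restore_hosts_allow() {
    src=${1:-$BASE_DEFAULT}
    dst=${2:-$LIVE_DEFAULT}
    if [ ! -s "$src" ]; then
        echo "restore_hosts_allow: $src is missing or empty, leaving $dst alone" >&2
        return 1
    fi
    if ! check_order "$src"; then
        echo "restore_hosts_allow: $src has no sshd deny rule or it sits below ALL : ALL : allow" >&2
        return 1
    fi
    cp "$src" "$dst" && chmod 644 "$dst"
}

# demo: run the checks on constructed sample files, not on real system files.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/good" <<'EOF'
# enable fail2ban
sshd : /mnt/PATHTOJAIL/etc/hosts.evil : deny

ALL : ALL : allow
EOF
    cat > "$tmp/shadowed" <<'EOF'
ALL : ALL : allow
sshd : /mnt/PATHTOJAIL/etc/hosts.evil : deny
EOF
    check_order "$tmp/good" && echo "good: sshd deny rule is effective"
    check_order "$tmp/shadowed" || echo "shadowed: check_order returned $?, the deny rule is dead"
    restore_hosts_allow "$tmp/good" "$tmp/live" && echo "restored $tmp/live from $tmp/good"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;                 # exercise the checks on the sample files
    run)  restore_hosts_allow ;;  # what the Post Init task runs
esac
```

Save it somewhere that survives a reboot (for instance on a pool dataset), add a Tasks > Init/Shutdown Scripts entry of type Command, When = Post Init, with the command `sh /path/to/restore_hosts_allow.sh run`, and try `sh restore_hosts_allow.sh demo` first to see the ordering check reject the shadowed file. Because the copy is skipped when the persistent file is empty or mis-ordered, a bad edit to /conf/base/etc/hosts.allow leaves you with the empty post-reboot file (everything allowed, same as today) rather than a file that looks protective but is not; the message on stderr tells you which case you hit.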
 

John Digital

Neophyte Sage
Joined
Jan 7, 2015
Messages
660
I'm a day late and a dollar short as usual, but I can add that I do believe I use my fail2ban + apache jail's hosts.deny file as my FN hosts.deny. My apache jail also looks at the FN host logs via cleverly edited regex to populate the apache/hosts.deny file, and on reboot, in a similar way, the apache hosts.deny file is substituted for the blank FN/hosts.deny file. I really forgot about fail2ban once I started with pfBlockerNG (pfSense), as it blanket-blocks specific countries via GeoIP from any access on any ports. In fact I only allow persons with a US IP to connect at all to any service via WAN, and that seems to help significantly, but it is easily defeated with a VPN hop to the US. But fail2ban quietly does its thing as a backup. Fail an SSH or port 80 or 443 connect and you're done forever on that IP. I just looked at my hosts.deny file and it has blacklisted 24,802 IP addresses. pfBlocker has done significantly more at 142,631.

Also changing your default ssh port almost stops attempts altogether, if attempted SSH are what you are trying to defeat.
 

Buttshill

Newbie
Joined
Apr 23, 2020
Messages
3
Hi John,
I have fail2ban running on my openSUSE box and it works well. I use a non-standard port for SSH, and so far I have banned nearly 1500 IPs in a month. So please don't rely on a non-standard port to stop intruders.
 

Volte

Junior Member
Joined
Feb 11, 2016
Messages
18
Edit /conf/base/etc/hosts.allow to make changes persistent across reboots.. Be careful what you do with USB mounted. You can brick your system.. This will allow your instruction to check hosts.evil to be re-applied at startup.
Is this part working for anyone else? Is my setup screwed up? When I make changes in those files (/conf/base/etc/...), they do stick, but never propagate to the root (e.g. /etc/hosts.allow) on reboot. I've tried linking (ln -s) the files, but that gets blown away too. The files are empty on reboot.

Also, when I search google for information on the exact purpose of /conf/base/..., top hit is to a similar question with an unhelpful answer from a mod lol, nice. If I search the forums, I find a bunch of disparate posts indirectly referencing these locations with implications that it is intended to work this way, but I can't find any official statement that backs this up.

So, to summarize
1. Is it supposed to work this way, and...
2. Is it working this way for anyone else?
3. Are there any known/common reasons why this wouldn't be working? Clearly the overwrite is working, because the file is blank on reboot...

Cheers!
 

onthax

Member
Joined
Jan 31, 2012
Messages
65
Is this part working for anyone else? Is my setup screwed up? When I make changes in those files (/conf/base/etc/...), they do stick, but never propagate to the root (e.g. /etc/hosts.allow) on reboot. I've tried linking (ln -s) the files, but that gets blown away too. The files are empty on reboot.

Also, when I search google for information on the exact purpose of /conf/base/..., top hit is to a similar question with an unhelpful answer from a mod lol, nice. If I search the forums, I find a bunch of disparate posts indirectly referencing these locations with implications that it is intended to work this way, but I can't find any official statement that backs this up.

So, to summarize
1. Is it supposed to work this way, and...
2. Is it working this way for anyone else?
3. Are there any known/common reasons why this wouldn't be working? Clearly the overwrite is working, because the file is blank on reboot...

Cheers!
As per a couple of posts up, this behavior was changed: https://jira.ixsystems.com/browse/NAS-105603

The solution is to have a startup script.
 
