FreeNAS + Fail2ban for ssh block using hosts.allow

onthax

Explorer
Joined
Jan 31, 2012
Messages
81
Hi,
I have been following your tutorial and I have one concern.
After /etc/rc.conf, you exit the fail2ban jail, then require /etc/hosts.allow to be edited.

My problem is that my /etc/hosts.allow is completely empty, this implies that something is not quite right.
Any assistance?

Thanks

Yes, the new version of FreeNAS wipes /etc/hosts.allow on reboot.
Please upvote or comment on this bug if you want to use this.


I get around this by having a post-startup task run:

Code:
cp /conf/base/etc/hosts.allow /etc/hosts.allow
 

relli10

Cadet
Joined
Mar 20, 2015
Messages
9
Edit: I got distracted while drafting a response and Onthax jumped in front!

Hi,
I have been following your tutorial and I have one concern.
After /etc/rc.conf, you exit the fail2ban jail, then require /etc/hosts.allow to be edited.

My problem is that my /etc/hosts.allow is completely empty, this implies that something is not quite right.
Any assistance?

Thanks

Are you using version 11.3 of FreeNAS? If you are, there is an unresolved bug that clears /etc/hosts.allow on FreeNAS restarts - https://jira.ixsystems.com/browse/NAS-105603

To overcome this, I have edited /conf/base/etc/hosts.allow as per the instructions in the original Onthax post (see quote below) and then manually copy it to the root of the host system by executing the following command after every reboot. I do this every time I restart the FreeNAS host.

Code:
root@freenas:~ # cp /conf/base/etc/hosts.allow /etc/hosts.allow

Hope this helps!


Code:
mount -uw /

Edit /conf/base/etc/hosts.allow to make changes persistent across reboots. Be careful what you do with the USB mounted; you can brick your system. This will allow your instruction to check hosts.evil to be re-applied at startup.

Above ALL : ALL : allow, put in:
Code:
# enable fail2ban
sshd : /mnt/PATHTOJAIL/etc/hosts.evil : deny

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
 
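As an added example that is not part of any post in this thread: a post-init script that does what the posts above describe (copy the master copy back over /etc/hosts.allow after boot) but first checks that the fail2ban rule sits above ALL : ALL : allow, since tcp_wrappers stops at the first matching rule and a deny line placed below it never fires. It assumes the thread's placeholder paths (/conf/base/etc/hosts.allow, /mnt/PATHTOJAIL/etc/hosts.evil) and that hosts.evil holds whitespace-separated address patterns, which is how hosts_access(5) reads a client pattern that starts with /. The files created at the bottom are constructed demo input so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not the thread's own script. Restores the fail2ban rule
# into /etc/hosts.allow after a FreeNAS reboot, refusing to install a file
# whose deny rule is unreachable. Assumed paths (placeholders from the
# thread): master copy /conf/base/etc/hosts.allow, banned-host list
# /mnt/PATHTOJAIL/etc/hosts.evil.

# check_order FILE DENYFILE
# Succeeds only if FILE has "sshd : DENYFILE : deny" and that line comes
# before the first "ALL : ALL : allow" (tcp_wrappers stops at first match).
check_order() {
    awk -v deny="$2" '
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next
          n = split($0, f, ":")
          for (i = 1; i <= n; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i]) }
        f[1] == "sshd" && f[2] == deny && f[3] == "deny"  && !deny_at  { deny_at = NR }
        f[1] == "ALL"  && f[2] == "ALL" && f[3] == "allow" && !allow_at { allow_at = NR }
        END {
            if (!deny_at) { print "no sshd deny rule for " deny > "/dev/stderr"; exit 1 }
            if (allow_at && allow_at < deny_at) {
                print "deny rule on line " deny_at " is shadowed by ALL : ALL : allow on line " allow_at > "/dev/stderr"
                exit 2
            }
        }' "$1"
}

# verdict FILE DAEMON CLIENT
# Prints the option of the first rule in FILE matching DAEMON/CLIENT
# ("allow" when the rule has no option). Handles the patterns this thread
# uses: ALL, a literal host/address, and "/path" to a file of patterns.
# Simplification: if nothing matches, real tcpd goes on to hosts.deny; this
# simulation just prints "no match".
verdict() {
    awk -v d="$2" -v c="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function infile(path,    line, t, n, i) {
            while ((getline line < path) > 0) {
                sub(/#.*/, "", line); n = split(line, t, /[ \t]+/)
                for (i = 1; i <= n; i++) if (t[i] == c || t[i] == "ALL") { close(path); return 1 }
            }
            close(path); return 0
        }
        function match_pat(p, v) {
            if (p == "ALL") return 1
            if (p ~ /^\//) return infile(p)
            return p == v
        }
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next
          n = split($0, f, ":")
          if (match_pat(trim(f[1]), d) && match_pat(trim(f[2]), c)) {
              opt = (n >= 3) ? trim(f[3]) : ""
              if (opt == "") opt = "allow"
              print opt; done = 1; exit
          } }
        END { if (!done) print "no match" }' "$1"
}

# install_hosts_allow SRC DST DENYFILE
# The post-init task body: bail out without touching DST when the master
# copy fails check_order, otherwise replace DST atomically via rename so
# sshd never reads a half-written file.
install_hosts_allow() {
    check_order "$1" "$3" || return 1
    cp "$1" "$2.new" && chmod 644 "$2.new" && mv "$2.new" "$2"
}

# Constructed demo files (not a real FreeNAS host) so this runs offline.
DEMO=$(mktemp -d)
printf '# banned by fail2ban (constructed)\n203.0.113.7\n198.51.100.9\n' > "$DEMO/hosts.evil"
cat > "$DEMO/good" <<EOF
# enable fail2ban
sshd : $DEMO/hosts.evil : deny
ALL : ALL : allow
EOF
cat > "$DEMO/bad" <<EOF
ALL : ALL : allow
sshd : $DEMO/hosts.evil : deny
EOF

if install_hosts_allow "$DEMO/good" "$DEMO/hosts.allow" "$DEMO/hosts.evil"; then
    echo "installed; banned 203.0.113.7 -> $(verdict "$DEMO/hosts.allow" sshd 203.0.113.7)"
    echo "installed; unbanned 192.0.2.1 -> $(verdict "$DEMO/hosts.allow" sshd 192.0.2.1)"
fi
install_hosts_allow "$DEMO/bad" "$DEMO/never" "$DEMO/hosts.evil" || echo "refused to install bad file"
echo "bad file would give banned 203.0.113.7 -> $(verdict "$DEMO/bad" sshd 203.0.113.7)"
```

For the real Tasks > Init/Shutdown Scripts post-init task, replace the demo block with a single call: install_hosts_allow /conf/base/etc/hosts.allow /etc/hosts.allow /mnt/PATHTOJAIL/etc/hosts.evil. The verdict function lets you check what a given client would get from the installed file before relying on it.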

Buttshill

Cadet
Joined
Apr 23, 2020
Messages
3
Many thanks - I will follow that. Is it possible to use a crontab @reboot task to do the copy on reboots? This would probably work on Linux, but I'm just getting to grips with FreeBSD.
 

onthax

Explorer
Joined
Jan 31, 2012
Messages
81
It's an option in the FreeNAS GUI under Tasks > Init/Shutdown Scripts;
run it as post init.
 
Joined
Jan 7, 2015
Messages
1,150
I'm a day late and a dollar short as usual, but I can add that I do believe I use my fail2ban + apache jail's hosts.deny file as my FN hosts.deny. My apache jail also looks to the FN host logs via cleverly edited regex to populate the apache/hosts.deny file, and on reboot, in a similar way, the apache hosts.deny file is substituted for the blank FN/hosts.deny file.

I really forgot about fail2ban once I started with pfBlockerNG (pfSense), as it blanket blocks specific countries via GeoIP from any access on any ports. In fact I only allow persons with a US IP to connect at all to any service via WAN, and that seems to help significantly, but it is easily defeated with a VPN hop to the US. But fail2ban quietly does its thing as a backup. Failed SSH or port 80 or 443 connect and you're done forever on that IP. I just looked at my hosts.deny file and it has blacklisted 24,802 IP addresses. pfBlocker has done significantly more at 142,631.

Also changing your default ssh port almost stops attempts altogether, if attempted SSH are what you are trying to defeat.
 

Buttshill

Cadet
Joined
Apr 23, 2020
Messages
3
Hi John,
I have fail2ban running on my Opensuse and it works well. I use a non standard port for SSH and so far I have banned nearly 1500 IPs in a month. So please don't rely on a non-standard port to stop intruders.
 

Volte

Dabbler
Joined
Feb 11, 2016
Messages
19
Edit /conf/base/etc/hosts.allow to make changes persistent across reboots.. Be careful what you do with USB mounted. You can brick your system.. This will allow your instruction to check hosts.evil to be re-applied at startup.
Is this part working for anyone else? Is my setup screwed up? When I make changes in those files (/conf/base/etc/...), they do stick, but never propagate to the root (e.g. /etc/hosts.allow) on reboot. I've tried linking (ln -s) the files, but that gets blown away too. The files are empty on reboot.

Also, when I search Google for information on the exact purpose of /conf/base/..., the top hit is a similar question with an unhelpful answer from a mod, lol, nice. If I search the forums, I find a bunch of disparate posts indirectly referencing these locations with implications that it is intended to work this way, but I can't find any official statement that backs this up.

So, to summarize
1. Is it supposed to work this way, and...
2. Is it working this way for anyone else?
3. Are there any known/common reasons why this wouldn't be working? Clearly the overwrite is working, because the file is blank on reboot...

Cheers!
 

onthax

Explorer
Joined
Jan 31, 2012
Messages
81
Is this part working for anyone else? Is my setup screwed up? When I make changes in those files (/conf/base/etc/...), they do stick, but never propagate to the root (e.g. /etc/hosts.allow) on reboot. I've tried linking (ln -s) the files, but that gets blown away too. The files are empty on reboot.

Also, when I search Google for information on the exact purpose of /conf/base/..., the top hit is a similar question with an unhelpful answer from a mod, lol, nice. If I search the forums, I find a bunch of disparate posts indirectly referencing these locations with implications that it is intended to work this way, but I can't find any official statement that backs this up.

So, to summarize
1. Is it supposed to work this way, and...
2. Is it working this way for anyone else?
3. Are there any known/common reasons why this wouldn't be working? Clearly the overwrite is working, because the file is blank on reboot...

Cheers!

As per a couple of posts up, this behavior was changed, https://jira.ixsystems.com/browse/NAS-105603

Solution is to have a startup script.
 
