I prepared a little howto for installing file2ban on FreeNAS 9.x
If any question, additional info or correction just let me know...
A. How to install fail2ban on FreeNAS 9.x
On FreeNAS 9.x it is possible to use PC-BSD PBI subsystem for installing non-FreeNAS plugins. Obviously u can not install fail2ban into jail - we need to secure whole freeNAS. So it is necessary to make changes directly in the FreeNAS system. This is also the reason why setup over GUI will not work and we need to use command line instead. Please note this can cause some consequences when upgrade of FreNAS will be made in future.
1. Login as root on Freenas in command line ( use “su” command )
2. We have to mount system for write operations:
mount -uw /
3. Download fail2ban.pbi from this address: http://ftp.pcbsd.org/pub/pbioutgoing/amd64/9/security/py-fail2ban/ and put somewhere on your NAS
4. Install fail2ban using PBI command:
pbi_add /somwhere/py-fail2ban-0.8.10-amd64.pbi
if you miss PBI subsystem you need to install it first:
pkg install pcbsd-utils
if you did not download signature for file2ban use this:
pbi_add —no-checksig /somwhere/py-fail2ban-0.8.10-amd64.pbi
5. FreeNAS is rebuilding config files every reboot ( /etc /var ) so we need to change some files to make our changes permanent. Our destination directory is /conf/base — there we have to put our files to make changes permanent after reboot and also there we will configure fail2ban in next step. Now we will copy fail2ban daemon to rc.d ,whole fail2ban config files to /etc and make necessary directory into /var/run
cp /usr/pbi/py-fail2ban-amd64/etc/rc.d/fail2ban /conf/base/rc.d/
cp -R /usr/pbi/py-fail2ban-amd64/etc/fail2ban /conf/base/etc/fail2ban/
mkdir /conf/base/var/run/fail2ban
That’s it! - now we need to make minimal configuration of fail2ban to work properly and than start the service
B. Basic fail2ban configuration
1. We need to setup fail2ban to start properly working. If you want to add IP addresses to blacklist on ssh connection after failed password attempt then it is necessary to make some changes in fail2ban jail.conf file. Please do not make changes directly in this file and copy it into jail.local (this is because when you upgrade fail2ban changes will not touch your jail.local config file):
cp /conf/base/etc/fail2ban/jail.conf /conf/base/etc/fail2ban/jail.local
2. Edit file jail.local, find section with ssh-ipfw and make changes:
nano /conf/base/etc/fail2ban/jail.local
[ssh-ipfw]
enabled = true
filter = sshd
# write your FreeNAS IPaddress on next line
action = ipfw[localhost=[B]192.168.2.168[/B]]
# write your email address if you want to receive information about banned IP's
sendmail-whois[name="SSH,IPFW", dest=yourmail@domain.com] logpath = /var/log/auth.log ignoreip = 168.192.0.1
save changes with Ctrl-X (Y)
In this file is also possible setup how long will IP address banned/unbaned and how many tries is possible before ban (bantime, maxretry). Default is 3 possible password failures and 600 seconds = 10 minutes. For testing purposes leave it as it is.
3. We have to make possible fail2ban to start:
echo fail2ban_enable=“YES” >> /conf/base/etc/rc.conf
C. Starting fail2ban
1. reboot system or if you can not then repeat A.5 step - copy necessary files to /etc/rc.d and /etc/fail2ban/ an make fail2ban directory in /var/run/. (do not forget make changes or copy it in jail.local and remount file system read only)
reboot
2. start fail2ban
service fail2ban start
D. Test fail2ban working properly
Try to tree times connect over ssh with bad password:
ssh username:password@IPaddress
If fail2ban works properly you will be banned after three attempts.
Wait 10 minutes and you will be unbaned.
You can check in thees log files:
/var/log/auth.log
/var/log/fail2ban.log
cat /var/log/file2ban.log
REFERENCES:
How to install PBI on FreeNAs:
http://doc.freenas.org/index.php/Installing_a_PC-BSD_PBI
install fail2ban on 8.x FreeNAS
https://sites.google.com/site/aganimkarmiel/home/free-time/webserver/freenas-and-fail2ban
fail2ban description:
http://en.wikipedia.org/wiki/Fail2ban
fail2ban configuration:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration
If any question, additional info or correction just let me know...
A. How to install fail2ban on FreeNAS 9.x
On FreeNAS 9.x it is possible to use PC-BSD PBI subsystem for installing non-FreeNAS plugins. Obviously u can not install fail2ban into jail - we need to secure whole freeNAS. So it is necessary to make changes directly in the FreeNAS system. This is also the reason why setup over GUI will not work and we need to use command line instead. Please note this can cause some consequences when upgrade of FreNAS will be made in future.
1. Login as root on Freenas in command line ( use “su” command )
2. We have to mount system for write operations:
mount -uw /
3. Download fail2ban.pbi from this address: http://ftp.pcbsd.org/pub/pbioutgoing/amd64/9/security/py-fail2ban/ and put somewhere on your NAS
4. Install fail2ban using PBI command:
pbi_add /somwhere/py-fail2ban-0.8.10-amd64.pbi
if you miss PBI subsystem you need to install it first:
pkg install pcbsd-utils
if you did not download signature for file2ban use this:
pbi_add —no-checksig /somwhere/py-fail2ban-0.8.10-amd64.pbi
5. FreeNAS is rebuilding config files every reboot ( /etc /var ) so we need to change some files to make our changes permanent. Our destination directory is /conf/base — there we have to put our files to make changes permanent after reboot and also there we will configure fail2ban in next step. Now we will copy fail2ban daemon to rc.d ,whole fail2ban config files to /etc and make necessary directory into /var/run
cp /usr/pbi/py-fail2ban-amd64/etc/rc.d/fail2ban /conf/base/rc.d/
cp -R /usr/pbi/py-fail2ban-amd64/etc/fail2ban /conf/base/etc/fail2ban/
mkdir /conf/base/var/run/fail2ban
That’s it! - now we need to make minimal configuration of fail2ban to work properly and than start the service
B. Basic fail2ban configuration
1. We need to setup fail2ban to start properly working. If you want to add IP addresses to blacklist on ssh connection after failed password attempt then it is necessary to make some changes in fail2ban jail.conf file. Please do not make changes directly in this file and copy it into jail.local (this is because when you upgrade fail2ban changes will not touch your jail.local config file):
cp /conf/base/etc/fail2ban/jail.conf /conf/base/etc/fail2ban/jail.local
2. Edit file jail.local, find section with ssh-ipfw and make changes:
nano /conf/base/etc/fail2ban/jail.local
[ssh-ipfw]
enabled = true
filter = sshd
# write your FreeNAS IPaddress on next line
action = ipfw[localhost=[B]192.168.2.168[/B]]
# write your email address if you want to receive information about banned IP's
sendmail-whois[name="SSH,IPFW", dest=yourmail@domain.com] logpath = /var/log/auth.log ignoreip = 168.192.0.1
save changes with Ctrl-X (Y)
In this file is also possible setup how long will IP address banned/unbaned and how many tries is possible before ban (bantime, maxretry). Default is 3 possible password failures and 600 seconds = 10 minutes. For testing purposes leave it as it is.
3. We have to make possible fail2ban to start:
echo fail2ban_enable=“YES” >> /conf/base/etc/rc.conf
C. Starting fail2ban
1. reboot system or if you can not then repeat A.5 step - copy necessary files to /etc/rc.d and /etc/fail2ban/ an make fail2ban directory in /var/run/. (do not forget make changes or copy it in jail.local and remount file system read only)
reboot
2. start fail2ban
service fail2ban start
D. Test fail2ban working properly
Try to tree times connect over ssh with bad password:
ssh username:password@IPaddress
If fail2ban works properly you will be banned after three attempts.
Wait 10 minutes and you will be unbaned.
You can check in thees log files:
/var/log/auth.log
/var/log/fail2ban.log
cat /var/log/file2ban.log
REFERENCES:
How to install PBI on FreeNAs:
http://doc.freenas.org/index.php/Installing_a_PC-BSD_PBI
install fail2ban on 8.x FreeNAS
https://sites.google.com/site/aganimkarmiel/home/free-time/webserver/freenas-and-fail2ban
fail2ban description:
http://en.wikipedia.org/wiki/Fail2ban
fail2ban configuration:
http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Configuration
