Check out fail2ban - it's a great way of securing your system: it watches your logs and adds firewall rules to block offending IPs when something like a run of failed ssh logins turns up.
To set it up on NetBSD, install it from source - it's Python, so from the unpacked source tree you can just:
$ sudo python setup.py install
Then add an rc script as /etc/rc.d/fail2ban:
#!/bin/sh
#
# PROVIDE: fail2ban
# REQUIRE: NETWORKING syslogd

. /etc/rc.subr

name="fail2ban"
rcvar=$name
command="/usr/pkg/bin/fail2ban-client"
# fail2ban-server writes its pid here (adjust if you changed it in fail2ban.conf)
pidfile="/var/run/${name}/${name}.pid"
extra_commands="reload"

fail2ban_start()
{
	if [ -n "${the_fail2ban_pid}" ]; then
		echo "${command} already running as pid ${the_fail2ban_pid}."
		return 1
	fi
	echo "Starting ${name}"
	${command} start
}

fail2ban_stop()
{
	if [ -z "${the_fail2ban_pid}" ]; then
		echo "${command} not running? (check ${pidfile})."
		return 1
	fi
	echo "Stopping ${name}"
	${command} stop
}

fail2ban_status()
{
	if [ -z "${the_fail2ban_pid}" ]; then
		echo "${command} is not running? (check ${pidfile})."
	else
		echo "${command} is running as pid ${the_fail2ban_pid}."
	fi
}

fail2ban_reload()
{
	if [ -z "${the_fail2ban_pid}" ]; then
		echo "${command} not running? (check ${pidfile})."
		return 1
	fi
	echo "Reloading fail2ban"
	${command} reload
}

start_cmd="fail2ban_start"
stop_cmd="fail2ban_stop"
status_cmd="fail2ban_status"
reload_cmd="fail2ban_reload"

# The running daemon is fail2ban-server, a python process (not fail2ban-client),
# so the pid in the pidfile is checked against the interpreter.
the_fail2ban_pid=`check_pidfile ${pidfile} /usr/pkg/bin/python`

load_rc_config $name
run_rc_command "$1"
(don't forget to add fail2ban=YES to your /etc/rc.conf)
And set up your jail.conf with a section like this:
[ssh-ipfilter]
enabled  = true
filter   = sshd
# two actions: mail a whois report, and block the IP with ipfilter.
# Continuation lines must be indented.
action   = sendmail-whois[name=SSH, dest=youremail@email.com, sender=fail2ban@yourbox]
           ipfilter[name=SSH, port=ssh, protocol=tcp]
# NetBSD's syslogd sends sshd's auth messages here by default
logpath  = /var/log/authlog
maxretry = 5
(Read the fail2ban docs or the message after installation to determine where your jail.conf and other conf files are. Mine are in /etc/fail2ban/. Before enabling the jail, put the addresses you log in from into ignoreip under [DEFAULT] so that fat-fingering your own password a few times can't lock you out of the box.)
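To see what the jail above actually decides, here is a small replay of its logic in Python. This is an added example, not code from the post or from fail2ban itself: it runs a couple of sshd failure patterns (a subset of fail2ban's sshd filter, rewritten here) over a constructed /var/log/authlog sample in NetBSD syslog format, then applies maxretry = 5 within fail2ban's default findtime of 600 seconds and an exact-match ignoreip list, and reports which source addresses would be banned. The log lines, host name "bsdbox" and all addresses are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/authlog in NetBSD syslog format (not real log data).
# 203.0.113.5:  five failures in 18 seconds        -> should be banned
# 192.0.2.77:   one typo, then a successful login  -> left alone
# 127.0.0.1:    six failures, but covered by ignoreip
# 198.51.100.9: five failures spread over 20 min   -> never five inside findtime
SAMPLE_AUTHLOG = """\
Mar  3 10:15:22 bsdbox sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 54321 ssh2
Mar  3 10:15:25 bsdbox sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 54321 ssh2
Mar  3 10:15:29 bsdbox sshd[1203]: Failed password for root from 203.0.113.5 port 54330 ssh2
Mar  3 10:15:33 bsdbox sshd[1205]: Invalid user oracle from 203.0.113.5
Mar  3 10:15:40 bsdbox sshd[1207]: Failed password for root from 203.0.113.5 port 54340 ssh2
Mar  3 10:16:02 bsdbox sshd[1210]: Failed password for brad from 192.0.2.77 port 40001 ssh2
Mar  3 10:16:10 bsdbox sshd[1212]: Accepted publickey for brad from 192.0.2.77 port 40002 ssh2
Mar  3 10:20:00 bsdbox sshd[1220]: Failed password for root from 127.0.0.1 port 50000 ssh2
Mar  3 10:20:05 bsdbox sshd[1221]: Failed password for root from 127.0.0.1 port 50001 ssh2
Mar  3 10:20:10 bsdbox sshd[1222]: Failed password for root from 127.0.0.1 port 50002 ssh2
Mar  3 10:20:15 bsdbox sshd[1223]: Failed password for root from 127.0.0.1 port 50003 ssh2
Mar  3 10:20:20 bsdbox sshd[1224]: Failed password for root from 127.0.0.1 port 50004 ssh2
Mar  3 10:20:25 bsdbox sshd[1225]: Failed password for root from 127.0.0.1 port 50005 ssh2
Mar  3 11:00:00 bsdbox sshd[1300]: Failed password for root from 198.51.100.9 port 60001 ssh2
Mar  3 11:05:00 bsdbox sshd[1301]: Failed password for root from 198.51.100.9 port 60002 ssh2
Mar  3 11:10:00 bsdbox sshd[1302]: Failed password for root from 198.51.100.9 port 60003 ssh2
Mar  3 11:15:00 bsdbox sshd[1303]: Failed password for root from 198.51.100.9 port 60004 ssh2
Mar  3 11:20:00 bsdbox sshd[1304]: Failed password for root from 198.51.100.9 port 60005 ssh2
"""

# syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# A subset of the patterns in fail2ban's sshd filter, rewritten here for illustration.
# To check the filter fail2ban actually ships, run fail2ban-regex against filter.d/sshd.conf.
FAILURE_RES = [
    re.compile(r"^Failed (?:password|publickey|none) for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"),
    re.compile(r"^Invalid user \S+ from (?P<ip>\S+)(?: port \d+)?$"),
]


def parse_line(line):
    """Return (timestamp, ip) for an sshd failure line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for pattern in FAILURE_RES:
        hit = pattern.match(m.group("msg"))
        if hit:
            # syslog lines carry no year; strptime fills in 1900, which is fine for
            # the time differences needed here (year boundaries are ignored).
            ts = datetime.strptime(
                "%s %d %s" % (m.group("mon"), int(m.group("day")), m.group("hms")),
                "%b %d %H:%M:%S",
            )
            return ts, hit.group("ip")
    return None


def failures_by_ip(log_text):
    """Total matched failures per source IP, ignoring findtime (the raw filter view)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def find_bans(log_text, maxretry=5, findtime=600, ignoreip=("127.0.0.1",)):
    """Replay the log and return the IPs a jail with these settings would ban, in order.

    maxretry/findtime follow fail2ban's meaning: ban once an IP has at least
    maxretry failures inside a findtime-second window. ignoreip is an exact-match
    list in this example (assumption: the real setting also takes CIDR ranges).
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in ignoreip or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(ip)
            window.clear()
    return banned


if __name__ == "__main__":
    print("failures per IP:", failures_by_ip(SAMPLE_AUTHLOG))
    print("would ban:", find_bans(SAMPLE_AUTHLOG))
```

Running it bans only 203.0.113.5: the localhost failures are skipped by ignoreip, and 198.51.100.9 never has five failures inside one 600-second window, which is the kind of slow probe a bigger findtime (or a lower maxretry) is there to catch. Against your real log, use fail2ban-regex with the shipped filter rather than this script, since the real sshd filter matches far more message variants than the two above.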
Then start it up like this:
$ sudo /etc/rc.d/fail2ban start
Check out all the other actions and filters too... fail2ban is not just for blocking failed ssh authentications!
I get an email whenever fail2ban is started or stopped - and also whenever it blocks a possible attacking IP. It works great!
This is the blog of Brad Willis, a software engineer living in Brisbane.