Fail2ban on OpenBSD 6.0

If you have ever had a server exposed to the Internet, you will often see attempts to login to ssh on port 22.

After improving my log monitoring, these login attempts annoyed me enough to take action. So I installed Fail2ban.

Fail2ban monitors logs and will add ip addresses to your firewall to block based on rules. Fail2ban is written in Python and available for several platforms and can monitor different logs (not just ssh).

I have setup Fail2ban to watch for 3 failed logins (one failed login will allow 3 password attempts) and then block that IP address for 1 day.

The following instructions are for:

OpenBSD 6.0
Fail2ban 0.9.5

The instructions also assume that you have an OpenBSD server running with ssh port 22 exposed to the Internet and use Packet Filter (PF) for your firewall.

Installing Fail2ban

Install Python, when asked for version, select 3.5:

Download fail2ban-0.9.1.tar.bz2, uncompress and install:

Next create a new rc file for Fail2ban. This will manage starting, stoping and checking for the status of Fail2ban. It is based on the rc.template, sabnzbd.rc and filebeat.rc.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/infrastructure/templates/rc.template
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/news/sabnzbd/pkg/sabnzbd.rc
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/sysutils/beats/filebeat/pkg/filebeat.rc?rev=1.1.1.1&content-type=text/plain

It is worth noting that the rc file is a little non-traditional, because Fail2ban has two components, a client and a server. Normally rc files will start a daemon, check to see if the process is active and kill that process to stop. The check logic could probably be improved, but it works.

Create the rc file and paste in the content:

Set permissions:

Edit /etc/rc.conf.local to add the Fail2ban rc file:

Configure Fail2ban

Need to configure fail2ban what an ssh login failure looks like. Please update 192.168.0.10 to your local server ip address.

A few comments here:
– Fail2ban is monitoring /var/log/authlog
– After an IP has 3 failed logins, the IP will be blocked
– The IP will be blocked for 1 day (86400 seconds)
– Exclude localhost IP

Create a new file ssh-pf.local:

Configure fail2ban what action to take when the ssh login fails.

Existing configuration fail2ban for pf.conf is unchanged:

Setup OpenBSD Packet Filter with a new table to store the banned ip addresses

NOTE: that table names are always enclosed in < > angled brackets

Edit /etc/pf.conf and add to end:

Manage Fail2ban

Use rc scripts to manage:

Manually manage:

Tail fail2ban log:

Print contents of table:

Start and load pf.conf:

Conclusion

That’s it! It can be satisfying to login and print out the content of the PF fail2ban table and see the blocked IP addresses. Also, fewer spikes in the log monitoring of failed logins.

Comments are closed.