plugin for fail2ban (log scan / IP ban) ?

djoole · Jul 15, 2012

Hi!

I wonder if someone is working on a fail2ban plugin for FreeNAS 8.2 ?

I know there is already a port (http://www.freshports.org/security/py-fail2ban/), so making the PBI should be OK, thanks to this doc :
http://doc.freenas.org/index.php/Plugins#Creating_your_own_FreeNAS.E2.84.A2_PBIs

If no one is on this i might try it, let me know!

Edit : I'm thinking of something... even if i get fail2ban to work inside the jail, will it be able to control Freenas firewall (ipfw) ?

William Grzybowski · Jul 15, 2012

FreeNAS does not even ship a firewall in the kernel. FreeNAS is a NAS not a firewall, do it in your router... Why would you expose your NAS to the world at all?

djoole · Jul 15, 2012

I think you misunderstood me.
So I'll explain myself.

I've opened a port on my router to be able to SSH on my NAS from outside.

The messages log of FreeNAS informs me that some funny guys try to SSH in with funny logins and funny passwords.

I would like FreeNAS (a lot of commercial NAS do that out of the box) to ban these IPs.

Fail2ban is the thing that can achieve it.

FreeNAS has a firewall, it is ipfw!

And fail2ban can change rules from ipfw to drop SSH request from any unwanted IP.

I hope i've made myself clearer :)

William Grzybowski · Jul 15, 2012

No, FreeNAS does not have a firewall.

djoole · Jul 15, 2012

Some lecture for you :
http://fr.wikipedia.org/wiki/Ipfirewall
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
http://www.manpagez.com/man/8/ipfw/

ProtoSD · Jul 15, 2012

I'm sure William understands what you are asking, he is one of the developers.

What you are asking for requires that IPFW is compiled in the kernel, which it is not in FreeNAS. The jail does not allow installing kernel modules.

djoole · Jul 15, 2012

Thanks for caring to explain, protosd :)

As i saw the command ipfw was available on my freenas (although i don't have a clue how to use it!), the conclusion for me was easy : ipfw is in FreeNAS, so we can use it.

So if IPFW is only installed on FreeNAS but not compiled in the KERNEL, the jail don't have access to it, do i understand well?

Maybe fail2ban don't have to access to ipfw, but only to some config files to add some rules? I'll look into that once i'm finished with Logitech Media Server.

In the meantime, if someone found a way to ban bad IPs on FreeNAS, feel free to give me some hints!

ProtoSD · Jul 15, 2012

djoole said:
So if IPFW is only installed on FreeNAS but not compiled in the KERNEL, the jail don't have access to it, do i understand well?

IPFW requires a kernel module to be complete. I don't understand why the IPFW command is installed if the module is not unless it was a dependency for another package. I don't have the time to look at the source to see.

I also have seen some people trying to hack my system using ssh. I have a hardware firewall, but they still try to login repeatedly.

djoole · Jul 15, 2012

OK... well it's a pity anyway this feature (IP banning) is not implemented in FreeNAS

ProtoSD · Jul 15, 2012

Actually, I think I know how it is being used in FreeNAS. When you create a share for example, you can specify which hosts to ALLOW or DENY.... perhaps William is mistaken? ;) It is possible it is included, but I don't have time to look at the source to see if it has been compiled into the kernel.

djoole · Jul 15, 2012

I don't know how to look at the source :(

Well i'll try to see if ipfw works later. If i find something i'll let you know, you do the same ;)

paleoN · Jul 15, 2012

protosd said:
I also have seen some people trying to hack my system using ssh. I have a hardware firewall, but they still try to login repeatedly.

Have you tried changing the port ssh is listening on? You can never rely on changing it to a non-default port for security, but once it is secured having it listen on a different port is a nice bonus. It will avoid all the script-kiddies running their tools checking random port 22s.

djoole said:
I don't know how to look at the source :(

You can always web browse the SVN repo.

ProtoSD · Jul 15, 2012

paleoN said:
Have you tried changing the port ssh is listening on? You can never rely on changing it to a non-default port for security, but once it is secured having it listen on a different port is a nice bonus. It will avoid all the script-kiddies running their tools checking random port 22s..

Absolutely, I don't want to publish here, but I was surprised since its a high number. Someone from Spain really had an interest for awhile ;)

paleoN · Jul 15, 2012

That is a bit surprising. You would be surprised, well maybe not you, how many knowledgeable people run ssh on port 22 because that's the port it's "supposed" to run on or it's just what they have always done. To my mind it makes sense to move it if for no better reason than to reduce the noise you get.

protosd said:
Absolutely, I don't want to publish here, but I was surprised since its a high number. Someone from Spain really had an interest for awhile ;)

NOBODY expects the Spanish Inquisition!

Important Announcement for The TrueNAS Community.

plugin for fail2ban (log scan / IP ban) ?

djoole

Contributor

William Grzybowski

Wizard

djoole

Contributor

William Grzybowski

Wizard

djoole

Contributor

ProtoSD

MVP

djoole

Contributor

ProtoSD

MVP

djoole

Contributor

ProtoSD

MVP

djoole

Contributor

paleoN

Wizard

ProtoSD

MVP

paleoN

Wizard

Similar threads

Important Announcement for The TrueNAS Community.