Merge branch 'master' of git://github.com/fail2ban/fail2ban

* 'master' of git://github.com/fail2ban/fail2ban: BF: missed MANIFEST include DOC: credits for bsd-ipfw ENH: add ipfw rule for bsd using the tables.
2013-05-08 10:32:18 -04:00 · 2013-05-08 10:32:18 -04:00 · 2b1e19933f
parent 571cadd80c 5accc10a47
commit 2b1e19933f
4 changed files with 99 additions and 0 deletions
--- a/3
+++ b/3
@ -75,6 +75,9 @@ fail2ban-users mailing list and IRC.
   * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442.
  Daniel Black
   * [be06b1b] Add action for iptables-ipsets. Closes gh-102.
+  Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk
+   * [b6d0e8a] Add and enhance the bsd-ipfw action from
+     FreeBSD ports.
  Soulard Morgan
   * [f336d9f] Add filter for webmin. Closes gh-99.
  Steven Hiscocks
--- a/1
+++ b/1
@ -100,6 +100,7 @@ config/filter.d/dropbear.conf
 config/filter.d/lighttpd-auth.conf
 config/filter.d/recidive.conf
 config/filter.d/roundcube-auth.conf
+config/action.d/bsd-ipfw.conf
 config/action.d/dummy.conf
 config/action.d/iptables-blocktype.conf
 config/action.d/iptables-ipset-proto4.conf
--- a/config/action.d/bsd-ipfw.conf
+++ b/config/action.d/bsd-ipfw.conf
@ -0,0 +1,82 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Ken Menzel
+#              Daniel Black (start/stop)
+#              Fabian Wenk (many ideas as per fail2ban users list)
+#
+# Ensure firewall_enable="YES" in the top of /etc/rc.conf
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num deny <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" )
+
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =  [ -f <startstatefile> ] && ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
+
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = 
+
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+# requires an ipfw rule like "deny ip from table(1) to me"
+actionban = ipfw table <table> add <ip>
+
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = ipfw table <table> delete <ip>
+
+[Init]
+# Option:  table
+# Notes:   The ipfw table to use. If a ipfw rule using this table already exists,
+#          this action will not create a ipfw rule to block it and the following
+#          options will have no effect.
+# Values:  NUM
+table = 1
+
+# Option:  port
+# Notes.:  Specifies port to monitor. Blank indicate block all ports.
+# Values:  [ NUM | STRING ]
+#
+port = 
+
+# Option:  startstatefile
+# Notes:   A file to indicate that the table rule that was added. Ensure it is unique per table.
+# Values:  STRING
+startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
+
+# Option:  action
+# Notes:   This is the action to take for automaticly created rules. See the 
+#          ACTION defination at the top of man ipfw for allowed values.
+#          "deny" and "unreach port" are probably the useful.
+# Values:  STRING
+action = deny
+
+# Option: block
+# Notes:  This is how much to block.
+#         Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = ip
--- a/config/jail.conf
+++ b/config/jail.conf
@ -139,6 +139,19 @@ action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
 logpath  = /var/log/sshd.log
 maxretry = 5

+# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
+# table number must be unique.
+# 
+# This will create a deny rule for that table ONLY if a rule 
+# for the table doesn't ready exist.
+#
+[ssh-bsd-ipfw]
+enabled  = false
+filter   = sshd
+action   = bsd-ipfw[port=ssh,table=1]
+logpath  = /var/log/auth.log
+maxretry = 5
+
 # This jail demonstrates the use of wildcards in "logpath".
 # Moreover, it is possible to give other files on a new line.