Fail2ban on FreeBSD drops complete pf firewall rules #1915

Closed
mfechner opened this Issue Oct 14, 2017 · 29 comments

@mfechner

mfechner commented Oct 14, 2017

Environment:

  • Fail2Ban version (including any possible distribution suffixes): 0.10.0
  • OS, including release name/version: 10.3-RELEASE-p20 FreeBSD 10.3-RELEASE-p20 #0: Wed Jul 12 03:13:07 UTC 2017
  • Fail2Ban installed via OS/distribution mechanisms
  • You have not applied any additional foreign patches to the codebase
  • Some customizations were done to the configuration (provide details below if so)

The issue:

Starting fail2ban with service fail2ban start causes a loss of the complete firewall, which makes the host not work anymore.
How could fail2ban be configured to not touch the firewall rules at all?

Steps to reproduce

Type:
service fail2ban start

Expected behavior

It should not touch the firewall at all, but should only add/remove IPs to the table defined (fail2ban).

Observed behavior

It drops all firewall Filter and Translation rules.

Any additional information

Configuration, dump and other helpful excerpts

Any customizations done to /etc/fail2ban/ configuration

jail.local:
[DEFAULT]
banaction = pf
ignoreip = localhost <local-ipv4-ip> <local-ipv6-ip> <--- I removed the real IPs here
bantime  = 21600
findtime  = 259200

maxretry = 3

[ssh]
enabled = true
filter = bsd-sshd
logpath = /var/log/auth.log

[courier]
enabled = false
filter = courier-auth
logpath = /var/log/maillog

[pure-ftpd]
enabled = true
filter = pure-ftpd

[postfix]
enabled = true
filter = postfix

[dovecot]
enabled = true
filter = custom-dovecot

[sieve]
enabled = true

[owncloud]
enabled = false
filter = owncloud
port = https
logpath = /zstorage/owncloud/owncloud.log

Relevant parts of /var/log/fail2ban.log file:

preferably obtained while running fail2ban with loglevel = 4

2017-10-14 10:07:09,253 fail2ban.server         [69019]: INFO    Exiting Fail2ban
2017-10-14 10:07:09,841 fail2ban.server         [78850]: INFO    --------------------------------------------------
2017-10-14 10:07:09,842 fail2ban.server         [78850]: INFO    Starting Fail2ban v0.10.0
2017-10-14 10:07:09,842 fail2ban.server         [78850]: INFO    Daemon started
2017-10-14 10:07:10,040 fail2ban.database       [78850]: INFO    Connected to fail2ban persistent database '/var/db/fail2ban/fail2ban.sqlite3'
...
2017-10-14 10:07:10,278 fail2ban.jail           [78850]: INFO    Jail 'ssh' started
2017-10-14 10:07:10,295 fail2ban.utils          [78850]: Level 39 801b75cf0 -- exec: echo "table <f2b-pure-ftpd> persist counters" | pfctl -f-
echo "block proto tcp from <f2b-pure-ftpd> to any port ftp,ftp-data,ftps,ftps-data" | pfctl -f-
2017-10-14 10:07:10,296 fail2ban.utils          [78850]: ERROR   801b75cf0 -- stderr: 'stdin:1: syntax error'
2017-10-14 10:07:10,296 fail2ban.utils          [78850]: ERROR   801b75cf0 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:07:10,296 fail2ban.utils          [78850]: ERROR   801b75cf0 -- returned 1
2017-10-14 10:07:10,297 fail2ban.actions        [78850]: ERROR   Failed to start jail 'pure-ftpd' action 'pf': Error starting action Jail('pure-ftpd')/pf
2017-10-14 10:07:10,321 fail2ban.utils          [78850]: Level 39 80577c5e0 -- exec: echo "table <f2b-dovecot> persist counters" | pfctl -f-
echo "block proto tcp from <f2b-dovecot> to any port pop3,pop3s,imap,imaps,submission,465,sieve" | pfctl -f-
2017-10-14 10:07:10,321 fail2ban.utils          [78850]: ERROR   80577c5e0 -- stderr: 'stdin:1: syntax error'
2017-10-14 10:07:10,322 fail2ban.utils          [78850]: ERROR   80577c5e0 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:07:10,322 fail2ban.utils          [78850]: ERROR   80577c5e0 -- returned 1
2017-10-14 10:07:10,323 fail2ban.actions        [78850]: ERROR   Failed to start jail 'dovecot' action 'pf': Error starting action Jail('dovecot')/pf
2017-10-14 10:07:10,346 fail2ban.utils          [78850]: Level 39 806582030 -- exec: echo "table <f2b-sieve> persist counters" | pfctl -f-
echo "block proto tcp from <f2b-sieve> to any port smtp,465,submission" | pfctl -f-
2017-10-14 10:07:10,347 fail2ban.utils          [78850]: ERROR   806582030 -- stderr: 'stdin:1: syntax error'
2017-10-14 10:07:10,347 fail2ban.utils          [78850]: ERROR   806582030 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:07:10,347 fail2ban.utils          [78850]: ERROR   806582030 -- returned 1
2017-10-14 10:07:10,348 fail2ban.actions        [78850]: ERROR   Failed to start jail 'sieve' action 'pf': Error starting action Jail('sieve')/pf
2017-10-14 10:07:10,374 fail2ban.actions        [78850]: NOTICE  [ssh] Restore Ban 103.28.121.86
2017-10-14 10:07:10,413 fail2ban.actions        [78850]: NOTICE  [ssh] Restore Ban 179.99.236.29
2017-10-14 10:07:10,452 fail2ban.actions        [78850]: NOTICE  [ssh] Restore Ban 182.18.153.206

Relevant lines from monitored log files in question:
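A small scan of fail2ban.log for jails whose pf action failed to start, added here as an example and not part of the issue or of fail2ban (the function names and the sample log are constructed; the sample only mimics the format quoted above): the daemon stays up after such a failure and keeps restoring bans for the jails that did start, so the log is the only place the gap shows.

```shell
#!/bin/sh
# Added example, not fail2ban's own code: list jails whose ban action failed to
# start, from the log format quoted in this issue. Names below are constructed.

# Constructed excerpt in the format of fail2ban.log (loglevel 4); the IP is a
# documentation address, not a real ban.
F2B_SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$F2B_SAMPLE_LOG"' EXIT
cat > "$F2B_SAMPLE_LOG" <<'EOF'
2017-10-14 10:07:10,278 fail2ban.jail           [78850]: INFO    Jail 'ssh' started
2017-10-14 10:07:10,296 fail2ban.utils          [78850]: ERROR   801b75cf0 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:07:10,297 fail2ban.actions        [78850]: ERROR   Failed to start jail 'pure-ftpd' action 'pf': Error starting action Jail('pure-ftpd')/pf
2017-10-14 10:07:10,322 fail2ban.utils          [78850]: ERROR   80577c5e0 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-14 10:07:10,323 fail2ban.actions        [78850]: ERROR   Failed to start jail 'dovecot' action 'pf': Error starting action Jail('dovecot')/pf
2017-10-14 10:07:10,330 fail2ban.jail           [78850]: INFO    Jail 'postfix' started
2017-10-14 10:07:10,348 fail2ban.actions        [78850]: ERROR   Failed to start jail 'sieve' action 'pf': Error starting action Jail('sieve')/pf
2017-10-14 10:07:10,374 fail2ban.actions        [78850]: NOTICE  [ssh] Restore Ban 192.0.2.10
EOF

# Jails whose action failed to start, one per line, deduplicated.  $1 = log path
f2b_failed_jails() {
    sed -n "s/.*ERROR *Failed to start jail '\([^']*\)' action '[^']*'.*/\1/p" "$1" | sort -u
}

# Jails the log reports as started, one per line, deduplicated.
f2b_started_jails() {
    sed -n "s/.*INFO *Jail '\([^']*\)' started.*/\1/p" "$1" | sort -u
}

# Number of times pfctl refused a ruleset (the error seen throughout this issue).
f2b_pf_load_errors() {
    grep -c 'pf rules not loaded' "$1"
}

# Return 0 when no jail failed to start; otherwise print the failed jails to
# stderr and return 1, so this can gate a monitoring check or a cron alert.
f2b_check() {
    failed="$(f2b_failed_jails "$1")"
    if [ -n "$failed" ]; then
        printf 'jails whose ban action failed to start:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed log.
printf 'started: %s\n' "$(f2b_started_jails "$F2B_SAMPLE_LOG" | tr '\n' ' ')"
printf 'pfctl load errors: %s\n' "$(f2b_pf_load_errors "$F2B_SAMPLE_LOG")"
f2b_check "$F2B_SAMPLE_LOG" || echo "fail2ban is running, but the jails above are not enforcing bans"
```

Pointing the functions at the real /var/log/fail2ban.log gives the same answer for a live host; the useful property is that a non-empty result from f2b_failed_jails means fail2ban reports bans for a jail that has no pf rule behind them.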

@chtheis

Contributor

chtheis commented Oct 14, 2017

@sebres

Member

sebres commented Oct 15, 2017

Does PR #1919 resolve this issue?
@koeppea, @distler, @chtheis any objections?

@distler

Contributor

distler commented Oct 15, 2017

Does PR #1919 resolve this issue?

anchor f2b {
anchor sshd
}

is correct.

@koeppea

Contributor

koeppea commented Oct 16, 2017

I'd like to reproduce and test, but I only have a BSD system at hand from Wednesday on; until then I cannot state anything.

@exking

exking commented Oct 16, 2017

BTW, I've noticed that on my system fail2ban does not add the rules correctly - {} are missing around the list of ports:

2017-10-16 07:18:27,990 fail2ban.utils [18869]: Level 39 80200c780 -- exec: echo "table <f2b-exim> persist counters" | pfctl -a f2b/exim -f-
echo "block quick proto tcp from <f2b-exim> to any port smtp,465,submission" | pfctl -a f2b/exim -f-
2017-10-16 07:18:27,991 fail2ban.utils [18869]: ERROR 80200c780 -- stderr: 'stdin:1: syntax error'
2017-10-16 07:18:27,991 fail2ban.utils [18869]: ERROR 80200c780 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-16 07:18:27,991 fail2ban.utils [18869]: ERROR 80200c780 -- returned 1

To fix that, I had to manually change the multiport action like this (added {}):
multiport = any port {<port>}

Attempting to pass a correct port parameter in jail.local did not result in success:
[exim]
enabled = true
banaction = pf[port={smtp,465,submission}, name=exim]

@sebres

Member

sebres commented Oct 16, 2017

I've noticed that on my system fail2ban does not add the rules correctly...

Which system?

If I understood your post correctly:

- multiport = any port <port>
+ multiport = any port {<port>}
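Review bot: the `+` line wraps `<port>` in braces unconditionally, so a jail that already passes a braced list (the `pf[port={22 23}, name=ssh]` form used later in this thread) would render as `port {{22 23}}`, and an empty port value would render as `port {}`; guard the wrapping so the braces are added only when the value is non-empty and does not already start with `{`.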

Although this would be a backwards-incompatible change (for the people enclosing multiports in braces in jail.local), I think this fix is necessary to be consistent with other actions (port is supplied to the other actions without braces).
At least the corresponding grammar in pf.conf(5) on freebsd.org looks correct for multiport:
port = "port" ( unary-op | binary-op | "{" op-list "}" ). The same holds for proto-list, etc.

The interim question I have: why did the submitter of the pf action (and its modifications) not do it this way from the beginning? How did it work for them all the time? Single port only?

Attempt to pass a correct port parameter in the jail.local did not result in success

I think this could work (just enclose in quotes):

[exim]
enabled = true
banaction = pf[port="{%(port)s}", name=%(__name__)s]

But as already said above, I'd prefer to rewrite it with braces by default.

@exking

exking commented Oct 16, 2017

Oh, I'm sorry, I forgot the OS: FreeBSD 11.1-STABLE
If I remember correctly, before fail2ban 0.10.0 the pf action did a blanket ban by IP regardless of the port number; starting with 0.10.0 the pf action changed to ban by the individual port, and 0.10.1 improved this by adding "anchors" to separate the rules added by fail2ban from the main pf ruleset.

I've tried to use your proposed syntax in jail.local
banaction = pf[port="{%(port)s}", name=%(__name__)s]
and unfortunately it did not help:

2017-10-16 08:40:42,117 fail2ban.utils          [20965]: Level 39 80200c780 -- exec: echo "table <f2b-exim> persist counters" | pfctl -a f2b/exim -f-
echo "block quick proto tcp from <f2b-exim> to any port smtp,465,submission" | pfctl -a f2b/exim -f-
2017-10-16 08:40:42,118 fail2ban.utils          [20965]: ERROR   80200c780 -- stderr: 'stdin:1: syntax error'
2017-10-16 08:40:42,118 fail2ban.utils          [20965]: ERROR   80200c780 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'
2017-10-16 08:40:42,118 fail2ban.utils          [20965]: ERROR   80200c780 -- returned 1

I still need this change in order for it to work
multiport = any port {<port>}

Thanks a lot for looking at this!

@chtheis

Contributor

chtheis commented Oct 16, 2017

@exking

exking commented Oct 16, 2017

Christoph, yeah, it seems like the table name got dropped by GitHub (sorry, I'm not used to the syntax here yet).

Here is the correct error:
2017-10-16 08:42:44,911 fail2ban.utils [20965]: Level 39 80200c780 -- exec: echo "table <f2b-exim> persist counters" | pfctl -a f2b/exim -f-
echo "block quick proto tcp from <f2b-exim> to any port smtp,465,submission" | pfctl -a f2b/exim -f-

@sebres

Member

sebres commented Oct 16, 2017

I've tried to use your proposed syntax in jail.local

Hmm... I don't see braces... Can you please provide an output of:

fail2ban-client -d | grep exim

# or relevant part of:
fail2ban-client -d --dump-pretty

P.S. To avoid GitHub reformatting, enclose it in triple backticks (use \n```\n...excerpt...\n```\n), see code fencing.

@exking

exking commented Oct 16, 2017

Sure, here is the output of fail2ban-client --dp | grep exim:

['add', 'exim', 'auto']
  'exim',
['set', 'exim', 'usedns', 'warn']
['set', 'exim', 'addlogpath', '/var/log/exim/mainlog', 'head']
['set', 'exim', 'maxretry', 3]
['set', 'exim', 'logencoding', 'auto']
['set', 'exim', 'bantime', '86400']
['set', 'exim', 'ignorecommand', '']
['set', 'exim', 'findtime', '3600']
['set', 'exim', 'addaction', 'pf']
['multi-set', 'exim', 'action', 'pf', [['actionunban', 'pfctl -a f2b/exim -t f2b-exim -T delete <ip>'], ['actionstart_on_demand', False], ['actionstop', 'pfctl -a f2b/exim -sr 2>/dev/null | grep -v f2b-exim | pfctl -a f2b/exim -f-\npfctl -a f2b/exim -t f2b-exim -T flush\npfctl -a f2b/exim -t f2b-exim -T kill'], ['actionstart', 'echo "table <f2b-exim> persist counters" | pfctl -a f2b/exim -f-\necho "block quick proto tcp from <f2b-exim> to any port smtp,465,submission" | pfctl -a f2b/exim -f-'], ['actionban', 'pfctl -a f2b/exim -t f2b-exim -T add <ip>'], ['actioncheck', 'pfctl -a f2b/exim -sr | grep -q f2b-exim'], ['protocol', 'tcp'], ['name', 'exim'], ['chain', 'INPUT'], ['multiport', 'any port <port>'], ['tablename', 'f2b'], ['actiontype', '<multiport>'], ['allports', 'any'], ['actname', 'pf'], ['port', 'smtp,465,submission'], ['block', 'block quick'], ['bantime', '86400']]]
['start', 'exim']

jail.local for exim

[exim]
enabled = true
banaction = pf[port="{%(port)s}", name=%(__name__)s]

@sebres

Member

sebres commented Oct 16, 2017

I've got it: the parameter banaction will be interpolated as
action_ = %(banaction)s[..., port="%(port)s", ...] in jail.conf.
Thus the port parameter you supplied to banaction will be overwritten by the original interpolation after substitution of action.

Only this helps here:

[exim]
port = {%(known/port)s}

@exking

exking commented Oct 16, 2017

Hmm... I've added that line to both [exim] and [dovecot] (I only have 2 services that have multiple ports) and getting all dovecot ports banned for exim for some odd reason.

@distler

Contributor

distler commented Oct 16, 2017

Thus your parameter port supplied to banaction will be overwritten with original interpolation...

Indeed. That's why I could never get banaction to work as desired.

This works for me

action = pf[port={22 23}, name=ssh]

@mfechner

mfechner commented Oct 16, 2017

I now use the following configuration:

[DEFAULT]
banaction = pf[actiontype=<allports>]
bantime  = 21600
findtime  = 259200
maxretry = 3

[sshd]
enabled = true
filter = bsd-sshd
logpath = /var/log/auth.log

... some more jails ...

Version 0.10.1 fixed the problem that it removed all existing rules.
Fail2ban has nicely inserted the rules:

pfctl -a 'f2b*' -sr

anchor "sshd" all {
  block drop quick proto tcp from <f2b-sshd> to any
}
anchor "asterisk" all {
}
anchor "dovecot" all {
  block drop quick proto tcp from <f2b-dovecot> to any
}
anchor "apache-auth" all {
  block drop quick proto tcp from <f2b-apache-auth> to any
}
anchor "apache-badbots" all {
  block drop quick proto tcp from <f2b-apache-badbots> to any
}
anchor "apache-botsearch" all {
  block drop quick proto tcp from <f2b-apache-botsearch> to any
}
anchor "apache-noscript" all {
  block drop quick proto tcp from <f2b-apache-noscript> to any
}
anchor "apache-overflows" all {
  block drop quick proto tcp from <f2b-apache-overflows> to any
}
anchor "postfix" all {
  block drop quick proto tcp from <f2b-postfix> to any
}

But it seems that fail2ban does not create the required tables:
pfctl -s Tables

fail2ban
int
vpn

Do I have to create these tables manually, or should fail2ban do it, as it does for the rules?

@exking

exking commented Oct 16, 2017

You have to specify the anchor to look at the tables.

sebres added a commit to sebres/fail2ban that referenced this issue Oct 17, 2017

pf.conf: enclose ports in braces, multiple ports expecting this syntax `... any port {http, https}`.

Note this would be backwards-incompatible change (for the people already enclosing multiports in braces in jail.local).
closes fail2bangh-1915

@sebres sebres closed this Oct 17, 2017

@mfechner

mfechner commented Oct 17, 2017

This does not help, the tables are not created by fail2ban it seems:

pfctl -a "*" -s Table
fail2ban
int
vpn

But I would expect at least f2b-sshd. The table fail2ban is an old table that is part of the firewall, but fail2ban should not use it with the new version anymore.

@exking

exking commented Oct 17, 2017

Works fine for me:

$ pfctl -a f2b/exim -s Tables
f2b-exim

@mfechner

mfechner commented Oct 17, 2017

Have you defined an anchor for the tables in pf.conf?

@exking

exking commented Oct 17, 2017

Yes sir, I have

anchor "f2b/*"

defined in /etc/pf.conf at the place where I want fail2ban to keep its rules and tables.

@mfechner

mfechner commented Oct 17, 2017

Hm, it seems that wildcard is not working here:

pfctl -a "f2b/*" -t f2b-sshd -Ts
pfctl: Table does not exist.

but:

pfctl -a "f2b/sshd" -s Tables
f2b-sshd

Shows it.

And:

pfctl -a "f2b/sshd" -t f2b-sshd -Ts
   46.148.20.25
   187.66.117.141
   213.136.87.77
   218.64.4.201
   222.222.30.46

So the new version is working as expected. Thanks for the fix.

@RickD123

RickD123 commented May 13, 2018

For me, fail2ban is creating these tables on FreeBSD (with pf); however, the pf rules do not seem to block the remote host. Here are some examples:

[root@bla ~]# pfctl -a "f2b/sshd" -s Tables
f2b-sshd
[root@bla ~]# pfctl -a "f2b/postfix-sasl" -t f2b-postfix-sasl -Ts
   5.101.40.66
   93.175.29.178
   114.103.45.224
   114.103.47.101
   114.103.64.135
   181.214.206.20
[root@bla ~]# ping 5.101.40.66
PING 5.101.40.66 (5.101.40.66): 56 data bytes
64 bytes from 5.101.40.66: icmp_seq=0 ttl=58 time=12.867 ms
64 bytes from 5.101.40.66: icmp_seq=1 ttl=58 time=12.888 ms
^C
--- 5.101.40.66 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.867/12.878/12.888/0.010 ms
[root@bla ~]# pfctl -a "f2b/sshd" -t f2b-sshd -Ts
   37.187.114.79
[root@bla ~]# ping 37.187.114.79
PING 37.187.114.79 (37.187.114.79): 56 data bytes
64 bytes from 37.187.114.79: icmp_seq=0 ttl=55 time=13.701 ms
^C
--- 37.187.114.79 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.701/13.701/13.701/0.000 ms

Here is an excerpt from pf.conf:

# fail2ban
anchor "f2b/*"

anchor "sshd" all {
  block drop quick proto tcp from <f2b-sshd> to any
}

anchor "dovecot" all {
  block drop quick proto tcp from <f2b-dovecot> to any
}

anchor "postfix" all {
  block drop quick proto tcp from <f2b-postfix> to any
}

Any ideas why the pf rules are not blocking these remote hosts?

@exking

exking commented May 13, 2018

Why do you think that ping will be blocked?

@mfechner

mfechner commented May 13, 2018

@RickD123

RickD123 commented May 14, 2018

You are right of course, I overlooked that, sorry. However, the pf rules do not seem to be triggered, i.e. despite the fact that fail2ban detects some IPs, they are still not blocked, as the log file indicates:

# tail -f /var/log/fail2ban.log 
2018-05-14 21:37:00,998 fail2ban.actions        [83387]: NOTICE  [postfix-sasl] Restore Ban 91.121.72.26
2018-05-14 21:37:23,331 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 185.234.218.130 - 2018-05-14 21:37:23
2018-05-14 21:38:12,329 fail2ban.filter         [83387]: INFO    [sshd] Found 139.99.119.2 - 2018-05-14 21:38:11
2018-05-14 21:38:20,586 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 5.101.40.66 - 2018-05-14 21:38:20
2018-05-14 21:38:54,526 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 185.234.218.157 - 2018-05-14 21:38:54
2018-05-14 21:39:08,018 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 181.214.206.20 - 2018-05-14 21:39:07
2018-05-14 21:41:43,506 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 185.234.216.192 - 2018-05-14 21:41:43
2018-05-14 21:42:05,537 fail2ban.filter         [83387]: INFO    [sshd] Found 78.228.72.13 - 2018-05-14 21:42:04
2018-05-14 21:42:56,594 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 181.214.206.20 - 2018-05-14 21:42:56
2018-05-14 21:43:46,751 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 5.101.40.66 - 2018-05-14 21:43:46

(...)

2018-05-14 21:44:23,259 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 103.207.38.156 - 2018-05-14 21:44:23
2018-05-14 21:45:59,365 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 185.234.216.139 - 2018-05-14 21:45:59
2018-05-14 21:46:46,637 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 181.214.206.20 - 2018-05-14 21:46:46
2018-05-14 21:46:46,876 fail2ban.actions        [83387]: WARNING [postfix-sasl] 181.214.206.20 already banned
2018-05-14 21:47:12,054 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 185.234.218.130 - 2018-05-14 21:47:12

(...)

2018-05-14 21:47:25,678 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 164.39.218.210 - 2018-05-14 21:47:25
2018-05-14 21:49:11,838 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 5.101.40.66 - 2018-05-14 21:49:11
2018-05-14 21:49:12,467 fail2ban.actions        [83387]: WARNING [postfix-sasl] 5.101.40.66 already banned

(...)

2018-05-14 21:54:37,459 fail2ban.filter         [83387]: INFO    [postfix-sasl] Found 5.101.40.66 - 2018-05-14 21:54:37


Any ideas why these IPs are not being blocked? I mean, it is sort of strange to get messages like "XYZ already blocked", or?

Here is my pf.conf (excerpt) and fail2ban.conf:

# fail2ban
anchor "f2b/*"

anchor "sshd" all {
  block drop quick proto udp from <f2b-sshd> to any
  block drop quick proto tcp from <f2b-sshd> to any
  block drop quick proto icmp from <f2b-sshd> to any
}

anchor "dovecot" all {
  block drop quick proto tcp from <f2b-dovecot> to any
  block drop quick proto udp from <f2b-dovecot> to any
  block drop quick proto icmp from <f2b-dovecot> to any
}

anchor "postfix" all {
  block drop quick proto tcp from <f2b-postfix> to any
  block drop quick proto udp from <f2b-postfix> to any
  block drop quick proto icmp from <f2b-postfix> to any
}

Likewise, here is my jail.local:

[DEFAULT]
banaction = pf[actiontype=<allports>]
bantime  = 21600
findtime  = 259200
maxretry = 3

[sshd]
enabled = true
filter = bsd-sshd
logpath = /var/log/auth.log

[postfix-sasl]
enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s

Thanks!

@exking

exking commented May 14, 2018

anchor "f2b/*"

is the only thing you need in /etc/pf.conf

fail2ban will add rules to the anchors, which you can check like this:
pfctl -a f2b/sshd -sr

@RickD123

RickD123 commented May 14, 2018

Okay, it seems to work now. Of course, the "anchor" has to be placed quite at the top of pf.conf to ensure no other rule conflicts with it and unblocks the attacker's IP again.

@churchers

churchers commented Jul 19, 2018

Just upgraded my system to 0.10.3.1 and noticed I've had the same problem: my jails have not been running, and still don't with the current version:

2018-07-19 09:39:56,135 fail2ban.utils          [40817]: Level 39 8018c69b0 -- exec: echo "table <f2b-bsd-sshd> persist counters" | pfctl -a f2b/bsd-sshd -f-
port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
echo "block quick proto tcp from <f2b-bsd-sshd> to any port $port" | pfctl -a f2b/bsd-sshd -f-
2018-07-19 09:39:56,136 fail2ban.utils          [40817]: ERROR   8018c69b0 -- stderr: 'stdin:1: syntax error'
2018-07-19 09:39:56,136 fail2ban.utils          [40817]: ERROR   8018c69b0 -- stderr: 'pfctl: Syntax error in config file: pf rules not loaded'

This is my jail.d conf file

[bsd-sshd]
enabled = true
filter = bsd-sshd
action = pf
logpath = /var/log/auth.log
findtime = 600
maxretry = 5
bantime = 3600

What do I need to do to get my ssh & ftp jails to load correctly?

@sebres

Member

sebres commented Jul 19, 2018

action.d/pf.conf describes pretty well which parameters are expected.

If you use your own jails, you should specify all expected parameters. In this case I assume it is missing the port:

[bsd-sshd]
port = 22

or the port is not supplied to the action of this jail:

[DEFAULT]
banaction = pf[actiontype=<allports>]

[bsd-sshd]
banaction = pf[actiontype=<multiport>]

or you could use the allports variant.

Note that above I've changed the banaction parameter, which is used in the default interpolations of jail.conf:

action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
and
action = %(action_)s

So if you overwrite action somewhere, you have to supply all the expected parameters yourself.
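The port-bracing idiom quoted in churchers' log and the missing-port explanation in the comment above, reproduced as an added shell example (this is not fail2ban's own action.d/pf.conf; the function names f2b_pf_rule, f2b_pf_allports_rule and f2b_pf_rule_ok are assumed here): it builds the rule text the multiport and allports variants hand to pfctl and rejects the empty-port case up front instead of letting pfctl refuse the whole anchor.

```shell
#!/bin/sh
# Added example, not fail2ban's own action.d/pf.conf: a stand-alone copy of the
# brace-wrapping idiom from the pf action quoted in this thread, so the rule text
# can be inspected before anything is piped into pfctl. Names are assumed here.

# Build the rule the multiport action hands to "pfctl -a f2b/<name> -f-".
#   $1 = table name (e.g. f2b-sshd)   $2 = protocol   $3 = port list as fail2ban passes it
f2b_pf_rule() {
    table="$1"; proto="$2"; port="$3"
    # Same idiom as the action: a non-matching "case" exits 0, so the "&&" chain
    # only fails when the value already starts with "{". An empty value is left
    # alone, which is exactly the input that produced "stdin:1: syntax error".
    if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then
        port="{$port}"
    fi
    printf 'block quick proto %s from <%s> to any port %s\n' "$proto" "$table" "$port"
}

# Rule the allports variant produces: no port clause at all, so a jail without a
# port value cannot break it.   $1 = table name   $2 = protocol
f2b_pf_allports_rule() {
    printf 'block quick proto %s from <%s> to any\n' "$2" "$1"
}

# Pre-flight check: return 1 when the rule ends in a bare "port" keyword (jail
# without a port value), 0 otherwise. Run it on the text before "| pfctl -f-".
f2b_pf_rule_ok() {
    case "$1" in
        *" port "|*" port") return 1 ;;
    esac
    return 0
}

# Demonstration on constructed inputs: plain list, already-braced list, allports,
# and the empty-port case from the bsd-sshd jail above.
f2b_pf_rule f2b-exim tcp "smtp,465,submission"
f2b_pf_rule f2b-exim tcp "{smtp,465,submission}"
f2b_pf_allports_rule f2b-sshd tcp
rule="$(f2b_pf_rule f2b-bsd-sshd tcp "")"
f2b_pf_rule_ok "$rule" || echo "refusing to load: '$rule'"
```

The guard `case "$port" in \{*) false;; esac` relies on a non-matching case exiting 0, which is why an already-braced list passes through unchanged; a jail with no port value yields a rule ending in a bare `port` keyword, the line pfctl rejects in the log above, so checking the text first is cheaper than diagnosing "pf rules not loaded" after the fact.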
