
Fail2ban on OpenBSD

Harout
November 6, 2014

Fail2ban is a nifty security tool that monitors log files (ssh, Apache, Squid, etc.) and executes commands in response, such as adding an iptables rule that blocks the offending IP address.

On Debian/Ubuntu, fail2ban is available in the repositories and, once installed, it starts protecting ssh by default. Such a great safety measure for so little work required (just install it!).

This post, however, covers installing fail2ban on a server running OpenBSD (in this case, 5.1) and setting it up to protect SSH from bad login attempts.

Note: This is not a post on how to use PF on an OpenBSD server 😉

– Install Python [pkg_add python-2.7.1p12.tgz]
– Get a copy of the fail2ban master branch: https://github.com/fail2ban/fail2ban
– Install fail2ban by running: python2.7 setup.py install
– Once installed, the configs are in /etc/fail2ban
– Find jail.conf and add a new “jail” section as follows:


[ssh-pf]
enabled = true
filter = sshd
action = pf
logpath = /var/log/authlog
ignoreip = "a whitelisted IP"

– Next, go to /etc/fail2ban/action.d
– Create a new action config named ‘pf.conf’
– Add the following to it:


[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /sbin/pfctl -t Banned -T add <ip> && /sbin/pfctl -k <ip>
actionunban = /sbin/pfctl -t Banned -T delete <ip>
[Init]

– Now we need to set up /etc/pf.conf with some block rules.
– Assuming you already know how to use PF, we will need a table and a block rule for the table:


# Fail2Ban dynamic table
table <Banned> persist

# Fail2Ban blocks
block log quick from { <Banned> } to any

– To start/stop fail2ban on OpenBSD

# fail2ban-client start
# fail2ban-client stop

– To look at the PF table for IPs (the table defined in /etc/pf.conf above is named Banned)

pfctl -t 'tableName' -T show

– To clear contents of the table

pfctl -t 'tableName' -T flush
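
A simplified model of how the ssh-pf jail and the pf action fit together, added here as an illustration (it is not fail2ban's own code and not part of the original post): it scans authlog lines, skips whitelisted addresses, and returns the actionban command lines with the <ip> tag filled in. MAXRETRY, FINDTIME, the whitelist network, the regex and the log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# actionban exactly as in action.d/pf.conf above; <ip> is the tag fail2ban fills in
ACTIONBAN = "/sbin/pfctl -t Banned -T add <ip> && /sbin/pfctl -k <ip>"
# Assumed jail settings for this example (the post's jail does not set them)
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
IGNOREIP = [ipaddress.ip_network("192.0.2.0/24")]  # constructed whitelist
# Simplified stand-in for the sshd filter, not fail2ban's real failregex
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\S+)")
# Constructed /var/log/authlog lines
SAMPLE_AUTHLOG = """\
Nov  6 10:00:01 host sshd[311]: Failed password for root from 203.0.113.7 port 4122 ssh2
Nov  6 10:00:02 host sshd[312]: Failed password for root from 192.0.2.10 port 4123 ssh2
Nov  6 10:00:03 host sshd[313]: Failed password for root from 192.0.2.10 port 4124 ssh2
Nov  6 10:00:04 host sshd[314]: Failed password for root from 192.0.2.10 port 4125 ssh2
Nov  6 10:00:05 host sshd[315]: Failed password for invalid user admin from 203.0.113.7 port 4126 ssh2
Nov  6 10:00:06 host sshd[316]: Accepted publickey for admin from 198.51.100.9 port 4127 ssh2
Nov  6 10:00:09 host sshd[317]: Failed password for root from 203.0.113.7 port 4128 ssh2
Nov  6 10:01:00 host sshd[318]: Failed password for root from 198.51.100.4 port 4129 ssh2
Nov  6 10:01:05 host sshd[319]: Failed password for root from 198.51.100.4 port 4130 ssh2
Nov  6 10:30:00 host sshd[320]: Failed password for root from 198.51.100.4 port 4131 ssh2
"""

def commands_to_run(log_text, year=2014):
    """Return the actionban command lines the given log text would trigger."""
    failures, banned, commands = defaultdict(list), set(), []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # only a valid address may be substituted into the command
        if ip in banned or any(ip in net for net in IGNOREIP):
            continue  # already in the table, or whitelisted via ignoreip
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        # keep only failures inside the findtime window, then add this one
        failures[ip] = [t for t in failures[ip] if ts - t <= FINDTIME] + [ts]
        if len(failures[ip]) >= MAXRETRY:
            banned.add(ip)
            commands.append(ACTIONBAN.replace("<ip>", str(ip)))
    return commands
```

With the sample lines, only 203.0.113.7 is banned: 192.0.2.10 is whitelisted, and the third failure from 198.51.100.4 falls outside the ten-minute window.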
