Fail2ban in opnsense

[Julien]

Hi guys,
I was wondering of this projet already exisit on the Opnsense or not.
https://www.fail2ban.org/wiki/index.php/Main_Page

I hope to have this in the near future.

Regards.
Julien

[Davesworld]

Aside from the question, are you now or are you planning to allow your firewall to be accessed from the internet to administer remotely? This is the only real case that comes to mind aside from port forwarding from behind your firewall. My email and sip servers have it since they do their own firewalling and are in the wild as it were and DO have open ports for the services they provide. All it does is temporarily ban ip addresses for ten minutes after multiple failed logins for services I do have along with a 64 character password but those are servers on the internet.

If you are NOT administering your firewall remotely, eg across the internet and you have no ports forwarded, it should be dropping all uncommanded incoming packets thus the offending ip addresses can't even see that you have a firewall at your ip much less if there are any pc's behind it. My logs show that most port scanners will try one to a few dozen ports and be on their way if they do not get a hit on any port they scanned.

Also keep in mind that intrusion detection is available although it is often the most misunderstood and misused tool there is in a firewall.  Anytime you reject uncommanded incoming packets rather than drop uncommended packets from an ip, you tell them, "Hey, yeah I'm here, this IP is a good one for you to pester."

[ruggerio]

What are you planning to protect with?

Fail2ban usually listens on the ports on the devices which holds the Services, not a Gateway.

Roger

[Julien]

@Davesworld
Well explained thank you so much,
We are using IDS however sometime we can't block the whole country. in this case we want to block those IP who are trying to access the mail server or other services behind the firewall which we have their Port NAT on the fierwall


@ruggerio  we are trying to protect the internal services ( mail server,.......) IDS is already activated on the WAN side.

[fabian]

@ruggerio  we are trying to protect the internal services ( mail server,.......) IDS is already activated on the WAN side.

You can use postfix together with rspamd and clamav if you want to do spam and malware filtering if you like…

[Julien]

@fabian thank you for your answer. we are using a spamfilter behind the Opnsense.We have the IDS on the WAN however we are using VIP , one of the VIP is the external IP of the SPamfilter.

INTERNET >>>>> OPNSENS>>>>>> LAN
INTERNET >>>>> OPNSENSE (WAN Virtual IP )>>>>> INTERNAL SPAM FILTER

IDS is activated on the WAN, Does it means it apply for the virtual WAN IP ?

[ruggerio]

@Davesworld
Well explained thank you so much,
We are using IDS however sometime we can't block the whole country. in this case we want to block those IP who are trying to access the mail server or other services behind the firewall which we have their Port NAT on the fierwall


@ruggerio  we are trying to protect the internal services ( mail server,.......) IDS is already activated on the WAN side.

@julien: i do the same on my homenetworks. But as fail2ban needs to search preferably in syslogs of the monitored server, it makes sense to run f2b on the same machine. f2b also sets firewallrules on that machine, which will not be that easy.  The goal of f2b ist closing ports for offending ip's/domains directy on the firewall of the machine running the services you wish to protect. I do not think, it is designed for remote and central maintenance.

[Julien]

we have configured fail2ban on the spam filter.
it seems to do the job now.
would love to see this feature in the future on the opnsense as well.