Integrating PF with Fail2ban 0.9

2011-03-20 20:27:04 by chort

Many security practitioners are familiar with Fail2ban, an application that scans log files for various types of suspicious failures and bans the source IP after too many attempts. Most users implement it to protect their Linux systems (via Netfilter/iptables and TCP wrappers), but it also includes methods for Sendmail and IPFW (FreeBSD and OSX).

What is notably missing from the above list is the wildly popular PF (Packet Filter). It was originally designed by Daniel Hartmeier to replace IPF in OpenBSD, but has since been adopted by FreeBSD, NetBSD, and DragonFly BSD. PF is widely embraced due to the simplicity and clarity of the syntax, and the comprehensive array of professional-grade features available.

Ironically, PF is probably better known now due to FreeBSD than the originating project, OpenBSD. It's somewhat startling that no one has yet included PF support in Fail2ban. It's also disappointing that Apple hasn't switched from IPFW to PF as their packet filtering firewall (hint hint).

In the spirit of the Open Source "submit a patch or GTFO" mentality, here's how you can use Fail2ban to insert rules into your PF firewall.

Read the rest of this story...

Amazing Free Software and WWIPAS

2011-01-22 16:04:24 by chort

A few days ago I was using a free DNS monitoring utility called dnstop. I had found a few bugs while trying to build and run it on OpenBSD. I knew one of the authors was active on public mailing lists, so I e-mailed him to report the bugs. To my surprise and delight, he responded quickly and began investigating.

When he was unable to set up a test environment to mimic mine in a timely manner, he asked if he could log in to one of my systems to verify the behavior. I gave him access to a virtual machine and a day later, after several e-mail exchanges, all my reported problems were fixed and a new version of the software was available for download. Since the software itself was free, but the maintainer had gone to considerable trouble to fix my bugs in a very responsive manner, I offered him the continuing use of the shell account as payment.

A few days later I was downloading an update to TinyUmbrella and noticed a "Donate" button on the website. I thought about how much potential hassle that utility saves me and decided to donate. It only took a minute to contribute a few dollars to the project through PayPal. These two experiences prompted me to muse on the amazing value that authors of free software deliver, and what proper compensation is. This led me to create the "WWIPAS" rule. What on Earth is that? I'm so glad you asked, read on...

Read the rest of this story...