OpenWrt Forum Archive

Topic: fail2ban on OpenWRT

The content of this topic has been archived on 5 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello, is it possible to add the fail2ban package to OpenWRT? I use it on my server and it avoids a lot of SSH attacks.

Thanks and regards.

The fail2ban utility is implemented in python which is rather big for the typical OpenWrt device. You should look for an alternative C only solution.

Thanks for your reply, any other software similar to fail2ban?

Regards.

Yeah, but what about x86 users?! You can not ignore us as if we don't exist just because you personally don't like something. As far as I know, Python packages are available for x86, so what is the problem with helping with jlazkano's request?
prooflink

A much better approach is to not use port 22 externally. You'll see 99.99% of all brute force attacks go away.

Personally I don't really understand the whole SSH paranoia... ditching password authentication for public keys is probably more secure than fail2ban and the like. If someone really wants to crack your SSH, he probably does distributed brute force, which those block scripts are mostly useless against.

Come on guys... why so much flame here but not one word about whether you can do it or not.
PS: all the cases are different, don't try to understand what we need, just help us (or not), thank you.
PPS: is it so hard to make this package? I don't think so. I think you just got lazy ;)

As you already noticed, there is Python available. And as you also know, fail2ban is a Python script, so why don't you just grab it and copy it to your router?

I personally can. But the question was different, I'll remind you:

Is it possible to add the fail2ban package to OpenWRT?

If you personally can not help here, please stop this flame and go away. Maybe someone else will want to help. Thank you.

Actually everybody in here tried to help you. Now I'm not so inclined anymore.

A tip to change the port IS NOT help, thanks. The request was to make a PACKAGE.

anest,

If you would really like to contribute to package fail2ban for OpenWRT, then please read this build packages documentation.

No, I can't (and actually that's why I'm asking for help here). I just install from scratch. But it will be nice if you, or anybody who can, will make the package for anyone (jlazkano is in the same boat) who wants it. Thanks.
PS: if you really can not assemble this package, please stop this pointless flame here. Just pass by and do not troll. I hope you finally got my point, thanks.

Actually, I can do that; however, I don't see any good reasons/needs for it, let alone that it makes no sense at all to waste the resources. Having fail2ban is like letting thieves come inside your house at any time, lurking around, watching your wife and/or daughters naked while taking a shower, etc. If I wanted to stop thieves, I would have stopped them way before they set foot through my outer gate. In this case, I would completely block intruders before they get a chance to get past my NAT/firewall router. I also hope you finally got my point.

Exactly. That is the job fail2ban is doing: "completely block intruders before they get a chance to get past" your gate.
Anyway, I'm just shockingly surprised how nasty some people here are. I must repeat: if you personally don't want to help us, just go away! Maybe someone will help. But please stop trolling; respect, if not us, then the community please. Thank you.

@anest: what did you contribute to this community (that you are referring to)? You wrote a "please make me a package" post and now you are accusing other members of trolling around. On the other hand arokh, mazilo and jow are developers or active members who contribute a lot to this project. So please stop it!

@jlazkano: I don't know fail2ban, but denyhosts and similar packages normally depend on standard logfiles. OpenWrt lacks these standard logfiles because you can only store them on a ramdisk, the space is quite limited, and they won't survive a reboot.
Search for "ssh bruteforce" in this forum and you will find some iptables rules which should prevent brute-force attacks (but there seem to be some issues with Backfire). All other approaches need a big writeable disk, a special syslogd configuration, ... to adapt OpenWrt to the requirements of these packages. Or you have to change a lot to adapt the packages to work with OpenWrt. Neither is really an option for mainstream OpenWrt development, especially because the OpenWrt devs don't see the need for this package.

So your options are: 
1. use publickey-authentication only
2. change the ssh-port
3. try to get the iptables-rules working
and if this doesn't satisfy your needs
4. try to adapt fail2ban to work with OpenWrt yourself, or come up with some really good reasons why this package is important for the OpenWrt project.
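Added example, not from this thread and not fail2ban's own code, sketching what option 4 amounts to on OpenWrt: the fail2ban logic without a logfile. It reads dropbear failures from the RAM ring buffer via `logread` (the only log OpenWrt keeps by default), counts failures per source address inside a sliding window like fail2ban's maxretry/findtime, and returns the iptables commands a ban action would run. The `logread` lines are constructed, the dropbear message texts are assumed, and `input_rule` is assumed to be the custom chain OpenWrt's firewall hooks into INPUT; the commands are returned, not executed.

```python
"""fail2ban-style ban logic for dropbear on OpenWrt, fed from `logread`.

Added example (not from the thread and not fail2ban's own code). Instead of
tailing a logfile it reads the RAM ring buffer via `logread`, so it works on
a device that keeps no persistent logs. The sample lines below are
constructed; dropbear's message texts and the `input_rule` chain are assumed.
"""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of `logread` output: two attackers, one legitimate login.
# 203.0.113.5 fails four times within seconds; 198.51.100.9 fails once every
# twenty minutes, which a short window must NOT treat as brute force.
SAMPLE_LOGREAD = """\
Thu Apr  5 10:00:01 2018 authpriv.warn dropbear[1183]: Bad password attempt for 'root' from 203.0.113.5:51234
Thu Apr  5 10:00:02 2018 authpriv.warn dropbear[1183]: Bad password attempt for 'root' from 203.0.113.5:51235
Thu Apr  5 10:00:03 2018 authpriv.warn dropbear[1183]: Login attempt for nonexistent user from 203.0.113.5:51236
Thu Apr  5 10:00:04 2018 authpriv.warn dropbear[1183]: Bad password attempt for 'admin' from 203.0.113.5:51237
Thu Apr  5 10:00:05 2018 authpriv.info dropbear[1184]: Password auth succeeded for 'root' from 192.0.2.10:40001
Thu Apr  5 10:00:06 2018 authpriv.warn dropbear[1185]: Bad password attempt for 'root' from 198.51.100.9:33000
Thu Apr  5 10:20:06 2018 authpriv.warn dropbear[1186]: Bad password attempt for 'root' from 198.51.100.9:33001
Thu Apr  5 10:40:06 2018 authpriv.warn dropbear[1187]: Bad password attempt for 'root' from 198.51.100.9:33002
Thu Apr  5 11:00:06 2018 authpriv.warn dropbear[1188]: Bad password attempt for 'root' from 198.51.100.9:33003
"""

# Assumed dropbear failure messages; the timestamp prefix is logread's own.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \S+ dropbear\[\d+\]: "
    r"(?:Bad password attempt for '[^']*'|Login attempt for nonexistent user) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)


def parse_failures(text):
    """Return a list of (epoch_seconds, source_ip) for each failure line."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated daemons are ignored
        stamp = " ".join(m.group("ts").split())  # collapse the padded day
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        events.append((when.timestamp(), m.group("ip")))
    return events


def offenders(events, maxretry=3, findtime=600):
    """Map ip -> time of ban for IPs with >= maxretry failures in findtime s.

    Sliding window per source, mirroring fail2ban's maxretry/findtime.
    """
    recent = defaultdict(deque)
    banned = {}
    for when, ip in sorted(events):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > findtime:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = when
    return banned


def ban_commands(ips, port=22):
    """iptables commands for the ban; input_rule is assumed to be the custom
    chain OpenWrt's firewall hooks into INPUT. Returned, not executed."""
    return ["iptables -I input_rule -s %s -p tcp --dport %d -j DROP" % (ip, port)
            for ip in sorted(ips)]


def scan_logread(maxretry=3, findtime=600):
    """On the router: read the ring buffer and return the ban commands."""
    text = subprocess.check_output(["logread"]).decode("utf-8", "replace")
    return ban_commands(offenders(parse_failures(text), maxretry, findtime))


if __name__ == "__main__":
    # Offline demo on the constructed sample.
    for cmd in ban_commands(offenders(parse_failures(SAMPLE_LOGREAD))):
        print(cmd)
```

With the defaults only 203.0.113.5 is banned; the slow attacker 198.51.100.9 is caught only if findtime is widened to an hour, which is the trade-off fail2ban's two knobs encode. Note also that every counted failure has already passed the firewall and reached dropbear, so this reacts to a brute-force run rather than preventing the first attempts; since the ring buffer is lost on reboot, so is the evidence behind any ban.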

anest wrote:

Exactly. That is the job fail2ban is doing: "completely block intruders before they get a chance to get past" your gate.

No, and that's not how fail2ban works. Since fail2ban resides behind the firewall on your router, an intruder has to pass through the firewall on your router before fail2ban can recognize that the intruder has failed to poke your system. If the intruder once gets past the firewall on your NAT/firewall router and does nothing, fail2ban won't be able to detect the intruder. This is the same as letting thieves come into your bathroom while watching your wife and/or daughter(s) undress, get naked, and take a shower. If one is really serious and wants to fight against any intruders, don't let them pass through your 1st gate, let alone be inside your house or even bathroom. Why do you think your GMail, MSN/HotMail, Yahoo, and/or any e-mail accounts from any major (free) e-mail provider are inundated with spam/junk e-mails (even though they provide filters to move them to the junk folder) from bogus e-mail addresses or even from bogus e-mail servers? The reason is simply that they are not serious, but promote spam e-mails. Can you imagine what Internet traffic would look like without spam e-mails?

Anyway, I'm just shockingly surprised how nasty some people here are. I must repeat: if you personally don't want to help us, just go away! Maybe someone will help. But please stop trolling; respect, if not us, then the community please. Thank you.

Honestly, if anyone here is to be considered nasty, it must be you. What a hypocrite you really are!

BTW, you are not only nastily telling readers who tried to help you here to go away, but also implicitly accusing them of acting as trolls. Such acts are what I call hubris. Until you have toned down and are being nice to everyone who tries to help you, you are going to go nowhere except just doing a merry-go-round, begging everyone while insulting them.

Wow. Just wow :)

Well. Aside from the strange egos going on in this thread; there are some legit reasons for fail2ban:

If running services (aside from SSH) that require passing through the firewall, such as SIP, it is nice to have fail2ban. With that said, as someone mentioned above, having Python there and just installing the script is easy enough. Just my 2 cents.

I think it's a fairly reasonable request to have fail2ban packaged in OpenWRT.
I haven't had the opportunity to check how to install it and I'm not totally sure it's as easy as installing the Python script (since it's based on some logfiles that aren't necessarily present in OpenWRT), but if someone has managed to do it, please do update the wiki; that's how a community lives and how knowledge gets passed to others...
That said, someone mentioned logtrigger as an alternative, and there's even an OpenWRT sample configuration: https://forum.openwrt.org/viewtopic.php?id=27955

(Last edited by ouaibe on 13 Apr 2011, 13:31)

The discussion might have continued from here.