!!!! Из-за неправильного отображения данных конфигов в WordPress выложил их здесь.
Устанавливаем fail2ban
deathstar# cd /usr/ports/security/py-fail2ban && make install clean
Правим конфиг
deathstar# ee /usr/local/etc/fail2ban/jail.conf
У меня он выглядит так
[DEFAULT]
# Addresses that are never banned. Only loopback is listed, so the
# administrator's own address is subject to the limits below.
ignoreip = 127.0.0.1
# Ban duration, in seconds
bantime = 600
# Window, in seconds, within which repeated failures are counted towards a ban
findtime = 600
# Number of failed attempts that triggers a ban.
# NOTE(review): with 1, a single mistyped password bans the source for
# bantime seconds, including the administrator -- confirm this is intended.
maxretry = 1
# Log-monitoring backend; auto leaves the choice to fail2ban
backend = auto

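[ssh-ipfw]
enabled = true
# Filter defined in filter.d/bsd-sshd.conf
filter = bsd-sshd
# First action: ban through action.d/bsd-ipfw.conf (ipfw table 1). The action
# name has to match a file in action.d; the action files in this setup are
# bsd-ipfw.conf, exim-ipfw.conf and nginx-ipfw.conf, so "ssh-ipfw" would not
# resolve.
# Second action: Jabber notification through action.d/jabber-whois.conf.
# Additional actions are continuation lines and must stay indented.
action = bsd-ipfw[localhost=78.24.219.97]
         jabber-whois[name="SSH,IPFW", dest=deathstar@deathstar.name]
# Log file to watch
logpath = /var/log/auth.log
# Addresses that are never banned
ignoreip = 127.0.0.1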

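[exim-ipfw]
enabled = true
# Filter defined in filter.d/exim.conf
filter = exim
# Ban through action.d/exim-ipfw.conf, then notify through
# action.d/jabber-whois.conf. The second action is a continuation line and
# must stay indented, otherwise the parser reads it as a separate entry.
action = exim-ipfw[localhost=78.24.219.97]
         jabber-whois[name="Exim,IPFW", dest=deathstar@deathstar.name]
# Log file to watch
logpath = /var/log/exim/mainlog
# Addresses that are never banned
ignoreip = 127.0.0.1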

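[nginx-ipfw]
enabled = true
# Filter defined in filter.d/nginx.conf
filter = nginx
# Ban through action.d/nginx-ipfw.conf, then notify through
# action.d/jabber-whois.conf. The second action is a continuation line and
# must stay indented, otherwise the parser reads it as a separate entry.
action = nginx-ipfw[localhost=127.0.0.1]
         jabber-whois[name="Nginx,IPFW", dest=deathstar@deathstar.name]
# Access log to watch
logpath = /home/deathstar/www/deathstar.name.access.log
# Addresses that are never banned
ignoreip = 127.0.0.1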

Для уведомлений в Jabber должен быть установлен и настроен sendxmpp (о нём я писал в предыдущих статьях).
Создаем файл /usr/local/etc/fail2ban/action.d/jabber-whois.conf с таким содержимым

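[Definition]
# Jabber (XMPP) notifications sent through sendxmpp.
# <name>, <dest>, <ip> and <failures> are fail2ban tags that are substituted
# before the command runs; without them the message carries no jail name or
# address and sendxmpp gets an empty recipient.
# %% is a literal % for the config parser. Continuation lines must stay indented.
actionstart = printf %%b "[Fail2Ban] <name>: started
              The jail <name> has been started successfully.\n
              " | /usr/local/bin/sendxmpp "<dest>"

actionstop = printf %%b "[Fail2Ban] <name>: stopped
             The jail <name> has been stopped.\n
             " | /usr/local/bin/sendxmpp "<dest>"

actioncheck =

# The whois reply is third-party data and is passed through printf %b, which
# expands backslash escapes in it; treat the message body as untrusted text.
actionban = printf %%b "[Fail2Ban] <name>: banned
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here are more information about <ip>:\n
            `/usr/bin/whois <ip>`\n
            " | /usr/local/bin/sendxmpp "<dest>"

actionunban = printf %%b "[Fail2Ban] <name>: unbanned
              The IP <ip> has just been unbanned " | /usr/local/bin/sendxmpp "<dest>"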

[Init]
# Default values for the action's options; a jail can override them in the
# [...] part of its action line (the jails in jail.conf pass name and dest).
name = default
dest = root
# NOTE(review): no command in the [Definition] section above references a sender option -- confirm whether it is still needed.
sender = fail2ban

Создаем фильтры для sshd и exim, у меня они выглядят так:
Файл /usr/local/etc/fail2ban/filter.d/bsd-sshd.conf
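[INCLUDES]
# Read common.conf before this file
before = common.conf

[Definition]
_daemon = sshd
# One pattern per line; continuation lines must stay indented.
# <HOST> is the fail2ban tag that captures the address to ban; every pattern
# needs it, otherwise fail2ban has nothing to ban.
# NOTE(review): the patterns are not anchored at the start of the line, and
# several allow ".*" (text taken from the login attempt, such as the user
# name) before "from <HOST>". Upstream sshd filters start each pattern with
# ^%(__prefix_line)s from common.conf so that only sshd's own log prefix can
# match; consider doing the same and verify the result with fail2ban-regex.
failregex = (?:error: PAM: )?[Aa]uthentication (?:failure|error) for .* from <HOST>\s*$
            Did not receive identification string from <HOST>$
            Failed [-/\w]+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?$
            ROOT LOGIN REFUSED.* FROM <HOST>\s*$
            [iI](?:llegal|nvalid) user .* from <HOST>\s*$
            User \S+ from <HOST> not allowed because not listed in AllowUsers$
            authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
            refused connect from \S+ \(<HOST>\)\s*$
            reverse mapping checking getaddrinfo for .* \[<HOST>\] .* POSSIBLE BREAK-IN ATTEMPT!$
ignoreregex =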

Файл /usr/local/etc/fail2ban/filter.d/exim.conf

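[Definition]
# <HOST> is the fail2ban tag that captures the address to ban; here it is the
# address inside the square brackets of the exim log line.
# NOTE(review): "Unrouteable address" also matches a mistyped recipient from a
# legitimate sender; together with maxretry = 1 that is an immediate ban.
failregex = \[<HOST>\] .*(?:rejected by local_scan|Unrouteable address)
ignoreregex =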

Ну и в довесок к статье «FreeBSD. Боремся с HTTP-флудом на NGINX средствами IPFW» написал фильтр для nginx.
Файл /usr/local/etc/fail2ban/filter.d/nginx.conf

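[Definition]
# Matches requests logged with both the referer and the user agent empty
# ("-" "-"). <HOST> is the fail2ban tag that captures the address to ban.
# Assumes the client address is the first field of the access log line, as in
# nginx's default "combined" format -- TODO confirm against the log_format in use.
# NOTE(review): scripts, monitoring checks and some API clients also send
# neither header; with maxretry = 1 they are banned on the first request.
failregex = ^<HOST> .*(?:"-" "-")
ignoreregex =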

Теперь создаем действия бана
Файл /usr/local/etc/fail2ban/action.d/bsd-ipfw.conf

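[Definition]
# Bans are kept in ipfw table 1, which the firewall script denies on the SSH port.
actionstart =
actionstop =
actioncheck =
# <ip> is the fail2ban tag holding the offending address; without it ipfw is
# called with no address to add or delete.
actionban = ipfw table 1 add <ip>
actionunban = ipfw table 1 delete <ip>

[Init]
# NOTE(review): localhost is not referenced by any command above -- confirm whether it is needed.
localhost = 127.0.0.1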

Файл /usr/local/etc/fail2ban/action.d/exim-ipfw.conf

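[Definition]
# Bans are kept in ipfw table 2, which the firewall script denies on the mail ports.
actionstart =
actionstop =
actioncheck =
# <ip> is the fail2ban tag holding the offending address.
actionban = ipfw table 2 add <ip>
# Unban must use the same table as the ban. Deleting from table 1 would leave
# the address blocked in table 2 after bantime expires and could lift an
# unrelated SSH ban instead.
actionunban = ipfw table 2 delete <ip>

[Init]
# NOTE(review): localhost is not referenced by any command above -- confirm whether it is needed.
localhost = 127.0.0.1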

Файл /usr/local/etc/fail2ban/action.d/nginx-ipfw.conf
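[Definition]
# Bans are kept in ipfw table 3, which the firewall script denies on ports 80 and 443.
actionstart =
actionstop =
actioncheck =
# <ip> is the fail2ban tag holding the offending address.
actionban = ipfw table 3 add <ip>
# Unban must use the same table as the ban. Deleting from table 1 would leave
# the address blocked in table 3 after bantime expires and could lift an
# unrelated SSH ban instead.
actionunban = ipfw table 3 delete <ip>

[Init]
# NOTE(review): localhost is not referenced by any command above -- confirm whether it is needed.
localhost = 127.0.0.1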

Пишем правила для ipfw, у меня они в файле /etc/firewall

#!/bin/sh
# ipfw ruleset for the fail2ban setup: three lookup tables, one per service,
# each denied on that service's ports; all other traffic is allowed.
fwcmd='/sbin/ipfw -q'

# Start from an empty ruleset and empty pipes.
${fwcmd} flush
${fwcmd} pipe flush
${fwcmd} add check-state

# Empty the ban tables (1 = SSH, 2 = Exim, 3 = Nginx). Re-running this script
# therefore drops bans that fail2ban still considers active.
for tbl in 1 2 3; do
    ${fwcmd} table "${tbl}" flush
done

# Ban SSH
${fwcmd} add deny ip from 'table(1)' to me ssh
# Ban Exim
${fwcmd} add deny ip from 'table(2)' to me 25,110,143
# Ban Nginx
${fwcmd} add deny ip from 'table(3)' to me 80,443

# Everything not denied above is accepted.
${fwcmd} add allow all from any to any

Добавляем в /etc/rc.conf
# Enable the ipfw firewall at boot
firewall_enable="YES"
# Ruleset script to run; this is the /etc/firewall file shown above
firewall_script="/etc/firewall"
# Start fail2ban at boot
fail2ban_enable="YES"

и запускаем
deathstar# sh /etc/firewall && /usr/local/etc/rc.d/fail2ban start