I was finally able to put every piece of the puzzle together. It took a long time, with lots of testing and modifications. I'm sure other people can benefit from this; maybe there's a place to put it in the wiki.


How to install latest fail2ban 0.8.8 on FreeBSD 6.2 with outdated ports with a working SSH and recidive jail

Make sure you deinstall, clean and delete the old port
  cd /usr/ports/security/py-fail2ban
  make clean
  make deinstall
  rm -fr /usr/ports/security/py-fail2ban/*


Install the latest port
  csup -g -L 2 -1 -h cvsup2.uk.FreeBSD.org -i ports/security/py-fail2ban /usr/share/examples/cvsup/ports-supfile
  make
  make install
  make clean


Add this line in /etc/rc.conf
  fail2ban_enable="YES"


Start the service to make sure everything is working
  /usr/local/etc/rc.d/fail2ban start


Add a new regex line to catch SSH authentication failure
  nano /usr/local/etc/fail2ban/filter.d/sshd.conf
  Add : ^%(__prefix_line)s(?:error: PAM: )?authentication error for .* from <HOST>\s*$


By default, fail2ban will ban an IP with a 400 rule number in IPFW. However, rule number 300 accepts everything.
To get a list of the rule numbers, type : ipfw -t list
IPFW evaluates rules in ascending rule-number order and stops at the first match, so the IP is accepted at rule #300
and never reaches the ban at rule #400. We must therefore modify the rule that fail2ban uses. An almost working solution can be found here :
http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_%2810.4%29
The code below has been modified because the increment of the variable t didn't work (using /bin/csh)
  nano /usr/local/etc/fail2ban/action.d/ipfw.conf
  Comment out : actionban = ipfw add deny tcp from <ip> to <localhost> <port>
  Add :
    actionban = t=170
    while [ `ipfw list |grep -ic 00$t | awk '{print $1;}'` != '0' ]
    do let t+=1
    done
    ipfw add $t deny tcp from <ip> to any
This will start the rule at # 00170; you can modify that number to accommodate your firewall rules.


Also, in the same file, the actionunban must be modified so that it only retrieves one line when unbanning; otherwise the recidive jail will not work
  Comment out : actionunban = ipfw delete `ipfw list | grep -i <ip> | awk '{print $1;}'`
  Add : actionunban = ipfw delete `ipfw list | grep -i <ip> | head -n 1 | awk '{print $1;}'`


Modify your jail :
  nano /usr/local/etc/fail2ban/jail.conf
  Add :
    [ssh-ipfw]
    enabled  = true
    filter   = sshd
    action   = ipfw[localhost=127.0.0.1]
               sendmail-whois-lines[name="SSH-IPFW", dest=your_email@something.com, logpath=/var/log/auth.log, sender=fail2ban@your_server.com]
    logpath  = /var/log/auth.log
    bantime=20
    findtime=20
    maxretry=1
Small bantime and findtime, just for testing.

  Add :
    [recidive]
    enabled  = true
    filter   = recidive
    action   = ipfw[localhost=127.0.0.1, name=recidive]
               sendmail-whois-lines[name="recidive-ipfw", dest=your_email@something.com, logpath=/var/log/fail2ban.log, sender=fail2ban@your_server.com]
    logpath  = /var/log/fail2ban.log
    bantime  = 60
    findtime = 60
    maxretry = 3
Small bantime and findtime, just for testing.


Restart the service and test.
  /usr/local/etc/rc.d/fail2ban reload
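
A pre-flight check for the IPFW rule-ordering problem described in the ipfw.conf step, added here as an example and not part of the original post: it finds the first free rule number from a chosen start (170 in the howto) and verifies that it sorts before the first allow-all rule. The function names and the sample rule list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipfw list` output (not taken from the post).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00170 deny tcp from 203.0.113.7 to any
00171 deny tcp from 203.0.113.9 to any
00300 allow ip from any to any
65535 deny ip from any to any'

# Print the number of the first unconditional "allow everything" rule, if any.
first_allow_all() {
    printf '%s\n' "$1" | awk '
        ($2 == "allow" || $2 == "accept" || $2 == "pass" || $2 == "permit") &&
        ($3 == "ip" || $3 == "all") &&
        $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" && NF == 7 {
            print $1 + 0; exit
        }'
}

# Print the first rule number >= $2 that no existing rule uses.
next_free_rule() {
    printf '%s\n' "$1" | awk -v t="$2" '
        { used[$1 + 0] = 1 }
        END { t += 0; while (t in used) t++; print t }'
}

# Succeed only if a ban inserted from start number $2 is evaluated before
# the first allow-all rule; IPFW stops at the first matching rule.
check_ban_slot() {
    slot=$(next_free_rule "$1" "$2")
    allow=$(first_allow_all "$1")
    if [ -n "$allow" ] && [ "$slot" -ge "$allow" ]; then
        echo "start $2: rule $slot comes after allow-all rule $allow, ban is ineffective"
        return 1
    fi
    echo "start $2: rule $slot is evaluated before allow-all rule ${allow:-(none)}"
}

# Demo on the constructed sample; on a live host pass "$(ipfw list)" instead.
check_ban_slot "$SAMPLE_RULES" 170
check_ban_slot "$SAMPLE_RULES" 400 || true
```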