Feat: add ufw-port-scan filter

Fail2ban filter configuration for ufw blocked events (typically port scans) By default every connection attempt blocked by ufw will be logged, e.g.: Sep 14 20:56:41 sierra kernel: [UFW BLOCK] [...] SRC=<REDACTED> DST=<REDACTED> LEN=40 TOS=0x04 PREC=0x00 TTL=48 ID=5614 PROTO=TCP SPT=34092 DPT=23 WINDOW=43012 RES=0x00 SYN URGP=0 By carefully setting this filter we ban every IP that tries too many times to connect to non-allowed ports.
2026-05-13 14:36:43 +00:00 · 2018-09-14 21:25:04 +02:00 · 2018-09-14 21:25:04 +02:00 · 2d69db17cb
commit 2d69db17cb
parent 61799e15e1
2 changed files with 17 additions and 0 deletions
--- a/config/filter.d/ufw-port-scan.conf
+++ b/config/filter.d/ufw-port-scan.conf
@ -0,0 +1,15 @@
+# fail2ban filter configuration for ufw blocked events (typically port scans)
+#
+# By default every connection attempt blocked by ufw will be
+# logged, e.g.:
+#
+# Sep 14 20:56:41 sierra kernel: [UFW BLOCK] [...] SRC=<REDACTED> DST=<REDACTED> LEN=40 TOS=0x04 PREC=0x00 TTL=48 ID=5614 PROTO=TCP SPT=34092 DPT=23 WINDOW=43012 RES=0x00 SYN URGP=0
+#
+# By carefully setting this filter we ban every IP that tries too many times to
+# connect to non-allowed ports.
+#
+# Author: Michele Bologna https://www.michelebologna.net/
+
+[Definition]
+failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>
+ignoreregex =
--- a/fail2ban/tests/files/logs/ufw-port-scan
+++ b/fail2ban/tests/files/logs/ufw-port-scan
@ -0,0 +1,2 @@
+# failJSON: { "time": "Sep 14 21:11:55", "match": true , "host": "10.20.30.40" }
+Sep 14 21:11:55 sierra kernel: [UFW BLOCK] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.40 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34642 DF PROTO=TCP SPT=60214 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0