Merge 08be46168e into 333f105675

2026-06-27 19:21:04 +00:00 · 2026-06-10 02:57:19 +01:00 · 2026-06-10 02:57:19 +01:00 · aaea28877b
commit aaea28877b
parent 333f105675 08be46168e
4 changed files with 26 additions and 0 deletions
--- a/config/filter.d/ufw-port-scan.conf
+++ b/config/filter.d/ufw-port-scan.conf
@ -0,0 +1,15 @@
+# fail2ban filter configuration for ufw blocked events (typically port scans)
+#
+# By default every connection attempt blocked by ufw will be
+# logged, e.g.:
+#
+# Sep 14 20:56:41 sierra kernel: [UFW BLOCK] [...] SRC=<REDACTED> DST=<REDACTED> LEN=40 TOS=0x04 PREC=0x00 TTL=48 ID=5614 PROTO=TCP SPT=34092 DPT=23 WINDOW=43012 RES=0x00 SYN URGP=0
+#
+# By carefully setting this filter we ban every IP that tries too many times to
+# connect to non-allowed ports.
+#
+# Author: Michele Bologna https://www.michelebologna.net/
+
+[Definition]
+failregex = ^\s*\S+ kernel:(?: +\[[^\]]+\])? \[UFW BLOCK\](?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))* SRC=<ADDR> DST=\S+
+ignoreregex =
--- a/config/jail.conf
+++ b/config/jail.conf
@ -888,6 +888,10 @@ logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
 backend  = %(syslog_backend)s
 maxretry = 1

+[ufw-port-scan]
+logpath  = %(ufw_log)s
+protocol = all
+maxretry = 20

 [oracleims]
 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
--- a/config/paths-common.conf
+++ b/config/paths-common.conf
@ -49,6 +49,7 @@ nginx_error_log = /var/log/nginx/*error.log

 nginx_access_log = /var/log/nginx/*access.log

+ufw_log = /var/log/ufw.log

 lighttpd_error_log = /var/log/lighttpd/error.log

--- a/fail2ban/tests/files/logs/ufw-port-scan
+++ b/fail2ban/tests/files/logs/ufw-port-scan
@ -0,0 +1,6 @@
+# failJSON: { "time": "2004-09-14T21:11:55", "match": true , "host": "10.20.30.40" }
+Sep 14 21:11:55 sierra kernel: [UFW BLOCK] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.40 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34642 DF PROTO=TCP SPT=60214 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0
+# failJSON: { "time": "2004-09-14T21:11:56", "match": true , "host": "10.20.30.41" }
+Sep 14 21:11:56 sierra kernel: [123456.789] [UFW BLOCK] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.41 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34643 DF PROTO=TCP SPT=60215 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
+# failJSON: { "match": false }
+Sep 14 21:11:57 sierra kernel: [UFW ALLOW] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.42 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34644 DF PROTO=TCP SPT=60216 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0