From 2d69db17cb8c6f3d53bf8f6118c8ea1323157ee4 Mon Sep 17 00:00:00 2001
From: Michele Bologna
Date: Fri, 14 Sep 2018 21:25:04 +0200
Subject: [PATCH 1/5] Feat: add ufw-port-scan filter

Fail2ban filter configuration for ufw blocked events (typically port scans) By default every connection attempt blocked by ufw will be logged, e.g.: Sep 14 20:56:41 sierra kernel: [UFW BLOCK] [...] SRC= DST= LEN=40 TOS=0x04 PREC=0x00 TTL=48 ID=5614 PROTO=TCP SPT=34092 DPT=23 WINDOW=43012 RES=0x00 SYN URGP=0 By carefully setting this filter we ban every IP that tries too many times to connect to non-allowed ports.
---
 config/filter.d/ufw-port-scan.conf | 15 +++++++++++++++
 fail2ban/tests/files/logs/ufw-port-scan | 2 ++
 2 files changed, 17 insertions(+)
 create mode 100644 config/filter.d/ufw-port-scan.conf
 create mode 100644 fail2ban/tests/files/logs/ufw-port-scan

diff --git a/config/filter.d/ufw-port-scan.conf b/config/filter.d/ufw-port-scan.conf
new file mode 100644
index 00000000..9a6f1189
--- /dev/null
+++ b/config/filter.d/ufw-port-scan.conf
@@ -0,0 +1,15 @@
+# fail2ban filter configuration for ufw blocked events (typically port scans)
+#
+# By default every connection attempt blocked by ufw will be
+# logged, e.g.:
+#
+# Sep 14 20:56:41 sierra kernel: [UFW BLOCK] [...] SRC= DST= LEN=40 TOS=0x04 PREC=0x00 TTL=48 ID=5614 PROTO=TCP SPT=34092 DPT=23 WINDOW=43012 RES=0x00 SYN URGP=0
+#
+# By carefully setting this filter we ban every IP that tries too many times to
+# connect to non-allowed ports.
+#
+# Author: Michele Bologna https://www.michelebologna.net/
+
+[Definition]
+failregex = .*\[UFW BLOCK\] IN=.* SRC=
+ignoreregex =
diff --git a/fail2ban/tests/files/logs/ufw-port-scan b/fail2ban/tests/files/logs/ufw-port-scan
new file mode 100644
index 00000000..f3407d80
--- /dev/null
+++ b/fail2ban/tests/files/logs/ufw-port-scan
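Review bot: The header comment should state that the address this filter bans is the SRC of a packet ufw dropped, which nothing has authenticated, so a flood carrying forged source addresses can get third-party hosts banned; a line such as `# SRC comes from a dropped, unauthenticated packet: list gateways, resolvers and monitoring hosts in ignoreip so they cannot be banned by traffic that only claims to come from them.` after the "By carefully setting this filter" paragraph gives operators the caveat they need before enabling the jail. The failregex on the last lines of this hunk is rewritten by later patches in the series, so it is not reviewed here.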
@@ -0,0 +1,2 @@
+# failJSON: { "time": "Sep 14 21:11:55", "match": true , "host": "10.20.30.40" }
+Sep 14 21:11:55 sierra kernel: [UFW BLOCK] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.40 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34642 DF PROTO=TCP SPT=60214 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0

From 7b1a816dda943d322f434f904c27fd67f8476ea6 Mon Sep 17 00:00:00 2001
From: Michele Bologna
Date: Fri, 14 Sep 2018 21:58:10 +0200
Subject: [PATCH 2/5] Test: fix tests

---
 fail2ban/tests/files/logs/ufw-port-scan | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fail2ban/tests/files/logs/ufw-port-scan b/fail2ban/tests/files/logs/ufw-port-scan
index f3407d80..09f6a071 100644
--- a/fail2ban/tests/files/logs/ufw-port-scan
+++ b/fail2ban/tests/files/logs/ufw-port-scan
@@ -1,2 +1,2 @@
-# failJSON: { "time": "Sep 14 21:11:55", "match": true , "host": "10.20.30.40" }
+# failJSON: { "time": "2004-09-14T21:11:55", "match": true , "host": "10.20.30.40" }
 Sep 14 21:11:55 sierra kernel: [UFW BLOCK] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.40 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34642 DF PROTO=TCP SPT=60214 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0

From aca76842affce0a26ce6f6d2303fc00840d9af21 Mon Sep 17 00:00:00 2001
From: Michele Bologna
Date: Sat, 15 Sep 2018 01:39:45 +0200
Subject: [PATCH 3/5] Feat: add config files

---
 config/jail.conf | 4 ++++
 config/paths-common.conf | 1 +
 2 files changed, 5 insertions(+)

diff --git a/config/jail.conf b/config/jail.conf
index 01e1fdf7..7df833d9 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -898,6 +898,10 @@ logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
 backend = %(syslog_backend)s
 maxretry = 1
 
+[ufw-port-scan]
+logpath = %(ufw_log)s
+protocol = all
+maxretry = 20
 
 [oracleims]
 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
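Review bot: In the `[ufw-port-scan]` section of jail.conf, `protocol = all` is combined with the file's DEFAULT `banaction`, the multiport iptables action, and the iptables multiport match only accepts tcp/udp/sctp/dccp, so with `-p all` the ban rule is rejected at insertion time and no ban takes effect. Other all-protocol jails in jail.conf (e.g. `[recidive]`, outside this hunk) pair `protocol = all` with `banaction = %(banaction_allports)s`; this section should add that line directly after `protocol = all`. A short comment above the section, e.g. `# counts dropped packets, not logins: one refused TCP connect and its retransmissions already produce several hits`, would also explain why `maxretry = 20` is so much higher than the neighbouring jails.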
diff --git a/config/paths-common.conf b/config/paths-common.conf
index ad9f6f28..9d546bc1 100644
--- a/config/paths-common.conf
+++ b/config/paths-common.conf
@@ -49,6 +49,7 @@ nginx_error_log = /var/log/nginx/*error.log
 nginx_access_log = /var/log/nginx/*access.log
+ufw_log = /var/log/ufw.log
 lighttpd_error_log = /var/log/lighttpd/error.log

From f1e6f0ec21b5dff4aa9b7944eb504ec5fb67381f Mon Sep 17 00:00:00 2001
From: Michele Bologna
Date: Mon, 3 Apr 2023 18:56:30 +0000
Subject: [PATCH 4/5] Fix: use a safer regex

---
 config/filter.d/ufw-port-scan.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/ufw-port-scan.conf b/config/filter.d/ufw-port-scan.conf
index 9a6f1189..ace09d8b 100644
--- a/config/filter.d/ufw-port-scan.conf
+++ b/config/filter.d/ufw-port-scan.conf
@@ -11,5 +11,5 @@
 # Author: Michele Bologna https://www.michelebologna.net/
 
 [Definition]
-failregex = .*\[UFW BLOCK\] IN=.* SRC=
+failregex = ^\s*\S+ kernel:(?: +\[[^\]]+\])? \[UFW (?:LIMIT )?BLOCK\] (?:\b(?:IN=\w+|OUT=|(?:(?!OUT=|IN=)[A-Z]+=[^ \[]*)+) )*SRC= DST=\S+
 ignoreregex =

From 08be46168e8dcfa8b9fe5c5f52523796e7fb2834 Mon Sep 17 00:00:00 2001
From: Michele Bologna
Date: Tue, 17 Mar 2026 09:04:37 +0100
Subject: [PATCH 5/5] fix(ufw-port-scan): tighten failregex per maintainer feedback

- Remove loose \b catch-all before key=value groups
- Add SRC= to negative lookahead to prevent consuming the SRC field
- Use \S* instead of [^ \[]* for value matching
- Move space before SRC= outside the repeating group for proper anchoring
- Add test cases: kernel timestamp variant and a non-matching UFW ALLOW line
---
 config/filter.d/ufw-port-scan.conf | 2 +-
 fail2ban/tests/files/logs/ufw-port-scan | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/ufw-port-scan.conf b/config/filter.d/ufw-port-scan.conf
index ace09d8b..a0802786 100644
--- a/config/filter.d/ufw-port-scan.conf
+++ b/config/filter.d/ufw-port-scan.conf
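Review bot: `ufw_log = /var/log/ufw.log` in paths-common.conf points at a file that only exists where the syslog daemon is configured to divert the kernel `[UFW ...]` messages into it (Ubuntu does this through an rsyslog snippet shipped with ufw, as far as I recall); elsewhere those messages stay in the kernel log file, and a jail whose logpath is missing or never written fails to start or silently never matches. A comment next to the variable, e.g. `# only populated where syslog splits ufw kernel messages into their own file; otherwise point the jail at the kernel log or use backend = systemd`, would save operators a silent detection gap.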
@@ -11,5 +11,5 @@
 # Author: Michele Bologna https://www.michelebologna.net/
 
 [Definition]
-failregex = ^\s*\S+ kernel:(?: +\[[^\]]+\])? \[UFW (?:LIMIT )?BLOCK\] (?:\b(?:IN=\w+|OUT=|(?:(?!OUT=|IN=)[A-Z]+=[^ \[]*)+) )*SRC= DST=\S+
+failregex = ^\s*\S+ kernel:(?: +\[[^\]]+\])? \[UFW BLOCK\](?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))* SRC= DST=\S+
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/ufw-port-scan b/fail2ban/tests/files/logs/ufw-port-scan
index 09f6a071..fd779442 100644
--- a/fail2ban/tests/files/logs/ufw-port-scan
+++ b/fail2ban/tests/files/logs/ufw-port-scan
@@ -1,2 +1,6 @@
 # failJSON: { "time": "2004-09-14T21:11:55", "match": true , "host": "10.20.30.40" }
 Sep 14 21:11:55 sierra kernel: [UFW BLOCK] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.40 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34642 DF PROTO=TCP SPT=60214 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0
+# failJSON: { "time": "2004-09-14T21:11:56", "match": true , "host": "10.20.30.41" }
+Sep 14 21:11:56 sierra kernel: [123456.789] [UFW BLOCK] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.41 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34643 DF PROTO=TCP SPT=60215 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
+# failJSON: { "match": false }
+Sep 14 21:11:57 sierra kernel: [UFW ALLOW] IN=eth0 OUT= MAC=ff:01:ff:ad:0e:ff:40:a6:77:42:ff:f0:ff:ff SRC=10.20.30.42 DST=70.40.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=34644 DF PROTO=TCP SPT=60216 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
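Review bot: The new failregex matches only `\[UFW BLOCK\]` and drops the `(?:LIMIT )?` alternative the previous revision had for ufw's rate-limit rejections, and none of the five bullets in the commit message names that as an intended change; unless `[UFW LIMIT BLOCK]` lines are meant to be ignored, the prefix should read `\[UFW (?:LIMIT )?BLOCK\]`. The `IN=\w+` branch also rejects interface names containing `.`, `-` or `:` (VLAN and bridge names such as `eth0.100` or `br-lan`), and because `IN=` is excluded from the generic key=value branch by the lookahead, the whole line then fails to match, so `IN=[\w.:-]+` is safer. As rendered here the regex ends in a bare `SRC= DST=\S+` with no host-capturing group; I assume the `<HOST>` tag was lost in rendering, but it is worth confirming in the committed file, since fail2ban rejects a failregex without one. Finally, the other filters in this tree build the `host kernel: [ts]` prefix from common.conf's `%(__prefix_line)s` instead of the hand-written `^\s*\S+ kernel:(?: +\[[^\]]+\])?`; that is a consistency point rather than a defect.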
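Review bot: The sample log still has no IPv6 case, although ufw logs IPv6 drops with the same `[UFW BLOCK]` prefix and a `SRC=` like `2001:db8::1` (constructed example); adding a `# failJSON: { ..., "match": true, "host": "2001:db8::1" }` pair would pin that the host capture handles both address families. A `[UFW LIMIT BLOCK]` sample, with `"match"` set to whichever outcome the filter intends, would likewise document whether rate-limit rejections are in scope, which the current regex leaves implicit.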