
Fail2ban Repeat UFW Offenders

The Jail

Fail2Ban is a great project and is recommended for any public-facing server. In the same spirit, this is a jail that bans hosts which repeatedly show up in UFW's block log.

Create a file /etc/fail2ban/filter.d/ufw-blocked.conf with:

```ini
[Definition]
failregex = ^.*\[UFW BLOCK\] .+ SRC=<HOST> DST=.*$
ignoreregex =
```

<HOST> is fail2ban's placeholder for the address to ban; here it captures the SRC= field of the kernel's UFW log line, so the jail bans the source of the blocked packet.

And update /etc/fail2ban/jail.local with something like the following:

```ini
[DEFAULT]
bantime = 1h
bantime.increment = true
bantime.rndtime = 3600
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[ufw-blocked]
enabled = true
logpath = /var/log/ufw.log
banaction = iptables-allports
```

Settings under [DEFAULT] apply to every jail, so bantime.increment (each repeat ban of the same host lasts longer than the previous one) and bantime.rndtime (a random offset of up to an hour, so a scanner cannot time the unban) also affect sshd and any other jail you have enabled. Time suffixes such as 1h need fail2ban 0.10 or newer, and bantime.increment needs 0.11.

The jail relies on fail2ban's defaults for what is not set: the filter is looked up by the jail name (filter.d/ufw-blocked.conf), and a host is banned after maxretry = 5 matches within findtime = 10m. Five blocked packets in ten minutes is a low bar, and iptables-allports then drops all traffic from that host, not just the scanned port, so keep ignoreip accurate for any address range that must never be locked out. UFW only writes [UFW BLOCK] lines when its logging is on (ufw logging on), and /var/log/ufw.log is where rsyslog puts them on Debian and Ubuntu; if your distribution sends kernel messages elsewhere, point logpath at that file.

And make sure fail2ban gets the new configuration:

```bash
systemctl restart fail2ban
```
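To see what the filter and jail above actually do to a log before pointing them at a live server, here is a small replay of the rules in Python. It is an added example written for this page, not code from fail2ban: it applies the page's failregex (with <HOST> expanded to an IP capture group), honours ignoreip, counts matches with fail2ban's default maxretry = 5 within findtime = 10m, and models bantime.increment as doubling each repeat ban (rndtime is left out). The host names, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# The page's failregex, with fail2ban's <HOST> tag expanded to a capture group
# that is enough for IPv4/IPv6 literals (fail2ban's own expansion is broader).
FAILREGEX = re.compile(r"^.*\[UFW BLOCK\] .+ SRC=(?P<host>[0-9a-fA-F.:]+) DST=.*$")

# Values from the jail.local above, plus fail2ban's defaults for the two the
# page leaves unset: maxretry = 5 matches within findtime = 10m.
IGNOREIP = [ip_network(n, strict=False) for n in
            ("127.0.0.1/8", "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = 3600  # 1h, in seconds


def is_ignored(host):
    """True if the address falls inside one of the ignoreip ranges."""
    addr = ip_address(host)
    return any(addr in net for net in IGNOREIP)


def parse(line):
    """Return (timestamp, source address) for a UFW BLOCK line, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    # rsyslog timestamp prefix, e.g. "Mar  3 10:15:01" (no year, like the real log)
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return ts, m.group("host")


def evaluate(lines):
    """Replay log lines through the jail's rules.

    Returns {host: [ban length in seconds, ...]} for every host that would be
    banned. bantime.increment is modelled as fail2ban's default behaviour of
    doubling each repeat ban of the same host; bantime.rndtime is omitted.
    """
    recent = defaultdict(list)   # host -> match timestamps still inside findtime
    bans = defaultdict(list)     # host -> ban lengths handed out so far
    banned_until = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host = parsed
        if is_ignored(host):
            continue
        # iptables-allports drops everything from a banned host before UFW sees
        # it, so a banned host produces no further BLOCK lines until it expires.
        if host in banned_until and ts < banned_until[host]:
            continue
        window = [t for t in recent[host] if ts - t <= FINDTIME]
        window.append(ts)
        recent[host] = window
        if len(window) >= MAXRETRY:
            length = BANTIME * 2 ** len(bans[host])
            bans[host].append(length)
            banned_until[host] = ts + timedelta(seconds=length)
            recent[host] = []
    return dict(bans)


def ufw_line(ts, src, dpt, action="BLOCK"):
    """Constructed log line in the shape rsyslog writes UFW kernel messages."""
    return (f"{ts} vps kernel: [ 1234.567890] [UFW {action}] IN=eth0 OUT= "
            f"SRC={src} DST=198.51.100.2 LEN=40 PROTO=TCP SPT=44321 DPT={dpt} SYN URGP=0")


# Constructed sample log (documentation addresses only).
SAMPLE_LOG = [
    # a scanner probes six ports in six seconds: banned at the fifth packet
    *[ufw_line(f"Mar  3 10:15:{i:02d}", "203.0.113.7", p)
      for i, p in enumerate((22, 23, 80, 443, 3389, 8080))],
    # a private-range host does the same but is covered by ignoreip
    *[ufw_line(f"Mar  3 10:16:{i:02d}", "10.0.0.5", p)
      for i, p in enumerate((22, 23, 80, 443, 3389, 8080))],
    # two stray packets stay below maxretry
    ufw_line("Mar  3 10:20:00", "198.51.100.9", 22),
    ufw_line("Mar  3 10:20:30", "198.51.100.9", 443),
    # an AUDIT line is not a block and must not match the filter
    ufw_line("Mar  3 10:21:00", "203.0.113.99", 22, action="AUDIT"),
    # the scanner returns after its 1h ban has expired: the second ban is 2h
    *[ufw_line(f"Mar  3 11:30:{i:02d}", "203.0.113.7", p)
      for i, p in enumerate((21, 25, 110, 143, 993))],
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))  # {'203.0.113.7': [3600, 7200]}
```

Only the scanner ends up banned, once for an hour and then for two hours, while the ignoreip host and the two stray packets are left alone. On the real server the equivalent check is fail2ban's own tool, fail2ban-regex /var/log/ufw.log /etc/fail2ban/filter.d/ufw-blocked.conf, which reports how many lines the failregex matched, and fail2ban-client status ufw-blocked shows the jail running with its current bans.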

Why?

The idea is that anyone port scanning is up to no good, so block everything from that host (that is what iptables-allports does) until they go away; it might also make the server a bit stealthier. To be honest, I likely just added this to make the UFW logs less spammy.