
Fail2ban Repeat UFW Offenders

The Jail

Fail2Ban is a great project, thoroughly recommended for any public-facing server. In that spirit, here is a UFW jail that bans hosts which repeatedly trip UFW's block rules.

Create a file /etc/fail2ban/filter.d/ufw-blocked.conf with:

```ini
# fail2ban filters need a [Definition] section; <HOST> is expanded by fail2ban
[Definition]
failregex = ^.*\[UFW BLOCK\] .+ SRC=<HOST> DST=.*$
ignoreregex =
```

And update /etc/fail2ban/jail.local with something like the following:

```ini
# settings in [DEFAULT] apply to every jail
[DEFAULT]
bantime = 1h
bantime.increment = true
bantime.rndtime = 3600
ignoreip = ::1

# the jail name matches the filter file, filter.d/ufw-blocked.conf
[ufw-blocked]
enabled = true
logpath = /var/log/ufw.log
banaction = iptables-allports
```

And make sure fail2ban gets the new configuration:

```sh
systemctl restart fail2ban
```


The idea is that anyone port scanning the host is up to no good, so just block everything from them (see iptables-allports) until they go away - it might also make the server a bit more stealthy. To be honest, I likely just added this to make the UFW logs less spammy.
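To see which hosts this jail would actually ban before pointing it at a live log, here is an added example (not from the post, and not fail2ban's own code) that runs the post's failregex over constructed UFW log lines and applies the ban logic: the `<HOST>` expansion is a simplified assumption, and `findtime`/`maxretry` use fail2ban's defaults since the post does not set them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The post's failregex with the <HOST> tag expanded to a named group.
# fail2ban's real expansion is more elaborate; this simplified form is an assumption.
FAILREGEX = re.compile(r"^.*\[UFW BLOCK\] .+ SRC=(?P<host>[0-9A-Fa-f.:]+) DST=.*$")

IGNOREIP = {"::1"}                 # ignoreip from the post's jail.local
FINDTIME = timedelta(minutes=10)   # fail2ban defaults; the post does not override these
MAXRETRY = 5

def offending_host(line):
    """Return the SRC address of a UFW BLOCK line, or None when the filter does not match."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None

def would_ban(events):
    """events: iterable of (timestamp, line). Return the hosts that reach MAXRETRY
    matches inside a FINDTIME window, in the order they would be banned."""
    hits, banned = defaultdict(list), []
    for ts, line in sorted(events, key=lambda e: e[0]):
        host = offending_host(line)
        if host is None or host in IGNOREIP:
            continue
        # keep only matches still inside the findtime window, then add this one
        hits[host] = [t for t in hits[host] if ts - t <= FINDTIME] + [ts]
        if len(hits[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

def ufw_line(ts, src, dpt):
    """Constructed UFW log line in the kernel's netfilter format (sample data, not a capture)."""
    return (f"{ts:%b %d %H:%M:%S} host kernel: [UFW BLOCK] IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd SRC={src} DST=192.0.2.10 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=1 PROTO=TCP SPT=44444 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 SYN URGP=0")

T0 = datetime(2024, 6, 1, 12, 0, 0)
# Constructed sample: one host probes six ports within two minutes, a second host
# touches one port three times, and loopback (in ignoreip) generates noise.
SAMPLE = [(T0 + timedelta(seconds=20 * i), ufw_line(T0 + timedelta(seconds=20 * i), "203.0.113.5", 20 + i))
          for i in range(6)]
SAMPLE += [(T0 + timedelta(minutes=i), ufw_line(T0 + timedelta(minutes=i), "198.51.100.7", 22))
           for i in range(3)]
SAMPLE += [(T0 + timedelta(seconds=5 * i), ufw_line(T0 + timedelta(seconds=5 * i), "::1", 80))
           for i in range(8)]

if __name__ == "__main__":
    print(would_ban(SAMPLE))   # ['203.0.113.5']
```

Against the real log and the real filter, `fail2ban-regex /var/log/ufw.log /etc/fail2ban/filter.d/ufw-blocked.conf` reports how many lines the failregex matches.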