Assuming Fail2Ban is already installed, open the jail configuration:
$ sudo nano /etc/fail2ban/jail.local
Add a new section to jail.local:
[ufw-port-scan]
enabled = true
ignoreip = 127.0.0.1/8
port = all
filter = ufw-port-scan
banaction = ufw
logpath = /var/log/ufw.log
maxretry = 20
Create a new filter as follows:
$ sudo nano /etc/fail2ban/filter.d/ufw-port-scan.conf
Add these lines to ufw-port-scan.conf (the <HOST> tag is mandatory: it is the group Fail2Ban reads the offending source address from, and a failregex without it is rejected):
[Definition]
failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>
ignoreregex =
Create the ban action config file as follows:
$ sudo nano /etc/fail2ban/action.d/ufw.conf
Add these lines to ufw.conf (<ip> is the tag Fail2Ban substitutes with the banned address):
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw delete deny from <ip> to any
Restart the service and it's good to go.
$ sudo service fail2ban restart
It's possible to test the regex rule against the log as well:
$ fail2ban-regex /var/log/ufw.log '.*\[UFW BLOCK\] IN=.* SRC=<HOST>'
You should get results like these:
Running tests
=============
Use failregex line : .*\[UFW BLOCK\] IN=.* SRC=<HOST>
Use log file : /var/log/ufw.log.1
Results
=======
Failregex: 163 total
|- #) [# of hits] regular expression
| 1) [163] .*\[UFW BLOCK\] IN=.* SRC=<HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [163] MONTH Day Hour:Minute:Second
`-
Lines: 163 lines, 0 ignored, 163 matched, 0 missed
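To see what the filter above is actually doing, here is an added Python example (not part of the original post and not Fail2Ban's own code) that expands the <HOST> tag the way Fail2Ban does, runs the failregex over a few constructed UFW log lines, and reports which source addresses reached the jail's maxretry of 20. The log lines and addresses are made up.

```python
import re
from collections import Counter

# Fail2Ban expands the <HOST> tag into this named group (simplified to the
# form used for IPv4 addresses and hostnames); the jail bans group "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the ufw-port-scan filter, with the <HOST> tag.
FAILREGEX = r".*\[UFW BLOCK\] IN=.* SRC=<HOST>"

# Syslog timestamp that Fail2Ban strips before applying failregex.
DATE_PREFIX = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} ")


def compile_failregex(failregex):
    """Expand <HOST> like Fail2Ban; a regex without it is rejected with the
    same complaint fail2ban-regex prints ("No failure-id group")."""
    if "<HOST>" not in failregex:
        raise ValueError("No failure-id group in %r" % failregex)
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def scan(lines, failregex, maxretry):
    """Count failregex matches per source address and return the ones that
    reached maxretry, i.e. the addresses the jail would hand to actionban."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        match = pattern.search(DATE_PREFIX.sub("", line, count=1))
        if match:
            hits[match.group("host")] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}


# Constructed UFW log lines: 22 blocked probes from one address (a scan
# across ports), one blocked packet from another, and an unrelated
# [UFW AUDIT] line that the filter must ignore.
SAMPLE_LOG = [
    "Mar  1 10:00:%02d host kernel: [ 120.5] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 "
    "DST=192.0.2.10 LEN=40 TTL=50 PROTO=TCP SPT=4444 DPT=%d SYN URGP=0"
    % (i, 20 + i)
    for i in range(22)
] + [
    "Mar  1 10:01:00 host kernel: [ 180.1] [UFW BLOCK] IN=eth0 OUT= "
    "SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53 LEN=60",
    "Mar  1 10:01:01 host kernel: [ 181.0] [UFW AUDIT] IN=eth0 OUT= "
    "SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, FAILREGEX, maxretry=20))  # {'203.0.113.7': 22}
```

Dropping `<HOST>` from FAILREGEX makes compile_failregex raise, which is the same failure fail2ban-regex reports when the tag is missing.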
Hi,
I followed this guide but the result of
fail2ban-regex /var/log/ufw.log '.*\[UFW BLOCK\] IN=.* SRC='
is:
Use failregex line : .*\[UFW BLOCK\] IN=.* SRC=
ERROR: No failure-id group in '.*\[UFW BLOCK\] IN=.* SRC='
Any ideas?
This is the wrong regex. It should include HOST in the SRC part:
SRC=<HOST>