Feat: Add filter for filtering ufw blocked events #2225
base: 0.11
Conversation
c3b9876 to 25add66
Just a notice to me / link #1945 (similar thing for iptables, port scans, etc).
Fail2ban filter configuration for ufw blocked events (typically port scans)

By default every connection attempt blocked by ufw will be logged, e.g.:

    Sep 14 20:56:41 sierra kernel: [UFW BLOCK] [...] SRC=<REDACTED> DST=<REDACTED> LEN=40 TOS=0x04 PREC=0x00 TTL=48 ID=5614 PROTO=TCP SPT=34092 DPT=23 WINDOW=43012 RES=0x00 SYN URGP=0

By carefully setting this filter we ban every IP that tries too many times to connect to non-allowed ports.
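The detection described above, as an added example that is not code from this PR or from fail2ban: the three failregex bodies quoted later in this thread (the original catch-all, the anchored one pinned to `[UFW BLOCK]`, and the final anchored one that accepts up to two bracketed tags) are run under Python's stdlib `re` over constructed ufw log lines, with fail2ban's `<HOST>`/`<ADDR>` tag replaced by a plain address capture and the syslog date stripped the way fail2ban strips the matched date before applying failregex. The host name, interface, MAC, the RFC 5737 addresses, `maxretry` of 3, the egress-blocked packets and the sshd line carrying attacker-controlled text are all assumptions made for the example.

```python
"""Run the failregex variants from this PR thread over constructed ufw log lines.

Added example, not part of the PR or of fail2ban. Sample log lines are
constructed (RFC 5737 documentation addresses, invented host/interface/MAC).
"""
import re
from collections import Counter

# fail2ban removes the date it matched before applying failregex; this emulates
# that for the default syslog timestamp, e.g. "Sep 14 20:56:41 ".
DATE_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")

# fail2ban's <HOST>/<ADDR> tag is replaced by a plain address capture so the
# patterns run under the stdlib re module (assumption for this example).
ADDR = r"(?P<addr>[0-9A-Fa-f.:]+)"
# Field list shared by the two anchored variants quoted in the thread: IN= must be
# non-empty and OUT= empty (incoming traffic only), other KEY=value fields are
# skipped, and SRC= can never be swallowed because of the negative lookahead.
FIELDS = r"(?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))*"
FAILREGEX = {
    # original: unanchored, catch-all .* on both sides
    "naive": re.compile(r".*\[UFW BLOCK\] IN=.* SRC=" + ADDR),
    # anchored at the kernel tag and pinned to the literal [UFW BLOCK]
    "pinned": re.compile(r"^\s*\S+ kernel:(?: +\[[^\]]+\])? \[UFW BLOCK\]"
                         + FIELDS + r" SRC=" + ADDR + r" DST=\S+"),
    # final variant: anchored, but any two bracketed tags are accepted
    "loose": re.compile(r"^\s*\S+ kernel:(?: +\[[^\]]+\]){0,2}"
                        + FIELDS + r" SRC=" + ADDR + r" DST=\S+"),
}

HOST = "192.0.2.10"  # assumed address of the machine running ufw


def ufw_line(tag, src, dst, dpt, iface_in="eth0", iface_out="", ktime=True):
    """Build one kernel log line in the layout ufw emits (constructed sample)."""
    ts = "[ 1234.567890] " if ktime else ""
    return (f"Sep 14 20:56:41 sierra kernel: {ts}[UFW {tag}] IN={iface_in} OUT={iface_out} "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=40 TOS=0x04 PREC=0x00 TTL=48 ID=5614 PROTO=TCP SPT=34092 DPT={dpt} "
            f"WINDOW=43012 RES=0x00 SYN URGP=0")


LINES = [
    ufw_line("BLOCK", "203.0.113.7", HOST, 23),
    ufw_line("BLOCK", "203.0.113.7", HOST, 22),
    ufw_line("BLOCK", "198.51.100.9", HOST, 3389, ktime=False),  # no kernel timestamp
    ufw_line("BLOCK", "203.0.113.7", HOST, 8080),
    # packets blocked by an egress rule: SRC is this host's own address
    ufw_line("BLOCK", HOST, "198.51.100.200", 25, iface_in="", iface_out="eth0"),
    ufw_line("BLOCK", HOST, "198.51.100.200", 25, iface_in="", iface_out="eth0"),
    ufw_line("BLOCK", HOST, "198.51.100.200", 25, iface_in="", iface_out="eth0"),
    # ufw also logs accepted packets, tagged [UFW ALLOW], at logging level medium and above
    ufw_line("ALLOW", "198.51.100.9", HOST, 443),
    # non-kernel line whose attacker-controlled part mimics a ufw record (constructed)
    "Sep 14 20:57:02 sierra sshd[812]: Invalid user [UFW BLOCK] IN=eth0 OUT= "
    "SRC=203.0.113.99 DST=x from 198.51.100.9 port 4444",
]


def strip_date(line):
    return DATE_PREFIX.sub("", line, count=1)


def hits(name, lines=LINES):
    """Counter of source addresses matched by one failregex variant."""
    rx = FAILREGEX[name]
    return Counter(m.group("addr") for m in map(rx.search, map(strip_date, lines)) if m)


def banned(name, maxretry=3, lines=LINES):
    """Addresses fail2ban would ban with this regex (all lines assumed inside one findtime)."""
    return sorted(a for a, n in hits(name, lines).items() if n >= maxretry)


if __name__ == "__main__":
    for name in FAILREGEX:
        print(f"{name:7} hits={dict(hits(name))} banned={banned(name)}")
```

Running the file directly shows the difference that matters operationally: the catch-all regex also counts the egress-blocked packets (whose SRC is the host itself) and the sshd line, so three blocked outbound packets are enough for it to ban 192.0.2.10, the machine's own address, while both anchored variants count only the inbound probes from 203.0.113.7. The final, unpinned variant still matches the `[UFW ALLOW]` line, which is why the bracket tag is worth keeping literal on systems with ufw logging above the default level.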
0e5ea39 to 28fda54
28fda54 to b06e247
Is this going to be adopted?
I hope so! Maintainer @sebres, what can I do to help you merge this?
I'm not a maintainer :) nor a dev either. But OK... basically two things bother me here:
- .*\[UFW BLOCK\] IN=.* SRC=<HOST>
+ # ^\s*\S+ kernel:(?: +\[[^\]]+\])? \[UFW BLOCK\](?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))* SRC=<ADDR> DST=\S+
+ ^\s*\S+ kernel:(?: +\[[^\]]+\]){0,2}(?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))* SRC=<ADDR> DST=\S+
It is anchored, does not contain catch-alls, monitors incoming traffic only, etc.
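Review bot: the second `+` line drops the literal `[UFW BLOCK]` check that the commented-out `+` line above it still has: `(?: +\[[^\]]+\]){0,2}` accepts any two bracketed tags, so a `kernel: [ 1234.5678] [UFW ALLOW] IN=eth0 OUT= ... SRC=... DST=...` record (ufw logs accepted packets with that tag once `ufw logging` is set to medium or higher) matches as well and counts toward a ban. Keep the tag pinned, e.g. `(?: +\[[^\]]+\])? \[UFW BLOCK\]` before the field list, so only blocked packets are counted.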
The regex proposed by you on Jan 23 is not working either (starting year 2020 I think).
Maybe ufw blocked events are simply not logged there? :) But if you are sure...
I could, if you'd provide the "new" log format you have now.
Original log but IPs are faked.
Done (I corrected the comment above also): Here are the REs:
Works perfectly.
Is this stale?
Please change...
However, as already mentioned above, it's too risky (because it is settings-dependent and too error-prone), so I'm still not convinced fail2ban really needs filters like that...
Will this be released?
Maybe... (I already provided my thoughts about it).