Just a notice to me / link #1945 (similar thing for iptables, port scans, etc).

Coverage increased (+0.0003%) to 97.775% when pulling e8d1f07 on mbologna:ufw-port-scan into 8a0c06b on fail2ban:0.11.

Coverage remained the same at 97.774% when pulling e8d1f07 on mbologna:ufw-port-scan into 8a0c06b on fail2ban:0.11.

Is this going to be adopted?

Is this going to be adopted?

I hope so! Maintainer @sebres, what can I do to help you merge this?

I'm not a maintainer :) a dev either.
As for merge, in my opinion it is too risky to use such a filters (see #1945 (comment)) without to know what you do.
Anyway why do you want the filter will be added to stock fail2ban necessarily?
Everyone who needs it can do it simply adding such a jail (with empty filter and direct failregex).

But OK... basically two things bother me here:

1. there are dozen firewalls logging with iptables to kernel log with almost the same format... so would be absolutely nice if it can be made configurable (so we will not have later dozen filters doing basically the same thing).
2. too vulnerable failregex (for example take a look aforementioned comment). Just to compare how it could be:

- .*\[UFW BLOCK\] IN=.* SRC=<HOST>
+ # ^\s*\S+ kernel:(?: +\[[^\]]+\])? \[UFW BLOCK\](?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))* SRC=<ADDR> DST=\S+
+ ^\s*\S+ kernel:(?: +\[[^\]]+\]){0,2}(?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))* SRC=<ADDR> DST=\S+

it is anchored, does not contain catch-all's, monitoring incoming traffic only, etc

^\s*\S+ kernel:(?: +\[[^\]]+\])?[^\n\[=]*(?:(?<= )(?:IN=\w+|OUT=|(?:(?!OUT=|IN=)[A-Z]+=[^ \[]*)+) )*SRC=<ADDR> DST=\S+

Regex proposed by you on Jan 23 is not working either (starting year 2020 I think).
I have checked it upon ufw.log syslog and kern.log.
Would you please to remove or correct it to not misguide people landed here by google search.

$ fail2ban-regex  /var/log/ufw.log '^\s*\S+ kernel:(?: +\[[^\]]+\])?[^\n\[=]*(?:(?<= )(?:IN=\w+|OUT=|(?:(?!OUT=|IN=)[A-Z]+=[^ \[]*)+) )*SRC=<ADDR> DST=\S+'

Running tests
=============
Use   failregex line : ^\s*\S+ kernel:(?: +\[[^\]]+\])?[^\n\[=]*(?:(?<= )...
Use         log file : /var/log/ufw.log
Use         encoding : UTF-8

Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
|  [20478] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 20478 lines, 0 ignored, **0 matched, 20478 missed**
[processed in 0.65 sec]

Regex proposed by you on Jan 23 is not working either (starting year 2020 I think).

May be ufw blocked events simply not logged there? :) But if you are sure...

Would you please to remove or correct it to not misguide people landed here by google search.

I could, if you'd provide a "new" log-format you have now.

I could, if you'd provide a "new" log-format you have now.

Original log but IPs are faked.
https://pastebin.com/Du6yuxJA

Done (I corrected the comment above also):

Here are the REs:

1. for [UFW BLOCK]:

^\s*\S+ kernel:(?: +\[[^\]]+\])? \[UFW BLOCK\](?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))* SRC=<ADDR> DST=\S+

2. common, for any other firewall logging with iptables to kernel log:

^\s*\S+ kernel:(?: +\[[^\]]+\]){0,2}(?: (?:IN=\w+|OUT=|(?:(?!OUT=|IN=|SRC=)[A-Z]+=\S*)))* SRC=<ADDR> DST=\S+

Done (I corrected the comment above also)

Works perfectly.
I know this is not the best way to fight port scanners but it helps to block the most inadequate ones.
Thanks for the help!

Is this stale?

will this be released?

will this be released?

Maybe... (I already provided my thoughts about it).
Although nobody hinders one to use this filter/failregexe as it is.