(edited by jasongo 2019-09-01 21:07:42)

Topic: Aggressive Fail2Ban Rules Using UFW

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9 MariaDB
- Deployed with iRedMail Easy or the downloadable installer? Deployed by hand and coffee
- Linux/BSD distribution name and version: Ubuntu 18.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Nope. Soon.
====

This might be an interesting approach for those experiencing lots of attacks to open ports.

I made a Fail2Ban action and filter that uses UFW logs to filter blocked IP addresses. UFW logs the IP address of each blocked connection in /var/log/ufw.log.

This is useful because some attackers are testing the waters by checking some random ports before attacking the more common ports like 22, 25, 587, etc.

The aggressive approach I made is this: Any valid server communicating with my server should be going directly to the service ports (22, 25, 80, 587, etc...). Any server touching other ports is malicious and therefore should be blocked from accessing ALL ports.

On a fresh installation of a server, this Fail2Ban rule blocks 120-150 IP addresses every minute. It also reduces the blocked ports coming from postscreen and sshd rules.

So here's how to use this:

1. Create /etc/fail2ban/jail.d/ufw-aggressive.local

[ufw-aggressive]
enabled     = true
filter      = ufw.aggressive
action      = iptables-allports
logpath     = /var/log/ufw.log
findtime    = 3600
maxretry    = 1

2. Create /etc/fail2ban/filter.d/ufw.aggressive.conf

[Definition]
# The square brackets must be escaped: an unescaped "[UFW BLOCK]" is a
# character class, so the filter would also match "[UFW ALLOW]" and
# "[UFW AUDIT]" lines and ban legitimate clients.
failregex = \[UFW BLOCK\].+SRC=<HOST> DST
ignoreregex =

3. Restart Fail2Ban. On Ubuntu this is usually done with "service fail2ban restart".

NOTE: This trick assumes that your server has UFW installed. If you don't have it, you can install it and use it as your firewall configurator, OR adapt the trick by creating a filter for the iptables log and activating iptables logging.

Be sure also that UFW is logging to /var/log/ufw.log. If not, enable UFW logging and put the log file it uses in the logpath above.

How to check if this works:
Run "tail -f /var/log/fail2ban.log" to see the banned IP addresses in real time. It will show something like this:

2019-09-01 20:11:47,415 fail2ban.actions        [1859]: NOTICE  [ufw-aggressive] Unban 106.12.61.227
2019-09-01 20:12:29,013 fail2ban.filter         [1859]: INFO    [ufw-aggressive] Found 113.5.97.52 - 2019-09-01 20:12:29
2019-09-01 20:12:29,490 fail2ban.actions        [1859]: NOTICE  [ufw-aggressive] Ban 113.5.97.52
2019-09-01 20:12:37,506 fail2ban.actions        [1859]: NOTICE  [ufw-aggressive] Unban 113.232.178.171
2019-09-01 20:12:48,425 fail2ban.filter         [1859]: INFO    [ufw-aggressive] Found 111.35.33.34 - 2019-09-01 20:12:48
2019-09-01 20:12:48,724 fail2ban.actions        [1859]: NOTICE  [ufw-aggressive] Ban 111.35.33.34
2019-09-01 20:12:56,434 fail2ban.filter         [1859]: INFO    [ufw-aggressive] Found 89.38.145.124 - 2019-09-01 20:12:56
2019-09-01 20:12:56,740 fail2ban.actions        [1859]: NOTICE  [ufw-aggressive] Ban 89.38.145.124
2019-09-01 20:13:11,131 fail2ban.filter         [1859]: INFO    [ufw-aggressive] Found 115.61.82.135 - 2019-09-01 20:13:11
2019-09-01 20:13:11,366 fail2ban.actions        [1859]: NOTICE  [ufw-aggressive] Ban 115.61.82.135
2019-09-01 20:13:21,632 fail2ban.filter         [1859]: INFO    [ufw-aggressive] Found 185.176.27.166 - 2019-09-01 20:13:21
2019-09-01 20:13:21,988 fail2ban.actions        [1859]: NOTICE  [ufw-aggressive] Ban 185.176.27.166
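Before enabling a jail with maxretry = 1 against the whole firewall log, it is worth checking exactly which lines the failregex matches. The script below is an added example, not part of the post above: it runs the failregex as originally posted (unescaped brackets) and the escaped version over a few constructed ufw.log lines, using a simple IPv4 pattern as a stand-in for Fail2Ban's <HOST> tag.

```python
import re

# Constructed sample /var/log/ufw.log lines (documentation IPs, not real traffic).
# With UFW logging at "medium" or higher, ALLOW and AUDIT lines sit next to BLOCK lines.
UFW_LOG = """\
Sep  1 20:12:29 mail kernel: [ 1234.5678] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  1 20:12:31 mail kernel: [ 1236.1111] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.25 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 20:12:33 mail kernel: [ 1238.2222] [UFW AUDIT] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.26 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Sep  1 20:12:35 mail kernel: [ 1240.3333] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Assumption: a simplified stand-in for Fail2Ban's <HOST> tag, IPv4 only.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# As posted: unescaped brackets form a character class, so "[UFW BLOCK]" matches
# any single character from "UFW BLOCK", e.g. the "U" in "[UFW ALLOW]".
POSTED_REGEX = r"[UFW BLOCK].+SRC=" + HOST + r" DST"

# Escaped: only lines carrying the literal "[UFW BLOCK]" tag match.
FIXED_REGEX = r"\[UFW BLOCK\].+SRC=" + HOST + r" DST"


def hosts_matched(pattern, log_text):
    """Return the SRC addresses the given failregex would hand to the ban action."""
    rx = re.compile(pattern)
    found = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            found.append(m.group("host"))
    return found


if __name__ == "__main__":
    print("posted regex bans:", hosts_matched(POSTED_REGEX, UFW_LOG))
    print("fixed regex bans: ", hosts_matched(FIXED_REGEX, UFW_LOG))
```

On the server itself, "fail2ban-regex /var/log/ufw.log /etc/fail2ban/filter.d/ufw.aggressive.conf" runs the real filter against the real log and reports how many lines matched.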



Re: Aggressive Fail2Ban Rules Using UFW

Thanks for sharing.


Re: Aggressive Fail2Ban Rules Using UFW

btw, could you share the related ufw configuration/rules?