Created custom jail: UFW-probe to catch port-probing.

2018-09-29 17:22:46 -06:00 · 2018-09-29 17:22:46 -06:00 · 3268998234
parent f03c94c8eb
commit 3268998234
2 changed files with 56 additions and 0 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,31 @@
+{
+    "cSpell.enabledLanguageIds": [
+        "asciidoc",
+        "c",
+        "cpp",
+        "csharp",
+        "css",
+        "go",
+        "handlebars",
+        "html",
+        "jade",
+        "javascript",
+        "javascriptreact",
+        "json",
+        "latex",
+        "less",
+        "markdown",
+        "php",
+        "plaintext",
+        "properties",
+        "pub",
+        "python",
+        "restructuredtext",
+        "rust",
+        "scss",
+        "text",
+        "typescript",
+        "typescriptreact",
+        "yml"
+    ]
+}
--- a/etc/fail2ban/jail.d/ufw-probe.conf
+++ b/etc/fail2ban/jail.d/ufw-probe.conf
@ -0,0 +1,25 @@
+[ufw-probe]
+
+# We specify all ports since probing attacks are not limited to any one port.
+port        = all
+
+# This should be specified in your jail.conf but we'll put it here just in case.
+# The localhost might have reasons to probe itself, so it should never be
+# blocked.
+ignoreip    = 127.0.0.1/8 ::1
+
+# By default, UFW logs to this location. Update as necessary to suit your
+# enviroment.
+logpath     = /var/log/ufw.log
+
+# Although timeframes are set in the jail.local, you might want to independently
+# control them for this particular filter so it's more/less aggressive.
+maxretry    = 5
+findtime    = 300
+
+# Because this is a custom filter, we need to point F2B to our custom filter. If
+# you changed the name of that filter file, then update it here without the
+# '.conf' part.
+filter      = ufw-probe
+
+enabled     = true