Created custom jail: UFW-probe to catch port-probing.

2018-09-29 17:22:46 -06:00 · 2018-09-29 17:22:46 -06:00 · 3268998234
commit 3268998234
parent f03c94c8eb
2 changed files with 56 additions and 0 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,31 @@
 {
    "cSpell.enabledLanguageIds": [
        "asciidoc",
        "c",
        "cpp",
        "csharp",
        "css",
        "go",
        "handlebars",
        "html",
        "jade",
        "javascript",
        "javascriptreact",
        "json",
        "latex",
        "less",
        "markdown",
        "php",
        "plaintext",
        "properties",
        "pub",
        "python",
        "restructuredtext",
        "rust",
        "scss",
        "text",
        "typescript",
        "typescriptreact",
        "yml"
    ]
 }
--- a/etc/fail2ban/jail.d/ufw-probe.conf
+++ b/etc/fail2ban/jail.d/ufw-probe.conf
@ -0,0 +1,25 @@
 [ufw-probe]
 # We specify all ports since probing attacks are not limited to any one port.
 port        = all
 # This should be specified in your jail.conf but we'll put it here just in case.
 # The localhost might have reasons to probe itself, so it should never be
 # blocked.
 ignoreip    = 127.0.0.1/8 ::1
 # By default, UFW logs to this location. Update as necessary to suit your
 # enviroment.
 logpath     = /var/log/ufw.log
 # Although timeframes are set in the jail.local, you might want to independently
 # control them for this particular filter so it's more/less aggressive.
 maxretry    = 5
 findtime    = 300
 # Because this is a custom filter, we need to point F2B to our custom filter. If
 # you changed the name of that filter file, then update it here without the
 # '.conf' part.
 filter      = ufw-probe
 enabled     = true