From d0961917b1985755e240fa5e827edf53372b3fb6 Mon Sep 17 00:00:00 2001 From: Asif Bacchus Date: Mon, 20 May 2019 12:03:46 -0600 Subject: [PATCH] ignore local network multicast device discovery --- etc/fail2ban/filter.d/ufw-probe.conf | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/etc/fail2ban/filter.d/ufw-probe.conf b/etc/fail2ban/filter.d/ufw-probe.conf index 53d6811..33404b9 100644 --- a/etc/fail2ban/filter.d/ufw-probe.conf +++ b/etc/fail2ban/filter.d/ufw-probe.conf @@ -1,3 +1,23 @@ [Definition] failregex = .*\[UFW BLOCK\] IN=.* SRC= -ignoreregex = + +# ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks +# still ban non-local (WAN) calls to any associated ports +ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*\:).* PROTO=UDP.* DPT=(1900|3702|5353|5355) LEN=\d*\s\s$ + + +# NOTES: +# IPv6 link local is fe80::/10 (fe80::-febf:ffff...ffff), so only 'fe' will +# always match +# IPv4 private ranges are: +# 10.0.0.0/8 (10.0.0.0-10.255.255.255) +# 172.16.0.0/12 (172.16.0.0-172.31.255.255) +# 192.168.0.0/16 (192.168.0.0-192.168.255.255) +# Multicast calls are done over UDP Ports. Common ports: +# 1900 = SSDP (dlna devices, chromecast, most UPnP devices) +# 3702 = WSD (printers mostly) +# 5353 = multicast DNS (mDNS) +# 5355 = link-local multicast name resolution (LLMNR) +# Excluding these ports on the LAN prevents unwanted bans without having to +# ignore all LAN addresses in their entirety since compromised LAN systems are +# still a very common attack vector.