asif
/
fail2banUFW
1
0
Fork 0
Code Issues Pull Requests Releases 3 Wiki Activity
Page: 08. The UFW filter
Pages
01. Introduction 02. Installing Fail2Ban 03. Convenience script 04. Applying changes (restarting Fail2Ban) 05. fail2ban.conf 06. jail.local 07. Jails 08. The UFW filter 09. UFW action file 10. Recidivists (repeat offenders) 11. Final thoughts
1 08. The UFW filter
Asif Bacchus edited this page 2019-05-21 07:17:05 -06:00
Table of Contents

The UFW filter (filter.d/ufw-probe.conf)

This really is the core of the entire set up, so we'll review how it works. First starting with how F2B decides to enact a ban and then looking at the ignore entry.

Address to block

When F2B is parsing ufw.log, it has to be told what entry denotes a failure and increments the retry counter toward a ban. This is done via a regular expression (REGEX):

failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>

Specifically, this matches any line containing '[UFW BLOCK]', incoming from any host and reads the source address as the 'HOST' to block.

Address to ignore

When F2B finds an entry that matches the failregex as above, it can also be told to further look at that entry to see if it should be ignored. This is the ignoreregex. Specifically here, I have set it up to ignore LAN addresses that are communicating via multicast. Let's look at the regex first and then get into the reasoning after.

ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w*\:).* PROTO=UDP.* DPT=(1900|3702|5353|5355) LEN=\d*\s\s$

Breaking this down, we're telling F2B to ignore anything that matches the following conditions in an otherwise blockable event:

  1. Source address starts with '10.' OR
  2. Source address starts with anything in the range '172.16-31.' OR
  3. Source address starts with '192.168.' OR
  4. Source address starts with 'fe??:'; AND
  5. Packet is UDP; AND
  6. Packet has been received on any of ports 1900, 3702, 5353 or 5355

Reasoning

For the first 3 rules, we are specifying IPv4 private address spaces. Specifically those address spaces are:

CIDR subnet IP address range
10.0.0.0/8 10.0.0.0 - 10.255.255.255
172.16.0.0/12 172.16.0.0 - 172.31.255.255
192.168.0.0/16 192.168.0.0 - 192.168.255.255

The fourth rule is a little trickier since it takes into account the RFC specs and not just common practice. IPv6 link-local addresses nearly always start with FE80 but the rules state that the actual subnet is FE80::/10. That 10 makes this tricky because it maps over the last four bits of the first octet (last two characters). Therefore the actual range is FE80:: - FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF. This means that the only thing we can check in a regex and be sure it's correct is the first two characters, in this case 'FE' since that will always be included. In this case, we check for 'FE' followed by 1 or more alphanumeric characters since we know it's at least 'FE8' and remember that 'FE80' could be contracted to 'FE8::'.

What about the ports? Here's where the overall reasoning of this entire exclusion comes into play. In a typical home/SOHO LAN setup, there is a lot of cross-talk between systems that ends up getting machines banned by Fail2Ban. Most of this traffic is multicast traffic for things like DLNA devices, Chromecasts or really any UPnP devices. Home routers are notorious for this as are media centers and even all installations of Google Chrome (yes, your browser!) since it checks every few minutes for any Chromecasts on the network. In addition, many people have WSD capable printers which also advertise. Finally, anyone running Windows Vista or later machines is nearly 100% using IPv6 at least on the machine itself and that results in link-local multicast name resolution packets being sent out. Here's a list of the ports I have just talked about

Port IANA registered function
1900 Simple Service Discovery Protocol (SSDP) -- used by UPnp devices to advertise their existance
3702 Web Services for Devices (WSD) -- used to advertise and coordinate activities
5353 Multicast Domain Name Service (mDNS) -- name resolution without a formal DNS server
5355 Link-Local Multicast Name Resolution (LLMNR) -- IPv4 & IPv6 name resolution on the same link

So what does this all mean? Virtually all LAN devices send these packets out to check if clients want to access services they offer or if they could be using services other systems are offering. Also, just to check out the names of systems they might need to contact at some point. However, when these packets hit a UFW protected system, it generates a [UFW BLOCK] and then our F2B filter thinks this is a bannable offence. The result? Our LAN machines get banned. The typical reaction, 'ignore the LAN address range'. However, that is an overreaction and it's better to just ignore this normal, innocuous multicast traffic instead. If we just ignore the entire LAN subnet, then actual malicious port-probing from a compromised machine would not get blocked. Hence, the creation of this rule and the genesis of this long write-up. I'm sure you've figured this out, but we go through the trouble of checking that the source is on the LAN so that we can still ban internet machines that are tying to use/spoof traffic on these ports.