My Tricks with UFW, Fail2ban, and Python

I am using a combination of tools to monitor, temporarily ban, and then permanently block problem IPs that attempt to brute-force SSH on my Ubuntu server, while still allowing SSH so I can manage the server.

First, I installed ufw to create firewall rules easily. The commands below show all available options, list the pre-configured application profiles that I can allow or block, and get more info on a specific app.

Finally, enable it and you should see output like below:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Now you can tail ufw.log in /var/log and soon see some messages, like this one from a guy who wants to see if my telnet port is open.

Nov 30 12:38:08 redacted kernel: [2570174.376890] [UFW BLOCK] IN=eth0 OUT= MAC=                       SRC= DST=                       LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=6396 PROTO=TCP SPT=49323 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0

Secondly, I installed a tool named fail2ban. You can follow some of these How-To’s on how to configure fail2ban, but I did a pretty basic config that will just temporarily ban an IP that has multiple SSH login failures in a relatively short period of time.

Once fail2ban is installed and configured to your liking, you can eventually check the fail2ban.log in /var/log for IPs… like this guy.

2016-11-30 12:39:33,796 fail2ban.filter [32600]: INFO [sshd] Found
2016-11-30 12:39:34,458 fail2ban.actions [32600]: NOTICE [ssh] Ban
2016-11-30 12:49:33,208 fail2ban.actions [32600]: NOTICE [sshd] Unban
2016-11-30 12:49:35,116 fail2ban.actions [32600]: NOTICE [ssh] Unban
2016-11-30 12:51:06,213 fail2ban.filter [32600]: INFO [sshd] Found
2016-11-30 12:51:06,228 fail2ban.filter [32600]: INFO [ssh] Found
2016-11-30 12:51:06,277 fail2ban.filter [32600]: INFO [ssh] Found
2016-11-30 12:51:06,285 fail2ban.filter [32600]: INFO [sshd] Found
2016-11-30 12:51:07,958 fail2ban.filter [32600]: INFO [sshd] Found
2016-11-30 12:51:07,960 fail2ban.filter [32600]: INFO [ssh] Found

This poor guy seems to be pretty persistent and keeps on trying even after the 10-minute ban period. So we are going to deny him completely in the firewall. But first, let’s get some info on the IP using another one of my little tools found here.

Using this script we find out a little more about him:

| IP —>
| ISP —> Amazon Technologies
| ORG —>
| Region —> Virginia
| Country —> United States

Hmm, Virginia… it’s obviously ‘The Man‘, so denied he goes…

What I actually do with the fail2ban.log is add an entry to my crontab like this:

This runs on schedule, pulls all the banned IPs from the fail2ban.log, runs each IP through my Python script to get location and other info, and saves the result to a file I can check later.

If I want to check stats on where most of the attacks come from, I now have a report. I can also run this command to add deny rules for all of them to the firewall.

One other thing I do with my ufw.log is look at who is trying certain ports, like my telnet port, which is closed. My ufw.log is only a little over 2 days old; see how many different IPs have tried it.

# ls -al /var/log/ufw.log
-rw-r----- 1 syslog adm 1974229 Nov 30 15:25 /var/log/ufw.log

# head -1 /var/log/ufw.log | awk '{print $1, $2, $3}'
Nov 28 06:26:16

# grep "DPT=23" /var/log/ufw.log | cut -d\= -f5 | awk '{print $1}' | sort -u | wc -l

Wow… 2149 different IPs… shame shame shame…
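As an added example (my own code, not the post's script or crontab command), here is a small Python helper that does the two log-mining jobs above offline: it counts fail2ban "Ban" events per IP to spot the repeat offenders, counts the distinct sources ufw blocked on a given port (the DPT=23 check above), and turns the repeat offenders into ufw deny commands. The log lines and IPs are constructed samples from the RFC 5737 documentation ranges, and the deny-rule format is my choice, not the author's.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post); the IPs are from
# the RFC 5737 documentation ranges.
FAIL2BAN_LOG = """\
2016-11-30 12:39:34,458 fail2ban.actions [32600]: NOTICE [sshd] Ban 192.0.2.10
2016-11-30 12:49:33,208 fail2ban.actions [32600]: NOTICE [sshd] Unban 192.0.2.10
2016-11-30 12:51:06,213 fail2ban.filter [32600]: INFO [sshd] Found 192.0.2.10
2016-11-30 12:55:00,001 fail2ban.actions [32600]: NOTICE [sshd] Ban 192.0.2.10
2016-11-30 13:02:11,000 fail2ban.actions [32600]: NOTICE [sshd] Ban 198.51.100.7
"""
UFW_LOG = """\
Nov 30 12:38:08 host kernel: [2570174.376890] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=6396 PROTO=TCP SPT=49323 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 30 12:38:09 host kernel: [2570175.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=6397 PROTO=TCP SPT=49324 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 30 12:40:00 host kernel: [2570200.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 30 12:41:00 host kernel: [2570260.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.12 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40001 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# Only 'Ban' events count; 'Found' and 'Unban' lines are ignored.
BAN_RE = re.compile(r"NOTICE\s+\[[^\]]+\]\s+Ban\s+(\d{1,3}(?:\.\d{1,3}){3})\b")
# SRC and DPT from a [UFW BLOCK] line, independent of the other fields.
UFW_RE = re.compile(r"\[UFW BLOCK\].*?\bSRC=(\S+).*?\bDPT=(\d+)")

def banned_ips(log_text):
    """Return {ip: number_of_bans}; repeat bans mark the persistent offenders."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def sources_hitting_port(log_text, port):
    """Return the distinct SRC addresses ufw blocked on destination port `port`."""
    srcs = set()
    for line in log_text.splitlines():
        m = UFW_RE.search(line)
        if m and int(m.group(2)) == port:
            srcs.add(m.group(1))
    return srcs

def deny_rules(counts, min_bans=2):
    """ufw commands for IPs banned at least `min_bans` times.  ufw evaluates
    rules in order, so 'insert 1' puts the deny ahead of an earlier allow-ssh
    rule; a plain 'ufw deny' appended after it would never match SSH traffic."""
    return [f"ufw insert 1 deny from {ip} to any"
            for ip, n in sorted(counts.items()) if n >= min_bans]
```

Feed it the real files with `banned_ips(open("/var/log/fail2ban.log").read())` and pass the resulting commands to a shell only after reviewing them, since a permanent deny rule never expires on its own.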

On a side note, with this many IPs we need to make sure we are using an API that allows this many requests. Check my GitHub for more options with higher rate limits here.

Firewalls, Linux, Network Security, Python Scripts
