-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathufw-tricks.txt
111 lines (90 loc) · 6.64 KB
/
ufw-tricks.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
1) Howto change the logout put of ufw.
After installing with for example : ufw-fail2bah-geoip-xtables.sh which enables geo with iptables.
! Note, backported kernels may not work, just a warning check it if you upgraded your kernel.
in the file : /etc/ufw# cat before.rules just before or after the lines :
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# Only allow access to these ports from country NL
-A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 587 -m comment --comment "[UFW SUBMISSION Geoip]" -j LOG --log-prefix "[UFW BLOCK GEO 587-submission] "
-A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 465 -m comment --comment "[UFW SMTPS Geoip]" -j LOG --log-prefix "[UFW BLOCK GEO 465-smtps] "
-A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 143 -m comment --comment "[UFW IMAP Geoip]" -j LOG --log-prefix "[UFW BLOCK GEO 143-imap] "
-A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 993 -m comment --comment "[UFW IMAPS Geoip]" -j LOG --log-prefix "[UFW BLOCK GEO 993-imaps] "
-A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment "[UFW SSH Geoip]" -j LOG --log-prefix "[UFW BLOCK GEO 22-ssh] "
Since you done see these with the ufw command, looking with iptables shows:
iptables -nL | grep GEO
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW -m geoip ! --source-country NL tcp dpt:587 /* [UFW SUBMISSION Geoip] */ LOG flags 0 level 4 prefix "[UFW BLOCK GEO 587-submission"
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW -m geoip ! --source-country NL tcp dpt:465 /* [UFW SMTPS Geoip] */ LOG flags 0 level 4 prefix "[UFW BLOCK GEO 465-smtps] "
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW -m geoip ! --source-country NL tcp dpt:143 /* [UFW IMAP Geoip] */ LOG flags 0 level 4 prefix "[UFW BLOCK GEO 143-imap] "
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW -m geoip ! --source-country NL tcp dpt:993 /* [UFW IMAPS Geoip] */ LOG flags 0 level 4 prefix "[UFW BLOCK GEO 993-imaps] "
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW -m geoip ! --source-country NL tcp dpt:22 /* [UFW SSH Geoip] */ LOG flags 0 level 4 prefix "[UFW BLOCK GEO 22-ssh] "
ANd this results in the /var/log/ufw.log ( or syslog ) in:
Mar 11 16:48:30 core kernel: [366442.757248] [UFW BLOCK GEO 22-ssh] IN=eth0 OUT= MAC=52:54:00:ff:ae:66:80:ac:ac:68:4c:00:08:00 SRC=210.13.64.18 DST=149.210.206.148 LEN=40 TOS=0x00 PREC=0x20 TTL=46 ID=5132 PROTO=TCP SPT=42486 DPT=22 WINDOW=57129 RES=0x00 SYN URGP=0
Mar 11 16:48:30 core kernel: [366443.012491] [UFW BLOCK GEO 22-ssh] IN=eth0 OUT= MAC=52:54:00:ff:ae:66:80:ac:ac:68:4c:00:08:00 SRC=210.13.64.18 DST=149.210.206.148 LEN=60 TOS=0x00 PREC=0x20 TTL=235 ID=43019 DF PROTO=TCP SPT=37743 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Now its easy to add an custom rule into fail2ban to manage these scanning ips.
####################################################################################################
# /etc/ufw/before.rules
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# Start - Added by LvB Anti-DDOS HTTP/HTTPS (1/2 filter ) IPv4
:ufw-antiddos-http - [0:0]
:ufw-antiddos-http-logdrop - [0:0]
# Stop - Added by LvB Anti-DDOS HTTP/HTTPS (1/2 filter ) IPv4
# Start - Added by LvB Anti-DDOS HTTP/HTTPS (2/2 rules ) IPv4
# And the rules below the filter part. 2/2 rules
# limiting the connections per IP at 20 connections / 10 seconds / IP and the packets to 20 packets / second / IP.
#
# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-antiddos-http
-A ufw-before-input -p tcp --dport 443 -j ufw-antiddos-http
# Limit connections per Class C IPv4
-A ufw-antiddos-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-antiddos-http-logdrop
# Limit connections per IP ( 20 connections per sec )
-A ufw-antiddos-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-antiddos-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-antiddos-http-logdrop
# Limit packets per IP ( 20 packets per sec )
-A ufw-antiddos-http -m recent --name pack_per_ip --set
-A ufw-antiddos-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-antiddos-http-logdrop
# Finally accept
-A ufw-antiddos-http -j ACCEPT
# Log
-A ufw-antiddos-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ANTIDDOS HTTP DROP] "
-A ufw-antiddos-http-logdrop -j DROP
# END - Added by LvB Anti-DDOS HTTP/HTTPS (2/2 rules ) IPv4
####################################################################################################
####################################################################################################
# /etc/ufw/before6.rules
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
# End required lines
# Stop - Added by LvB Anti-DDOS HTTP/HTTPS (1/2 filter ) IPv6
:ufw6-antiddos-http - [0:0]
:ufw6-antiddos-http-logdrop - [0:0]
# Start - Added by LvB Anti-DDOS HTTP/HTTPS (2/2 rules ) IPv6
# limiting the connections per IP at 20 connections / 10 seconds / IP and the packets to 20 packets / second / IP.
# Enter rule
-A ufw6-before-input -p tcp --dport 80 -j ufw6-antiddos-http
-A ufw6-before-input -p tcp --dport 443 -j ufw6-antiddos-http
# Limit connections per Class C ( check todo / IPV6 C-class ? )
-A ufw6-antiddos-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw6-antiddos-http-logdrop
# Limit connections per IP ( 20 connections per sec )
-A ufw6-antiddos-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw6-antiddos-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw6-antiddos-http-logdrop
# Limit packets per IP ( 20 packets per sec )
-A ufw6-antiddos-http -m recent --name pack_per_ip --set
-A ufw6-antiddos-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw6-antiddos-http-logdrop
# Finally accept
-A ufw6-antiddos-http -j ACCEPT
# Log
-A ufw6-antiddos-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ANTIDDOS HTTP DROP] "
-A ufw6-antiddos-http-logdrop -j DROP
# END - Added by LvB Anti-DDOS HTTP/HTTPS (2/2 rules ) IPv6
####################################################################################################