potential ufw and fail2ban conflicts

Solution 1:

You can use ufw and fail2ban together, but as indicated earlier, the order of (ufw) rules is what is important.

Out of the box, fail2ban uses iptables and inserts rules first in the INPUT chain. This will not do any harm or conflict with ufw.

If you wish to fully integrate fail2ban with ufw (rather than iptables), you will need to edit a number of files including

/etc/fail2ban/jail.local

jail.local is where you define your services, including what port they are listening on (think changing ssh to a non-default port) and what action to take.

**Please note**: Never ever edit jail.conf, your changes should be made in jail.local! That file begins with this:

# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory

Using ssh as an example, note the definition of a non-default port as well =)

[ssh]
enabled = true
banaction = ufw-ssh
port = 2992
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

You then configure fail2ban to use ufw in the following file (one .conf file for each service):

/etc/fail2ban/action.d/ufw-ssh.conf

The syntax is

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH

Note: You configure fail2ban to use ufw and to insert new rules FIRST using the "insert 1" syntax. The delete will find the rule regardless of order.

There is a nice blog post that goes into more detail here

http://blog.vigilcode.com/2011/05/ufw-with-fail2ban-quick-secure-setup-part-ii/

[EDIT] For Ubuntu 16.04+

By default, a "defaults-debian.conf" in /etc/fail2ban/jail.d with the content

[sshd]
enabled = true

will activate the ssh protection of fail2ban.

You need to set it to false.

Then create a jail.local like you would do in general, mine would be like this:

[ssh-with-ufw]
enabled = true
port = 22
filter = sshd
action = ufw[application="OpenSSH", blocktype=reject]
logpath = /var/log/auth.log
maxretry = 3

There is already a ufw.conf in the fail2ban default installation so no need to create one.

The only specific change for your jail.local would be at the action line, where you need to put the application concerned for the protection and what you want to get as a result.

ufw tends to automatically detect a certain number of apps using the network. To get the list just type sudo ufw app list. It's case-sensitive.

Reload fail2ban and you'll no longer see the fail2ban chain, and if any IP gets blocked you'll see it in sudo ufw status.
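As an added check (example code written here, not part of the answer and not from fail2ban or ufw): a small parser for `sudo ufw status numbered` output, run over a constructed sample, that lists the sources ufw is currently blocking and flags ban rules that sit below an allow rule for the same service, which is the ordering mistake the answer's "insert 1" advice avoids. The rule names and IPs in the sample are constructed.

```python
import re

# Constructed sample of `sudo ufw status numbered` output (not captured from a real host).
# Rule 1 is what fail2ban's "ufw insert 1 ..." action produces; rules 4 and 5 were
# appended after the OpenSSH allow rule, so ufw matches the allow first for SSH.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    REJECT IN   203.0.113.7
[ 2] OpenSSH                    ALLOW IN    Anywhere
[ 3] 2992/tcp                   ALLOW IN    Anywhere
[ 4] OpenSSH                    DENY IN     198.51.100.5
[ 5] Anywhere                   DENY IN     192.0.2.9
"""

RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s{2,}"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+(?P<src>\S.*?)\s*$"
)

def parse_ufw_status(text):
    """Return (num, to, action, src) tuples, one per numbered rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m["num"]), m["to"].strip(), m["action"], m["src"].strip()))
    return rules

def banned_ips(rules):
    """Sources blocked by a DENY/REJECT rule, i.e. what fail2ban has banned through ufw."""
    return {src for _, _, action, src in rules
            if action in ("DENY", "REJECT") and src != "Anywhere"}

def shadowed_bans(rules):
    """(ban, allow) rule-number pairs where an earlier ALLOW from Anywhere covers the
    ban's target (compared by name: app name or port string, or Anywhere), so ufw
    matches the allow first and the ban never takes effect for that service."""
    shadowed = []
    for num, to, action, src in rules:
        if action not in ("DENY", "REJECT") or src == "Anywhere":
            continue
        for a_num, a_to, a_action, a_src in rules:
            if (a_num < num and a_action in ("ALLOW", "LIMIT") and a_src == "Anywhere"
                    and (a_to == to or "Anywhere" in (to, a_to))):
                shadowed.append((num, a_num))
                break
    return shadowed
```

Feed it the real output of `sudo ufw status numbered` and an empty `shadowed_bans` result means every ban fail2ban inserted is placed where ufw will actually evaluate it before the allow rule.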

Solution 2:

Installing 0.9.5 of fail2ban included a ufw action which I simply had to set for the banaction.

Solution 3:

I have been using fail2ban and ufw for years on a couple of different computers, and never had any problems. To set up fail2ban:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

Now edit the file as you wish. For example, if you want to block unauthorized ssh, find the lines:

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

If "enabled" is set to "false", change it to "true" as noted here. After you set the rules you need to restart the fail2ban process:

sudo /etc/init.d/fail2ban restart

If you've opened port 22 on your ufw firewall, fail2ban will ban the clients that try to connect more than 6 times without success; it will not break your firewall.