3

I'm trying to block IP addresses with fail2ban and ufw with the following configuration and the default ufw.conf in /etc/fail2ban/action.d.

Jail config

[app-custom]
enabled = true
maxretry = 1
journalmatch =
backend = polling
logpath = %(log_path)s
findtime = 120
bantime = -1
banaction = ufw[application=$(app), blocktype=reject]

ufw config

actionstart =

actionstop =

actioncheck =

actionban = [ -n "<application>" ] && app="app <application>"
            ufw insert <insertpos> <blocktype> from <ip> to <destination> $app

actionunban = [ -n "<application>" ] && app="app <application>"
              ufw delete <blocktype> from <ip> to <destination> $app

[Init]
# Option: insertpos
# Notes.:  The position number in the firewall list to insert the block rule
insertpos = 1

# Option: blocktype
# Notes.: reject or deny
blocktype = reject

# Option: destination
# Notes.: The destination address to block in the ufw rule
destination = any

# Option: application
# Notes.: application from sudo ufw app list
application =

# DEV NOTES:
# 
# Author: Guilhem Lettron
# Enhancements: Daniel Black

For now, everything seems correctly set up because I receive fail2ban notifications about banned IPs, but I don't see any banned IP addresses in ufw status.

How can I make fail2ban work with ufw to block IP addresses correctly?

Thank you

Yohan W. Dunon
    1. Take a look at fail2ban.log for some errors. 2. I guess specifying `application=$(app)` as a parameter for the action is not correct, you have to either use a real application (known by ufw) or remove it / set it to an empty value – sebres Jun 24 '21 at 15:32
  • @sebres the `fail2ban.log` was saying nothing about my issue, but your second point was the solution. I've edited my question with the working solution of my problem. Thanks! – Yohan W. Dunon Jun 24 '21 at 21:04
  • 1
    @dunon wrong way, please remove the Solution and ANSWER your question yourself, or tell Sebres to do it for you to let him get some points - else the question will be unanswered FOREVER! – djdomi Jun 25 '21 at 04:55
  • @djdomi my bad, I've seen the button "Answer Your Question" so I thought I could simply edit my question and leave it open for others. This way they can still share their point of view or working solutions. Plus you can still copy-paste the solution as an answer if you think it's the wrong way. – Yohan W. Dunon Jun 25 '21 at 10:18

2 Answers

3

As @sebres pointed out in his comment,

  1. I guess specifying application=$(app) as a parameter for the action is not correct, you have to either use a real application (known by ufw) or remove it / set it to an empty value

the solution was to remove this part:

[application=$(app), blocktype=reject]

after banaction = ufw in the jail config.

Now ufw blocks all the undesirable IP addresses.

Here is the kicker:

[app-custom]
enabled = true
maxretry = 1
journalmatch =
backend = polling
logpath = %(log_path)s
findtime = 120
bantime = -1
banaction = ufw

I hope this will help.

Yohan W. Dunon
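To see concretely what the ufw action in the question hands to the firewall, here is an added POSIX shell example (not code from the question, the answers, or fail2ban's own ufw.conf). `render_ban_cmd` reproduces the tag substitution fail2ban performs on the `actionban` template (`<insertpos>`, `<blocktype>`, `<ip>`, `<destination>`, `<application>`) as plain text, so you can compare the command produced with `application` empty, with a real ufw application profile, and with the literal `$(app)` from the original jail; fail2ban passes the rendered line to a shell, so that last value would be interpreted as a command substitution rather than a ufw profile name. `ufw_has_ban` is the check a defender would run afterwards: it searches `ufw status` output for a REJECT/DENY rule from a banned address. The function names, the `SAMPLE_STATUS` listing and the 203.0.113.0/24 addresses are constructed for this example.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not fail2ban code): render the ufw
# actionban template the way fail2ban substitutes its tags, then check a
# `ufw status` listing for the resulting rule.

# Mirror the two-line actionban from the ufw action file:
#   [ -n "<application>" ] && app="app <application>"
#   ufw insert <insertpos> <blocktype> from <ip> to <destination> $app
# Tags are replaced textually; the result is printed, not executed.
render_ban_cmd() {
    insertpos="$1"; blocktype="$2"; ip="$3"; destination="$4"; application="$5"
    app=""
    # Only append an "app <profile>" clause when an application was given.
    [ -n "$application" ] && app=" app $application"
    printf 'ufw insert %s %s from %s to %s%s\n' \
        "$insertpos" "$blocktype" "$ip" "$destination" "$app"
}

# Constructed sample of `ufw status numbered` output after one successful ban
# (203.0.113.7 is a documentation address, not a real host).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   REJECT IN   203.0.113.7
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] Apache Full                ALLOW IN    Anywhere'

# Return 0 when the status text contains a REJECT or DENY rule whose source
# is exactly the given IP, 1 otherwise. Dots in the IP are escaped so they
# do not act as regex wildcards.
ufw_has_ban() {
    status="$1"; ip="$2"
    escaped=$(printf '%s' "$ip" | sed 's/\./\\./g')
    printf '%s\n' "$status" | grep -Eq "(REJECT|DENY) IN +${escaped}\$"
}

# Demonstration when run directly: the three substitutions side by side,
# followed by the post-ban check against the constructed listing.
if [ "${1:-}" = "demo" ]; then
    render_ban_cmd 1 reject 203.0.113.7 any ''
    render_ban_cmd 1 reject 203.0.113.7 any 'Apache Full'
    render_ban_cmd 1 reject 203.0.113.7 any '$(app)'
    if ufw_has_ban "$SAMPLE_STATUS" 203.0.113.7; then
        echo "203.0.113.7 is blocked by ufw"
    else
        echo "203.0.113.7 is NOT blocked by ufw"
    fi
fi
```

On a live system the same check is `sudo ufw status | grep <ip>` after `fail2ban-client status <jail>` reports the address as banned; if fail2ban lists the ban but ufw shows no rule, the action command is failing and `fail2ban.log` at DEBUG level records the exact rendered command and its exit status.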
1

I have been suffering the same problem. Your code actually worked for me by adding

banaction = ufw[application=$(app), blocktype=reject]

so my final jail.local looks like this

...
[apache-auth]
enabled  = true
port = http, https
logpath  = /var/log/apache2/error.log
banaction   = ufw[application=$(app), blocktype=reject]
bantime = 100h
maxretry = 2
ignoreip = 192.168.0.101
ignoreself = true
...
Engin Yilmaz