UFW deny from <ip address>

box · October 11, 2017, 9:59am

I am looking at number of logs
tail -f /var/log/mail.log
tail -f /var/log/nginx/access.log

What other log should I be checking?

and I see the more or less the same IP addresses populating my log files trying various attempts to gain access …

Would it make as sense (if not please, please let me know why) for the community to collate such IP addresses and BAN them completely from accessing our boxes with firewall rules like “UFW deny from ip_address”?

Maybe have another branch on github collecting offending IP would be good idea?

murgero · October 11, 2017, 4:06pm

fail2ban should already attempt to block them (if it is configured to read those logs) @JoshData would know for sure.

murgero · October 11, 2017, 4:07pm

Adding the ip address manually to iptables for blocking shouldn’t affect anything tho so long as you know that MIAB/fail2ban/ufw would overwrite it during a reboot:

iptables -A INPUT 1 -s IP-ADDRESS -j DROP

where IP-ADDRESS = the IP in the log

box · October 14, 2017, 7:24pm

Well Fail2Ban will but only for couple of hours and then you will see those IP’s in the log again …

What would be the way to make the changes permanent (after reboots)?

murgero · October 14, 2017, 8:02pm

putting the iptables command in your rc.local file at the bottom just above the exit 0; line.

system · December 11, 2017, 9:59am

This topic was automatically closed after 61 days. New replies are no longer allowed.