# Fail2Ban action configuration file for ufw # # You are required to run "ufw enable" before this will have any effect. # # The insert position should be appropriate to block the required traffic. # A number after an allow rule to the application won't be of much use. [Definition] actionstart = actionstop = actioncheck = # ufw does "quickly process packets for which we already have a connection" in before.rules, # therefore all related sockets should be closed # actionban is using `ss` to do so, this only handles IPv4 and IPv6. actionban = if [ -n "" ] && ufw app info "" then ufw from to app "" comment "" else ufw from to comment "" fi actionunban = if [ -n "" ] && ufw app info "" then ufw delete from to app "" else ufw delete from to fi # Option: kill-mode # Notes.: can be set to ss or conntrack (may be extended later with other modes) to immediately drop all connections from banned IP, default empty (no kill) # Example: banaction = ufw[kill-mode=ss] kill-mode = # intern conditional parameter used to provide killing mode after ban: _kill_ = _kill_ss = ss -K dst "[]" _kill_conntrack = conntrack -D -s "" # Option: kill # Notes.: can be used to specify custom killing feature, by default depending on option kill-mode # Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[]"'] # banaction = ufw[kill='cutter ""'] kill = <_kill_> [Init] # Option: add # Notes.: can be set to "insert 1" to insert a rule at certain position (here 1): add = prepend # Option: blocktype # Notes.: reject or deny blocktype = reject # Option: destination # Notes.: The destination address to block in the ufw rule destination = any # Option: application # Notes.: application from sudo ufw app list application = # Option: comment # Notes.: comment for rule added by fail2ban comment = by Fail2Ban after attempts against # DEV NOTES: # # Author: Guilhem Lettron # Enhancements: Daniel Black