From e4e7a83cffb4fb5cbb35c204795fba45c8f40c61 Mon Sep 17 00:00:00 2001 From: usernamepi <53445688+usernamepi@users.noreply.github.com> Date: Thu, 6 May 2021 13:44:36 +0200 Subject: [PATCH 1/4] Update ufw.conf Prerequisites: * The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY. * Ufw version is => 0.36 (released in 2018) * Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses. * Now application names containing a space should be handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532 * Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open. Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option. My system apparently is compiled that way. --- config/action.d/ufw.conf | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf index d2f731f2..b47fa7e7 100644 --- a/config/action.d/ufw.conf +++ b/config/action.d/ufw.conf 
@@ -13,17 +13,26 @@ actionstop = actioncheck = -actionban = [ -n "" ] && app="app " - ufw insert from to $app - -actionunban = [ -n "" ] && app="app " - ufw delete from to $app +# ufw does "quickly process packets for which we already have a connection" in before.rules, +# therefore all related sockets should be closed +# actionban is using `ss` to do so, this only handles IPv4 and IPv6. + +actionban = if [ -n "" ] && ufw app info "" + then + ufw prepend from to app "" comment "" + else + ufw prepend from to comment "" + fi + ss -K dst [] + +actionunban = if [ -n "" ] && ufw app info "" + then + ufw delete from to app "" + else + ufw delete from to + fi [Init] -# Option: insertpos -# Notes.: The position number in the firewall list to insert the block rule -insertpos = 1 - # Option: blocktype # Notes.: reject or deny blocktype = reject From 5debaa4cac2723fa863ede9ed32c19cc82c71786 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Thu, 6 May 2021 20:23:58 +0200 Subject: [PATCH 2/4] option "add", can be set to "insert " instead of prepend (customization or backwards compat) --- config/action.d/ufw.conf | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf index b47fa7e7..bf06fe67 100644 --- a/config/action.d/ufw.conf +++ b/config/action.d/ufw.conf @@ -19,9 +19,9 @@ actioncheck = actionban = if [ -n "" ] && ufw app info "" then - ufw prepend from to app "" comment "" + ufw from to app "" comment "" else - ufw prepend from to comment "" + ufw from to comment "" fi ss -K dst [] @@ -33,6 +33,10 @@ actionunban = if [ -n "" ] && ufw app info "" fi [Init] +# Option: add +# Notes.: can be set to "insert 1" to insert a rule at certain position (here 1): +add = prepend + # Option: blocktype # Notes.: reject or deny blocktype = reject From 8f6a8df3a45395620e434fd15b4ede694a1d00aa Mon Sep 17 00:00:00 2001 
From: "Sergey G. Brester" Date: Thu, 6 May 2021 21:47:06 +0200 Subject: [PATCH 3/4] added new options `kill-mode` and `kill`, which makes the drop of all connections optional --- config/action.d/ufw.conf | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/config/action.d/ufw.conf b/config/action.d/ufw.conf index bf06fe67..cf8c22be 100644 --- a/config/action.d/ufw.conf +++ b/config/action.d/ufw.conf @@ -23,7 +23,7 @@ actionban = if [ -n "" ] && ufw app info "" else ufw from to comment "" fi - ss -K dst [] + actionunban = if [ -n "" ] && ufw app info "" then @@ -32,6 +32,21 @@ actionunban = if [ -n "" ] && ufw app info "" ufw delete from to fi +# Option: kill-mode +# Notes.: can be set to ss (may be extended later with other modes) to immediately drop all connections from banned IP, default empty (no kill) +# Example: banaction = ufw[kill-mode=ss] +kill-mode = + +# intern conditional parameter used to provide killing mode after ban: +_kill_ = +_kill_ss = ss -K dst "[]" + +# Option: kill +# Notes.: can be used to specify custom killing feature, by default depending on option kill-mode +# Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[]"'] + banaction = ufw[kill='cutter ""'] +kill = <_kill_> + [Init] # Option: add # Notes.: can be set to "insert 1" to insert a rule at certain position (here 1): From 2958ad8636e9b3082c49537d7a56ae3b8cf12012 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Thu, 6 May 2021 22:19:38 +0200 Subject: [PATCH 4/4] Update ChangeLog --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4b0733d7..175d087a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -20,6 +20,9 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition ### Fixes * readline fixed to consider interim new-line character as part of code point in multi-byte logs (e. g. unicode encoding like utf-16be, utf-16le); +* `action.d/ufw.conf`: + - fixed handling on IPv6 (using prepend, gh-2331, gh-3018) + - application names containing spaces can be used now (gh-656, gh-1532, gh-3018) * `filter.d/drupal-auth.conf` more strict regex, extended to match "Login attempt failed from" (gh-2742) ### New Features and Enhancements @@ -29,6 +32,9 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition * better recognition of log rotation, better performance by reopen: avoid unnecessary seek to begin of file (and hash calculation) * file filter reads only complete lines (ended with new-line) now, so waits for end of line (for its completion) +* `action.d/ufw.conf` (gh-3018): + - new option `add` (default `prepend`), can be supplied as `insert 1` for ufw versions before v.0.36 (gh-2331, gh-3018) + - new options `kill-mode` and `kill` to drop established connections of intruder (see action for details, gh-3018) * `filter.d/nginx-http-auth.conf` - extended with parameter mode, so additionally to `auth` (or `normal`) mode `fallback` (or combined as `aggressive`) can find SSL errors while SSL handshaking, gh-2881
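Review bot: in the PATCH 1/4 actionban hunk (`@@ -13,17 +13,26 @@`), `ss -K dst []` runs unconditionally after the `fi`, so on a kernel built without CONFIG_INET_DIAG_DESTROY (a prerequisite the commit message names but the config comments do not) the `ss -K` call exits non-zero and the whole actionban is reported as failed even though the ufw rule was already added; either make the kill step optional or tolerate its failure, and state the kernel requirement next to the call. In the same hunk, `ufw app info ""` inside the `if` condition prints the whole profile to stdout; redirect it (`>/dev/null 2>&1`) so the test only contributes its exit status.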
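Review bot: in the PATCH 2/4 `[Init]` hunk (`@@ -33,6 +33,10 @@`), the `# Notes.:` line for the new `add` option does not say why a user would pick `insert 1`; PATCH 1/4's commit message gives the reason (`prepend` needs ufw >= 0.36), so add that to the comment, e.g. `# Notes.: default "prepend" requires ufw >= 0.36; set to "insert 1" on older versions to insert the rule at position 1`. Without it an administrator on an older ufw only discovers the requirement when the ban command fails.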
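Review bot: the PATCH 3/4 actionban hunk (`@@ -23,7 +23,7 @@`) removes the hard-coded `ss -K dst []` call, but the comment block that PATCH 1/4 added above actionban (`# actionban is using \`ss\` to do so, this only handles IPv4 and IPv6.`) is not touched by this patch and is now stale, since `ss` is only used when `kill-mode=ss` is set; update it to point at the `kill-mode` and `kill` options instead.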
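Review bot: in the PATCH 3/4 options hunk (`@@ -32,6 +32,21 @@`), the `# Notes.:` line for `kill-mode` should state that the `ss` mode (`_kill_ss = ss -K dst "[]"`) needs the `ss` binary and a kernel built with CONFIG_INET_DIAG_DESTROY, as PATCH 1/4's commit message says; a user who enables `ufw[kill-mode=ss]` on a kernel without it gets a failing ban action with no hint in the config. Also worth saying in the `kill` notes that the custom command inherits the same behaviour: if it exits non-zero the ban is reported as failed, so users writing their own `kill` (e.g. the `cutter ""` example) should make it tolerate "no matching connection" results.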
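Review bot: the PATCH 4/4 ChangeLog Fixes hunk (`@@ -20,6 +20,9 @@`) does not mention that PATCH 1/4 removed the `insertpos` option from `action.d/ufw.conf`; anyone with `ufw[insertpos=...]` in jail.local is affected by this series, so add a line such as `- option \`insertpos\` removed, use \`add="insert N"\` instead (gh-3018)` so the migration path is visible in the release notes. Minor: "fixed handling on IPv6" reads better as "fixed handling of IPv6".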