
Update #9 - Intrusion Logging with UFW and Fail2Ban Integration

Date: May 10, 2025
Category: Security / Monitoring
Backlink: Update #8 – Syncthing Systemd Recovery After Upgrade

Overview

This update extends the Syncthing access hardening process by implementing intrusion logging and banning with Fail2Ban. The goal is to monitor and block repeated unauthorized attempts to access restricted Syncthing services (Web GUI and sync ports) that are protected by IP-restricted UFW rules.

What Was Done

  1. UFW Logging Confirmed
    Logging was already enabled in UFW to track blocked traffic. The logs appear in /var/log/ufw.log and contain [UFW BLOCK] entries.

  2. Custom Fail2Ban Filter Added
    Created a new filter file /etc/fail2ban/filter.d/ufw-block.conf to match blocked connection attempts on the Syncthing-related ports (8384, 22000, 21027). The filter uses a regex to extract the source IP from the SRC= field of the kernel log messages.

  3. New Jail Configured
    The ufw-block jail was added to /etc/fail2ban/jail.local, configured to:

    • Watch /var/log/ufw.log

    • Use the new filter

    • Ban any IP that hits the block threshold (default: 5 attempts in 10 minutes)

    • Ban duration: 12 hours

  4. Verification
    Log entries such as the following confirm the jail is correctly identifying and responding to blocked IPs:

    [UFW BLOCK] IN=eth0 OUT= MAC= SRC=162.142.125.133 DST=<VPS_IP> PROTO=TCP SPT=43714 DPT=22000 ...

Filter File: /etc/fail2ban/filter.d/ufw-block.conf

[Definition]
# <HOST> is Fail2Ban's placeholder for the offending address; it is replaced by
# an IP/hostname capture group at load time. Only hits on the Syncthing ports count.
failregex = \[UFW BLOCK\].* SRC=<HOST> .* DPT=(8384|22000|21027)
ignoreregex =

Jail Config: /etc/fail2ban/jail.local

[ufw-block]
enabled = true
filter = ufw-block
logpath = /var/log/ufw.log
# 5 matched lines from one IP within 600 s (10 min) trigger a 43200 s (12 h) ban
maxretry = 5
findtime = 600
bantime = 43200
# The plain iptables action takes a single --dport, so port=all is not valid there;
# iptables-allports blocks every port from the banned IP, which is the intent here.
action = iptables-allports[name=UFW-BLOCK, protocol=all]
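As an added example (not part of the original update), the following Python script replays constructed /var/log/ufw.log lines through the filter regex above and the jail's maxretry/findtime/bantime rule, so the counting behaviour can be checked offline without Fail2Ban installed. It assumes a 2025 log year, expands <HOST> to a plain IP capture group, and uses documentation-range addresses plus the page's own sample IP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters from jail.local: maxretry, findtime (s), bantime (s).
MAXRETRY, FINDTIME, BANTIME = 5, 600, 43200
# The page's failregex with fail2ban's <HOST> tag expanded to an IP capture group
# (fail2ban's real <HOST> also accepts hostnames; simplified here).
FAILREGEX = re.compile(r"\[UFW BLOCK\].* SRC=(?P<host>[0-9a-fA-F.:]+) .* DPT=(8384|22000|21027)")
# Syslog prefix that precedes the kernel message in /var/log/ufw.log.
PREFIX = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: ")

# Constructed sample log (not a real capture); year assumed to be 2025.
SAMPLE_LOG = """\
May 10 14:00:01 vps kernel: [1001.1] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=162.142.125.133 DST=203.0.113.10 PROTO=TCP SPT=43714 DPT=22000
May 10 14:01:10 vps kernel: [1002.2] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=162.142.125.133 DST=203.0.113.10 PROTO=TCP SPT=43715 DPT=8384
May 10 14:02:30 vps kernel: [1003.3] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443
May 10 14:03:05 vps kernel: [1004.4] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=162.142.125.133 DST=203.0.113.10 PROTO=UDP SPT=21027 DPT=21027
May 10 14:04:40 vps kernel: [1005.5] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=162.142.125.133 DST=203.0.113.10 PROTO=TCP SPT=43716 DPT=22000
May 10 14:06:12 vps kernel: [1006.6] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=162.142.125.133 DST=203.0.113.10 PROTO=TCP SPT=43717 DPT=22000
May 10 15:00:00 vps kernel: [1007.7] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=60001 DPT=22000
May 10 15:05:00 vps kernel: [1008.8] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=60002 DPT=22000
May 10 15:10:00 vps kernel: [1009.9] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=60003 DPT=22000
May 10 15:15:00 vps kernel: [1010.0] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=60004 DPT=22000
May 10 15:20:00 vps kernel: [1011.1] [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=60005 DPT=22000
"""

def parse_line(line):
    # Return (timestamp, source IP) when the filter matches the line, else None.
    pre, m = PREFIX.match(line), FAILREGEX.search(line)
    if not (pre and m):
        return None
    return datetime.strptime("2025 " + pre.group("ts"), "%Y %b %d %H:%M:%S"), m.group("host")

def simulate_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    # Replay the log through fail2ban's counting rule; return {ip: ban expiry}.
    hits, bans = defaultdict(deque), {}
    for ts, ip in filter(None, map(parse_line, log_text.splitlines())):
        if ip in bans and bans[ip] > ts:
            continue  # a banned IP is dropped by iptables before UFW would log it
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()  # forget hits that fell outside the findtime window
        if len(window) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans

if __name__ == "__main__":
    print(simulate_jail(SAMPLE_LOG))
```

Only 162.142.125.133 is banned: 192.0.2.9 also makes five attempts, but spaced five minutes apart so never five inside one 10-minute window, and 198.51.100.7's hit on port 443 is not a Syncthing port and is ignored by the filter.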

Log Management

  • Log rotation is managed via /etc/logrotate.d/ufw on a weekly basis.

  • Old logs are automatically purged after 4 rotations to prevent disk space issues.

Outcome

  • Any IP repeatedly attempting to connect to restricted Syncthing ports is now automatically banned.

  • This improves the security posture of the system by combining dynamic UFW rules (via DDNS) with active intrusion response from Fail2Ban.