
Update #9 - Syncthing UFW Log Monitoring with Active Fail2Ban Enforcement

Date: May 10, 2025
Category: Security / Monitoring
Backlink: Update #8 – Syncthing Systemd Recovery After Upgrade

Overview

This update strengthens the security posture of Syncthing on the VPS by combining UFW logging with active Fail2Ban enforcement. In addition to passively monitoring IPs that attempt to reach the Syncthing ports (8384, 22000, 21027), repeat offenders are now banned automatically, reducing exposure to persistent probing. The goal is to detect and block repeated unauthorized attempts to access the restricted Syncthing services (Web GUI and sync ports), which are already protected by IP-restricted UFW rules.

A custom Fail2Ban filter and jail were added to detect and block offending IPs based on UFW block entries. Link-local IPv6 traffic (fe80::/10) is ignored to avoid false positives.

Goals

    • Detect blocked access attempts on Syncthing ports via UFW.

    • Ban repeated offenders automatically using Fail2Ban.

    • Maintain a summarized view of access attempts for visibility.

What Was Done

  1. UFW Logging Confirmed
     Logging was already enabled in UFW to track blocked traffic. The logs appear in /var/log/ufw.log and contain [UFW BLOCK] entries.

  2. Custom Fail2Ban Filter Added
     Created a new filter, /etc/fail2ban/filter.d/ufw-block.conf, that matches blocked connection attempts on the Syncthing-related ports (8384, 22000, 21027). It uses a regex to extract the source IP from the kernel log message.

  3. New Jail Configured
     The ufw-block jail was added to /etc/fail2ban/jail.local, configured to:

     • Watch /var/log/ufw.log

     • Use the new filter

     • Ban any IP that hits the block threshold (Fail2Ban's default is 5 attempts in 10 minutes; this jail lowers it to 3 attempts in the same 10-minute window)

     • Ban duration: 12 hours

  4. Verification
     Log entries such as the following confirm the jail is correctly identifying and responding to blocked IPs:

     [UFW BLOCK] IN=eth0 OUT= MAC= SRC=162.142.125.133 DST=<VPS_IP> PROTO=TCP SPT=43714 DPT=22000 ...

Files and Configuration

UFW Log Summary Script

Stored at: ~/syncthing-log-summary.sh

    #!/bin/bash
    
    # Syncthing ports of interest (Web GUI, sync, discovery)
    PORTS="8384|22000|21027"
    
    # UFW log file (kernel [UFW BLOCK] lines)
    LOGFILE="/var/log/ufw.log"
    
    # Output summary
    echo "Top IPs attempting to access Syncthing ports (8384, 22000, 21027):"
    echo "---------------------------------------------------------------"
    
    # Extract and count source IPs, excluding fe80::/10 (IPv6 link-local).
    # The \b after the port list keeps DPT=8384 from also matching e.g. DPT=83840.
    sudo grep "UFW BLOCK" "$LOGFILE" | \
    grep -E "DPT=($PORTS)\b" | \
    grep -v "SRC=fe80:" | \
    grep -oP 'SRC=\K\S+' | \
    sort | uniq -c | sort -rn | head -20
    

Filter File: /etc/fail2ban/filter.d/ufw-block.conf

    [Definition]
    # <HOST> is Fail2Ban's placeholder for the source address (IPv4 or IPv6).
    # The trailing \b stops 8384 from also matching e.g. DPT=83840.
    failregex = \[UFW BLOCK\].* SRC=<HOST> .* DPT=(8384|22000|21027)\b
    # Drop IPv6 link-local sources before they are counted.
    ignoreregex = SRC=fe80::

Fail2Ban Jail Configuration: /etc/fail2ban/jail.local

    [ufw-block]
    enabled  = true
    filter   = ufw-block
    logpath  = /var/log/ufw.log
    maxretry = 3
    findtime = 600
    bantime  = 43200
    # iptables-allports blocks every port from the offender; the plain iptables
    # action expects a concrete port list, so port=all would not be accepted.
    action   = iptables-allports[name=UFW-BLOCK, protocol=all]

This jail looks for repeated blocks on Syncthing ports and bans IPs for 12 hours after 3 failed attempts within 10 minutes.
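To check that the filter and jail thresholds above behave as intended before relying on them on the live VPS, here is an added Python script (not part of the original update) that replays constructed UFW log lines through the same failregex, ignoreregex, maxretry and findtime; the `\S+` capture standing in for Fail2Ban's <HOST> tag, the 2025 year for the timestamps, and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The ufw-block filter's failregex/ignoreregex (Fail2Ban uses Python re), with the
# <HOST> tag stood in for by a \S+ capture group (an approximation for this demo).
FAILREGEX = re.compile(r"\[UFW BLOCK\].* SRC=(?P<host>\S+) .* DPT=(8384|22000|21027)\b")
IGNOREREGEX = re.compile(r"SRC=fe80::")
MAXRETRY, FINDTIME = 3, 600          # jail.local values: 3 hits within 600 s

# Constructed sample of /var/log/ufw.log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
May 10 12:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43714 DPT=22000
May 10 12:01:10 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=43715 DPT=8384
May 10 12:02:30 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=fe80::1 DST=ff02::1 PROTO=UDP SPT=21027 DPT=21027
May 10 12:03:00 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=21027 DPT=21027
May 10 12:05:00 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=5001 DPT=83840
May 10 13:00:00 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=5002 DPT=22000
May 10 13:30:00 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=5003 DPT=22000
May 10 13:40:00 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=5004 DPT=22000
"""

def offending_host(line):
    """Return the SRC host if the line counts as a failure for the jail, else None."""
    if IGNOREREGEX.search(line):          # link-local IPv6 is dropped before failregex
        return None
    m = FAILREGEX.search(line)
    return m.group("host") if m else None

def replay(lines):
    """Replay log lines through the jail's counting rule; return {host: ban timestamp}."""
    recent, banned = defaultdict(list), {}
    for line in lines:
        host = offending_host(line)
        if host is None or host in banned:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2025)
        # keep only hits inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=FINDTIME)] + [ts]
        if len(recent[host]) >= MAXRETRY:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for host, ts in replay(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {ts:%H:%M:%S}")   # ban 198.51.100.7 at 12:03:00
```

Against the real log, Fail2Ban's own `fail2ban-regex /var/log/ufw.log /etc/fail2ban/filter.d/ufw-block.conf` reports which lines the filter matches and which the ignoreregex drops.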

Monitoring

Run this command at any time to review the top offending IPs:

bash ~/syncthing-log-summary.sh

To review currently banned IPs by this jail:

sudo fail2ban-client status ufw-block

To unban an IP (example):

sudo fail2ban-client set ufw-block unbanip 192.0.2.1

Log Management

  • Log rotation is managed via /etc/logrotate.d/ufw on a weekly basis.

  • Old logs are automatically purged after 4 rotations to prevent disk space issues.

Status

  • UFW logging confirmed active.

  • Syncthing ports protected behind dynamic DDNS-controlled rules.

  • Fail2Ban jail banning repeat offenders.

  • Link-local IPv6 traffic excluded to reduce noise.

Outcome

  • Any IP repeatedly attempting to connect to restricted Syncthing ports is now automatically banned.

  • This improves the security posture of the system by combining dynamic UFW rules (via DDNS) with active intrusion response from Fail2Ban.