AutoFW

This tool is inspired by fail2ban, but is simpler and less forgiving. You provide it with a list of whitelisted and blacklisted IP addresses and ranges, and its output is a list of commands that blacklist slightly larger IP ranges, each covering several of the blacklisted addresses.

It assumes UFW for now.

Examples

  • For a.b.c.0 and a.b.c.1 you will get a block on a.b.c.0/31.
  • For a.b.c.0 and a.b.c.255 you will get a block on a.b.c.0/24.
  • For a.b.c.x and a.b.d.y you will get a block on a.b.0.0/16, if there are at least 4 blacklisted IP addresses in the a.b.0.0 block.

Building

First install some build tools. On Ubuntu you will run something like this:

  • apt-get install -y cmake libpcre2-dev make gcc

We use CMake.

  • cmake .
  • make

Usage

Initially, create a file autofw.whitelist, containing IP addresses and ranges that should always be allowed to connect.

Create a script that performs the tasks below. This can be run by cron.

  1. Collect all IP addresses and ranges to block into a new file, say autofw.badips. It may be a good idea to filter out entries in the whitelist.
  2. Run ufw insert 1 deny from $ip for each entry in autofw.badips. The ufw tool will automatically ignore duplicates.
  3. Collect all blacklisted addresses using the following command: ufw status verbose | grep DENY | awk '{print $4}' > autofw.blacklist
  4. Run ./autofw > ufw.updates.
  5. Run the ufw.updates script.

To block machines that attack your SMTP server by sending invalid commands, you can use a command such as the one below, and add further commands of the same shape as needed.

cat /var/log/mail.log |
	grep 'non-SMTP command' |
	awk '{print $8}' |
	tr '[]' ' ' |
	awk '{print $2}' >> autofw.badips

The output is a list of UFW commands. Here we assume we have blocked a.b.c.115 and a.b.c.116, and whitelisted e.f.g.h. The rule for e.f.g.h is first deleted and then inserted again so that it ends up at position 1, ahead of every deny rule. This way whitelisted addresses can never be blocked.

yes | ufw delete deny from a.b.c.115/32
yes | ufw delete deny from a.b.c.116/32
ufw insert 1 deny from a.b.c.112/29
yes | ufw delete allow from e.f.g.h/32
yes | ufw insert 1 allow from e.f.g.h/32