AutoFW
This tool is inspired by fail2ban, but is simpler and less forgiving. You provide it with a list of whitelisted and blacklisted IP addresses and ranges, and its output is a list of commands that blacklist slightly larger IP ranges, each covering several of the blacklisted addresses.
It assumes UFW for now.
Examples
- For a.b.c.0 and a.b.c.1 you will get a block on a.b.c.0/31.
- For a.b.c.0 and a.b.c.255 you will get a block on a.b.c.0/24.
- For a.b.c.x and a.b.d.y you will get a block on a.b.0.0/16, if there are at least 4 blacklisted IP addresses in the a.b.0.0 block.
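As an added illustration, not the project's own code (that lives in autofw.c), the Python sketch below implements the aggregation the three examples describe: the smallest CIDR covering the addresses seen in one /24, and a whole /16 once several /24s in it are hit and at least 4 addresses are blacklisted. The threshold constant and the fallback to single-address rules whenever a widened range would also cover a whitelisted host are assumptions, not behaviour documented for autofw.

```python
import ipaddress

WIDE_BLOCK_THRESHOLD = 4  # assumption: the README's "at least 4 addresses" rule for a /16


def covering_network(addrs):
    """Smallest IPv4 CIDR containing every address in addrs (longest common bit prefix)."""
    lo = min(int(a) for a in addrs)
    hi = max(int(a) for a in addrs)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefix}")


def group_by_prefix(addrs, prefix):
    """Bucket addresses by the /prefix network they fall into."""
    groups = {}
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        groups.setdefault(net, set()).add(a)
    return groups


def suggest_blocks(bad, whitelist):
    """Networks to deny, following the README's examples; never swallows a whitelisted host."""
    bad = {ipaddress.IPv4Address(a) for a in bad}
    allow = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    blocks = set()
    for net16, members in group_by_prefix(bad, 16).items():
        by24 = group_by_prefix(members, 24)
        if len(by24) > 1 and len(members) >= WIDE_BLOCK_THRESHOLD:
            candidates = [net16]  # several /24s hit: block the whole /16
        else:
            candidates = [covering_network(m) for m in by24.values()]
        for cand in candidates:
            if any(cand.overlaps(w) for w in allow):
                # Widened range would also cover a whitelisted host: fall back to /32 rules
                # (assumed policy, not autofw's documented behaviour).
                for a in members:
                    if a in cand and not any(a in w for w in allow):
                        blocks.add(ipaddress.ip_network(f"{a}/32"))
            else:
                blocks.add(cand)
    return [str(n) for n in sorted(blocks)]


def ufw_commands(bad, whitelist=()):
    """Shell lines in the form autofw writes to ufw.updates (command format from the README)."""
    return [f"ufw insert 1 deny from {n}" for n in suggest_blocks(bad, whitelist)]
```

Sample addresses in the test are constructed from documentation ranges; the whitelist case shows why the widened /16 of the third example needs a check against autofw.whitelist before it is applied.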
Building
On Ubuntu:
apt-get install -y cmake libpcre2-dev
cmake .
make
Usage
Initially, create a file autofw.whitelist, containing IP addresses and ranges that should always be allowed to connect.
Create a script that performs the tasks below. This can be run by cron.
- Collect all IP addresses and ranges to block into a new file, say `autofw.badips`. It may be a good idea to filter out entries in the whitelist.
- Run `ufw insert 1 deny from $ip` for each entry in `autofw.badips`. The ufw tool will automatically ignore duplicates.
- Collect all blacklisted addresses using the following command: `ufw status verbose | grep DENY | awk '{print $4}' > autofw.blacklist`
- Run `./autofw > ufw.updates`.
- Run the `ufw.updates` script.
To block machines that attack your SMTP server by sending invalid commands, you can use a command such as the one below. Then simply add additional commands as needed.
cat /var/log/mail.log |
grep 'non-SMTP command' |
awk '{print $8}' |
tr '[]' ' ' |
awk '{print $2}' >> autofw.badips