Saturday, May 4, 2024
54
rated 0 times [  54] [ 0]  / answers: 1 / hits: 33748  / 2 Years ago, wed, october 26, 2022, 5:23:34

Will running both fail2ban and ufw cause problems? I noticed that fail2ban modifies iptables rules, but ufw already has a ton of iptables rules defined... so I'm not sure if fail2ban will mess these up.



 Answers
3

You can use ufw and fail2ban together, but as indicated earlier, the order of (ufw) rules is what is important.



Out of the box, fail2ban uses iptables and inserts rules first in the INPUT chain. This will not do any harm or conflict with ufw.



If you wish to fully integrate fail2ban to use ufw (rather than iptables), you will need to edit a number of files, including



/etc/fail2ban/jail.local


jail.local is where you define your services, including what port they are listening on (think changing ssh to a non-default port) and what action to take.



**Please note**: Never ever edit jail.conf; your changes should be made in jail.local! That file begins with this:



# Changes:  in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory


Using ssh as an example, note the definition of a non-default port as well =)



[ssh]
enabled = true
banaction = ufw-ssh
port = 2992
filter = sshd
logpath = /var/log/auth.log
maxretry = 3


You then configure fail2ban to use ufw in (one .conf file for each service)



/etc/fail2ban/action.d/ufw-ssh.conf


The syntax is



[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH


Note: You configure fail2ban to use ufw and to insert new rules FIRST using the "insert 1" syntax. The delete will find the rule regardless of order.



There is a nice blog post that goes into more detail here



http://blog.vigilcode.com/2011/05/ufw-with-fail2ban-quick-secure-setup-part-ii/



[EDIT] For Ubuntu 16.04+

By default, a "defaults-debian.conf" in /etc/fail2ban/jail.d with content



[sshd]
enabled = true


will activate the ssh protection of fail2ban.

You need to set it to false.

Then create a jail.local like you would do in general, mine would be like this:



[ssh-with-ufw] 
enabled = true
port = 22
filter = sshd
action = ufw[application="OpenSSH", blocktype=reject]
logpath = /var/log/auth.log
maxretry = 3


There is already a ufw.conf in the fail2ban default installation so no need to create one.

The only specific change for your jail.local would be at the action line, where you need to put the application concerned for the protection and what you want to get as a result.

ufw tends to automatically detect a certain number of apps running that use the network. To get the list, just type sudo ufw app list. It's case-sensitive.

Reload fail2ban and you'll no longer see the fail2ban chain, and if any IP gets blocked you'll see it in sudo ufw status.


[#44086] Wednesday, October 26, 2022
ngthmated
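
The answer's point about rule order (a ban has to sit above the allow rule, hence "insert 1") can be checked from the output of `ufw status numbered`. The shell function below is an added example, not part of the original answer; the names `shadowed_bans` and `sample_status` are hypothetical and the status listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original answer.
# ufw evaluates rules top to bottom and the first match wins, so a ban that
# sits below "ALLOW ... Anywhere" for the same target never takes effect.

# shadowed_bans: read `ufw status numbered` output on stdin and print the
# number of every DENY/REJECT rule that follows such an allow-all rule.
shadowed_bans() {
    awk '
    /^\[/ {
        num = $0; sub(/^\[ */, "", num); sub(/\].*$/, "", num)
        rest = $0; sub(/^\[[ 0-9]*\] */, "", rest)
        n = split(rest, f, " ")
        to = ""; act = ""
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^(ALLOW|LIMIT|DENY|REJECT)$/) { act = f[i]; break }
            to = (to == "" ? f[i] : to " " f[i])
        }
        if (act == "") next
        dir = "IN"; j = i + 1
        if (f[j] ~ /^(IN|OUT|FWD)$/) { dir = f[j]; j++ }
        key = to " " dir
        if ((act == "ALLOW" || act == "LIMIT") && f[j] == "Anywhere")
            allowed[key] = 1
        else if ((act == "DENY" || act == "REJECT") && (key in allowed))
            print num
    }'
}

# Constructed sample of `ufw status numbered` output (documentation-range IPs).
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] OpenSSH                    REJECT IN   203.0.113.7
[ 2] OpenSSH                    ALLOW IN    Anywhere
[ 3] OpenSSH                    REJECT IN   198.51.100.23
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
EOF
}

sample_status | shadowed_bans
```

On a live host, pipe the real listing in with `sudo ufw status numbered | shadowed_bans`; any number printed is a ban that was added below the allow rule instead of at position 1.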
