~/Managing Abuse IP Blocking with UFW

Mar 15, 2021


The Uncomplicated Firewall (UFW) is an interface to iptables designed to make firewall management easier. When managing server security, blocking abusive IP addresses is important to prevent unauthorized access and DoS attacks.

Install UFW

Install UFW on Debian or Ubuntu with:

sudo apt update
sudo apt install ufw

Enable UFW:

sudo ufw enable

Check status:

sudo ufw status verbose

Block an Abuse IP

To block a specific IP address:

sudo ufw deny from 203.0.113.50

To block an IP range:

sudo ufw deny from 203.0.113.0/24

Remove a rule:

sudo ufw delete deny from 203.0.113.50

Automating Abuse List Blocking

Fetch and block IPs from AbuseIPDB or Spamhaus DROP. Example script:

# Skip comment lines (they start with ';') and take the CIDR from the first column
for ip in $(curl -s https://www.spamhaus.org/drop/drop.txt | grep -v '^;' | awk '{print $1}'); do
  sudo ufw deny from "$ip"
done
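
A more defensive take on the loop above, as an added example that is not part of the original post: every entry is checked to be a well-formed IPv4 CIDR before it gets anywhere near `sudo ufw`, and the commands are only printed unless `APPLY=1` is set. The function names, the `APPLY` variable, the /8 width limit and the sample list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate a DROP-style list before it becomes UFW rules.
# valid_cidrs, block_list, APPLY and SAMPLE_DROP are illustrative names.

# Constructed sample in the "CIDR ; comment" layout the loop above parses.
SAMPLE_DROP='; constructed sample list, documentation ranges only
203.0.113.0/24 ; constructed entry A
198.51.100.0/25 ; constructed entry B
999.1.2.3/24 ; octet out of range
192.0.2.0/40 ; prefix out of range
<html>error page</html>
203.0.113.0/24 ; duplicate entry'

# Read list text on stdin; print each valid IPv4 CIDR once.
valid_cidrs() {
  awk '
    /^[ \t]*;/ || NF == 0 { next }
    {
      cidr = $1
      if (cidr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) next
      split(cidr, p, "[./]")
      for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) next
      # Assumed safety limit: nothing wider than /8, so 0.0.0.0/0 is refused
      if (p[5] + 0 < 8 || p[5] + 0 > 32) next
      if (!seen[cidr]++) print cidr
    }'
}

# Print one command per CIDR; run them for real only when APPLY=1.
block_list() {
  valid_cidrs | while read -r cidr; do
    if [ "${APPLY:-0}" = "1" ]; then
      sudo ufw deny from "$cidr"
    else
      echo "ufw deny from $cidr"
    fi
  done
}

# Dry run over the constructed sample.
printf '%s\n' "$SAMPLE_DROP" | block_list
```

To use it against a live feed, pipe the downloaded list into `block_list` in place of the sample and review the printed commands before re-running with `APPLY=1`.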

Analyze nginx access logs or fail2ban logs to identify suspicious IPs.

List UFW Rules

Display all active rules:

sudo ufw status numbered

Logging and Monitoring

Enable logging:

sudo ufw logging on

Review /var/log/ufw.log to monitor blocked attempts. See the UFW logging documentation for details.

Integrating with fail2ban

fail2ban bans IPs whose log entries match suspicious patterns. Combine it with UFW to block brute-force attempts.

Configure the fail2ban jail to use UFW as the ban action:

[DEFAULT]
banaction = ufw

Caveats and Best Practices

Tags: [ufw] [networking] [security] [firewall]