Uncomplicated Firewall (UFW) is not blocking anything

I inserted a rule into UFW to block an IP, and the logs show that it is ALLOWED. I'm not sure UFW is working. I'm puzzled that UFW shows a blocked IP as allowed in. Is UFW blocking?

You will need iftop. If you are using Ubuntu 24.04 or 22.04, just run apt install iftop.

UFW has a weird way of logging and, in my opinion, in spite of the name, the logging is confusing and makes it damn hard to monitor threats.

One thing I noticed with UFW is that after blocking an IP, or a range of IPs using a .0/24 range, the logs continue to show ALLOW DPT=XXXX. You scratch your head wondering whether UFW is working at all. The logs show ALLOW for the IP xxx.xxx.xxx.xxx even though I blocked it; the UFW (Uncomplicated Firewall) logs continue to show ALLOW for the blocked IP.

Once you understand how UFW logging works, it makes more sense: when UFW logs ALLOW, it only means that the packet is headed for a port you opened with a rule such as ufw allow 80,443/tcp. So UFW is telling you that the IP, even though blocked, is trying to reach a port you opened such as 80 or 443. What UFW should say in the logs, when logging is enabled, is something like BLOCKED: denied IP to ALLOWED port xxxx. Hey, whatever.

When you block an IP from an open (allowed) port and want UFW to log that IP's attempts to reach it, use the following command:

ufw insert 1 deny log from 80.94.95.239 comment "BAD person"

Note the word "log". Now, when the blocked IP tries to access the allowed port, you will see UFW BLOCK for that IP address in the logs.

The above method instructs UFW to write UFW BLOCK entries to the logs. It is a great help when debugging or looking for suspicious activity.

More examples of having UFW log a BLOCK for IP addresses attempting to reach ports you have opened for a web or mail server:

ufw insert 1 deny log from 80.94.95.239 comment "Annoying bot"
ufw insert 1 reject log from 80.94.95.239 comment "BAD person"
ufw insert 1 deny log from 80.94.95.0/24 comment "Lots of bad bots"
ufw insert 1 deny log from 80.94.95.239

Always use insert 1. That places the rule above your allow rules for ports such as http, https, ssh and smtp (80, 443, 22, 25 and so on). You can use any number in the insert, as long as it is lower than the position of the allow rule for the port you want to block the IP from. For example, if the rule for port 443 is at position 75 in the firewall list and you want to block an IP from https, insert 74 would place the block rule above https and successfully block it. But that is not a good idea; you are leaving yourself exposed to human error, so it is best to use insert 1. It saves time and reduces the likelihood of error.
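Added example (not from the original post): a small POSIX shell helper that builds the logged deny rule recommended above, refusing malformed addresses such as a left-in xxx.xxx.xxx.xxx placeholder, and then counts what the UFW log records for a source as BLOCK versus ALLOW. The log lines are constructed in the layout UFW writes to /var/log/ufw.log (with some fields trimmed); 80.94.95.239 is the address used in the post.

```shell
# Validate a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ipv4_or_cidr() {
    addr="${1%/*}"; prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32               # no slash: a single host
    case "$prefix" in *[!0-9]*|"") return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in *[!0-9]*|"") return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print the ufw command for a logged deny rule at position 1. The comment is
# wrapped in straight double quotes; curly quotes from a web page break the shell.
block_rule_cmd() {
    if ! valid_ipv4_or_cidr "$1"; then
        echo "refused: '$1' is not an IPv4 address or CIDR block" >&2
        return 0
    fi
    printf 'ufw insert 1 deny log from %s comment "%s"\n' "$1" "$2"
}

# Read a UFW log on stdin and print "<blocked> <allowed>" for one source IP,
# so you can see whether its packets hit the deny rule or an allow rule.
count_for_src() {
    awk -v src="SRC=$1 " '
        index($0, src) {
            if (index($0, "[UFW BLOCK]")) b++
            else if (index($0, "[UFW ALLOW]")) a++
        }
        END { printf "%d %d\n", b + 0, a + 0 }'
}

# Constructed sample log: one ALLOW before the rule existed, two BLOCKs after it.
SAMPLE_LOG=$(cat <<'EOF'
Jan  6 09:58:12 mail kernel: [UFW ALLOW] IN=eth0 OUT= SRC=80.94.95.239 DST=203.0.113.10 PROTO=TCP SPT=51034 DPT=443 SYN
Jan  6 10:01:40 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=80.94.95.239 DST=203.0.113.10 PROTO=TCP SPT=51100 DPT=443 SYN
Jan  6 10:01:43 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=80.94.95.239 DST=203.0.113.10 PROTO=TCP SPT=51101 DPT=443 SYN
Jan  6 10:02:05 mail kernel: [UFW ALLOW] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=443 SYN
EOF
)

block_rule_cmd 80.94.95.239 "BAD person"
printf '%s\n' "$SAMPLE_LOG" | count_for_src 80.94.95.239      # prints "2 1"
```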

For more peace of mind, to assure yourself that you have indeed blocked the bad IP address, you can use iftop. If you are on Ubuntu and don't have it installed, just run: apt install iftop. iftop is an excellent piece of software for Linux systems. It monitors inbound and outbound traffic for every IP address connected to your server and shows which port each connection is on.

iftop displays all connections to your server, showing both inbound and outbound traffic, and it has options to display source and destination ports. When iftop shows data coming in and no data going out, it means that the source IP address is either blocked by the firewall or is connecting to a port that is closed or not listened on by any software on your server. You can even filter which ports iftop displays.

For example, if you just want to monitor SSH traffic, press "l" (lowercase L), then type ssh followed by Enter, and iftop displays only connections to port 22. If you have SSH on another port, enter that port number instead of "ssh".

After blocking an IP address with UFW, open iftop and monitor that IP address's outbound traffic. Over about 40 seconds you will see it drop to 0 for outbound. Don't be overly concerned about seeing inbound traffic. It just means the bot or human hasn't figured out that you blocked it. The inbound traffic means it is still trying to talk to your server: the Apache web server, mail or SSH, for example. The fact that no traffic is going out means the packets sent by the blocked IP address are not reaching your web server (Apache, for example). UFW, your firewall, is doing its job and protecting your server by blocking that IP address.

I currently have a pesty Brazilian hacker coming into my site on port 443 (https) from multiple IP addresses. He pounds my server with around 3,000 hits per hour for several hours a day. It soon became clear this is no ordinary person. I believe the attack is coming from the Brazilian government, a private organisation or an organised crime syndicate. The reason I wonder this is that the attack comes from tens of thousands of Brazilian servers. Quite a claim for me to make, but Brazil is a poor country and an individual could not possibly own tens of thousands of servers. Unless he or she is a very smart hacker taking control of them. Or he's quite stupid. Or, what is his interest in my server? Why is it so important that he break in? The perseverance is so strong and mind-blowing. He comes in daily with 1024 different IP addresses; when they are blocked, the following day it is another 1024 servers. It's like he owns Brazil!

This has been going on since December 6th 2024 and, today, January 6th 2025, the desperation has become more desperate with him, or the organisation, this past 24 hours. After I block the 1024 servers, he comes in again a couple of hours later with another 1024 servers. During the past 24 hours he has come in from over 8,000 servers. It's like this dude is very desperate and seemingly has deep pockets of cash or has control of Brazil. What the hell is on my server that could be of interest? The server he attacks is nothing more than a mail server. No secrets on there, no customer user database, nothing of value to anyone except me.

I have 3 servers; they are attacking one, the mail server. Unknown to them, their IP addresses are instantly sent to the other 2 servers to add to the firewall block list. It appears that for now this server of mine is more than a mail server: it is now harvesting the IP addresses of the Brazilian attackers and sharing that data with my other servers.

He or the organisation is so bad that special software was written to auto-detect the attack within seconds and auto-block it.

These are the steps to follow before you block an IP or IP range with UFW (Uncomplicated Firewall); following them will give you peace of mind.

In my example we are first going to monitor port 443 (https) to see whether Apache is responding to the pest from Brazil.

  1. Run iftop.
  2. Press "p", which displays the PORTS accessed on your server.
  3. Press "l" (lowercase L).
  4. Type http, then Enter; this filters the display to port 443 (https) only.
  5. You will see the pest attacking or probing the https port.
  6. Monitor the "outgoing traffic" on that IP, not the incoming traffic.
  7. You will see Apache responding with data going out, which means the IP is not blocked by UFW.
  8. This means the IP is allowed and Apache responds as one expects.
  9. Now press n, which displays their IP address rather than a DNS name; some hide the IP behind a name like 123-123-123-123.somebraindead.br, and you are fooled into thinking 123… is their IP.
  10. Copy the IP address from iftop.
  11. Press Ctrl-C to exit iftop.
  12. Now type:
  13. ufw insert 1 deny from xxx.xxx.xxx.xxx comment "Pesty Brazilian"
  14. Now go back into iftop.
  15. While monitoring iftop you will see that there is NO outbound traffic to the blocked IP address.
  16. This means UFW has indeed blocked that IP address, even though the UFW logs will show ALLOW DPT=443 for the blocked IP. Remember, as mentioned earlier, if you want UFW to log that an IP is being blocked you must include log in the rule: ufw insert 1 deny log from xxx.xxx.xxx.xxx comment "BOT or individual hacker", or ufw insert 1 deny log from xxx.xxx.xxx.0/24 comment "BOT or individual hacker" to block all 256 addresses in one go.

You would do the same for your mail server or SSH server when you are unsure whether UFW is actually blocking. Using iftop alongside UFW helps you monitor the activity. iftop will confirm it: no data out means UFW is working; data going out means something is wrong, either UFW is not working or the block rule you gave UFW is incorrect or was not inserted at the top of the list. Remember step 3 above, where you pressed "l" (lowercase L) and typed http: if you had a pest on port 22 (ssh), you would type ssh or 22 instead.
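Added example (not from the original post): the "not inserted at the top of the list" failure above can be checked without iftop, because UFW applies the first matching rule, so the deny rule's number in "ufw status numbered" must be below the first inbound ALLOW for the port. The helper below reads that output from stdin; the two status listings are constructed in ufw's layout, and 80.94.95.239 is the address from the post.

```shell
# Print "deny-first" when the first DENY/REJECT rule from $1 is numbered below
# the first inbound ALLOW covering port $2, "allow-first" when the allow comes
# earlier (the block never fires), or "no-deny-rule" when $1 has no rule at all.
rule_order() {
    awk -v ip="$1" -v port="$2" '
        /^\[ *[0-9]+]/ {
            n = $0; sub(/^\[ */, "", n); sub(/].*/, "", n); n += 0
            rest = $0; sub(/^\[ *[0-9]+] */, "", rest)
            sub(/ *#.*/, "", rest); sub(/ \(v6\)/, "", rest); sub(/ +$/, "", rest)
            split(rest, f, / +/)      # f[1]=To  f[2]=Action  f[3]=IN/OUT  f[4]=From
            if (!deny && (f[2] == "DENY" || f[2] == "REJECT") && f[4] == ip) deny = n
            if (!allow && f[2] == "ALLOW" && f[3] == "IN") {
                p = f[1]; sub(/\/.*/, "", p)            # "80,443/tcp" -> "80,443"
                m = split(p, ports, ",")
                for (i = 1; i <= m; i++)
                    if (ports[i] == port || p == "Anywhere") allow = n
            }
        }
        END {
            if (!deny) print "no-deny-rule"
            else if (!allow || deny < allow) print "deny-first"
            else print "allow-first"
        }'
}

# Constructed listing after "ufw insert 1 deny from 80.94.95.239 comment ...".
GOOD=$(cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     80.94.95.239               # BAD person
[ 2] 80,443/tcp                 ALLOW IN    Anywhere
[ 3] 22/tcp                     ALLOW IN    Anywhere
EOF
)
# Same rules, but the deny was appended with a plain "ufw deny" instead of insert 1.
BAD=$(cat <<'EOF'
[ 1] 80,443/tcp                 ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     80.94.95.239               # BAD person
EOF
)

printf '%s\n' "$GOOD" | rule_order 80.94.95.239 443    # prints "deny-first"
printf '%s\n' "$BAD"  | rule_order 80.94.95.239 443    # prints "allow-first"
```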

Keep in mind, don't trust all of the data you see in the UFW logs. Your best friend is iftop, which tells you IF and WHAT traffic is coming IN to or going OUT from your server, and to WHICH remote IP address.

My advice is to use DENY in UFW and not REJECT. From experience, I find that when you DENY, which is "silence is golden", the pesty IP goes away, whereas when you use REJECT they continue to pound your server like a randy dog. Using DENY, your server gives no response at all when they come. Think of it this way.

"DENY": when someone knocks at the door of your home and you keep very quiet, don't respond, and wait for them to go away, they have no idea whether you are home or not. That's what DENY is on a UFW firewall. They have no idea whether there is a server there or not... unless your server responds to a PING request 😉

"REJECT": when someone comes knocking at your home and you scream out "Go away, you moron!" or yell, they know you are there! If you REJECT with UFW, the pesty hacker is 100% sure there is a server there and will keep on returning.

To the UFW creators: great firewall, but the logs are pretty weak. I'm being polite! Try showing in the logs, for example, port 80 open (allowed) and BLOCKED banned IP. Easy as spreading butter on bread!

Written by Jeff, AKA pirate ms Bonny!
