Firewall – Does order of UFW rules matter

Tags: firewall, spam, ufw

When I first initialized my ufw, I did

ufw default allow outgoing
ufw default deny incoming
ufw allow 80/tcp
ufw allow 22/tcp

Over the last week or so, I've been going through my access logs and banning IPs that are making malicious requests on my server.

I'd do so using

ufw deny from <ip>

Here's my ufw status verbose

All the IPs pasted here are from sick-filth spammers; take no pity on them

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
Anywhere                   DENY IN     125.39.22.154
Anywhere                   DENY IN     222.124.200.250
Anywhere                   DENY IN     101.60.178.197
Anywhere                   DENY IN     115.184.115.200
Anywhere                   DENY IN     93.174.93.129
... more ips ...
80/tcp (v6)                ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)

Question

What I'm noticing is that the ALLOW actions are before the DENY actions.

Does the order of the rules actually matter? Or can I rest peacefully knowing that my IP block has worked?

Side question: Is there a more effective way to handle spammy requests than manually grepping access/error logs for malicious requests and blocking those IPs from making future requests?

Best Answer

Does the order of the rules actually matter?

Yes, it does. Denies should be first in this case since they are more specific (more specific rules should go first).

Is there a more effective way to handle spammy requests than manually

fail2ban can scan logs, and add IPs to many types of filtering systems that match defined patterns.
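To check an existing rule set for this ordering problem, the following added example (not part of the original question or answer) parses `ufw status` output, applies ufw's first-match-wins evaluation, and lists the DENY rules that an earlier ALLOW makes ineffective. The sample table and its documentation-range IPs are constructed, and the suggested commands assume rules created as `ufw deny from <ip>`, as in the question.

```python
import ipaddress
import re

# Constructed sample in the layout of `ufw status` (documentation-range IPs).
SAMPLE_STATUS = """\
To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
Anywhere                   DENY IN     203.0.113.7
Anywhere                   DENY IN     198.51.100.0/24
80/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

RULE_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY|REJECT|LIMIT) IN\s+(\S+)\s*$")

def parse_rules(status_text):
    """Return IPv4 inbound rules as (to, action, source, network), in listed order."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if m:  # headers, separators and "(v6)" rows do not match
            to, action, src = m.groups()
            cidr = "0.0.0.0/0" if src == "Anywhere" else src
            rules.append((to, action, src, ipaddress.ip_network(cidr, strict=False)))
    return rules

def verdict(rules, src_ip, port_proto, default="DENY"):
    """First match wins: action of the first rule covering this source and port."""
    addr = ipaddress.ip_address(src_ip)
    for to, action, _src, net in rules:
        if to in ("Anywhere", port_proto) and addr in net:
            return action
    return default

def shadowed_denies(rules):
    """(source, ports) for each DENY listed after an ALLOW-from-Anywhere it cannot override."""
    open_ports, findings = [], []
    for to, action, src, net in rules:
        if action == "ALLOW" and net.prefixlen == 0:
            open_ports.append(to)
        elif action == "DENY":
            still_open = [p for p in open_ports if to in ("Anywhere", p)]
            if still_open:
                findings.append((src, still_open))
    return findings

def fix_commands(findings):
    """ufw commands that re-add each shadowed DENY at position 1, ahead of the ALLOWs."""
    return [c for src, _ in findings
            for c in (f"ufw delete deny from {src}", f"ufw insert 1 deny from {src}")]
```

Feed it the text of `ufw status` from the host being audited; new blocks added with `ufw insert 1 deny from <ip>` land ahead of the ALLOW rules from the start.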