Use UFW logs as a tripwire - penguinpowernz/scanban GitHub Wiki
If you use the UFW firewall, you will probably find its block events in one of two logs. By matching these log lines you can treat attempted access to normally vulnerable ports as tripwires that identify malicious actors, so they can be blocked pre-emptively.
# Log files to watch for UFW block events. Which file receives them depends
# on the host's syslog configuration, so both candidates are listed.
# NOTE(review): on some setups the same event is written to both files.
# Confirm this does not count a single packet twice.
files = [
    "/var/log/ufw.log",
    "/var/log/kern.log",
]
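[[rules]]
# Tripwire rule: a host whose packet to one of these ports was blocked is
# treated as a scanner.
#
# Each pattern is anchored on "[UFW BLOCK]" so that ALLOW/AUDIT entries and
# unrelated kernel messages in kern.log cannot trigger a match. It ends in
# \b (word boundary) so that DPT=23 does not also match DPT=230 or DPT=2323,
# and DPT=123 does not also match DPT=1234.
#
# Caveat: the SRC field of a blocked packet is unverified, because no
# handshake completed, and it is easy to forge for UDP services such as NTP.
# Make sure addresses this host depends on (resolvers, time servers,
# management hosts) can never end up banned by a tripwire match.
patterns = [
    '\[UFW BLOCK\] IN=\w+ .*DPT=23\b',   # telnet
    '\[UFW BLOCK\] IN=\w+ .*DPT=123\b',  # NTP
]

# Captures the source address from the matched line. IPv4 only: a blocked
# IPv6 packet carries a colon-separated SRC that this expression does not
# capture.
ip_regex = ' SRC=(\d+\.\d+\.\d+\.\d+) '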