Overview
UFW Parser is a specialized tool designed to parse, analyze, and visualize UFW (Uncomplicated Firewall) logs. It helps system administrators and security professionals gain insights into network traffic patterns, identify potential security threats, and monitor firewall activity with ease.
The Uncomplicated Firewall (UFW) is a popular frontend for iptables widely used in Linux environments, particularly for securing server deployments including blockchain validator nodes. While UFW simplifies firewall management, analyzing its logs can be challenging due to their verbose nature and format.
This tool addresses that challenge by parsing UFW logs into structured data that can be easily filtered, searched, and analyzed. It's particularly useful for blockchain validators who need to monitor network traffic and ensure their nodes are properly secured against unauthorized access attempts.
Key Features
- Comprehensive Log Parsing - Convert raw UFW logs into structured, easily analyzable data.
- Multiple Output Formats - Generate reports in various formats including text, CSV, and JSON.
- Advanced Filtering - Filter logs by source/destination IP, port, action, protocol, and more.
- Statistical Analysis - Generate statistics on connection attempts, blocked traffic, and allowed connections.
- IP Geolocation - Optional integration with IP geolocation databases to identify traffic sources.
- Time-based Analysis - Analyze traffic patterns over time with built-in time filtering capabilities.
- Security Alerting - Identify potentially malicious traffic patterns and repeated access attempts.
Installation
UFW Parser can be installed directly from GitHub:
git clone https://github.com/qf3l3k/ufw_parser
cd ufw_parser
pip install -r requirements.txt
Requirements
- Python 3.6 or higher
- UFW (Uncomplicated Firewall) configured on the system
- Read access to the UFW log file (typically /var/log/ufw.log)
- Python packages: pandas, matplotlib (for visualization features)
Usage
Basic usage involves pointing the tool at your UFW log file:
# Basic usage with default log location
python ufw_parser.py
# Specify a custom log file
python ufw_parser.py --log-file /path/to/ufw.log
# Generate a summary report
python ufw_parser.py --summary
# Export results to CSV
python ufw_parser.py --output-csv firewall_activity.csv
Sample Output
===== UFW Parser Report =====
Analysis of /var/log/ufw.log from 2025-05-01 to 2025-05-02
Total log entries: 1,253
Blocked connections: 1,142 (91.1%)
Allowed connections: 111 (8.9%)
Top 5 blocked source IPs:
1. 203.0.113.42 - 286 attempts - [China]
2. 198.51.100.17 - 142 attempts - [Russia]
3. 192.0.2.89 - 98 attempts - [Brazil]
4. 203.0.113.105 - 76 attempts - [United States]
5. 198.51.100.201 - 54 attempts - [Netherlands]
Top 5 targeted ports:
1. 22 (SSH) - 534 attempts
2. 26656 (Tendermint P2P) - 231 attempts
3. 26657 (Tendermint RPC) - 187 attempts
4. 80 (HTTP) - 121 attempts
5. 443 (HTTPS) - 89 attempts
===== End of Report =====
Advanced Usage
UFW Parser offers several advanced features for detailed analysis:
Filtering by Port or IP
You can filter log entries by various criteria such as IP addresses, ports, or time ranges:
# Filter by source IP
python ufw_parser.py --src-ip 203.0.113.42
# Filter by destination port
python ufw_parser.py --dst-port 22
# Filter by time range
python ufw_parser.py --start-time "2025-05-01 08:00:00" --end-time "2025-05-01 17:00:00"
# Combine multiple filters
python ufw_parser.py --action BLOCK --proto TCP --dst-port 26656
JSON Output
Export the parsed data to JSON format for integration with other tools or further processing:
# Export to JSON
python ufw_parser.py --output-json firewall_analysis.json
# Sample JSON output structure:
{
  "entries": [
    {
      "timestamp": "2025-05-01T12:34:56.000Z",
      "action": "BLOCK",
      "src_ip": "203.0.113.42",
      "src_port": 47402,
      "dst_ip": "192.168.1.5",
      "dst_port": 26656,
      "protocol": "TCP",
      "country": "China",
      "interface": "eth0"
    },
    // More entries...
  ],
  "summary": {
    "total_entries": 1253,
    "blocked_count": 1142,
    "allowed_count": 111,
    // More summary stats...
  }
}
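To make the parsing, filtering and statistics described in the Overview, Key Features and Filtering sections concrete, here is an added, self-contained Python example that turns raw UFW kernel log lines into entries with the field names shown in the JSON structure above and produces a summary in the same shape. It is written for this page and is not the ufw_parser project's own code. Assumptions: the log uses the traditional syslog timestamp (which carries no year, so 2025 is assumed), the sample lines are constructed with documentation-range addresses, and "geolocation" is left out because it needs an external database. Any action containing "BLOCK" (plain BLOCK and LIMIT BLOCK) is counted as blocked.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the syslog layout UFW writes to /var/log/ufw.log
# (documentation-range addresses; the sshd line is non-UFW noise the parser must skip).
SAMPLE_LOG = """\
May  1 12:34:56 validator kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.42 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=47402 DPT=26656 WINDOW=1024 RES=0x00 SYN URGP=0
May  1 12:35:01 validator kernel: [ 1239.101112] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.42 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54322 PROTO=TCP SPT=47403 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  1 12:35:07 validator kernel: [ 1245.000001] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.17 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=26656 WINDOW=64240 RES=0x00 SYN URGP=0
May  1 12:35:09 validator kernel: [ 1247.500000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.89 DST=192.168.1.5 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
May  1 12:35:12 validator kernel: [ 1250.250000] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.42 DST=192.168.1.5 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54323 PROTO=TCP SPT=47404 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  1 12:35:15 validator sshd[1234]: Accepted publickey for admin from 198.51.100.17 port 51002 ssh2
"""

# syslog timestamp, host, "kernel:", optional uptime stamp, "[UFW <ACTION>]", then KEY=VALUE fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?\[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_fields(text):
    """Split 'KEY=VALUE' tokens into a dict and bare tokens (SYN, DF, ...) into a set."""
    kv, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv.setdefault(key, value)  # keep the first value: ICMP lines carry ID= twice
        else:
            flags.add(tok)
    return kv, flags


def parse_line(line, year=2025):
    """Return one structured entry, or None for lines that are not UFW log records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv, flags = parse_fields(m.group("fields"))
    # syslog omits the year, so the caller supplies it (assumed 2025 here)
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts.isoformat(),
        "action": m.group("action"),
        "src_ip": kv.get("SRC"),
        "src_port": int(kv["SPT"]) if "SPT" in kv else None,  # ICMP has no ports
        "dst_ip": kv.get("DST"),
        "dst_port": int(kv["DPT"]) if "DPT" in kv else None,
        "protocol": kv.get("PROTO"),
        "interface": kv.get("IN") or None,  # OUT= is empty for inbound packets
        "tcp_flags": sorted(flags & TCP_FLAGS),
    }


def parse_log(text, year=2025):
    return [e for e in (parse_line(line, year) for line in text.splitlines()) if e]


def filter_entries(entries, **criteria):
    """Keep entries matching every criterion, e.g. action='BLOCK', dst_port=22."""
    return [e for e in entries if all(e.get(k) == v for k, v in criteria.items())]


def summarize(entries, top=5):
    blocked = [e for e in entries if "BLOCK" in e["action"]]  # BLOCK and LIMIT BLOCK
    allowed = [e for e in entries if e["action"] == "ALLOW"]
    total = len(entries)
    return {
        "total_entries": total,
        "blocked_count": len(blocked),
        "blocked_pct": round(100.0 * len(blocked) / total, 1) if total else 0.0,
        "allowed_count": len(allowed),
        "top_blocked_sources": Counter(e["src_ip"] for e in blocked).most_common(top),
        "top_targeted_ports": Counter(
            e["dst_port"] for e in blocked if e["dst_port"] is not None
        ).most_common(top),
    }


def to_json(entries):
    return json.dumps({"entries": entries, "summary": summarize(entries)}, indent=2)


if __name__ == "__main__":
    print(to_json(parse_log(SAMPLE_LOG)))
```

Two details matter in practice: the regex anchors on "kernel:" so unrelated syslog records sharing the file are dropped rather than mis-parsed, and the blocked/allowed split uses substring matching on the action because UFW's rate-limiting rules log as [UFW LIMIT BLOCK], which an exact comparison against "BLOCK" would silently miscount as neither.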
Security Audit Example
UFW Parser can be integrated into security auditing workflows to identify potential firewall misconfigurations:
Identifying Unnecessary Open Ports
#!/bin/bash
# Generate port usage report
echo "Generating port usage report..."
python ufw_parser.py --output-json /tmp/ufw_analysis.json

# Compare with expected open ports
expected_ports=(22 26656 26657 9090)
detected_ports=$(jq -r '.summary.allowed_ports | keys[]' /tmp/ufw_analysis.json)

# printf instead of echo: bash's builtin echo prints "\n" literally unless -e is given
printf '\nUnexpected open ports:\n'
for port in $detected_ports; do
    # Surrounding spaces keep 22 from matching inside 26656 or 9090
    if [[ ! " ${expected_ports[*]} " =~ " ${port} " ]]; then
        echo "WARNING: Port $port is open but not in the expected list"
        echo "Details:"
        python ufw_parser.py --dst-port "$port" --action ALLOW
    fi
done
Regular Firewall Review Script
Example bash script for scheduled firewall reviews:
#!/bin/bash
# Weekly firewall review script
# Add to crontab: 0 9 * * 1 /path/to/firewall_review.sh
LOG_DIR="/var/log"
REPORT_DIR="/home/admin/security_reports"
DATE=$(date +%Y-%m-%d)

# Create weekly directory
mkdir -p "$REPORT_DIR/$DATE"

# Generate basic report
python /path/to/ufw_parser.py --log-file "$LOG_DIR/ufw.log" --output-txt "$REPORT_DIR/$DATE/weekly_summary.txt" --summary

# Generate detailed report of blocked traffic
python /path/to/ufw_parser.py --log-file "$LOG_DIR/ufw.log" --action BLOCK --output-csv "$REPORT_DIR/$DATE/blocked_traffic.csv"

# Check for repeated access attempts (potential attacks)
python /path/to/ufw_parser.py --log-file "$LOG_DIR/ufw.log" --threshold 50 --output-json "$REPORT_DIR/$DATE/potential_attacks.json"

# Email the reports
# "-a FILE" attaches a file with bsd-mailx/s-nail; GNU mailutils uses "-A FILE" for
# attachments and treats "-a" as "append header", so adjust for the mail client installed.
if [ -f "$REPORT_DIR/$DATE/potential_attacks.json" ]; then
    # Check if potential attacks were detected ("// 0" keeps -gt from failing on a missing key)
    ATTACK_COUNT=$(jq '.summary.potential_attacks // 0' "$REPORT_DIR/$DATE/potential_attacks.json")
    if [ "$ATTACK_COUNT" -gt 0 ]; then
        echo "Potential attack patterns detected. See attached reports." | mail -s "URGENT: Firewall Security Review $DATE" -a "$REPORT_DIR/$DATE/weekly_summary.txt" -a "$REPORT_DIR/$DATE/potential_attacks.json" admin@example.com
    else
        echo "Weekly firewall review completed. See attached report." | mail -s "Firewall Security Review $DATE" -a "$REPORT_DIR/$DATE/weekly_summary.txt" admin@example.com
    fi
fi
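The review script above relies on the tool's --threshold option, and the Key Features list describes "Security Alerting" for repeated access attempts, but neither says how repeated attempts are counted. The following added Python example shows one defensible way to do it: per source IP, count blocked entries inside a sliding time window and flag sources whose peak reaches the threshold, so a slow trickle over hours is not confused with a burst. This is illustration code written for this page, not the project's implementation of --threshold, whose exact semantics are assumed here; the entries are constructed in the documented JSON entry shape (one bursty source, one slow source, one allowed peer) rather than taken from real output.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def _entry(ts, src, action="BLOCK", dst_port=22):
    """Build one entry in the documented JSON shape (constructed test data, not parser output)."""
    return {
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "action": action,
        "src_ip": src,
        "src_port": 40000,
        "dst_ip": "192.168.1.5",
        "dst_port": dst_port,
        "protocol": "TCP",
        "interface": "eth0",
    }


T0 = datetime(2025, 5, 1, 12, 0, 0)
ENTRIES = (
    # burst: 60 blocked SYNs to port 22 within five minutes
    [_entry(T0 + timedelta(seconds=5 * i), "203.0.113.42") for i in range(60)]
    # slow: 20 blocked attempts spread over two hours, one every six minutes
    + [_entry(T0 + timedelta(minutes=6 * i), "198.51.100.17") for i in range(20)]
    # legitimate peer: allowed P2P connections, never counted
    + [_entry(T0 + timedelta(minutes=i), "192.0.2.10", "ALLOW", 26656) for i in range(30)]
)


def _parse_ts(s):
    # fromisoformat() does not accept a trailing "Z" before Python 3.11, so normalise it
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def flag_repeated_sources(entries, threshold=50, window=timedelta(minutes=10)):
    """Return {src_ip: details} for sources with >= threshold blocked entries in any window."""
    times_by_src = defaultdict(list)
    ports_by_src = defaultdict(Counter)
    for e in entries:
        if "BLOCK" not in e["action"]:  # BLOCK and LIMIT BLOCK count; ALLOW does not
            continue
        times_by_src[e["src_ip"]].append(_parse_ts(e["timestamp"]))
        if e["dst_port"] is not None:
            ports_by_src[e["src_ip"]][e["dst_port"]] += 1

    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        recent = deque()  # timestamps inside the current window
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:  # drop entries older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[src] = {
                "peak_in_window": peak,
                "total_blocked": len(times),
                "ports": [p for p, _ in ports_by_src[src].most_common()],
            }
    return flagged


def potential_attack_summary(entries, threshold=50):
    """Summary in the shape the review script reads with jq ('.summary.potential_attacks')."""
    flagged = flag_repeated_sources(entries, threshold)
    return {"potential_attacks": len(flagged), "sources": flagged}


if __name__ == "__main__":
    print(potential_attack_summary(ENTRIES))
```

Lowering the threshold or widening the window trades false positives for sensitivity: with the defaults only the bursty source is flagged, while a threshold of 2 also catches the slow source, whose peak inside any ten-minute window is just two attempts. The window-based count is what keeps a weekly report from ranking a quiet but persistent scanner above a short, intense one.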
Related Resources
- UFW Documentation - Official documentation for the Uncomplicated Firewall
- Securing Validator Nodes - Best practices for securing Cosmos validator nodes
- Linux Server Security Guide - Comprehensive guide to securing Linux servers
- IP Geolocation Databases - Free and commercial IP geolocation databases for enhanced log analysis