Hi,

I noticed on our company HTTP server that I had a lot of 'probes'. My logwatch file (text mode) is 3+ MB and rising. I have thousands of entries in my logwatch reports:

A total of 5711 sites probed the server
    1.152.198.116
    1.22.185.5
    1.23.105.130
    1.38.24.232
    1.38.25.24
    1.39.95.219
    1.53.101.185
    101.108.239.43
    ...
    ...
    ...

I'm not sure what the above probes are. Any help in understanding the above would be appreciated.

I also have several entries like this:

A total of 4 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
    /images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
    /?

I believe these are PHP exploits.

To help secure the server, I installed UFW, enabled it, and allowed HTTP, HTTPS and SSH. I then monitored the logs to see what was happening. What I am not clear on is what service the log entries below refer to.

Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0

I am getting an entry like this every 20-30 seconds. Can anyone tell me what service/port is being blocked in the above log entries?

Below are the rules at the moment.
Thanks in advance,
Dermot

Chain ufw-user-input (1 references)
 pkts   bytes target     prot opt in     out     source               destination
29164 1620981 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* 'dapp_Apache' */
 5151  299728 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 /* 'dapp_Apache%20Full' */
    3     180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* 'dapp_OpenSSH' */
    0       0 REJECT     all  --  *      *       220.162.244.251      0.0.0.0/0            reject-with icmp-port-unreachable
    0       0 REJECT     all  --  *      *       217.115.199.40       0.0.0.0/0            reject-with icmp-port-unreachable
    0       0 REJECT     all  --  *      *       93.84.116.216        0.0.0.0/0            reject-with icmp-port-unreachable
    0       0 REJECT     all  --  *      *       85.10.204.194        0.0.0.0/0            reject-with icmp-port-unreachable
    0       0 REJECT     all  --  *      *       221.232.155.6        0.0.0.0/0            reject-with icmp-port-unreachable
    0       0 REJECT     all  --  *      *       122.255.96.164       0.0.0.0/0            reject-with icmp-port-unreachable
    0       0 REJECT     all  --  *      *       77.240.21.131        0.0.0.0/0            reject-with icmp-port-unreachable
    0       0 REJECT     all  --  *      *       83.170.79.6          0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-forward (1 references)
 pkts   bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts   bytes target     prot opt in     out     source               destination

Chain ufw-user-limit-accept (0 references)
 pkts   bytes target     prot opt in     out     source               destination
    0       0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-limit (0 references)
 pkts   bytes target     prot opt in     out     source               destination
    0       0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
    0       0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
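The question the post ends with (which service/port do the [UFW BLOCK] lines refer to) can be answered by reading the log fields rather than the rule table: DPT=80 is the destination port, so both packets were aimed at HTTP, which the ufw-user-input chain already ACCEPTs. What gets them dropped is the flag set, ACK FIN and ACK RST with no SYN. ufw's default before.rules drop and log (with the same [UFW BLOCK] prefix) any packet whose conntrack state is INVALID, and a FIN or RST belonging to a connection the tracker has already forgotten is the textbook case. On a busy web server that is routine end-of-session noise, not a new probe, whereas a bare SYN to a port with no ACCEPT rule would be an actual connection attempt. The following is an added example written for this page, not Dermot's code and not part of ufw; it parses the netfilter LOG line format as shown in the post and sorts blocked TCP packets into those two buckets. The first two sample lines are the ones from the post (with the masked DST kept as-is); the third line, the 203.0.113.9 source and the port-to-service table are constructed for contrast in place of /etc/services.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines 1 and 2 are the ones quoted in the post, line 3 is a
# made-up bare SYN to port 23 from a documentation-range address for comparison.
SAMPLE_LOG = """\
Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
Dec 20 13:11:30 myserver kernel: [4808340.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.9 DST=217.222.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Netfilter LOG lines carry "[UFW BLOCK]" (or "[UFW LIMIT BLOCK]") followed by
# KEY=VALUE pairs; TCP flags (SYN, ACK, FIN, RST, ...) and DF appear as bare tokens.
UFW_PREFIX_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\]\s+(?P<rest>.*)$")

# Constructed subset of /etc/services; socket.getservbyport() would consult the real file.
SERVICE_BY_PORT: Dict[int, str] = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

NEW_CONNECTION = "new-connection"  # bare SYN: someone trying to open a session
STRAY_CLOSE = "stray-close"        # FIN/RST without SYN: tail of a session conntrack forgot
OTHER = "other"


@dataclass
class BlockedPacket:
    timestamp: str
    action: str
    fields: Dict[str, str]
    flags: List[str]

    @property
    def dport(self) -> int:
        return int(self.fields.get("DPT", "0"))


def parse_ufw_line(line: str) -> Optional[BlockedPacket]:
    """Split one syslog line into its KEY=VALUE fields and bare flag tokens."""
    m = UFW_PREFIX_RE.search(line)
    if m is None:
        return None
    timestamp = " ".join(line.split()[:3])  # e.g. "Dec 20 13:10:35"
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value  # OUT= keeps an empty value
        else:
            flags.append(tok)
    return BlockedPacket(timestamp, m.group("action"), fields, flags)


def service_name(port: int) -> str:
    return SERVICE_BY_PORT.get(port, f"port-{port}")


def classify(pkt: BlockedPacket) -> str:
    """Was the blocked TCP packet a connection attempt or leftover traffic?"""
    if pkt.fields.get("PROTO") != "TCP":
        return OTHER
    tcp = {f for f in pkt.flags if f in TCP_FLAGS}
    if "SYN" in tcp and "ACK" not in tcp:
        return NEW_CONNECTION
    if "SYN" not in tcp and ({"FIN", "RST"} & tcp):
        return STRAY_CLOSE
    return OTHER


def summarize(log_text: str) -> Dict[Tuple[str, str], int]:
    """Count blocked packets by (destination service, classification)."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in log_text.splitlines():
        pkt = parse_ufw_line(line)
        if pkt is None:
            continue
        key = (service_name(pkt.dport), classify(pkt))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        pkt = parse_ufw_line(line)
        if pkt is not None:
            print(f"{pkt.timestamp} {pkt.fields['SRC']} -> {service_name(pkt.dport)} "
                  f"flags={' '.join(pkt.flags)} => {classify(pkt)}")
    print(summarize(SAMPLE_LOG))
```

Run against a real /var/log/syslog or /var/log/ufw.log, the summary separates the stray-close noise on http from the bare SYNs that deserve attention; if the stray-close count on an allowed port is the bulk of the entries, the fix is usually to lower ufw's logging level rather than to add more REJECT rules.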