Hello Dermot,

as far as I can see, HTTP is blocked (DPT=80). Why are you using UFW? You've got a DMZ?

Regards
Marcel

> -----Original Message-----
> From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> Sent: Tuesday, December 20, 2011 3:03 PM
> To: linux-admin@xxxxxxxxxxxxxxx
> Subject: UFW logging
>
> Hi,
>
> I noticed on our company http server that I had a lot of 'probes'. My logwatch file (text-mode) is 3+MB and rising. I have thousands of entries in my logwatch reports:
>
> A total of 5711 sites probed the server
> 1.152.198.116
> 1.22.185.5
> 1.23.105.130
> 1.38.24.232
> 1.38.25.24
> 1.39.95.219
> 1.53.101.185
> 101.108.239.43
> ...
> ...
> ...
>
> I'm not sure what the above probes are. Any help in understanding the above would be appreciated.
>
> I also have several entries like this:
>
> A total of 4 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
>
> /images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
> /?
>
> I believe these are php exploits.
>
> To help secure the server, I installed UFW, enabled and allowed HTTP, HTTPS and SSH. I then monitored the logs to see what was happening. What I am not clear on is what service the log entries below refer to.
>
> Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
> Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
>
> I am getting an entry like this every 20-30 seconds. Can anyone tell me what service/port is being blocked in the above log entries?
>
> Below are the rules at the moment.
> Thanks in advance,
> Dermot
>
> Chain ufw-user-input (1 references)
>  pkts   bytes target prot opt in  out source           destination
> 29164 1620981 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:80 /* 'dapp_Apache' */
>  5151  299728 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    multiport dports 80,443 /* 'dapp_Apache%20Full' */
>     3     180 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:22 /* 'dapp_OpenSSH' */
>     0       0 REJECT all  --  *   *   220.162.244.251  0.0.0.0/0    reject-with icmp-port-unreachable
>     0       0 REJECT all  --  *   *   217.115.199.40   0.0.0.0/0    reject-with icmp-port-unreachable
>     0       0 REJECT all  --  *   *   93.84.116.216    0.0.0.0/0    reject-with icmp-port-unreachable
>     0       0 REJECT all  --  *   *   85.10.204.194    0.0.0.0/0    reject-with icmp-port-unreachable
>     0       0 REJECT all  --  *   *   221.232.155.6    0.0.0.0/0    reject-with icmp-port-unreachable
>     0       0 REJECT all  --  *   *   122.255.96.164   0.0.0.0/0    reject-with icmp-port-unreachable
>     0       0 REJECT all  --  *   *   77.240.21.131    0.0.0.0/0    reject-with icmp-port-unreachable
>     0       0 REJECT all  --  *   *   83.170.79.6      0.0.0.0/0    reject-with icmp-port-unreachable
>
> Chain ufw-user-forward (1 references)
>  pkts   bytes target prot opt in  out source           destination
>
> Chain ufw-user-output (1 references)
>  pkts   bytes target prot opt in  out source           destination
>
> Chain ufw-user-limit-accept (0 references)
>  pkts   bytes target prot opt in  out source           destination
>     0       0 ACCEPT all  --  *   *   0.0.0.0/0        0.0.0.0/0
>
> Chain ufw-user-limit (0 references)
>  pkts   bytes target prot opt in  out source           destination
>     0       0 LOG    all  --  *   *   0.0.0.0/0        0.0.0.0/0    limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
>     0       0 REJECT all  --  *   *   0.0.0.0/0        0.0.0.0/0    reject-with icmp-port-unreachable
> --
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
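The two [UFW BLOCK] lines quoted above have DPT=80 (HTTP) but carry ACK FIN and ACK RST with no SYN, so they are not new connection attempts: they are tail-end packets for HTTP connections that conntrack no longer tracks, which UFW drops as INVALID before the user ACCEPT rule is ever consulted. The following is an added example, not code from the thread, that parses such lines, maps DPT to the services Dermot allowed, and separates these stray packets from real SYN probes; the third sample line (source 198.51.100.7, port 3306) is constructed.

```python
import re
from collections import Counter

# Sample log: the two [UFW BLOCK] lines from the thread plus one constructed
# SYN to port 3306 (placeholder source address and port, not from the thread).
SAMPLE_LOG = """\
Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
Dec 20 13:12:07 myserver kernel: [4808377.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=198.51.100.7 DST=217.222.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=777 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")                   # KEY=VALUE tokens (OUT= is empty)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens printed after RES=
SERVICES = {"22": "ssh", "80": "http", "443": "https"}  # the ports allowed in the thread

def parse_ufw_block(line):
    """Return the KEY=VALUE fields of a [UFW BLOCK] line plus a FLAGS set, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    tail = line.split("[UFW BLOCK]", 1)[1]
    entry = dict(FIELD_RE.findall(tail))
    entry["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return entry

def classify(entry):
    """Map a blocked packet to (dst port, service name, why it was probably blocked)."""
    port = entry.get("DPT", "?")
    flags = entry["FLAGS"]
    if entry.get("PROTO") != "TCP":
        kind = "non-tcp"
    elif "SYN" in flags and "ACK" not in flags:
        kind = "new connection attempt"                    # a real probe or client connect
    elif flags & {"ACK", "FIN", "RST"}:
        kind = "late packet for an untracked connection"   # conntrack state already expired
    else:
        kind = "other"
    return port, SERVICES.get(port, "unknown"), kind

def summarize(log_text):
    """Count blocked packets per (port, service, kind) so noise and probes separate."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_ufw_block(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return counts

if __name__ == "__main__":
    for (port, service, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  DPT={port:<5} ({service})  {kind}")
```

Run it over /var/log/ufw.log (or wherever syslog sends kernel messages) instead of SAMPLE_LOG to see how much of the every-20-seconds noise is port-80 teardown traffic versus genuine SYNs to ports that are not open.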