RE: UFW logging

> -----Original Message-----
> 
> Hello Dermot,
> 
> as far as I can see, HTTP is blocked (DPT=80).
> 
> Why are you using UFW? You've got a DMZ?
> 
> 
> Regards Marcel

Well I really hope that port 80 is open! I have not heard any complaints 
from users and I can still connect.

The command I ran was `ufw allow "Apache Full"`. This should have 
enabled the profile for Apache that is stored in 
/etc/ufw/applications.d/apache2.2-common. 

I am using UFW because I wanted to reject connections from those hosts 
that I could find in the httpd logs that were attempting to run the php 
exploits I mentioned. There is a firewall in front of the server. The 
rules for the firewall allow all traffic to port 80 but it's not 
directly under my control. I thought that UFW would give me finer 
control over what hosts could connect.

Are you saying that the log entries I mentioned are for connections to 
port 80? Out of 300 log entries, 288 refer to DPT=80. 

I thought this rule would allow traffic to port 80:

ACCEPT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 80,443 /* 'dapp_Apache%20Full'

Is it possible that these log entries refer to blocks to port 80 for 
some other reason, incomplete packets perhaps?

Thanks,
Dermot.


Here are a few more log entries:

Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54
ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN
URGP=0
Dec 20 15:17:10 spl-live-04 kernel: [4815880.590616] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54
ID=12876 PROTO=TCP SPT=38735 DPT=80 WINDOW=65535 RES=0x00 ACK FIN
URGP=0
Dec 20 15:17:30 spl-live-04 kernel: [4815900.544664] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54
ID=42844 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN
URGP=0
Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=46.103.144.234 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54
ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST
URGP=0
Dec 20 15:18:11 spl-live-04 kernel: [4815940.856559] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=167.21.254.12 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=50
ID=22633 PROTO=TCP SPT=56527 DPT=80 WINDOW=65535 RES=0x00 ACK FIN
URGP=0
Dec 20 15:18:31 spl-live-04 kernel: [4815961.228775] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=194.209.88.151 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=49
ID=36073 PROTO=TCP SPT=59930 DPT=80 WINDOW=65535 RES=0x00 ACK FIN
URGP=0
Dec 20 15:18:50 spl-live-04 kernel: [4815980.576344] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=145.36.235.4 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=53
ID=45980 PROTO=TCP SPT=27691 DPT=80 WINDOW=1032 RES=0x00 ACK FIN
URGP=0
Dec 20 15:19:11 spl-live-04 kernel: [4816001.276032] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=82.137.200.53 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=47
ID=36569 PROTO=TCP SPT=62544 DPT=80 WINDOW=1032 RES=0x00 ACK FIN
URGP=0
Dec 20 15:19:31 spl-live-04 kernel: [4816021.003750] [UFW BLOCK]
IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
SRC=34.254.119.222 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=58
ID=34212 PROTO=TCP SPT=53102 DPT=80 WINDOW=65535 RES=0x00 ACK FIN
URGP=0

> > -----Original Message-----
> > From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-
> > owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> > Sent: Tuesday, December 20, 2011 3:03 PM
> > To: linux-admin@xxxxxxxxxxxxxxx
> > Subject: UFW logging
> >
> > Hi,
> >
> > I noticed on our company http server that I had a lot of 'probes'. My
> > logwatch file (text-mode) is 3+MB and rising. I have thousands of
> > entries in my logwatch reports:
> >
> > A total of 5711 sites probed the server
> >     1.152.198.116
> >     1.22.185.5
> >     1.23.105.130
> >     1.38.24.232
> >     1.38.25.24
> >     1.39.95.219
> >     1.53.101.185
> >     101.108.239.43
> > ...
> > ...
> > ...
> >
> > I'm not sure what the above probes are. Any help in understanding the
> > above would be appreciated.
> >
> > I also have several entries like this:
> >
> > A total of 4 possible successful probes were detected (the following
> > URLs
> >  contain strings that match one or more of a listing of strings that
> >  indicate a possible exploit):
> >
> >
> >
> > /images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
> >     /?
> >
> > I believe these are php exploits.
> >
> > To help secure the server, I installed UFW, enabled and allowed HTTP,
> > HTTPS and SSH. I then monitored the logs to see what was happening. What
> > I am not clear on is what service the log entries below refer to.
> >
> >
> > Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK]
> > IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
> > SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109
> > ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN
> > URGP=0
> > Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK]
> > IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
> > SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55
> > ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST
> > URGP=0
> >
> > I am getting an entry like this every 20-30 seconds. Can anyone tell me
> > what service/port is being blocked in the above log entries?
> >
> > Below are the rules at the moment.
> > Thanks in advance,
> > Dermot
> >
> > Chain ufw-user-input (1 references)
> >     pkts      bytes target     prot opt in     out     source
> >      destination
> >    29164  1620981 ACCEPT     tcp  --  *      *       0.0.0.0/0
> >    0.0.0.0/0           tcp dpt:80 /* 'dapp_Apache' */
> >     5151   299728 ACCEPT     tcp  --  *      *       0.0.0.0/0
> >    0.0.0.0/0           multiport dports 80,443 /* 'dapp_Apache%20Full' */
> >        3      180 ACCEPT     tcp  --  *      *       0.0.0.0/0
> >    0.0.0.0/0           tcp dpt:22 /* 'dapp_OpenSSH' */
> >        0        0 REJECT     all  --  *      *       220.162.244.251
> >    0.0.0.0/0           reject-with icmp-port-unreachable
> >        0        0 REJECT     all  --  *      *       217.115.199.40
> >    0.0.0.0/0           reject-with icmp-port-unreachable
> >        0        0 REJECT     all  --  *      *       93.84.116.216
> >    0.0.0.0/0           reject-with icmp-port-unreachable
> >        0        0 REJECT     all  --  *      *       85.10.204.194
> >    0.0.0.0/0           reject-with icmp-port-unreachable
> >        0        0 REJECT     all  --  *      *       221.232.155.6
> >    0.0.0.0/0           reject-with icmp-port-unreachable
> >        0        0 REJECT     all  --  *      *       122.255.96.164
> >    0.0.0.0/0           reject-with icmp-port-unreachable
> >        0        0 REJECT     all  --  *      *       77.240.21.131
> >    0.0.0.0/0           reject-with icmp-port-unreachable
> >        0        0 REJECT     all  --  *      *       83.170.79.6
> >    0.0.0.0/0           reject-with icmp-port-unreachable
> >
> > Chain ufw-user-forward (1 references)
> >     pkts      bytes target     prot opt in     out     source
> >      destination
> >
> > Chain ufw-user-output (1 references)
> >     pkts      bytes target     prot opt in     out     source
> >      destination
> >
> > Chain ufw-user-limit-accept (0 references)
> >     pkts      bytes target     prot opt in     out     source
> >      destination
> >        0        0 ACCEPT     all  --  *      *       0.0.0.0/0
> >    0.0.0.0/0
> >
> > Chain ufw-user-limit (0 references)
> >     pkts      bytes target     prot opt in     out     source
> >      destination
> >        0        0 LOG        all  --  *      *       0.0.0.0/0
> >    0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 4
> > prefix `[UFW LIMIT BLOCK] '
> >        0        0 REJECT     all  --  *      *       0.0.0.0/0
> >    0.0.0.0/0           reject-with icmp-port-unreachable


--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
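Dermot's closing guess (blocks to port 80 "for some other reason, incomplete packets perhaps") is the right track: every quoted port-80 entry carries ACK FIN or ACK RST and no SYN, so each is a closing segment of a connection, not a connection attempt. UFW's default ruleset drops and logs packets that conntrack classifies as INVALID before the user's ACCEPT rules are evaluated, and a FIN or RST that arrives after the tracked connection state is gone is exactly that, so such a packet is logged as [UFW BLOCK] even though port 80 is allowed and the Apache profile is working. The script below is an added example, not code from this list, from Ubuntu or from the UFW project: it parses UFW log lines and separates stale closing segments from genuine SYN attempts, which is the check to run before concluding that a rule is broken. The sample lines are the thread's own entries re-joined onto one line each (syslog writes them that way; the mailer wrapped them) plus two constructed lines from documentation addresses (198.51.100.7, 203.0.113.9); ALLOWED_TCP_PORTS is taken from the quoted ufw-user-input chain and is an assumption about the server.

```python
"""Triage [UFW BLOCK] log lines: tell stale segments of finished connections
apart from genuine connection attempts.

Added example for the thread; not code from the list, from Ubuntu or from UFW.
Assumption (labelled): UFW's default before.rules drops and logs packets that
conntrack marks INVALID before the user's ACCEPT rules run, so a FIN or RST
arriving after the connection state has expired shows up as [UFW BLOCK] even
on an allowed port. ALLOWED_TCP_PORTS mirrors the ruleset quoted in the thread.
"""
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
ALLOWED_TCP_PORTS = {"22", "80", "443"}  # from the quoted ufw-user-input chain (assumed)

# Sample input: the thread's own entries re-joined onto one line each, plus two
# constructed lines (198.51.100.7 and 203.0.113.9 are documentation addresses).
SAMPLE_LOG = """\
Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=46.103.144.234 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
Dec 20 15:20:03 spl-live-04 kernel: [4816053.112233] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=198.51.100.7 DST=217.222.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 20 15:20:09 spl-live-04 kernel: [4816059.445566] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.9 DST=217.222.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] \[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$"
)


def parse_ufw_line(line):
    """Return a dict of the netfilter fields, or None if the line is not a UFW log line.

    Bare tokens (DF, SYN, ACK, FIN, RST, ...) carry no '=' and are collected under
    'flags'; 'OUT=' with an empty value is kept as an empty string.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = {"ts": m["ts"], "host": m["host"], "action": m["action"], "flags": []}
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:
            entry[key] = val
        else:
            entry["flags"].append(tok)
    return entry


def classify(entry):
    """Verdict for one parsed entry, based on the TCP flags netfilter printed."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags = set(entry["flags"]) & TCP_FLAGS
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is a real connection attempt. Blocked on an allowed port it
        # means the ACCEPT rule is not matching; on any other port it is just noise.
        if entry.get("DPT") in ALLOWED_TCP_PORTS:
            return "syn-to-allowed-port"
        return "new-connection-attempt"
    if flags & {"FIN", "RST"}:
        # FIN/RST without SYN: a closing segment for which conntrack holds no state,
        # i.e. a leftover of a finished connection, not a new access.
        return "stale-closing-segment"
    return "out-of-state-data"


def triage(log_text):
    """Count verdicts and the (SRC, DPT) pairs behind genuine connection attempts."""
    verdicts = Counter()
    attempts = Counter()
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        verdicts[verdict] += 1
        if verdict in ("new-connection-attempt", "syn-to-allowed-port"):
            attempts[(entry["SRC"], entry.get("DPT"))] += 1
    return verdicts, attempts


if __name__ == "__main__":
    counts, sources = triage(SAMPLE_LOG)
    for verdict, n in counts.most_common():
        print(f"{n:5d}  {verdict}")
    for (src, dpt), n in sources.most_common():
        print(f"{n:5d}  {src} -> port {dpt}")
```

Run it against a real log with `triage(open("/var/log/ufw.log").read())` (or kern.log, depending on the rsyslog setup). If the port-80 entries all come out as `stale-closing-segment`, the Apache profile is fine and the noise is cosmetic; only `syn-to-allowed-port` verdicts would point at a rule-order or profile problem, and the `new-connection-attempt` counter per (SRC, DPT) is the list worth feeding into per-host reject rules.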
