The lines containing " ... [UFW BLOCK] ...PROTO=TCP SPT=56527 DPT=80 " definitively refer to HTTP, for me. Maybe it's best to inform your security team about your problems. They have better weapons than ufw. ;)

The source IPs are changing quickly, so it's not possible to set a connection limit per host. Have you set a connection limit for your websites?

Regards
Marcel

> -----Original Message-----
> From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> Sent: Tuesday, December 20, 2011 4:30 PM
> To: linux-admin@xxxxxxxxxxxxxxx
> Subject: RE: UFW logging
>
> > -----Original Message-----
> >
> > Hello Dermot,
> >
> > as far as I can see, HTTP is blocked (DPT=80).
> >
> > Why are you using UFW. You've got a DMZ?
> >
> > Regards Marcel
>
> Well I really hope that port 80 is open! I have not heard any complaints from users and I can still connect.
>
> The command I ran was `ufw allow "Apache Full"`. This should have enabled the profile for Apache that is stored in /etc/ufw/applications.d/apache2.2-common.
>
> I am using UFW because I wanted to reject connections from those hosts that I could find in the httpd logs that were attempting to run the php exploits I mentioned. There is a firewall in front of the server. The rules for the firewall allow all traffic to port 80 but it's not directly under my control. I thought that UFW would give me finer control over what hosts could connect.
>
> Are you saying that the log entries I mentioned are for connections to port 80? Out of 300 log entries, 288 refer to DPT=80.
>
> I thought this rule would allow traffic to port 80:
>
> ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 /* 'dapp_Apache%20Full'
>
> Is it possible that these log entries refer to blocks to port 80 for some other reason, incomplete packets perhaps?
>
> Thanks,
> Dermot.
>
> Here are a few more log entries:
>
> Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:17:10 spl-live-04 kernel: [4815880.590616] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12876 PROTO=TCP SPT=38735 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:17:30 spl-live-04 kernel: [4815900.544664] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=42844 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=46.103.144.234 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
> Dec 20 15:18:11 spl-live-04 kernel: [4815940.856559] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=167.21.254.12 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=22633 PROTO=TCP SPT=56527 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:18:31 spl-live-04 kernel: [4815961.228775] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.209.88.151 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=36073 PROTO=TCP SPT=59930 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:18:50 spl-live-04 kernel: [4815980.576344] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=145.36.235.4 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=45980 PROTO=TCP SPT=27691 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
> Dec 20 15:19:11 spl-live-04 kernel: [4816001.276032] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=82.137.200.53 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=36569 PROTO=TCP SPT=62544 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
> Dec 20 15:19:31 spl-live-04 kernel: [4816021.003750] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=34.254.119.222 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=34212 PROTO=TCP SPT=53102 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
>
> > > -----Original Message-----
> > > From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> > > Sent: Tuesday, December 20, 2011 3:03 PM
> > > To: linux-admin@xxxxxxxxxxxxxxx
> > > Subject: UFW logging
> > >
> > > Hi,
> > >
> > > I noticed on our company http server that I had a lot of 'probes'. My logwatch file (text-mode) is 3+MB and rising. I have thousands of entries in my logwatch reports:
> > >
> > > A total of 5711 sites probed the server
> > >    1.152.198.116
> > >    1.22.185.5
> > >    1.23.105.130
> > >    1.38.24.232
> > >    1.38.25.24
> > >    1.39.95.219
> > >    1.53.101.185
> > >    101.108.239.43
> > >    ...
> > >    ...
> > >    ...
> > >
> > > I'm not sure what the above probes are. Any help in understanding the above would be appreciated.
> > >
> > > I also have several entries like this:
> > >
> > > A total of 4 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
> > >
> > >    /images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
> > >    /?
> > >
> > > I believe these are php exploits.
> > >
> > > To help secure the server, I installed UFW, enabled and allowed HTTP, HTTPS and SSH. I then monitored the logs to see what was happening. What I am not clear on is what service the log entries below refer to.
> > >
> > > Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
> > > Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
> > >
> > > I am getting an entry like this every 20-30 seconds. Can anyone tell me what service/port is being blocked in the above log entries?
> > >
> > > Below are the rules at the moment.
> > > Thanks in advance,
> > > Dermot
> > >
> > > Chain ufw-user-input (1 references)
> > >  pkts   bytes target prot opt in  out source           destination
> > > 29164 1620981 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:80 /* 'dapp_Apache' */
> > >  5151  299728 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    multiport dports 80,443 /* 'dapp_Apache%20Full' */
> > >     3     180 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:22 /* 'dapp_OpenSSH' */
> > >     0       0 REJECT all  --  *   *   220.162.244.251  0.0.0.0/0    reject-with icmp-port-unreachable
> > >     0       0 REJECT all  --  *   *   217.115.199.40   0.0.0.0/0    reject-with icmp-port-unreachable
> > >     0       0 REJECT all  --  *   *   93.84.116.216    0.0.0.0/0    reject-with icmp-port-unreachable
> > >     0       0 REJECT all  --  *   *   85.10.204.194    0.0.0.0/0    reject-with icmp-port-unreachable
> > >     0       0 REJECT all  --  *   *   221.232.155.6    0.0.0.0/0    reject-with icmp-port-unreachable
> > >     0       0 REJECT all  --  *   *   122.255.96.164   0.0.0.0/0    reject-with icmp-port-unreachable
> > >     0       0 REJECT all  --  *   *   77.240.21.131    0.0.0.0/0    reject-with icmp-port-unreachable
> > >     0       0 REJECT all  --  *   *   83.170.79.6      0.0.0.0/0    reject-with icmp-port-unreachable
> > >
> > > Chain ufw-user-forward (1 references)
> > >  pkts   bytes target prot opt in  out source           destination
> > >
> > > Chain ufw-user-output (1 references)
> > >  pkts   bytes target prot opt in  out source           destination
> > >
> > > Chain ufw-user-limit-accept (0 references)
> > >  pkts   bytes target prot opt in  out source           destination
> > >     0       0 ACCEPT all  --  *   *   0.0.0.0/0        0.0.0.0/0
> > >
> > > Chain ufw-user-limit (0 references)
> > >  pkts   bytes target prot opt in  out source           destination
> > >     0       0 LOG    all  --  *   *   0.0.0.0/0        0.0.0.0/0    limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
> > >     0       0 REJECT all  --  *   *   0.0.0.0/0        0.0.0.0/0    reject-with icmp-port-unreachable

--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
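One check a reader can make on the entries as posted, added here as an example and not part of the thread: every blocked packet carries ACK FIN or ACK RST, and none carries SYN. A packet without SYN is not a new connection attempt on port 80; it is the tail end of a connection (FIN or RST arriving after the kernel's connection tracking has forgotten the flow), which ufw's default before.rules drop as conntrack state INVALID and, at log level medium or higher, report with the same "[UFW BLOCK]" prefix as a real deny. The script below parses UFW BLOCK lines and separates genuine SYN attempts, which are the only ones worth turning into per-host reject rules, from stray teardown packets. The first two sample lines follow Dermot's posted entries (with the masked destination octet left as "x"); the SYN, UDP and sshd lines are constructed to exercise the other branches and use RFC 5737 documentation addresses.

```python
"""Classify [UFW BLOCK] kernel log lines by protocol and TCP flags.

Added example, not part of the mailing-list thread.  The first two sample
lines follow the entries posted in the thread; the remaining lines are
constructed to show the other cases and use documentation addresses.
"""
from collections import Counter

# netfilter's LOG target prints these as bare words, not KEY=VALUE pairs.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
IP_FLAGS = {"DF", "MF", "CE"}

SAMPLE_LOG = """\
Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=46.103.144.234 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
Dec 20 15:20:03 spl-live-04 kernel: [4816053.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.9 DST=217.222.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 20 15:20:09 spl-live-04 kernel: [4816059.000002] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=198.51.100.7 DST=217.222.0.x LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=7 PROTO=UDP SPT=5353 DPT=5060 LEN=8
Dec 20 15:20:11 spl-live-04 sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2
"""


def parse_ufw_block(line):
    """Return the fields of one '[UFW BLOCK]' line as a dict, or None.

    KEY=VALUE tokens become entries; bare flag words are collected into
    the 'tcp_flags' and 'ip_flags' sets.  Lines without the prefix (other
    kernel messages, sshd, ...) are skipped by returning None.
    """
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    fields = {"tcp_flags": set(), "ip_flags": set()}
    for tok in line.split(marker, 1)[1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # OUT= yields an empty string
        elif tok in TCP_FLAGS:
            fields["tcp_flags"].add(tok)
        elif tok in IP_FLAGS:
            fields["ip_flags"].add(tok)
    return fields


def classify(fields):
    """Label a parsed entry by what kind of packet the firewall dropped."""
    if fields.get("PROTO") != "TCP":
        return "non-tcp"
    flags = fields["tcp_flags"]
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is a genuine attempt to open a connection.
        return "new-connection"
    if "ACK" in flags and flags & {"FIN", "RST"}:
        # FIN/RST with ACK but no SYN: teardown of a connection the
        # kernel no longer tracks, dropped as conntrack state INVALID.
        return "stray-teardown"
    return "other"


def summarize(log_text):
    """Count (DPT, class) pairs over all [UFW BLOCK] lines in log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields is not None:
            counts[(fields.get("DPT"), classify(fields))] += 1
    return counts


def new_connection_sources(log_text):
    """List (SRC, DPT) for blocked packets that were real connect attempts.

    These are the only entries worth feeding into a per-host reject rule;
    ACK FIN / ACK RST leftovers say nothing about who is probing.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields is not None and classify(fields) == "new-connection":
            hits.append((fields["SRC"], fields["DPT"]))
    return hits


if __name__ == "__main__":
    for (dpt, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"DPT={dpt:<5} {kind:<15} {n}")
    print("real connection attempts:", new_connection_sources(SAMPLE_LOG))
```

Run against the real file with `python3 ufwclass.py < /var/log/kern.log` after swapping SAMPLE_LOG for `sys.stdin.read()` (the file name is an assumption; ufw logs to the kernel log on the system in the thread). If the only category seen for DPT=80 is stray-teardown, the 288 entries are not evidence that port 80 is denied, and the hosts to put in `ufw reject from <addr>` rules still have to come from the Apache access log that showed the exploit URLs.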