RE: UFW logging

The lines containing " ... [UFW BLOCK] ... PROTO=TCP SPT=56527 DPT=80 " definitively refer to HTTP, for me.

Maybe it's best to inform your security team about your problems. They have better weapons than ufw. ;)
The source IPs are changing quickly, so it's not possible to set a connection limit per host.
Have you set a connection limit for your websites?


Regards Marcel

> -----Original Message-----
> From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-
> owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> Sent: Tuesday, December 20, 2011 4:30 PM
> To: linux-admin@xxxxxxxxxxxxxxx
> Subject: RE: UFW logging
> 
> > -----Original Message-----
> >
> > Hello Dermot,
> >
> > as far as I can see, HTTP is blocked (DPT=80).
> >
> > Why are you using UFW. You've got a DMZ?
> >
> >
> > Regards Marcel
> 
> Well I really hope that port 80 is open! I have not heard any complaints
> from users and I can still connect.
> 
> The command I ran was `ufw allow "Apache Full"`. This should have
> enabled the profile for Apache that is stored in
> /etc/ufw/applications.d/apache2.2-common.
> 
> I am using UFW because I wanted to reject connections from those hosts
> that I could find in the httpd logs that were attempting to run the PHP
> exploits I mentioned. There is a firewall in front of the server. The
> rules for the firewall allow all traffic to port 80 but it's not
> directly under my control. I thought that UFW would give me finer
> control over what hosts could connect.
> 
> Are you saying that the log entries I mentioned are for connections to
> port 80? Out of 300 log entries, 288 refer to DPT=80.
> 
> I thought this rule would allow traffic to port 80:
> 
> ACCEPT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 80,443
> /* 'dapp_Apache%20Full'
> 
> Is it possible that these log entries refer to blocks to port 80 for
> some other reason, incomplete packets perhaps?
> 
> Thanks,
> Dermot.
> 
> 
> Here are a few more log entries:
> 
> Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:17:10 spl-live-04 kernel: [4815880.590616] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12876 PROTO=TCP SPT=38735 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:17:30 spl-live-04 kernel: [4815900.544664] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=42844 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=46.103.144.234 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
> Dec 20 15:18:11 spl-live-04 kernel: [4815940.856559] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=167.21.254.12 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=22633 PROTO=TCP SPT=56527 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:18:31 spl-live-04 kernel: [4815961.228775] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.209.88.151 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=36073 PROTO=TCP SPT=59930 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> Dec 20 15:18:50 spl-live-04 kernel: [4815980.576344] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=145.36.235.4 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=45980 PROTO=TCP SPT=27691 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
> Dec 20 15:19:11 spl-live-04 kernel: [4816001.276032] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=82.137.200.53 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=36569 PROTO=TCP SPT=62544 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
> Dec 20 15:19:31 spl-live-04 kernel: [4816021.003750] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=34.254.119.222 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=34212 PROTO=TCP SPT=53102 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> 
> 
> 
> 
> 
> 
> > > -----Original Message-----
> > > From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-
> > > owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> > > Sent: Tuesday, December 20, 2011 3:03 PM
> > > To: linux-admin@xxxxxxxxxxxxxxx
> > > Subject: UFW logging
> > >
> > > Hi,
> > >
> > > I noticed on our company http server that I had a lot of 'probes'. My
> > > logwatch file (text-mode) is 3+MB and rising. I have thousands of
> > > entries in my logwatch reports:
> > >
> > > A total of 5711 sites probed the server
> > >     1.152.198.116
> > >     1.22.185.5
> > >     1.23.105.130
> > >     1.38.24.232
> > >     1.38.25.24
> > >     1.39.95.219
> > >     1.53.101.185
> > >     101.108.239.43
> > > ...
> > > ...
> > > ...
> > >
> > > I'm not sure what the above probes are. Any help in understanding the
> > > above would be appreciated.
> > >
> > > I also have several entries like this:
> > >
> > > A total of 4 possible successful probes were detected (the following
> > > URLs
> > >  contain strings that match one or more of a listing of strings that
> > >  indicate a possible exploit):
> > >
> > >
> > > /images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
> > >     /?
> > >
> > > I believe these are php exploits.
> > >
> > > To help secure the server, I installed UFW, enabled and allowed HTTP,
> > > HTTPS and SSH. I then monitored the logs to see what was happening. What
> > > I am not clear on is what service the log entries below refer to.
> > >
> > >
> > > Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
> > > Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
> > >
> > > I am getting an entry like this every 20-30 seconds. Can anyone tell me
> > > what service/port is being blocked in the above log entries?
> > >
> > > Below are the rules at the moment.
> > > Thanks in advance,
> > > Dermot
> > >
> > > Chain ufw-user-input (1 references)
> > >     pkts      bytes target     prot opt in     out     source               destination
> > >    29164  1620981 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 /* 'dapp_Apache' */
> > >     5151   299728 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 80,443 /* 'dapp_Apache%20Full' */
> > >        3      180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 /* 'dapp_OpenSSH' */
> > >        0        0 REJECT     all  --  *      *       220.162.244.251      0.0.0.0/0           reject-with icmp-port-unreachable
> > >        0        0 REJECT     all  --  *      *       217.115.199.40       0.0.0.0/0           reject-with icmp-port-unreachable
> > >        0        0 REJECT     all  --  *      *       93.84.116.216        0.0.0.0/0           reject-with icmp-port-unreachable
> > >        0        0 REJECT     all  --  *      *       85.10.204.194        0.0.0.0/0           reject-with icmp-port-unreachable
> > >        0        0 REJECT     all  --  *      *       221.232.155.6        0.0.0.0/0           reject-with icmp-port-unreachable
> > >        0        0 REJECT     all  --  *      *       122.255.96.164       0.0.0.0/0           reject-with icmp-port-unreachable
> > >        0        0 REJECT     all  --  *      *       77.240.21.131        0.0.0.0/0           reject-with icmp-port-unreachable
> > >        0        0 REJECT     all  --  *      *       83.170.79.6          0.0.0.0/0           reject-with icmp-port-unreachable
> > >
> > > Chain ufw-user-forward (1 references)
> > >     pkts      bytes target     prot opt in     out     source               destination
> > >
> > > Chain ufw-user-output (1 references)
> > >     pkts      bytes target     prot opt in     out     source               destination
> > >
> > > Chain ufw-user-limit-accept (0 references)
> > >     pkts      bytes target     prot opt in     out     source               destination
> > >        0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> > >
> > > Chain ufw-user-limit (0 references)
> > >     pkts      bytes target     prot opt in     out     source               destination
> > >        0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
> > >        0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
> > > --
> > > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > > More majordomo info at  http://vger.kernel.org/majordomo-info.html
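Editor's addendum, not part of the thread: every [UFW BLOCK] entry quoted above carries ACK FIN or ACK RST and no SYN, which fits Dermot's own guess ("incomplete packets perhaps") better than a blocked HTTP service. ufw's /etc/ufw/before.rules drops packets that conntrack classifies as INVALID (for example a late FIN or RST for a connection the kernel has already forgotten) and, at log levels that log INVALID drops, sends them through its logging-deny chain, which uses the same "[UFW BLOCK] " prefix as a refused connection. That happens before the ufw-user-input chain holding the 'ufw allow' rules is consulted, so such segments are logged for DPT=80 even though port 80 is open. The Python script below is an added example (it is not code from the thread or from ufw) that parses [UFW BLOCK] lines from the kernel log, separates genuine SYN connection attempts from stray ACK/FIN/RST segments and non-TCP drops, and counts which sources and ports were actually probed. The sample lines are constructed for the example, with documentation-range addresses and made-up ports; the class names and thresholds are the example's own choices.

```python
"""Triage [UFW BLOCK] kernel log lines: which drops are real connection
attempts to closed ports, and which are stray TCP segments that netfilter
no longer associates with a tracked connection (added example, not ufw code)."""
import re
from collections import Counter

# Constructed sample lines, modelled on the format of the entries quoted in the
# thread; addresses are from documentation ranges and most ports are invented.
SAMPLE_LOG = """\
Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
Dec 20 15:18:11 spl-live-04 kernel: [4815940.856559] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=192.0.2.12 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22633 DF PROTO=TCP SPT=56527 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 20 15:18:31 spl-live-04 kernel: [4815961.228775] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=192.0.2.12 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=22634 DF PROTO=TCP SPT=56528 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 20 15:18:50 spl-live-04 kernel: [4815980.576344] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=192.0.2.13 DST=198.51.100.5 LEN=28 TOS=0x00 PREC=0x00 TTL=53 ID=45980 PROTO=UDP SPT=27691 DPT=161 LEN=8
Dec 20 15:19:11 spl-live-04 kernel: [4816001.276032] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=42844 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
"""

BLOCK_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<rest>.*)$")


def parse_block_line(line):
    """Return {field: value, 'flags': set} for one [UFW BLOCK] line, else None.

    The netfilter LOG target emits KEY=VALUE pairs plus bare tokens for the
    IP 'DF' bit and the TCP flags (SYN, ACK, FIN, RST, ...); both are kept.
    """
    m = BLOCK_RE.search(line)
    if not m:
        return None
    entry = {"flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            entry[key] = value      # OUT= and MAC= may legitimately be empty
        else:
            entry["flags"].add(tok)  # DF, SYN, ACK, FIN, RST, PSH, URG
    return entry


def classify(entry):
    """Bucket a parsed entry by what the dropped packet actually was."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags = entry["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # A fresh connection attempt the firewall refused: the only bucket
        # that says anything about a source probing closed ports.
        return "syn-probe"
    # ACK/FIN/RST without SYN: a segment for a connection conntrack is not
    # tracking (late FIN or RST after the entry timed out, or a flow the
    # kernel never saw). These are dropped as state INVALID in before.rules
    # before any 'ufw allow' rule applies, so they appear for open ports too.
    return "stray-tcp"


def summarize(log_text):
    """Count entries per class and list the sources and ports of SYN probes."""
    by_class = Counter()
    probe_sources = Counter()
    probed_ports = Counter()
    for line in log_text.splitlines():
        entry = parse_block_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        by_class[kind] += 1
        if kind == "syn-probe":
            probe_sources[entry["SRC"]] += 1
            probed_ports[entry["DPT"]] += 1
    return {"by_class": by_class,
            "probe_sources": probe_sources,
            "probed_ports": probed_ports}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("drops by class:", dict(result["by_class"]))
    print("SYN probes by source:", result["probe_sources"].most_common())
    print("SYN probes by port:", result["probed_ports"].most_common())
```

Run it against the real log with `grep '\[UFW BLOCK\]' /var/log/kern.log` piped into `summarize` (or feed the file's text) and look only at the "syn-probe" bucket when deciding which hosts deserve a 'ufw deny from' rule; the "stray-tcp" bucket is noise from normal web traffic and is what the quoted entries look like. Application-layer probes such as the `/proc/self/environ` request in the thread never reach this log at all, because they arrive over an accepted connection to port 80, so those have to be found in the httpd access log, as Dermot was doing.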

