Well if there is a security team, then I am it :) Yes the IP does change. The MAC address is consistent but I am guessing that this refers to eth0 on the server. I am not sure what sort of connection limit you mean. One that is set on the httpd server or somewhere else? This rule 'should' allow port 80 and 443 through though!

ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 /* 'dapp_Apache%20Full'

so I don't know why there are log entries that say port 80 is blocked. Like I said, I have not heard from anyone that they cannot connect to the site either. Perhaps I should increase the log level in case that gives me more details.

Dp.

> -----Original Message-----
> From: Marcel Galke - Trans4mation [mailto:Marcel.Galke@xxxxxxxxxxxxxxx]
> Sent: 20 December 2011 15:42
> To: linux-admin@xxxxxxxxxxxxxxx
> Subject: RE: UFW logging
>
> The lines containing " ... [UFW BLOCK] ...PROTO=TCP SPT=56527 DPT=80 "
> definitively refer to HTTP, for me.
>
> Maybe it's best to inform your security team about your problems.
> They have better weapons than ufw. ;)
> The source IPs are changing quickly, so it's not possible to set a
> connection limit per host.
> Have you set a connection limit for your websites?
>
>
> Regards Marcel
>
> > -----Original Message-----
> > From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> > Sent: Tuesday, December 20, 2011 4:30 PM
> > To: linux-admin@xxxxxxxxxxxxxxx
> > Subject: RE: UFW logging
> >
> > > -----Original Message-----
> > >
> > > Hello Dermot,
> > >
> > > as far as I can see, HTTP is blocked (DPT=80).
> > >
> > > Why are you using UFW. You've got a DMZ?
> > >
> > >
> > > Regards Marcel
> >
> > Well I really hope that port 80 is open! I have not heard any complaints
> > from users and I can still connect.
> >
> > The command I ran was `ufw allow "Apache Full"`. This should have
> > enabled the profile for Apache that is stored in
> > /etc/ufw/applications.d/apache2.2-common.
> >
> > I am using UFW because I wanted to reject connections from those hosts
> > that I could find in the httpd logs that were attempting to run the php
> > exploits I mentioned. There is a firewall in front of the server. The
> > rules for the firewall allow all traffic to port 80 but it's not
> > directly under my control. I thought that UFW would give me finer
> > control over what hosts could connect.
> >
> > Are you saying that the log entries I mentioned are for connections to
> > port 80? Out of 300 log entries, 288 refer to DPT=80.
> >
> > I thought this rule would allow traffic to port 80:
> >
> > ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 /* 'dapp_Apache%20Full'
> >
> > Is it possible that these log entries refer to blocks to port 80 for
> > some other reason, incomplete packets perhaps?
> >
> > Thanks,
> > Dermot.
> >
> >
> > Here are a few more log entries:
> >
> > Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> > Dec 20 15:17:10 spl-live-04 kernel: [4815880.590616] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12876 PROTO=TCP SPT=38735 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> > Dec 20 15:17:30 spl-live-04 kernel: [4815900.544664] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=42844 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> > Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=46.103.144.234 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
> > Dec 20 15:18:11 spl-live-04 kernel: [4815940.856559] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=167.21.254.12 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=22633 PROTO=TCP SPT=56527 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> > Dec 20 15:18:31 spl-live-04 kernel: [4815961.228775] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.209.88.151 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=36073 PROTO=TCP SPT=59930 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> > Dec 20 15:18:50 spl-live-04 kernel: [4815980.576344] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=145.36.235.4 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=45980 PROTO=TCP SPT=27691 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
> > Dec 20 15:19:11 spl-live-04 kernel: [4816001.276032] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=82.137.200.53 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=36569 PROTO=TCP SPT=62544 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
> > Dec 20 15:19:31 spl-live-04 kernel: [4816021.003750] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=34.254.119.222 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=34212 PROTO=TCP SPT=53102 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
> >
> > > > -----Original Message-----
> > > > From: linux-admin-owner@xxxxxxxxxxxxxxx [mailto:linux-admin-owner@xxxxxxxxxxxxxxx] On Behalf Of Dermot Paikkos
> > > > Sent: Tuesday, December 20, 2011 3:03 PM
> > > > To: linux-admin@xxxxxxxxxxxxxxx
> > > > Subject: UFW logging
> > > >
> > > > Hi,
> > > >
> > > > I noticed on our company http server that I had a lot of 'probes'. My
> > > > logwatch file (text-mode) is 3+MB and rising. I have thousands of
> > > > entries in my logwatch reports:
> > > >
> > > > A total of 5711 sites probed the server
> > > > 1.152.198.116
> > > > 1.22.185.5
> > > > 1.23.105.130
> > > > 1.38.24.232
> > > > 1.38.25.24
> > > > 1.39.95.219
> > > > 1.53.101.185
> > > > 101.108.239.43
> > > > ...
> > > > ...
> > > > ...
> > > >
> > > > I'm not sure what the above probes are. Any help in understanding the
> > > > above would be appreciated.
> > > >
> > > > I also have several entries like this:
> > > >
> > > > A total of 4 possible successful probes were detected (the following
> > > > URLs contain strings that match one or more of a listing of strings that
> > > > indicate a possible exploit):
> > > >
> > > > /images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
> > > > /?
> > > >
> > > > I believe these are php exploits.
> > > >
> > > > To help secure the server, I installed UFW, enabled it and allowed HTTP,
> > > > HTTPS and SSH. I then monitored the logs to see what was happening. What
> > > > I am not clear on is what service the log entries below refer to.
> > > >
> > > > Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
> > > > Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
> > > >
> > > > I am getting an entry like this every 20-30 seconds. Can anyone tell me
> > > > what service/port is being blocked in the above log entries?
> > > >
> > > > Below are the rules at the moment.
> > > > Thanks in advance,
> > > > Dermot
> > > >
> > > > Chain ufw-user-input (1 references)
> > > >  pkts   bytes target prot opt in out source          destination
> > > > 29164 1620981 ACCEPT tcp  --  *  *   0.0.0.0/0       0.0.0.0/0   tcp dpt:80 /* 'dapp_Apache' */
> > > >  5151  299728 ACCEPT tcp  --  *  *   0.0.0.0/0       0.0.0.0/0   multiport dports 80,443 /* 'dapp_Apache%20Full' */
> > > >     3     180 ACCEPT tcp  --  *  *   0.0.0.0/0       0.0.0.0/0   tcp dpt:22 /* 'dapp_OpenSSH' */
> > > >     0       0 REJECT all  --  *  *   220.162.244.251 0.0.0.0/0   reject-with icmp-port-unreachable
> > > >     0       0 REJECT all  --  *  *   217.115.199.40  0.0.0.0/0   reject-with icmp-port-unreachable
> > > >     0       0 REJECT all  --  *  *   93.84.116.216   0.0.0.0/0   reject-with icmp-port-unreachable
> > > >     0       0 REJECT all  --  *  *   85.10.204.194   0.0.0.0/0   reject-with icmp-port-unreachable
> > > >     0       0 REJECT all  --  *  *   221.232.155.6   0.0.0.0/0   reject-with icmp-port-unreachable
> > > >     0       0 REJECT all  --  *  *   122.255.96.164  0.0.0.0/0   reject-with icmp-port-unreachable
> > > >     0       0 REJECT all  --  *  *   77.240.21.131   0.0.0.0/0   reject-with icmp-port-unreachable
> > > >     0       0 REJECT all  --  *  *   83.170.79.6     0.0.0.0/0   reject-with icmp-port-unreachable
> > > >
> > > > Chain ufw-user-forward (1 references)
> > > >  pkts   bytes target prot opt in out source          destination
> > > >
> > > > Chain ufw-user-output (1 references)
> > > >  pkts   bytes target prot opt in out source          destination
> > > >
> > > > Chain ufw-user-limit-accept (0 references)
> > > >  pkts   bytes target prot opt in out source          destination
> > > >     0       0 ACCEPT all  --  *  *   0.0.0.0/0       0.0.0.0/0
> > > >
> > > > Chain ufw-user-limit (0 references)
> > > >  pkts   bytes target prot opt in out source          destination
> > > >     0       0 LOG    all  --  *  *   0.0.0.0/0       0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
> > > >     0       0 REJECT all  --  *  *   0.0.0.0/0       0.0.0.0/0   reject-with icmp-port-unreachable
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > > > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
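The open question in the thread is whether the [UFW BLOCK] entries for DPT=80 mean that HTTP clients are being refused. One thing the entries themselves settle is the TCP flags: a connection attempt always starts with a SYN (and no ACK), whereas every sample in the thread carries ACK FIN or ACK RST, i.e. it is the tail end of a connection that is being closed or reset, not a new request. The script below, written for this page as an added example (it is not part of the thread and not ufw's own code), parses [UFW BLOCK] lines, groups them by destination port and by packet type, and reports which ports see genuine SYN attempts. The sample input consists of three lines copied from the thread plus one constructed SYN line from the TEST-NET address 192.0.2.10 to port 23 and one constructed non-firewall line, so that the classifier has something in each category to separate; the function names are this example's own.

```python
import re
from collections import Counter

# Three lines copied from the thread (DST is masked there as 217.222.0.x), followed by
# two CONSTRUCTED lines for this example: a SYN from a TEST-NET address to port 23 and
# an unrelated sshd line that the parser must ignore. None of the constructed data
# comes from the server in the thread.
SAMPLE_LOG = """\
Dec 20 15:16:50 spl-live-04 kernel: [4815860.546796] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=148.134.37.3 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=5744 PROTO=TCP SPT=35936 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0
Dec 20 15:17:52 spl-live-04 kernel: [4815921.978254] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=46.103.144.234 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49496 DF PROTO=TCP SPT=49793 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
Dec 20 15:20:00 spl-live-04 kernel: [4816050.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=192.0.2.10 DST=217.222.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 20 15:20:01 spl-live-04 sshd[1234]: constructed unrelated line that the parser must skip
"""

# Everything after the "[UFW BLOCK]" prefix is a sequence of KEY=VALUE tokens plus
# bare tokens for TCP flags (ACK, SYN, ...) and IP options such as DF.
UFW_BLOCK_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.*)$")
TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_ufw_line(line):
    """Return a dict of the KEY=VALUE fields plus a FLAGS set, or None for non-UFW lines."""
    match = UFW_BLOCK_RE.search(line)
    if not match:
        return None
    entry = {"FLAGS": set(), "OPTIONS": set()}
    for token in match.group("fields").split():
        if "=" in token:                      # e.g. DPT=80, or OUT= with an empty value
            key, _, value = token.partition("=")
            entry[key] = value
        elif token in TCP_FLAG_NAMES:         # bare TCP flag names
            entry["FLAGS"].add(token)
        else:                                 # e.g. DF (don't fragment)
            entry["OPTIONS"].add(token)
    return entry


def classify(entry):
    """Label a blocked packet by what it could have done to the service on DPT."""
    if entry.get("PROTO") != "TCP":
        return "non-tcp"
    flags = entry["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"   # the only packet type that opens a TCP connection
    if ("FIN" in flags or "RST" in flags) and "SYN" not in flags:
        return "teardown"         # closing/resetting an existing connection, cannot open one
    return "other-tcp"


def summarize(log_text):
    """Group [UFW BLOCK] entries by destination port and packet class."""
    entries = [e for e in (parse_ufw_line(l) for l in log_text.splitlines()) if e]
    by_port = Counter(e.get("DPT", "?") for e in entries)
    by_class = Counter(classify(e) for e in entries)
    new_conn_ports = Counter(
        e.get("DPT", "?") for e in entries if classify(e) == "new-connection"
    )
    return {
        "total": len(entries),
        "by_port": dict(by_port),
        "by_class": dict(by_class),
        "new_connection_ports": dict(new_conn_ports),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} blocked packets")
    print("by destination port:", report["by_port"])
    print("by packet class:    ", report["by_class"])
    print("ports with real SYN attempts blocked:", report["new_connection_ports"])
```

Run against a real /var/log/ufw.log or kern.log the same way (read the file into `summarize`). If `new_connection_ports` stays empty for port 80 while `teardown` dominates, the blocked entries are not refused HTTP requests, which matches the thread's observation that nobody has reported being unable to connect; a non-empty SYN count for port 80 would be the case worth investigating.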