On Thu, 2011-12-22 at 21:28 +0530, Saurabh Bathe wrote:
> On Tuesday 20 December 2011 07:33 PM, Dermot Paikkos wrote:
> > Chain ufw-user-limit (0 references)
> >  pkts bytes target  prot opt in  out  source     destination
> >     0     0 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
>
> I would say the rule above *could* be suspect, which would log anything
> that it catches. Depending on where in the filter it is being
> referenced, it may be catching those packets. I cannot say definitively
> without actually seeing the whole iptables -nL output.
>
> Thanks,
> Saurabh
> --
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

It's not blocked, it's limited to 3 packets per minute, with a burst to 5.
Only when this limit is reached is the connection blocked and the event
logged with the [UFW LIMIT BLOCK] prefix. So you may want to check your
syslog (or whatever logging system you are using) for this prefix.

While this doesn't prevent users from connecting to your server, it can
affect the legit traffic. What you need is an IDS (either ModSecurity for
Apache [1] and/or ossec [2] - but hey, strong tweaking is necessary for
both of them in order to work as desired - you have been warned :) )

[1] http://www.modsecurity.org/
[2] http://www.ossec.net/

P.S. There is a good howto for mod_security on Ubuntu (I presume you are
using Ubuntu) here:
http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/

HTH
--
Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857
=================================================
What an artist dies with me!
		-- Nero
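
Checking syslog for the [UFW LIMIT BLOCK] prefix, as the reply above suggests, can be scripted. The following is an added example, not part of the original thread: it assumes the usual kernel netfilter LOG KEY=value fields (SRC, PROTO, DPT), and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

PREFIX = "[UFW LIMIT BLOCK]"
# Netfilter LOG fields look like KEY=value; bare flags (DF, SYN) are skipped.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines using documentation addresses; not from the thread.
SAMPLE_LOG = """\
Dec 22 10:01:02 web1 kernel: [1234.56] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4242 DF PROTO=TCP SPT=51514 DPT=22 SYN URGP=0
Dec 22 10:01:09 web1 kernel: [1241.10] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4243 DF PROTO=TCP SPT=51520 DPT=22 SYN URGP=0
Dec 22 10:01:30 web1 kernel: [1262.02] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TTL=240 ID=1 PROTO=TCP SPT=40000 DPT=3306 SYN URGP=0
Dec 22 10:02:11 web1 sshd[911]: Failed password for root from 203.0.113.7 port 51533 ssh2
Dec 22 10:02:40 web1 kernel: [1332.77] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 ID=77 DF PROTO=TCP SPT=33012 DPT=80 SYN URGP=0
Dec 22 10:03:05 web1 kernel: [1357.31] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=4250 DF PROTO=TCP SPT=51540 DPT=22 SYN URGP=0
"""


def limit_hits(lines):
    """Yield the KEY=value fields of each line carrying the limit prefix."""
    for line in lines:
        _, found, rest = line.partition(PREFIX)
        if found:
            yield dict(FIELD.findall(rest))


def summarize(lines):
    """Count logged limit hits per (source, protocol, destination port).

    The LOG rule quoted in the thread carries its own limit match
    (avg 3/min burst 5), so the log itself is rate-limited and these
    counts are a lower bound on the packets that reached the chain.
    """
    counts = Counter()
    for f in limit_hits(lines):
        key = (f.get("SRC", "?"), f.get("PROTO", "?"), f.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of your own syslog file.
    for (src, proto, dpt), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {src:<15}  {proto}/{dpt}")
```

A source that appears here repeatedly against a single port is a candidate for a closer look; one that appears once is more likely legitimate traffic that tripped the limit.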