RE: UFW logging

> -----Original Message-----
> On Thu, 2011-12-22 at 21:28 +0530, Saurabh Bathe wrote:
> > On Tuesday 20 December 2011 07:33 PM, Dermot Paikkos wrote:
> > > Chain ufw-user-limit (0 references)
> > >      pkts      bytes target     prot opt in     out     source               destination
> > >         0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
> >
> > I would say the rule above *could* be suspect, which would log anything
> > that it catches. Depending on where in the filter it is being
> > referenced, it may be catching those packets. I cannot say definitively
> > without actually seeing the whole iptables -nL output.
> >
> > Thanks,
> > Saurabh
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> It's not blocked, it's limited to 3 packets per minute, with a burst of
> 5. Only when this limit is reached is the connection blocked and the
> event logged with the [UFW LIMIT BLOCK] prefix. So you may want to check
> your syslog (or whatever logging system you are using) for this prefix.
> While this doesn't prevent users from connecting to your server, it can
> affect the legit traffic.

That makes sense given the rules. It must be a default rule as I did not
add it. I was getting one of these blocks every 30 seconds. I'm guessing
this is to protect against DOS attacks.


> What you need is an IDS (either ModSecurity for apache [1] and/or ossec
> [2] - but hey, a strong tweaking is necessary for both of them in order
> to work as desired - you have been warned :) )

I had seen references to modsecurity but ufw seemed like a simpler solution.

As it turns out I had to disable ufw yesterday. A user in Switzerland
reported problems connecting. The IP they gave me can't be found in any
of the logs, syslog or httpd, so I assume they do not know their IP
address.

The attempted php exploits are down today. Just the one yesterday. I
suspect that might be because the server now correctly returns 404 for
these URLs.

> [1] http://www.modsecurity.org/
> [2] http://www.ossec.net/
> 
> P.S. there is a good howto for mod_security on Ubuntu (I presume you are
> using Ubuntu) here:
> http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/

Thanks for the link. I'll have a read.
Thanks all and happy holidays if you're getting one.
Dermot.
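An added illustration of the two things discussed in this thread (not code from the list or from ufw itself): a short Python script that tallies `[UFW LIMIT BLOCK]` entries per source from syslog, and a model of the `limit: avg 3/min burst 5` token bucket used by the iptables `limit` match on that LOG rule, showing which packets in a burst the rule would actually record. The log lines and addresses are constructed samples (RFC 5737 documentation ranges), not real hosts.

```python
import re
from collections import Counter

# Constructed syslog lines in the shape the kernel LOG target emits with
# ufw's "[UFW LIMIT BLOCK] " prefix; addresses are documentation ranges.
SAMPLE_SYSLOG = """\
Dec 22 10:00:01 web kernel: [1201.10] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 22 10:00:31 web kernel: [1231.12] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 22 10:00:40 web kernel: [1240.55] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=3 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 22 10:01:01 web kernel: [1261.20] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 22 10:01:05 web kernel: [1265.33] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Only LIMIT BLOCK lines; DPT is optional because ICMP entries carry none.
LOG_RE = re.compile(
    r"\[UFW LIMIT BLOCK\].*?SRC=(\S+).*?DST=(\S+).*?PROTO=(\S+)(?:.*?DPT=(\d+))?"
)


def limit_block_hits(text):
    """Count [UFW LIMIT BLOCK] entries per (source, protocol, dest port)."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            src, _dst, proto, dport = m.groups()
            hits[(src, proto, dport)] += 1
    return hits


def limit_match(arrivals, avg_per_min=3, burst=5):
    """Model the iptables 'limit' match as a token bucket.

    arrivals: packet times in seconds, non-decreasing. The bucket starts
    full with `burst` tokens and refills one token every 60/avg seconds;
    a packet matches (and here would be logged) only if a token is left.
    Returns one bool per packet.
    """
    refill_seconds = 60.0 / avg_per_min
    tokens = float(burst)
    last = arrivals[0] if arrivals else 0.0
    matched = []
    for t in arrivals:
        tokens = min(float(burst), tokens + (t - last) / refill_seconds)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            matched.append(True)
        else:
            matched.append(False)
    return matched
```

Run `limit_match([0.0] * 7)` to see that only the first five packets of an instantaneous burst are logged, while one packet every 30 seconds (the cadence described in the thread) never exhausts the bucket and is logged every time.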
