> -----Original Message-----
> On Thu, 2011-12-22 at 21:28 +0530, Saurabh Bathe wrote:
> > On Tuesday 20 December 2011 07:33 PM, Dermot Paikkos wrote:
> > > Chain ufw-user-limit (0 references)
> > >  pkts bytes target  prot opt in  out  source     destination
> > >     0     0 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
> >
> > I would say the rule above *could* be suspect, which would log anything
> > that it catches. Depending on where in the filter it is being
> > referenced, it may be catching those packets. I cannot say definitively
> > without actually seeing the whole iptables -nL output.
> >
> > Thanks,
> > Saurabh
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> It's not blocked, it's limited to 3 packets per minute, with a burst of
> 5. Only when this limit is reached is the connection blocked and the
> event logged with the [UFW LIMIT BLOCK] prefix. So you may want to check
> your syslog (or whatever logging system you are using) for this prefix.
> While this doesn't prevent users from connecting to your server, it can
> affect legit traffic.

That makes sense given the rules. It must be a default rule as I did not add it. I was getting one of these blocks every 30 seconds. I'm guessing this is to protect against DOS attacks.

> What you need is an IDS (either ModSecurity for apache [1] and/or ossec
> [2] - but hey, a strong tweaking is necessary for both of them in order
> to work as desired - you have been warned :) )

I had seen references to modsecurity but ufw seemed like a simpler solution. As it turns out I had to disable ufw yesterday. A user in Switzerland reported problems connecting. The IP they gave me can't be found in any of the logs, syslog or httpd, so I assume they do not know their IP address.

The attempted php exploits are down today. Just the one yesterday. I suspect that might be because the server now correctly returns 404 for these URLs.

> [1] http://www.modsecurity.org/
> [2] http://www.ossec.net/
>
> P.S. there is a good howto for mod_security on Ubuntu (I presume you are
> using Ubuntu) here:
> http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/

Thanks for the link. I'll have a read.

Thanks all and happy holidays if you're getting one.

Dermot.
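The two checks the thread calls for, grepping syslog for the [UFW LIMIT BLOCK] prefix and asking whether a particular user's address ever shows up in the blocks, as an added example that is not code from the thread or from ufw itself. The sample syslog lines are constructed in the kernel LOG line format ufw writes; the hostname, addresses and ports are made up, and the parser assumes the traditional "Mon DD HH:MM:SS" syslog timestamp.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (documentation address ranges, not real hosts).
SAMPLE_SYSLOG = """\
Dec 22 21:28:01 web1 kernel: [91234.567] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=60 TTL=51 PROTO=TCP SPT=51234 DPT=22 SYN
Dec 22 21:28:31 web1 kernel: [91264.890] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=60 TTL=51 PROTO=TCP SPT=51235 DPT=22 SYN
Dec 22 21:29:02 web1 kernel: [91295.123] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.10 LEN=40 TTL=112 PROTO=TCP SPT=44321 DPT=445 SYN
Dec 22 21:29:33 web1 kernel: [91326.456] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.200 DST=198.51.100.10 LEN=60 TTL=58 PROTO=TCP SPT=60001 DPT=80 SYN
Dec 22 21:30:00 web1 sshd[2211]: Accepted publickey for dermot from 192.0.2.9 port 50022 ssh2
"""

# syslog timestamp, host, "kernel:", optional "[uptime]" bracket, then the UFW prefix and KEY=VALUE fields.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?\[(?P<prefix>UFW [A-Z ]+)\] (?P<fields>.*)$"
)


def parse_ufw_log(text):
    """Return one dict per UFW kernel log line; non-UFW lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # KEY=VALUE pairs; bare flags such as SYN or DF carry no "=" and are ignored.
        fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
        events.append({"ts": m.group("ts"), "prefix": m.group("prefix"), **fields})
    return events


def limit_blocks_by_source(events):
    """Count [UFW LIMIT BLOCK] hits per source address (busiest first via most_common)."""
    return Counter(e["SRC"] for e in events if e["prefix"] == "UFW LIMIT BLOCK")


def events_for_ip(events, ip):
    """Every UFW event whose source is the given address, to check a user's reported IP."""
    return [e for e in events if e.get("SRC") == ip]


if __name__ == "__main__":
    evs = parse_ufw_log(SAMPLE_SYSLOG)
    for src, n in limit_blocks_by_source(evs).most_common():
        print(f"{src:>16}  {n} limit block(s)")
    print("reported IP seen:", bool(events_for_ip(evs, "203.0.113.45")))
```

On a live box, feed it the output of `grep 'UFW' /var/log/syslog` instead of the sample string.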