Linode Forum
Linode Community Forums
 Post subject: ufw log files
PostPosted: Fri Feb 17, 2012 4:40 am 
Senior Member

Joined: Fri May 20, 2011 2:45 am
Posts: 63
Location: Spain
I see these in my /var/log/ufw.log file

Code:
Feb 17 06:25:42 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.83.61.33 DST=178.79.166.61 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=49204 DF PROTO=TCP SPT=32858 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 06:57:53 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.198.109.232 DST=178.79.166.61 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31963 DF PROTO=TCP SPT=54030 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 07:27:00 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.239.224.217 DST=178.79.166.61 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=33001 DF PROTO=TCP SPT=4316 DPT=23 WINDOW=5808 RES=0x00 CWR ECE SYN URGP=0
Feb 17 08:02:01 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=61.235.46.146 DST=178.79.166.61 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=38879 PROTO=UDP SPT=2041 DPT=1434 LEN=384
Feb 17 08:11:12 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.26.1.0 DST=178.79.166.61 LEN=56 TOS=0x00 PREC=0x00 TTL=55 ID=32543 DF PROTO=TCP SPT=48303 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 08:12:12 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=95.102.170.179 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=33 ID=20689 DF PROTO=TCP SPT=2558 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:12:15 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=95.102.170.179 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=33 ID=21323 DF PROTO=TCP SPT=2558 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:17:36 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.79.52.191 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=57232 DF PROTO=TCP SPT=1760 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:17:39 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.79.52.191 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=57610 DF PROTO=TCP SPT=1760 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:52:06 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.83.16.176 DST=178.79.166.61 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=31272 DF PROTO=TCP SPT=37127 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 08:56:50 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29831 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 08:56:51 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29853 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 08:56:54 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29897 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 08:57:00 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29973 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 08:58:27 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=31176 PROTO=UDP SPT=47599 DPT=551 LEN=41
Feb 17 08:58:28 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=31186 PROTO=UDP SPT=47599 DPT=551 LEN=41
Feb 17 08:58:31 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=31240 PROTO=UDP SPT=47599 DPT=551 LEN=41
Feb 17 08:58:37 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=31323 PROTO=UDP SPT=47599 DPT=551 LEN=41
Feb 17 09:01:16 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=95 TOS=0x00 PREC=0x00 TTL=115 ID=33257 PROTO=UDP SPT=36112 DPT=551 LEN=75
Feb 17 09:03:19 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=34623 PROTO=UDP SPT=11325 DPT=551 LEN=41
Feb 17 09:03:20 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=34626 PROTO=UDP SPT=11325 DPT=551 LEN=41
Feb 17 09:03:23 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=34660 PROTO=UDP SPT=11325 DPT=551 LEN=41
Feb 17 09:03:29 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=34712 PROTO=UDP SPT=11325 DPT=551 LEN=41
Feb 17 09:16:38 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=44537 DF PROTO=TCP SPT=20349 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:16:41 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=44566 DF PROTO=TCP SPT=20349 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:16:47 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=44629 DF PROTO=TCP SPT=20349 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:17:46 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=175.181.106.193 DST=178.79.166.61 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=56947 DF PROTO=TCP SPT=1510 DPT=1080 WINDOW=512 RES=0x00 SYN URGP=0
Feb 17 09:17:52 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=7815 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:17:54 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=7847 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:17:57 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=7900 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:18:03 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=8061 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:19:34 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=46531 DF PROTO=TCP SPT=19992 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:19:34 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=10234 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:19:36 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=10263 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:19:37 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=46562 DF PROTO=TCP SPT=19992 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:19:39 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=10332 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:19:43 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=46626 DF PROTO=TCP SPT=19992 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:19:45 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=10452 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:20:23 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=95 TOS=0x00 PREC=0x00 TTL=117 ID=11311 PROTO=UDP SPT=12157 DPT=551 LEN=75
Feb 17 09:24:20 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50378 DF PROTO=TCP SPT=54088 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:24:23 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50411 DF PROTO=TCP SPT=54088 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:24:29 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50480 DF PROTO=TCP SPT=54088 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:25:31 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=18150 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:25:33 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=18171 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:25:36 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=18227 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:25:42 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=18333 PROTO=UDP SPT=12157 DPT=551 LEN=41


Can anyone tell me what they mean? Is someone doing a scan on my ports?


PostPosted: Fri Feb 17, 2012 5:53 am 
Senior Member

Joined: Sun Jan 18, 2009 2:41 pm
Posts: 830
It's the normal brute-force attack attempts that any Internet-connected host gets. In itself, no reason to be concerned. If you're interested in what services they're trying to connect to, look up the "DPT=###" port number on this list.


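The opening post asks what the lines mean and whether they are a port scan, and hoopycat's answer is to read the "DPT=" field. The following is an added example, not code from either poster: a small parser for the kernel "[UFW BLOCK]" format that splits each line into its fields, keeps the TCP flags (DF, SYN, ...) separately, tallies blocked destination ports, and applies one simple heuristic that distinguishes "one source walking many ports" from the single-service probes shown in the thread. The seven sample lines are copied verbatim from the post above; the service-name table and the scan threshold of five distinct ports are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Seven lines copied verbatim from the ufw.log excerpt in the opening post,
# embedded here so the script runs offline.
SAMPLE_LOG = """\
Feb 17 06:25:42 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.83.61.33 DST=178.79.166.61 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=49204 DF PROTO=TCP SPT=32858 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 08:02:01 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=61.235.46.146 DST=178.79.166.61 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=38879 PROTO=UDP SPT=2041 DPT=1434 LEN=384
Feb 17 08:12:12 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=95.102.170.179 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=33 ID=20689 DF PROTO=TCP SPT=2558 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:12:15 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=95.102.170.179 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=33 ID=21323 DF PROTO=TCP SPT=2558 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:56:50 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29831 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 09:16:38 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=44537 DF PROTO=TCP SPT=20349 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:17:46 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=175.181.106.193 DST=178.79.166.61 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=56947 DF PROTO=TCP SPT=1510 DPT=1080 WINDOW=512 RES=0x00 SYN URGP=0
"""

# Partial lookup table (assumption of this example; extend from /etc/services).
SERVICE_NAMES = {
    23: "telnet",
    135: "epmap (MS RPC endpoint mapper)",
    1080: "socks",
    1434: "ms-sql-m (SQL Server browser)",
}

# syslog timestamp, host, "kernel:", optional printk time "[ 123.456]",
# then the ufw action (BLOCK, ALLOW, AUDIT, LIMIT BLOCK, ...) and the fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one UFW log line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "action": m["action"], "flags": []}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP lines carry LEN= twice (IP total length, then UDP length);
            # keep the first occurrence, i.e. the IP total length.
            rec.setdefault(key, val)
        else:
            rec["flags"].append(tok)  # bare tokens: DF, SYN, ACK, CWR, ECE, ...
    return rec


def describe_port(port):
    return SERVICE_NAMES.get(port, "unlisted here; check /etc/services or the IANA registry")


def analyze(text, scan_threshold=5):
    """Tally blocked ports and flag sources that touch many distinct ports.

    Heuristic (this example's assumption): one source hitting >= scan_threshold
    distinct destination ports looks like a port scan; a source repeating the
    same port is a probe for one service, the background noise hoopycat describes.
    """
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_port = Counter((r.get("PROTO"), int(r["DPT"])) for r in records if "DPT" in r)
    ports_per_src = defaultdict(set)
    for r in records:
        if "DPT" in r:
            ports_per_src[r["SRC"]].add(int(r["DPT"]))
    verdicts = {
        src: ("port-scan" if len(ports) >= scan_threshold else "single-service probe")
        for src, ports in ports_per_src.items()
    }
    return {"records": records, "by_port": by_port,
            "ports_per_src": dict(ports_per_src), "verdicts": verdicts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (proto, port), n in result["by_port"].most_common():
        print(f"{proto}/{port:<5} {n:3d} blocked  -> {describe_port(port)}")
    for src, verdict in result["verdicts"].items():
        print(f"{src:<16} {verdict}")
```

Run against the sample, every source in the excerpt repeats one port (23, 135, 551, 1080 or 1434) rather than walking a range, so the script reports "single-service probe" for all of them, which is the same conclusion hoopycat draws. The real log is read the same way: `analyze(open("/var/log/ufw.log").read())`.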
PostPosted: Fri Feb 17, 2012 5:59 am 
Senior Member

Joined: Fri May 20, 2011 2:45 am
Posts: 63
Location: Spain
I thought it was some kind of monitoring from linode.

Do I have to enable anything in the firewall to enable linode monitoring?


PostPosted: Fri Feb 17, 2012 7:17 am 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
There is no Linode monitoring, so no.

_________________
Code:
/* TODO: need to add signature to posts */


PostPosted: Fri Feb 17, 2012 7:19 am 
Senior Member

Joined: Fri May 20, 2011 2:45 am
Posts: 63
Location: Spain
And how do you get all the graphs in the linode manager then?


PostPosted: Fri Feb 17, 2012 8:15 am 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Those are somewhat like an electric meter on a house. They report how much the node has consumed, but not what consumed it within the node or anything like that. (They also work with any OS, even non-Linux-based ones.)

_________________
Code:
/* TODO: need to add signature to posts */


PostPosted: Fri Feb 17, 2012 2:58 pm 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Wait, UFW logs every dropped packet, and it spends 244 bytes to log a dropped 40 byte packet? That seems excessive. That degree of amplification makes it trivially easy to max out the disk IO of a box running UFW, not to mention filling the disks incredibly fast.

Seems like a dumb move on UFW's part...


PostPosted: Fri Feb 17, 2012 5:25 pm 
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
It's iptables logging, so it goes through kernel logging and syslog, which have various ways to deal with crazy loggers. By default, ufw uses a 'low' logging level, which

Quote:
logs all blocked packets not matching the default policy (with rate limiting), as well as packets matching logged rules


So it shouldn't generally be logging a whole heck of a lot by default (if the default policy is 'deny' and there's no specifically-logged rules). It can, of course, be configured to the administrator's wishes.

_________________
Code:
/* TODO: need to add signature to posts */


PostPosted: Mon Feb 20, 2012 1:45 pm 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
It wasn't the typical scenario I was thinking about, but the attack vector scenario. If somebody decides to send you a chunk of blocked traffic, your log files would fill up fast.


PostPosted: Mon Feb 20, 2012 1:52 pm 
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
Guspaz wrote:
It wasn't the typical scenario I was thinking about, but the attack vector scenario. If somebody decides to send you a chunk of blocked traffic, your log files would fill up fast.

It may have been tuned a little differently in the latest version (I'm still on 8.04) but my ufw-generated LOG rules use rate-limiting (as hoopycat mentioned) with a limit of "avg 3/min burst 10", so it's not really going to log very much even with a targeted attack.

-- David


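Guspaz's worry is that a flood of blocked packets turns into a flood of log writes; hoopycat and David answer that ufw's LOG rules sit behind the iptables `limit` match, which David reports as "avg 3/min burst 10" on his install. The following added example (not code from any of the posters, and not ufw's own implementation) models that match as the token bucket the iptables documentation describes: the bucket starts with `burst` tokens, refills at the average rate up to `burst`, and a packet is logged only if a whole token is available. It then puts numbers on the disagreement, using the 244-byte entry size Guspaz quotes. The parameters are David's; whether a given ufw version uses the same ones is something to check with `iptables -L -v -n` on the box in question.

```python
from fractions import Fraction
from math import floor


def simulate_limit_match(packet_times, avg_per_min=3, burst=10):
    """Count how many of the given packet arrivals would be logged.

    Token-bucket model of the iptables 'limit' match ('avg 3/min burst 10'
    are the values David reports for his 8.04 ufw rules). Times are in
    seconds; Fractions keep the bookkeeping exact so boundary cases such as
    'the bucket reaches exactly one token at t=20' are not lost to rounding.
    """
    refill_per_sec = Fraction(avg_per_min, 60)
    tokens = Fraction(burst)          # bucket starts full
    last = Fraction(0)
    logged = 0
    for t in sorted(Fraction(x) for x in packet_times):
        tokens = min(Fraction(burst), tokens + (t - last) * refill_per_sec)
        last = t
        if tokens >= 1:               # a whole token is needed to emit a LOG entry
            tokens -= 1
            logged += 1
    return logged


def flood_times(pps, seconds):
    """Constructed arrival times: a steady stream of pps blocked packets/second."""
    return [Fraction(k, pps) for k in range(pps * seconds + 1)]


def worst_case_entries(duration_s, avg_per_min=3, burst=10):
    """Attacker-independent ceiling on LOG entries in a window:
    a full bucket plus everything the bucket refills during the window."""
    return burst + floor(Fraction(duration_s) * Fraction(avg_per_min, 60))


def worst_case_log_bytes(duration_s, entry_bytes=244, avg_per_min=3, burst=10):
    """Upper bound on bytes written, using the ~244-byte entry size from the thread."""
    return worst_case_entries(duration_s, avg_per_min, burst) * entry_bytes


if __name__ == "__main__":
    # 1000 blocked packets per second for 61 s: 61001 packets, 13 log lines.
    print("flood, 61 s:", simulate_limit_match(flood_times(1000, 61)), "entries")
    print("ceiling, 61 s:", worst_case_entries(61), "entries")
    # One probe every 30 s, below the average rate: every packet is logged.
    print("sparse probes:", simulate_limit_match([30 * k for k in range(20)]), "entries")
    print("worst case per day:", worst_case_log_bytes(86400), "bytes")
```

The sixty-one-second flood of 61,001 packets produces 13 entries: the 10-token burst, then one more every 20 seconds. Over a full day the ceiling is 10 + 4320 entries, roughly a megabyte at 244 bytes each, so the disk-filling scenario does not arise with these parameters. The same bucket is what makes the sparse case fully logged (20 probes 30 seconds apart never drain it). The trade-off a defender should keep in mind is the flip side of David's point: the limit is per LOG rule, not per source, so during a flood the handful of entries that do get written are a sample, and the quieter probes from other sources in the same window are mostly dropped from the log.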