Linode Forum https://forum.linode.com/

ufw log files https://forum.linode.com/viewtopic.php?f=19&t=8448
Author: fernandoch [ Fri Feb 17, 2012 4:40 am ]
Post subject: ufw log files

I see these in my /var/log/ufw.log file:

    Feb 17 06:25:42 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.83.61.33 DST=178.79.166.61 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=49204 DF PROTO=TCP SPT=32858 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

Can anyone tell me what they mean? Is someone doing a scan on my ports?

Author: Vance [ Fri Feb 17, 2012 5:53 am ]

It's the normal brute-force attack attempts that any Internet-connected host gets. In itself, no reason to be concerned. If you're interested in what services they're trying to connect to, look up the "DPT=###" port number on this list.

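The [UFW BLOCK] line quoted in the first post is a netfilter LOG entry made of KEY=VALUE fields plus bare flags (DF, SYN). As an added example that is not part of the thread, the Python below parses such lines and groups blocked packets by source address, counting how many distinct destination ports each source hit, which is the check for telling ordinary background noise from a port sweep; the sample log entries are constructed using RFC 5737 documentation addresses rather than the poster's real ones.

```python
import re
from collections import defaultdict

# Constructed sample entries in the format quoted in the thread (RFC 5737 addresses, not real traffic).
SAMPLE_LOG = [
    "Feb 17 06:25:42 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=49204 DF PROTO=TCP SPT=32858 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 17 06:25:43 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49205 DF PROTO=TCP SPT=32859 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 17 06:25:44 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=49206 DF PROTO=TCP SPT=32860 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 17 06:31:02 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1103 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Feb 17 06:31:05 plato kernel: eth0: link is up",
]

# The ufw action ([UFW BLOCK], [UFW ALLOW], ...) followed by the netfilter LOG fields.
UFW_ENTRY = re.compile(r"\[UFW (\w+)\]\s+(.*)$")

def parse_ufw_line(line):
    """Return the fields of one ufw log line as a dict, or None for any other line.
    KEY=VALUE tokens become entries (OUT= keeps ""); bare tokens such as DF and SYN go under 'flags'."""
    m = UFW_ENTRY.search(line)
    if not m:
        return None
    fields = {"action": m.group(1), "flags": []}
    for tok in m.group(2).split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        else:
            fields["flags"].append(tok)
    return fields

def summarize_blocked(lines, port_threshold=3):
    """Group BLOCK entries by source and count the distinct (protocol, port) pairs each source hit.
    Many sources probing one port each is the background noise described in the thread; a single
    source touching port_threshold or more ports is flagged as a port sweep worth a closer look."""
    by_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in lines:
        f = parse_ufw_line(line)
        if not f or f["action"] != "BLOCK" or "SRC" not in f:
            continue
        entry = by_src[f["SRC"]]
        entry["packets"] += 1
        if f.get("DPT"):  # ICMP entries carry no DPT
            entry["ports"].add((f.get("PROTO", "?"), int(f["DPT"])))
    return {src: dict(e, port_sweep=len(e["ports"]) >= port_threshold)
            for src, e in by_src.items()}

if __name__ == "__main__":
    for src, e in summarize_blocked(SAMPLE_LOG).items():
        print(src, e["packets"], "blocked, ports", sorted(e["ports"]), "<-- port sweep" if e["port_sweep"] else "")
```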
Author: fernandoch [ Fri Feb 17, 2012 5:59 am ]

I thought it was some kind of monitoring from linode. Do I have to enable anything in the firewall to enable linode monitoring?

Author: hoopycat [ Fri Feb 17, 2012 7:17 am ]

There is no Linode monitoring, so no.

Author: fernandoch [ Fri Feb 17, 2012 7:19 am ]

And how do you get all the graphs in the linode manager then?

Author: hoopycat [ Fri Feb 17, 2012 8:15 am ]

Those are somewhat like an electric meter on a house. They report how much the node has consumed, but not what consumed it within the node or anything like that. (They also work with any OS, even non-Linux-based ones.)

Author: Guspaz [ Fri Feb 17, 2012 2:58 pm ]

Wait, UFW logs every dropped packet, and it spends 244 bytes to log a dropped 40 byte packet? That seems excessive. That degree of amplification makes it trivially easy to max out the disk IO of a box running UFW, not to mention filling the disks incredibly fast. Seems like a dumb move on UFW's part...

Author: hoopycat [ Fri Feb 17, 2012 5:25 pm ]

It's iptables logging, so it goes through kernel logging and syslog, which have various ways to deal with crazy loggers. By default, ufw uses a 'low' logging level, which

    Quote:
    logs all blocked packets not matching the default policy (with rate limiting), as well as packets matching logged rules

So it shouldn't generally be logging a whole heck of a lot by default (if the default policy is 'deny' and there's no specifically-logged rules). It can, of course, be configured to the administrator's wishes.

Author: Guspaz [ Mon Feb 20, 2012 1:45 pm ]

It wasn't the typical scenario I was thinking about, but the attack vector scenario. If somebody decides to send you a chunk of blocked traffic, your log files would fill up fast.

Author: db3l [ Mon Feb 20, 2012 1:52 pm ]

    Guspaz wrote:
    It wasn't the typical scenario I was thinking about, but the attack vector scenario. If somebody decides to send you a chunk of blocked traffic, your log files would fill up fast.

It may have been tuned a little differently in the latest version (I'm still on 8.04) but my ufw-generated LOG rules use rate-limiting (as hoopycat mentioned) with a limit of "avg 3/min burst 10", so it's not really going to log very much even with a targeted attack.

-- David

All times are UTC-04:00