From: "Dermot Paikkos" <Dermot.Paikkos@sciencephoto.co.uk>
To: linux-admin@vger.kernel.org
Subject: UFW logging
Date: Tue, 20 Dec 2011 14:03:22 +0000
Message-ID: <LB95C01C20EFD4ab49E771871DAC54AB0.1324389799.earth.sciencephoto.co.uk@MHS>
Hi,
I noticed on our company http server that I had a lot of 'probes'. My
logwatch file (text-mode) is 3+MB and rising. I have thousands of
entries in my logwatch reports:
A total of 5711 sites probed the server
I'm not sure what the above probes are. Any help in understanding the
above would be appreciated.
I also have several entries like this:
A total of 4 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
/images/?option=com_sectionex&controller=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
/?
I believe these are php exploits.
To help secure the server, I installed UFW, enabled and allowed HTTP,
HTTPS and SSH. I then monitored the logs to see what was happening. What
I am not clear on is what service the log entries below refer to.
Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
I am getting an entry like this every 20-30 seconds. Can anyone tell me
what service/port is being blocked in the above log entries?
Below are the rules at the moment.
Thanks in advance,
Dermot
Chain ufw-user-input (1 references)
 pkts   bytes target prot opt in  out source           destination
29164 1620981 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   tcp dpt:80 /* 'dapp_Apache' */
 5151  299728 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   multiport dports 80,443 /* 'dapp_Apache%20Full' */
    3     180 ACCEPT tcp  --  *   *   0.0.0.0/0        0.0.0.0/0   tcp dpt:22 /* 'dapp_OpenSSH' */
    0       0 REJECT all  --  *   *   220.162.244.251  0.0.0.0/0   reject-with icmp-port-unreachable
    0       0 REJECT all  --  *   *   217.115.199.40   0.0.0.0/0   reject-with icmp-port-unreachable
    0       0 REJECT all  --  *   *   93.84.116.216    0.0.0.0/0   reject-with icmp-port-unreachable
    0       0 REJECT all  --  *   *   85.10.204.194    0.0.0.0/0   reject-with icmp-port-unreachable
    0       0 REJECT all  --  *   *   221.232.155.6    0.0.0.0/0   reject-with icmp-port-unreachable
    0       0 REJECT all  --  *   *   122.255.96.164   0.0.0.0/0   reject-with icmp-port-unreachable
    0       0 REJECT all  --  *   *   77.240.21.131    0.0.0.0/0   reject-with icmp-port-unreachable
    0       0 REJECT all  --  *   *   83.170.79.6      0.0.0.0/0   reject-with icmp-port-unreachable

Chain ufw-user-forward (1 references)
 pkts   bytes target prot opt in  out source           destination

Chain ufw-user-output (1 references)
 pkts   bytes target prot opt in  out source           destination

Chain ufw-user-limit-accept (0 references)
 pkts   bytes target prot opt in  out source           destination
    0       0 ACCEPT all  --  *   *   0.0.0.0/0        0.0.0.0/0

Chain ufw-user-limit (0 references)
 pkts   bytes target prot opt in  out source           destination
    0       0 LOG    all  --  *   *   0.0.0.0/0        0.0.0.0/0   limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
    0       0 REJECT all  --  *   *   0.0.0.0/0        0.0.0.0/0   reject-with icmp-port-unreachable
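As an added example (not part of the mail or its replies), a small Python parser for [UFW BLOCK] lines like the two quoted above that pulls out DPT and the bare TCP flag words: DPT=80 is the HTTP port, and ACK FIN / ACK RST with no SYN marks a late packet from a connection the firewall's state tracking has already forgotten, not a new connection attempt, which is why it is logged even though port 80 is allowed. The sample log text is constructed (the two quoted entries plus one invented SYN to port 23 from a TEST-NET address), and the service table and the "late packet" label are my own choices.

```python
import re
from collections import Counter

# Constructed sample: the two entries quoted in the mail (DST masked as in the
# original) plus one made-up SYN to port 23 from a TEST-NET address, for contrast.
SAMPLE_LOG = """\
Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
Dec 20 13:11:01 myserver kernel: [4808311.356089] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=151.96.254.4 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=44116 PROTO=TCP SPT=58842 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
Dec 20 13:12:07 myserver kernel: [4808377.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=203.0.113.9 DST=217.222.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

SERVICES = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_ufw_line(line):
    """Return SRC, PROTO, DPT and the bare TCP flag words of a [UFW BLOCK] line."""
    if "[UFW BLOCK]" not in line:
        return None
    tail = line.partition("[UFW BLOCK]")[2]
    fields = dict(KV_RE.findall(tail))
    # Flag words (SYN, ACK, FIN, RST ...) carry no '=', so collect them separately.
    flags = [tok for tok in tail.split() if tok in TCP_FLAGS]
    return {"src": fields.get("SRC"), "proto": fields.get("PROTO"),
            "dpt": int(fields["DPT"]) if "DPT" in fields else None,
            "flags": flags}

def classify(entry):
    """Map DPT to a service name and say what kind of blocked packet this is."""
    service = SERVICES.get(entry["dpt"], "unknown")
    if entry["proto"] != "TCP":
        kind = "non-TCP"
    elif "SYN" in entry["flags"]:
        kind = "new connection attempt"
    else:
        # No SYN: a FIN/RST/ACK straggler from a connection the state tracker has
        # already forgotten, so it fails the ESTABLISHED match even on an open port.
        kind = "late packet from closed connection"
    return service, kind

def summarize(log_text):
    """Count blocked packets per (service, kind) over a block of syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        if entry:
            counts[classify(entry)] += 1
    return counts
```

Since ufw-user-input is evaluated top to bottom, the per-host REJECT rules listed after the ACCEPT rules never see port 80, 443 or 22 traffic, which matches their zero packet counts.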