Hello, I have an old desktop with Ubuntu server 10.04 LTS. It's being utilized as my home network file server.
UFW is blocking some packets that I thought I was allowing.
I have noticed a lot of the following:
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=ME DST=OUT LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44395 DF PROTO=TCP SPT=55901 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0
How can I figure out which website is sending such an attack?
PHP is running as fast_cgid with CloudLinux.
I would like to know what this is and how I can stop it.
Apr 10 15:30:17 -- kernel: [ 1182.295900] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:5b:f3:c1:00:08:e3:ff:fd:90:08:00 SRC=95.37.189.176 DST=109.123.***.*** LEN=159 TOS=0x00 PREC=0x00 TTL=114 ID=29111 PROTO=UDP SPT=49001 DPT=51413 LEN=139
Apr 10 15:30:37 -- kernel: [ 1202.267330] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:5b:f3:c1:00:08:e3:ff:fd:90
I have my kern.log flooded by these lines:
Jan 4 03:00:57 myhost kernel: [9040601.809740] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=33285 PROTO=UDP SPT=25345 DPT=53 LEN=44
Jan 4 03:01:09 myhost kernel: [9040613.699425] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08
Sep 30 18:20:02 30AA30 kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=b8:ac:6f:99:8e:b2:a8:d0:e5:bf:71:81:08:00 SRC=66.225.232.169 DST=68.68.27.84 LEN=28 TOS=0x00 PREC=0x00 TTL=49 ID=21668 DF PROTO=UDP SPT=48153 DPT=16078 LEN=8
Sep 30 18:20:02 30AA30 kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=b8:ac:6f:99:8e:b2:a8:d0:e5:bf:71:81:08:00 SRC=66.225.232.169 DST=68.68.27.84 LEN=28 TOS=0x00 PREC=0x00 TTL=49
In my iptables rules files, I entered this at the end:
-A INPUT -j LOG --log-level 4 --log-ip-options --log-prefix "iptables: "
I DROP everything besides INPUT for SSH (port 22)
I have a web server and when I try to connect to it through my browser, through a forbidden port number (on purpose), I get something like this in my iptables.log:
Sep 24 14:05:57 myserver kernel: [xx.xx] iptables: IN=
I have installed Virtualmin on a Ubuntu 12.04 server and I'm using LAMP stack with Varnish (:80) in front of Apache (:8000). However, I cannot access https when UFW is enabled.
I need to exclude a given line in the messages file:
Oct 25 04:09:23 SERVERNAME PFILTER-DROP: IN=ifeth4 OUT= MAC=ff:ff:ff:ff:ff:ff:AA:AA:AA:AA:AA:AA:AA:AA SRC=192.168.202.4 DST=192.168.202.255 LEN=238 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32776 DPT=705 LEN=218
Oct 25 04:09:23 SERVERNAME PFILTER-DROP: IN=ifeth4 OUT= MAC=ff:ff:ff:ff:ff:ff:AA:AA:AA:AA:AA:AA:AA:AA SRC=192.168.202.6 DST=19