On Thu, 2011-12-22 at 21:28 +0530, Saurabh Bathe wrote:
> On Tuesday 20 December 2011 07:33 PM, Dermot Paikkos wrote:
> > Chain ufw-user-limit (0 references)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
>
> I would say the rule above *could* be suspect, which would log anything
> that it catches. Depending on where in the filter it is being
> referenced, it may be catching those packets. I cannot say definitively
> without actually seeing the whole iptables -nL output.
>
> Thanks,
> Saurabh
It's not blocked, it's limited to 3 packets per minute, with a burst of
5. Only when this limit is reached is the connection blocked and the
event logged with the [UFW LIMIT BLOCK] prefix. So you may want to check
your syslog (or whatever logging system you are using) for this prefix.
While this doesn't prevent users from connecting to your server, it can
affect legitimate traffic.
What you need is an IDS (either ModSecurity for Apache [1] and/or OSSEC
[2] - but hey, strong tweaking is necessary for both of them in order
to work as desired - you have been warned :) )
[1] http://www.modsecurity.org/
[2] http://www.ossec.net/
P.S. There is a good howto for mod_security on Ubuntu (I presume you are
using Ubuntu) here:
http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/
HTH
--
Calin
Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857
=================================================
What an artist dies with me! -- Nero
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
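As an added example (not part of the thread above, and not ufw's own tooling), the following POSIX shell snippet does the check Calin suggests: it pulls the `[UFW LIMIT BLOCK]` events out of syslog-style kernel log lines and summarises them by source address and destination port, so you can see whether the limit chain is hitting legitimate clients. The log lines embedded in `SAMPLE_LOG` are constructed for illustration; the `SRC=`/`DPT=`/`PROTO=` fields follow the standard netfilter LOG target format, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise "[UFW LIMIT BLOCK]" events from syslog-style
# kernel log lines. The sample below is constructed; on a real host you
# would feed /var/log/syslog (or journalctl -k output) instead.
SAMPLE_LOG='Dec 20 19:31:02 web1 kernel: [12345.678901] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 20 19:31:05 web1 kernel: [12348.112233] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 20 19:31:09 web1 kernel: [12352.445566] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 20 19:31:40 web1 kernel: [12383.778899] [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.200 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=60001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# limit_block_summary: read log text on stdin and print one line per
# (source, dport) pair as "count src dpt", most frequent first.
# Plain "[UFW BLOCK]" lines are deliberately excluded: only the LIMIT
# chain's prefix tells you the rate limit itself rejected the connection.
limit_block_summary() {
    grep -F '[UFW LIMIT BLOCK]' |
    sed -n 's/.* SRC=\([^ ]*\) .* DPT=\([0-9]*\) .*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2, $3 }'
}

# limit_block_count: number of LIMIT BLOCK events from one source address.
# grep -c exits 1 when the count is zero, so "|| true" keeps the function
# usable under "set -e".
limit_block_count() {
    grep -F '[UFW LIMIT BLOCK]' | grep -c "SRC=$1 " || true
}

# Stand-alone run over the constructed sample. On a real host:
#   grep -F '[UFW LIMIT BLOCK]' /var/log/syslog | limit_block_summary
printf '%s\n' "$SAMPLE_LOG" | limit_block_summary
```

A source that shows up repeatedly against port 22 is either a brute-forcer (the case `ufw limit` is meant for) or a legitimate user whose monitoring or automation reconnects faster than the limit allows; the `[UFW LIMIT BLOCK]` prefix separates those events from ordinary `[UFW BLOCK]` drops so you are not chasing the wrong rule.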