> -----Original Message-----
> On Thu, 2011-12-22 at 21:28 +0530, Saurabh Bathe wrote:
> > On Tuesday 20 December 2011 07:33 PM, Dermot Paikkos wrote:
> > > Chain ufw-user-limit (0 references)
> > >  pkts bytes target     prot opt in     out     source               destination
> > >     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
> >
> > I would say the rule above *could* be suspect, which would log
> > anything that it catches. Depending on where in the filter it is being
> > referenced, it may be catching those packets. I cannot say
> > definitively without actually seeing the whole iptables -nL output.
> >
> > Thanks,
> > Saurabh
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> It's not blocked, it's limited to 3 packets per minute, with a burst
> of 5. Only when this limit is reached is the connection blocked and the
> event logged with the [UFW LIMIT BLOCK] prefix. So you may want to check
> your syslog (or whatever logging system you are using) for this
> prefix. While this doesn't prevent users from connecting to your server,
> it can affect legitimate traffic.
That makes sense given the rules. It must be a default rule as I did not
add it. I was getting one of these blocks every 30 seconds. I'm guessing
this is to protect against DoS attacks.
> What you need is an IDS (either ModSecurity for Apache [1] and/or
> ossec [2] - but hey, strong tweaking is necessary for both of them in
> order to work as desired - you have been warned :) )
I had seen references to modsecurity but ufw seemed like a simpler
solution.
As it turns out, I had to disable ufw yesterday. A user in Switzerland
reported problems connecting. The IP they gave me can't be found in any
of the logs, syslog or httpd, so I assume they do not know their IP
address.
The attempted PHP exploits are down today. Just the one yesterday. I
suspect that might be because the server now correctly returns 404 for
these URLs.
> [1] http://www.modsecurity.org/
> [2] http://www.ossec.net/
>
> P.S. there is a good howto for mod_security on Ubuntu (I presume you
> are using Ubuntu) here:
> http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/
Thanks for the link. I'll have a read.
Thanks all and happy holidays if you're getting one.
Dermot.
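The thread's advice is to grep syslog for the `[UFW LIMIT BLOCK] ` prefix and to read `limit: avg 3/min burst 5` as a token bucket. The script below is an added example, not code from the thread or from ufw itself: it parses the `KEY=VALUE` fields that ufw's LOG target writes to syslog, counts limit-block entries per source address and destination port, answers the "was this user's IP ever logged?" question Dermot raises, and models the `limit` match as the standard token bucket (burst tokens, refilled at avg/60 per second) so the numbers in the rule become concrete. The syslog lines are constructed for the example; the hostnames, addresses and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape ufw's LOG target emits via the
# kernel netfilter logger. Host, addresses and timestamps are made up.
SAMPLE_SYSLOG = """\
Dec 21 09:12:01 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 09:12:31 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51240 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 09:13:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 09:13:40 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=77 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
"""

# ufw prefixes look like "[UFW LIMIT BLOCK] " or "[UFW BLOCK] ", followed by
# the netfilter KEY=VALUE fields (flag words such as DF and SYN carry no "=").
PREFIX_RE = re.compile(r"\[(?P<prefix>UFW [A-Z ]+)\] (?P<fields>.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_ufw_line(line):
    """Return {'prefix': ..., 'IN': ..., 'SRC': ..., ...} for a ufw log line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    rec.update(FIELD_RE.findall(m.group("fields")))  # OUT= yields an empty string
    return rec


def limit_blocks(syslog_text, prefix="UFW LIMIT BLOCK"):
    """Count entries carrying `prefix`, keyed by (source IP, protocol, destination port)."""
    counts = Counter()
    for line in syslog_text.splitlines():
        rec = parse_ufw_line(line)
        if rec and rec["prefix"] == prefix:
            counts[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


def source_seen(syslog_text, ip):
    """True if `ip` appears as SRC under any UFW prefix: the check for a user's reported address."""
    for line in syslog_text.splitlines():
        rec = parse_ufw_line(line)
        if rec and rec.get("SRC") == ip:
            return True
    return False


class LimitMatch:
    """Token-bucket model of the `limit: avg 3/min burst 5` match in the rule.

    Assumption (standard limit-match semantics): the bucket holds at most `burst`
    tokens and refills at avg_per_min/60 tokens per second. A packet that finds a
    token consumes it and matches (here: is logged); one that finds the bucket
    empty does not match.
    """

    def __init__(self, avg_per_min=3, burst=5):
        self.capacity = burst
        self.tokens = float(burst)
        self.refill_per_sec = avg_per_min / 60.0
        self.last = 0.0

    def match(self, t):
        """Offer a packet arriving at time t (seconds, non-decreasing); return whether it matched."""
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.refill_per_sec)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrival_times, avg_per_min=3, burst=5):
    """Run a packet arrival sequence through the limit match; one bool per packet."""
    lm = LimitMatch(avg_per_min, burst)
    return [lm.match(t) for t in arrival_times]


if __name__ == "__main__":
    for (src, proto, dpt), n in limit_blocks(SAMPLE_SYSLOG).most_common():
        print(f"{src:>15} {proto}/{dpt}: {n} limit-block entries")
    print("192.0.2.44 seen in any UFW log line:", source_seen(SAMPLE_SYSLOG, "192.0.2.44"))
    # A burst of 7 at once: the first 5 match, then one more every 20 s on average.
    print(simulate([0] * 7))
```

Run it against a real `/var/log/syslog` by replacing `SAMPLE_SYSLOG` with the file's contents; `source_seen` is the quick way to confirm whether the address a user reports was ever touched by ufw at all, and `limit_blocks` shows which source/port pairs are actually hitting the limit chain.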