Lots of stuff in ufw log yet server seems to be running okay
Folks:
I have a server with owncast from the Linode marketplace running. I used the caddy webserver procedure for securing owncast so that it can be accessed using https; all this seems to be running okay. I also use a non-standard port for ssh.
I set up ufw to only allow the rtmp port, the https port, and my non-standard ssh port.
I can ssh using my ssh port okay. All owncast stuff seems to be running okay.
Yet I get lots of stuff happening in the log that appears something like:
Nov 10 18:45:20 streamer kernel: [ 488.875168] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:04:c5:a4:e8:4f:c1:08:00 SRC=79.124.62.78 DST=104.237.154.4 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=52549 PROTO=TCP SPT=57644 DPT=33895 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 18:45:45 streamer kernel: [ 513.156259] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:04:c5:a4:e8:4f:c1:08:00 SRC=198.199.94.224 DST=104.237.154.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP SPT=46250 DPT=1911 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 10 18:45:57 streamer kernel: [ 525.839526] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:00:26:98:02:ab:c1:08:00 SRC=51.15.244.101 DST=104.237.154.4 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=56386 PROTO=TCP SPT=44112 DPT=25405 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 18:46:27 streamer kernel: [ 555.424899] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:04:c5:a4:e8:4f:c1:08:00 SRC=120.26.47.226 DST=104.237.154.4 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=42136 DF PROTO=TCP SPT=51496 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 10 18:46:38 streamer kernel: [ 566.761956] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:00:26:98:02:ab:c1:08:00 SRC=85.208.136.108 DST=104.237.154.4 LEN=40 TOS=0x08 PREC=0x20 TTL=238 ID=54321 PROTO=TCP SPT=38399 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 10 18:46:57 streamer kernel: [ 585.556371] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:00:26:98:02:ab:c1:08:00 SRC=5.188.206.6 DST=104.237.154.4 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=50822 PROTO=TCP SPT=46291 DPT=47313 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 18:47:18 streamer kernel: [ 606.670248] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:00:26:98:02:ab:c1:08:00 SRC=52.73.169.169 DST=104.237.154.4 LEN=76 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=UDP SPT=58836 DPT=123 LEN=56
Nov 10 18:47:38 streamer kernel: [ 626.513527] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:00:26:98:02:ab:c1:08:00 SRC=89.248.165.51 DST=104.237.154.4 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=39075 PROTO=TCP SPT=41866 DPT=10340 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 18:47:56 streamer kernel: [ 644.854437] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:04:c5:a4:e8:4f:c1:08:00 SRC=35.245.82.188 DST=104.237.154.4 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=20099 DF PROTO=TCP SPT=10766 DPT=80 WINDOW=42600 RES=0x00 SYN URGP=0
Is this stuff I can ignore? Also, it seems to make my Lish console useless.
Thank you
Mark Allyn
5 Replies
Is this stuff I can ignore?
Yep… this is all stuff your firewall has BLOCKED. You're getting these messages because ufw has implemented a LOG rule along with the REJECT rule…so that all rejected packets are logged.
Just taking a random sample of the SRC addresses:
- 79.124.62.78 is in the Seychelles (prob a Russian/Chinese proxy).
- 120.26.47.226 is in China (belongs to AliBaba -- the Chinese Google).
- 52.73.169.169 belongs to Amazon (AWS).
- 35.245.82.188 belongs to Google (Google Cloud).
Also, it seems to make my Lish console useless.
The price of safety… See here if you want to stop this. DANGER WILL ROBINSON! This involves setting sysctl values (kernel runtime parameters)…which may have unintended side effects!
I hope you have IPv6 rules too.
-- sw
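An added example to go with Mark's log lines and sw's point that these are ordinary blocked-and-logged packets (this script is mine, not code from the thread, from Linode or from ufw itself). It parses [UFW BLOCK] lines, tallies them by destination port and source address, and flags the one case that actually deserves a look: a TCP SYN blocked on a port you believe is open, which means the allow rule did not match that packet (an allow rule written with an IPv4 address, for instance, does not cover IPv6, which is the "IPv6 rules" point above). Assumptions: the allowed ports are rtmp 1935, https 443 and a hypothetical non-standard ssh port 2222 (Mark did not state his); the five IPv4 lines are copied from the post, the IPv6 line is constructed here using the 2001:db8::/32 documentation prefix.

```python
import re
import sys
from collections import Counter

# Constructed sample input: five of the [UFW BLOCK] lines from the post above,
# plus one IPv6 line invented here (2001:db8::/32 documentation prefix) so the
# parser is exercised on both address families. Not real traffic from the server.
SAMPLE_LOG = """\
Nov 10 18:45:20 streamer kernel: [ 488.875168] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:04:c5:a4:e8:4f:c1:08:00 SRC=79.124.62.78 DST=104.237.154.4 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=52549 PROTO=TCP SPT=57644 DPT=33895 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 10 18:46:27 streamer kernel: [ 555.424899] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:04:c5:a4:e8:4f:c1:08:00 SRC=120.26.47.226 DST=104.237.154.4 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=42136 DF PROTO=TCP SPT=51496 DPT=6379 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 10 18:46:38 streamer kernel: [ 566.761956] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:00:26:98:02:ab:c1:08:00 SRC=85.208.136.108 DST=104.237.154.4 LEN=40 TOS=0x08 PREC=0x20 TTL=238 ID=54321 PROTO=TCP SPT=38399 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 10 18:47:18 streamer kernel: [ 606.670248] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:00:26:98:02:ab:c1:08:00 SRC=52.73.169.169 DST=104.237.154.4 LEN=76 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=UDP SPT=58836 DPT=123 LEN=56
Nov 10 18:47:56 streamer kernel: [ 644.854437] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:04:c5:a4:e8:4f:c1:08:00 SRC=35.245.82.188 DST=104.237.154.4 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=20099 DF PROTO=TCP SPT=10766 DPT=80 WINDOW=42600 RES=0x00 SYN URGP=0
Nov 10 18:48:10 streamer kernel: [ 658.000000] [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:93:c9:f9:51:00:26:98:02:ab:c1:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=40 TC=0 HOPLIMIT=50 FLOWLBL=0 PROTO=TCP SPT=44444 DPT=1935 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Assumption (the thread gives no port numbers): rtmp 1935, https 443 and a
# hypothetical non-standard ssh port 2222 are the three ports the poster opened.
ALLOWED_PORTS = {1935, 443, 2222}

# Well-known services for a few ports that show up in everyday scanner noise.
SERVICE_NAMES = {23: "telnet", 80: "http", 123: "ntp", 443: "https", 1935: "rtmp", 6379: "redis"}

BLOCK_RE = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.+)$")


def parse_ufw_block(line):
    """Return the KEY=VALUE fields of one [UFW BLOCK] line as a dict, or None.

    Bare flags (DF, SYN, ACK, ...) map to True. For UDP the kernel prints LEN
    twice (IP length, then UDP length); the later value wins, which is fine here.
    """
    m = BLOCK_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields


def summarize(log_text, allowed_ports=ALLOWED_PORTS):
    """Count blocked packets by (proto, dport) and by source, and collect anomalies.

    A block on a port you intended to open is only interesting when it is a TCP
    SYN: a stray non-SYN packet on an open port is usually a stale connection
    ufw drops as conntrack INVALID, but a dropped SYN means the allow rule did
    not match (e.g. an allow rule written with an IPv4 address never covers IPv6).
    """
    by_port, by_src, families = Counter(), Counter(), Counter()
    anomalies = []
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if f is None or "DPT" not in f:
            continue  # not a block line, or a protocol without ports (ICMP)
        dport = int(f["DPT"])
        proto = f.get("PROTO", "?")
        by_port[(proto, dport)] += 1
        by_src[f["SRC"]] += 1
        families["ipv6" if ":" in f["SRC"] else "ipv4"] += 1
        if dport in allowed_ports and proto == "TCP" and f.get("SYN") is True:
            anomalies.append((f["SRC"], proto, dport))
    return {"by_port": by_port, "by_src": by_src, "families": families, "anomalies": anomalies}


def report(summary):
    """Human-readable version of summarize()'s result, busiest ports first."""
    lines = []
    for (proto, dport), n in sorted(summary["by_port"].items(), key=lambda kv: -kv[1]):
        lines.append(f"{n:4d}  {proto}/{dport} ({SERVICE_NAMES.get(dport, 'unassigned/random')})")
    lines.append(f"address families: {dict(summary['families'])}")
    lines.append(f"distinct sources: {len(summary['by_src'])}")
    for src, proto, dport in summary["anomalies"]:
        lines.append(f"CHECK RULES: SYN from {src} blocked on allowed port {proto}/{dport}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe a real log in (e.g. `python3 ufw_summary.py < /var/log/ufw.log`);
    # with no input on stdin the constructed sample above is used instead.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(report(summarize(text)))
```

Everything this prints except a CHECK RULES line is the background noise sw describes: probes at telnet, redis, ntp, http and random high ports from addresses that will never be reachable through the rules. The CHECK RULES line is the signal worth acting on, because it says the firewall is not letting in something you intended to let in.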
Hi,
The log entries you posted appear to be ufw blocking connections to ports that are unavailable, since you've only allowed certain things. It's fine to ignore these entries, which will occur whenever you have any server connected to the public internet, given the number of bots and other programs running on various computers, attempting to access things on any public servers they can.
I found a community post about ufw entries in the Lish console. This might be of help to you.
Good luck,
Blake
Thank you, all. If this is indeed someone trying to get into this machine without my permission, would it be prudent for me to forward these to AWS and Google as appropriate, and to whatever law enforcement; and if so, would it be local police or at the federal level?
I thought that the Computer Fraud And Abuse Act would cover this, or does anyone care about that anymore?
Or do you folk at Linode have a relationship with appropriate law enforcement therefore I should not worry about this?
Thank you
Mark Allyn
Thank you, all. If this is indeed someone trying to get into this machine without my permission, would it be prudent for me to forward these to AWS and Google as appropriate, and to whatever law enforcement; and if so, would it be local police or at the federal level?
You can… Don't be surprised at the underwhelming response though. This happens probably about as many times a day as there are stars in the universe.
The Russians and Chinese particularly don't care. BS such as this is part of their normal foreign policy. Let me know if you even get a response from the abuse@… email address. You will have had better luck than me in the 20+ years I've been at this…
I can tell you from experience that Google and AWS don't care either…even though their customers' actions may be illegal.
I'm reminded of some song lyrics:
See it in the headlines
You hear it every day
They say they're gonna stop it
But it doesn't go away
-- Glenn Frey, Smuggler's Blues
It's the ones that get through that you have to worry about. The kind of stuff you presented is part of the background noise of the universe (trust me on this). It probably started seconds after you spun up your Linode…
You just have to be careful…very, very careful!
-- sw