ufw log files

I see these in my /var/log/ufw.log file

Feb 17 06:25:42 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.83.61.33 DST=178.79.166.61 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=49204 DF PROTO=TCP SPT=32858 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 06:57:53 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.198.109.232 DST=178.79.166.61 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31963 DF PROTO=TCP SPT=54030 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 07:27:00 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.239.224.217 DST=178.79.166.61 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=33001 DF PROTO=TCP SPT=4316 DPT=23 WINDOW=5808 RES=0x00 CWR ECE SYN URGP=0
Feb 17 08:02:01 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=61.235.46.146 DST=178.79.166.61 LEN=404 TOS=0x00 PREC=0x00 TTL=115 ID=38879 PROTO=UDP SPT=2041 DPT=1434 LEN=384
Feb 17 08:11:12 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.26.1.0 DST=178.79.166.61 LEN=56 TOS=0x00 PREC=0x00 TTL=55 ID=32543 DF PROTO=TCP SPT=48303 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 08:12:12 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=95.102.170.179 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=33 ID=20689 DF PROTO=TCP SPT=2558 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:12:15 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=95.102.170.179 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=33 ID=21323 DF PROTO=TCP SPT=2558 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:17:36 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.79.52.191 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=57232 DF PROTO=TCP SPT=1760 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:17:39 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.79.52.191 DST=178.79.166.61 LEN=64 TOS=0x00 PREC=0x00 TTL=37 ID=57610 DF PROTO=TCP SPT=1760 DPT=135 WINDOW=53760 RES=0x00 SYN URGP=0
Feb 17 08:52:06 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=178.83.16.176 DST=178.79.166.61 LEN=56 TOS=0x00 PREC=0x00 TTL=54 ID=31272 DF PROTO=TCP SPT=37127 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 08:56:50 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29831 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 08:56:51 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29853 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 08:56:54 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29897 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 08:57:00 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=29973 PROTO=UDP SPT=16474 DPT=551 LEN=41
Feb 17 08:58:27 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=31176 PROTO=UDP SPT=47599 DPT=551 LEN=41
Feb 17 08:58:28 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=31186 PROTO=UDP SPT=47599 DPT=551 LEN=41
Feb 17 08:58:31 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=31240 PROTO=UDP SPT=47599 DPT=551 LEN=41
Feb 17 08:58:37 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=31323 PROTO=UDP SPT=47599 DPT=551 LEN=41
Feb 17 09:01:16 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=95 TOS=0x00 PREC=0x00 TTL=115 ID=33257 PROTO=UDP SPT=36112 DPT=551 LEN=75
Feb 17 09:03:19 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=34623 PROTO=UDP SPT=11325 DPT=551 LEN=41
Feb 17 09:03:20 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=34626 PROTO=UDP SPT=11325 DPT=551 LEN=41
Feb 17 09:03:23 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=34660 PROTO=UDP SPT=11325 DPT=551 LEN=41
Feb 17 09:03:29 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.7.61 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=115 ID=34712 PROTO=UDP SPT=11325 DPT=551 LEN=41
Feb 17 09:16:38 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=44537 DF PROTO=TCP SPT=20349 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:16:41 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=44566 DF PROTO=TCP SPT=20349 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:16:47 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=44629 DF PROTO=TCP SPT=20349 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:17:46 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=175.181.106.193 DST=178.79.166.61 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=56947 DF PROTO=TCP SPT=1510 DPT=1080 WINDOW=512 RES=0x00 SYN URGP=0
Feb 17 09:17:52 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=7815 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:17:54 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=7847 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:17:57 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=7900 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:18:03 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=8061 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:19:34 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=46531 DF PROTO=TCP SPT=19992 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:19:34 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=10234 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:19:36 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=10263 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:19:37 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=46562 DF PROTO=TCP SPT=19992 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:19:39 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=10332 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:19:43 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=46626 DF PROTO=TCP SPT=19992 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:19:45 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=10452 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:20:23 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=95 TOS=0x00 PREC=0x00 TTL=117 ID=11311 PROTO=UDP SPT=12157 DPT=551 LEN=75
Feb 17 09:24:20 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50378 DF PROTO=TCP SPT=54088 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:24:23 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50411 DF PROTO=TCP SPT=54088 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:24:29 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=195.161.25.61 DST=178.79.166.61 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50480 DF PROTO=TCP SPT=54088 DPT=551 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 17 09:25:31 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=18150 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:25:33 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=18171 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:25:36 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=18227 PROTO=UDP SPT=12157 DPT=551 LEN=41
Feb 17 09:25:42 plato kernel: [UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:b2:4f:a6:3d:88:43:e1:a3:fa:7f:08:00 SRC=188.162.153.71 DST=178.79.166.61 LEN=61 TOS=0x00 PREC=0x00 TTL=117 ID=18333 PROTO=UDP SPT=12157 DPT=551 LEN=41

Can anyone tell me what they mean? Is someone doing a scan on my ports?

9 Replies

There is no Linode monitoring, so no.

Those are somewhat like an electric meter on a house. They report how much the node has consumed, but not what consumed it within the node or anything like that. (They also work with any OS, even non-Linux-based ones.)

It's iptables logging, so it goes through kernel logging and syslog, which have various ways to deal with crazy loggers. By default, ufw uses a 'low' logging level, which

> logs all blocked packets not matching the default policy (with rate limiting), as well as packets matching logged rules

So it shouldn't generally be logging a whole heck of a lot by default (if the default policy is 'deny' and there's no specifically-logged rules). It can, of course, be configured to the administrator's wishes.

It's the normal brute-force attack attempts that any Internet-connected host gets. In itself, no reason to be concerned. If you're interested in what services they're trying to connect to, look up the "DPT=###" port number on this list.

I thought it was some kind of monitoring from linode.

Do I have to enable anything in the firewall to enable linode monitoring?

And how do you get all the graphs in the linode manager then?

Wait, UFW logs every dropped packet, and it spends 244 bytes to log a dropped 40 byte packet? That seems excessive. That degree of amplification makes it trivially easy to max out the disk IO of a box running UFW, not to mention filling the disks incredibly fast.

Seems like a dumb move on UFW's part…

It wasn't the typical scenario I was thinking about, but the attack vector scenario. If somebody decides to send you a chunk of blocked traffic, your log files would fill up fast.

@Guspaz:

It wasn't the typical scenario I was thinking about, but the attack vector scenario. If somebody decides to send you a chunk of blocked traffic, your log files would fill up fast.
It may have been tuned a little differently in the latest version (I'm still on 8.04) but my ufw-generated LOG rules use rate-limiting (as hoopycat mentioned) with a limit of "avg 3/min burst 10", so it's not really going to log very much even with a targeted attack.

– David

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct