Flooded with firewall rules?
====
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=71.34.61.229 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=46032 DF PROTO=TCP SPT=2915 DPT=2222 WINDOW=16384 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=63687 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=64210 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=65225 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
====
Can anybody help me decipher what is going on here? Are we under attack, or is this something else? Whatever is going on prevents all web traffic, though I'm still able to SSH into the machine.
I know my way around the server fairly well, but I'm no expert especially with firewall config. I set it up on day one, and have not touched it since.
Any advice would be very appreciated, thanks.
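The post above asks what the `[UFW BLOCK]` lines mean. Each one records a packet that ufw dropped: `SRC`/`DST` are the endpoints, `PROTO` and `DPT` the protocol and destination port, and the bare `SYN` token marks a new-connection attempt that the firewall refused. The parser below is an added example, not code from this thread; it aggregates the four quoted lines by source and port so the useful questions can be answered from the data: is one source hitting many ports (a scan) or the same port repeatedly, and is the web port among the blocked ports at all. The `scan_threshold` value and the labels are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed sample input: the four "[UFW BLOCK]" lines quoted in the post above.
SAMPLE_UFW_LOG = """\
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=71.34.61.229 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=46032 DF PROTO=TCP SPT=2915 DPT=2222 WINDOW=16384 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=63687 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=64210 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=fe:fd:42:e4:37:bc:c8:4c:75:f5:c4:ff:08:00 SRC=110.82.208.111 DST=66.228.55.188 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=65225 DF PROTO=TCP SPT=3873 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_ufw_line(line):
    """Split one '[UFW BLOCK]' line into a dict of KEY=VALUE fields.
    Bare tokens such as DF or SYN are collected under 'FLAGS'.
    Returns None for lines that are not UFW block records."""
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split(marker, 1)[1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # "OUT=" yields an empty string
        else:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def summarize(log_text):
    """Count blocked packets per (source IP, protocol, destination port)
    and record which destination ports each source touched."""
    hits = Counter()
    ports_per_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None:
            continue
        key = (rec["SRC"], rec.get("PROTO", "?"), rec.get("DPT", "?"))
        hits[key] += 1
        ports_per_src[rec["SRC"]].add(rec.get("DPT", "?"))
    return hits, ports_per_src


def describe(hits, ports_per_src, scan_threshold=5):
    """Label each source: a 'scan' touches many distinct ports, a 'repeat'
    keeps hitting the same port, anything else is a single blocked packet.
    The threshold is an assumption of this example."""
    labels = {}
    for src, ports in ports_per_src.items():
        total = sum(n for (s, _, _), n in hits.items() if s == src)
        if len(ports) >= scan_threshold:
            labels[src] = "scan"
        elif total > 1:
            labels[src] = "repeat"
        else:
            labels[src] = "single"
    return labels


def blocked_ports(hits):
    """Set of destination ports present in the blocked records. If the port
    your service listens on (80/443 for a web server) is not in this set,
    these lines are not what is stopping your web traffic."""
    return {dpt for (_, _, dpt) in hits}


if __name__ == "__main__":
    hits, per_src = summarize(SAMPLE_UFW_LOG)
    for (src, proto, dpt), n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{src:>16} {proto} dpt={dpt:<5} blocked={n}")
    print("labels:", describe(hits, per_src))
    print("web port 80 among blocked ports:", "80" in blocked_ports(hits))
```

Run against the quoted lines, the summary shows one source blocked once on port 2222 and one source blocked three times on port 25 (SMTP), and no blocked packets for port 80 at all; the web outage therefore has to be explained by something other than these records, which is the same conclusion the first reply reaches by connecting to port 80 directly.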
5 Replies
Define "being flooded"… how many per second? What does "ufw status" say? (Does it say that HTTP is allowed?)
It doesn't look like an attack, and I can connect to port 80 on 66.228.55.188 just fine from here…
You can get to the server now, because I rebooted.
But the flood continues, and there are several new attempts once per second.
I am watching them come in live; one IP will make repeated attempts.
Then I block it in my iptables, they pause, and start back up with another IP. I block it, rinse and repeat.
I'm assuming I'm fighting an army of netbots of some sort, all of the IPs are completely different.
Short of sitting here fighting them off one-by-one, what can I do here?
Thanks!
==========================
Apr 17 20:36:27 electricjet sshd[7816]: Failed password for root from 82.147.114.22 port 60619 ssh2
Apr 17 20:36:29 electricjet sshd[7818]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 20:36:29 electricjet sshd[7818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.147.114.22 user=root
Apr 17 20:36:31 electricjet sshd[7818]: Failed password for root from 82.147.114.22 port 60774 ssh2
Apr 17 20:36:33 electricjet sshd[7820]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 20:36:33 electricjet sshd[7820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.147.114.22 user=root
Apr 17 20:36:35 electricjet sshd[7820]: Failed password for root from 82.147.114.22 port 60931 ssh2
Apr 17 20:36:37 electricjet sshd[7822]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
===========================
I just banned the IP that shows up in the reverse mapping:
82.147.114.22
I'm kind of figuring all of this out on the fly here so if anybody has any good advice on how to stop this I'm all ears.
Edit:
Okay that worked for a while, but they have started up again.
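The sshd lines quoted above are a password-guessing run against `root`: three `Failed password` records from the same address four seconds apart, each accompanied by a `pam_unix` authentication-failure line and a reverse-DNS mismatch warning. Banning that address by hand, as the post describes, is exactly the loop that fail2ban automates. The following is an added example, not code from this thread or from fail2ban: it counts `Failed password` records per source inside a sliding time window and reports an address once it crosses a threshold, rendering the matching ufw command as text rather than running it. The window and threshold values, the placeholder year (syslog timestamps carry none) and the choice to count only `Failed password` lines are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the sshd lines quoted in the post above. The year is an
# assumption, since syslog timestamps do not include one.
SAMPLE_AUTH_LOG = """\
Apr 17 20:36:27 electricjet sshd[7816]: Failed password for root from 82.147.114.22 port 60619 ssh2
Apr 17 20:36:29 electricjet sshd[7818]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 20:36:29 electricjet sshd[7818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.147.114.22 user=root
Apr 17 20:36:31 electricjet sshd[7818]: Failed password for root from 82.147.114.22 port 60774 ssh2
Apr 17 20:36:33 electricjet sshd[7820]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 17 20:36:33 electricjet sshd[7820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.147.114.22 user=root
Apr 17 20:36:35 electricjet sshd[7820]: Failed password for root from 82.147.114.22 port 60931 ssh2
Apr 17 20:36:37 electricjet sshd[7822]: reverse mapping checking getaddrinfo for 22.114.147.82.nexcom.ru [82.147.114.22] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

# Matches both "Failed password for root from ..." and the
# "Failed password for invalid user NAME from ..." variant sshd logs.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2000):
    """Yield (timestamp, user, ip) for each 'Failed password' record.
    Only these lines are counted: the pam_unix and reverse-mapping lines
    describe the same attempts and would double-count them."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def ban_candidates(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Sliding-window failure count per source IP. Each IP is reported at
    most once, at the moment its failures inside `window` reach
    `max_failures`. Returns {ip: timestamp_of_decision}."""
    recent = defaultdict(deque)
    reported = {}
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in reported:
            reported[ip] = ts
    return reported


def ufw_rules(reported):
    """Render, but do not execute, one ufw command per reported source.
    'insert 1' places the deny rule ahead of the existing allow rules so it
    takes effect before the rule that admits SSH."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in sorted(reported)]


if __name__ == "__main__":
    decisions = ban_candidates(SAMPLE_AUTH_LOG)
    for ip, when in decisions.items():
        print(f"{ip} reached the threshold at {when:%b %d %H:%M:%S}")
    for cmd in ufw_rules(decisions):
        print(cmd)
```

On the quoted log the single source reaches three failures at 20:36:35 and one deny rule is produced. Two things this toy loop does not do, and fail2ban does: expire bans after a set time so the rule table does not grow without bound, and tail the log continuously instead of reading a static file. Whatever does the banning, the durable fix for this specific log is to stop password guessing from being possible at all: `PermitRootLogin no` and `PasswordAuthentication no` in `sshd_config`, with key-based logins for the accounts that need shell access.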
I also do something similar for Apache to block http requests from offending sites (a script which looks for phrases like phpmyadmin, proxyheader.php, etc in /var/log/apache2/error.log and adds a new DenyFrom entry to /var/www/.htaccess). Takes care of assaults on ssh and http(s) ports.