UFW logs showing suspicious activity












4















I am using UFW and have some rules in action.
My current status for the firewall is as the image below.



ufw



However, I noticed in the log files located at /var/log/ufw.log that there are many incoming requests from IPs that I am not aware. And given the fact that this is a test server recently built, I suspect I am under attack as all the destination requests are heading to a certain IP address. Below is a sample of the log file.



Mar 5   6:25:35 backend1    kernel: SRC=14.184.171.85   DST=138.68.78.215
Mar 5 6:25:48 backend1 kernel: SRC=179.27.81.68 DST=138.68.78.215
Mar 5 6:25:51 backend1 kernel: SRC=104.255.70.247 DST=138.68.78.215
Mar 5 6:26:10 backend1 kernel: SRC=82.162.189.53 DST=138.68.78.215
Mar 5 6:27:01 backend1 kernel: SRC=111.78.66.156 DST=138.68.78.215
Mar 5 6:27:46 backend1 kernel: SRC=196.52.43.51 DST=138.68.78.215
Mar 5 6:29:27 backend1 kernel: SRC=24.41.189.148 DST=138.68.78.215
Mar 5 6:30:36 backend1 kernel: SRC=24.41.211.202 DST=138.68.78.215
Mar 5 6:33:22 backend1 kernel: SRC=80.82.70.26 DST=138.68.78.215
Mar 5 6:34:42 backend1 kernel: SRC=178.245.183.28 DST=138.68.78.215
Mar 5 6:38:26 backend1 kernel: SRC=221.194.44.229 DST=138.68.78.215
Mar 5 6:38:44 backend1 kernel: SRC=80.201.117.228 DST=138.68.78.215
Mar 5 6:39:40 backend1 kernel: SRC=177.135.11.3 DST=138.68.78.215
Mar 5 6:40:06 backend1 kernel: SRC=183.217.28.46 DST=138.68.78.215
Mar 5 6:40:48 backend1 kernel: SRC=110.77.72.212 DST=138.68.78.215
Mar 5 6:41:26 backend1 kernel: SRC=195.154.237.46 DST=138.68.78.215


Is this normal?










share|improve this question

























  • This is what that IP belongs to db-ip.com/138.68.78.215 it is not normal, if you have no association with Digital Ocean, block it

    – Mark Kirby
    Mar 8 '17 at 11:11











  • @MarkKirby, I have association with the address, but I am worried about the huge number of requests coming from unknown addresses.

    – tony9099
    Mar 8 '17 at 11:18











  • In that case, it may be better to ask them directly here digitalocean.com/community/questions

    – Mark Kirby
    Mar 8 '17 at 11:20






  • 2





    What you are observing is normal. Any externally facing device will always be probed by a variety of bad people wanting to do bad stuff.

    – Doug Smythies
    Mar 8 '17 at 15:24






  • 1





    You could utilise tcpdump to at least get a better picture on the activity sudo tcpdump -i <interface> -X > /root/log.txt should do the trick. For more....man tcpdump. Might also be a good idea to install both network based and host based IDS.

    – user633551
    Mar 8 '17 at 16:17
















4















I am using UFW and have some rules in action.
My current status for the firewall is as the image below.



ufw



However, I noticed in the log files located at /var/log/ufw.log that there are many incoming requests from IPs that I am not aware. And given the fact that this is a test server recently built, I suspect I am under attack as all the destination requests are heading to a certain IP address. Below is a sample of the log file.



Mar 5   6:25:35 backend1    kernel: SRC=14.184.171.85   DST=138.68.78.215
Mar 5 6:25:48 backend1 kernel: SRC=179.27.81.68 DST=138.68.78.215
Mar 5 6:25:51 backend1 kernel: SRC=104.255.70.247 DST=138.68.78.215
Mar 5 6:26:10 backend1 kernel: SRC=82.162.189.53 DST=138.68.78.215
Mar 5 6:27:01 backend1 kernel: SRC=111.78.66.156 DST=138.68.78.215
Mar 5 6:27:46 backend1 kernel: SRC=196.52.43.51 DST=138.68.78.215
Mar 5 6:29:27 backend1 kernel: SRC=24.41.189.148 DST=138.68.78.215
Mar 5 6:30:36 backend1 kernel: SRC=24.41.211.202 DST=138.68.78.215
Mar 5 6:33:22 backend1 kernel: SRC=80.82.70.26 DST=138.68.78.215
Mar 5 6:34:42 backend1 kernel: SRC=178.245.183.28 DST=138.68.78.215
Mar 5 6:38:26 backend1 kernel: SRC=221.194.44.229 DST=138.68.78.215
Mar 5 6:38:44 backend1 kernel: SRC=80.201.117.228 DST=138.68.78.215
Mar 5 6:39:40 backend1 kernel: SRC=177.135.11.3 DST=138.68.78.215
Mar 5 6:40:06 backend1 kernel: SRC=183.217.28.46 DST=138.68.78.215
Mar 5 6:40:48 backend1 kernel: SRC=110.77.72.212 DST=138.68.78.215
Mar 5 6:41:26 backend1 kernel: SRC=195.154.237.46 DST=138.68.78.215


Is this normal?










share|improve this question

























  • This is what that IP belongs to db-ip.com/138.68.78.215 it is not normal, if you have no association with Digital Ocean, block it

    – Mark Kirby
    Mar 8 '17 at 11:11











  • @MarkKirby, I have association with the address, but I am worried about the huge number of requests coming from unknown addresses.

    – tony9099
    Mar 8 '17 at 11:18











  • In that case, it may be better to ask them directly here digitalocean.com/community/questions

    – Mark Kirby
    Mar 8 '17 at 11:20






  • 2





    What you are observing is normal. Any externally facing device will always be probed by a variety of bad people wanting to do bad stuff.

    – Doug Smythies
    Mar 8 '17 at 15:24






  • 1





    You could utilise tcpdump to at least get a better picture on the activity sudo tcpdump -i <interface> -X > /root/log.txt should do the trick. For more....man tcpdump. Might also be a good idea to install both network based and host based IDS.

    – user633551
    Mar 8 '17 at 16:17














4












4








4








I am using UFW and have some rules in action.
My current status for the firewall is as the image below.



ufw



However, I noticed in the log files located at /var/log/ufw.log that there are many incoming requests from IPs that I am not aware. And given the fact that this is a test server recently built, I suspect I am under attack as all the destination requests are heading to a certain IP address. Below is a sample of the log file.



Mar 5   6:25:35 backend1    kernel: SRC=14.184.171.85   DST=138.68.78.215
Mar 5 6:25:48 backend1 kernel: SRC=179.27.81.68 DST=138.68.78.215
Mar 5 6:25:51 backend1 kernel: SRC=104.255.70.247 DST=138.68.78.215
Mar 5 6:26:10 backend1 kernel: SRC=82.162.189.53 DST=138.68.78.215
Mar 5 6:27:01 backend1 kernel: SRC=111.78.66.156 DST=138.68.78.215
Mar 5 6:27:46 backend1 kernel: SRC=196.52.43.51 DST=138.68.78.215
Mar 5 6:29:27 backend1 kernel: SRC=24.41.189.148 DST=138.68.78.215
Mar 5 6:30:36 backend1 kernel: SRC=24.41.211.202 DST=138.68.78.215
Mar 5 6:33:22 backend1 kernel: SRC=80.82.70.26 DST=138.68.78.215
Mar 5 6:34:42 backend1 kernel: SRC=178.245.183.28 DST=138.68.78.215
Mar 5 6:38:26 backend1 kernel: SRC=221.194.44.229 DST=138.68.78.215
Mar 5 6:38:44 backend1 kernel: SRC=80.201.117.228 DST=138.68.78.215
Mar 5 6:39:40 backend1 kernel: SRC=177.135.11.3 DST=138.68.78.215
Mar 5 6:40:06 backend1 kernel: SRC=183.217.28.46 DST=138.68.78.215
Mar 5 6:40:48 backend1 kernel: SRC=110.77.72.212 DST=138.68.78.215
Mar 5 6:41:26 backend1 kernel: SRC=195.154.237.46 DST=138.68.78.215


Is this normal?










share|improve this question
















I am using UFW and have some rules in action.
My current status for the firewall is as the image below.



ufw



However, I noticed in the log files located at /var/log/ufw.log that there are many incoming requests from IPs that I am not aware. And given the fact that this is a test server recently built, I suspect I am under attack as all the destination requests are heading to a certain IP address. Below is a sample of the log file.



Mar 5   6:25:35 backend1    kernel: SRC=14.184.171.85   DST=138.68.78.215
Mar 5 6:25:48 backend1 kernel: SRC=179.27.81.68 DST=138.68.78.215
Mar 5 6:25:51 backend1 kernel: SRC=104.255.70.247 DST=138.68.78.215
Mar 5 6:26:10 backend1 kernel: SRC=82.162.189.53 DST=138.68.78.215
Mar 5 6:27:01 backend1 kernel: SRC=111.78.66.156 DST=138.68.78.215
Mar 5 6:27:46 backend1 kernel: SRC=196.52.43.51 DST=138.68.78.215
Mar 5 6:29:27 backend1 kernel: SRC=24.41.189.148 DST=138.68.78.215
Mar 5 6:30:36 backend1 kernel: SRC=24.41.211.202 DST=138.68.78.215
Mar 5 6:33:22 backend1 kernel: SRC=80.82.70.26 DST=138.68.78.215
Mar 5 6:34:42 backend1 kernel: SRC=178.245.183.28 DST=138.68.78.215
Mar 5 6:38:26 backend1 kernel: SRC=221.194.44.229 DST=138.68.78.215
Mar 5 6:38:44 backend1 kernel: SRC=80.201.117.228 DST=138.68.78.215
Mar 5 6:39:40 backend1 kernel: SRC=177.135.11.3 DST=138.68.78.215
Mar 5 6:40:06 backend1 kernel: SRC=183.217.28.46 DST=138.68.78.215
Mar 5 6:40:48 backend1 kernel: SRC=110.77.72.212 DST=138.68.78.215
Mar 5 6:41:26 backend1 kernel: SRC=195.154.237.46 DST=138.68.78.215


Is this normal?







networking server iptables firewall ufw






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 8 '17 at 11:14







tony9099

















asked Mar 8 '17 at 11:04









tony9099tony9099

14516




14516













  • This is what that IP belongs to db-ip.com/138.68.78.215 it is not normal, if you have no association with Digital Ocean, block it

    – Mark Kirby
    Mar 8 '17 at 11:11











  • @MarkKirby, I have association with the address, but I am worried about the huge number of requests coming from unknown addresses.

    – tony9099
    Mar 8 '17 at 11:18











  • In that case, it may be better to ask them directly here digitalocean.com/community/questions

    – Mark Kirby
    Mar 8 '17 at 11:20






  • 2





    What you are observing is normal. Any externally facing device will always be probed by a variety of bad people wanting to do bad stuff.

    – Doug Smythies
    Mar 8 '17 at 15:24






  • 1





    You could utilise tcpdump to at least get a better picture on the activity sudo tcpdump -i <interface> -X > /root/log.txt should do the trick. For more....man tcpdump. Might also be a good idea to install both network based and host based IDS.

    – user633551
    Mar 8 '17 at 16:17



















  • This is what that IP belongs to db-ip.com/138.68.78.215 it is not normal, if you have no association with Digital Ocean, block it

    – Mark Kirby
    Mar 8 '17 at 11:11











  • @MarkKirby, I have association with the address, but I am worried about the huge number of requests coming from unknown addresses.

    – tony9099
    Mar 8 '17 at 11:18











  • In that case, it may be better to ask them directly here digitalocean.com/community/questions

    – Mark Kirby
    Mar 8 '17 at 11:20






  • 2





    What you are observing is normal. Any externally facing device will always be probed by a variety of bad people wanting to do bad stuff.

    – Doug Smythies
    Mar 8 '17 at 15:24






  • 1





    You could utilise tcpdump to at least get a better picture on the activity sudo tcpdump -i <interface> -X > /root/log.txt should do the trick. For more....man tcpdump. Might also be a good idea to install both network based and host based IDS.

    – user633551
    Mar 8 '17 at 16:17

















This is what that IP belongs to db-ip.com/138.68.78.215 it is not normal, if you have no association with Digital Ocean, block it

– Mark Kirby
Mar 8 '17 at 11:11





This is what that IP belongs to db-ip.com/138.68.78.215 it is not normal, if you have no association with Digital Ocean, block it

– Mark Kirby
Mar 8 '17 at 11:11













@MarkKirby, I have association with the address, but I am worried about the huge number of requests coming from unknown addresses.

– tony9099
Mar 8 '17 at 11:18





@MarkKirby, I have association with the address, but I am worried about the huge number of requests coming from unknown addresses.

– tony9099
Mar 8 '17 at 11:18













In that case, it may be better to ask them directly here digitalocean.com/community/questions

– Mark Kirby
Mar 8 '17 at 11:20





In that case, it may be better to ask them directly here digitalocean.com/community/questions

– Mark Kirby
Mar 8 '17 at 11:20




2




2





What you are observing is normal. Any externally facing device will always be probed by a variety of bad people wanting to do bad stuff.

– Doug Smythies
Mar 8 '17 at 15:24





What you are observing is normal. Any externally facing device will always be probed by a variety of bad people wanting to do bad stuff.

– Doug Smythies
Mar 8 '17 at 15:24




1




1





You could utilise tcpdump to at least get a better picture on the activity sudo tcpdump -i <interface> -X > /root/log.txt should do the trick. For more....man tcpdump. Might also be a good idea to install both network based and host based IDS.

– user633551
Mar 8 '17 at 16:17





You could utilise tcpdump to at least get a better picture on the activity sudo tcpdump -i <interface> -X > /root/log.txt should do the trick. For more....man tcpdump. Might also be a good idea to install both network based and host based IDS.

– user633551
Mar 8 '17 at 16:17










1 Answer
1






active

oldest

votes


















0














Yes, it's normal.



It is the background noise of being connected to the internet. There's bots that scan for vulnerabilities, probe passwords of ssh-servers, and there's network scanners continuously mapping the internet. There's researchers gathering data, and there's search engines mapping open ports on internet connected machines.



Either ignore it, or if it bothers you, set up a tool like fail2ban to drop brute force attempts.






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f890857%2fufw-logs-showing-suspicious-activity%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    Yes, it's normal.



    It is the background noise of being connected to the internet. There's bots that scan for vulnerabilities, probe passwords of ssh-servers, and there's network scanners continuously mapping the internet. There's researchers gathering data, and there's search engines mapping open ports on internet connected machines.



    Either ignore it, or if it bothers you, set up a tool like fail2ban to drop brute force attempts.






    share|improve this answer




























      0














      Yes, it's normal.



      It is the background noise of being connected to the internet. There's bots that scan for vulnerabilities, probe passwords of ssh-servers, and there's network scanners continuously mapping the internet. There's researchers gathering data, and there's search engines mapping open ports on internet connected machines.



      Either ignore it, or if it bothers you, set up a tool like fail2ban to drop brute force attempts.






      share|improve this answer


























        0












        0








        0







        Yes, it's normal.



        It is the background noise of being connected to the internet. There's bots that scan for vulnerabilities, probe passwords of ssh-servers, and there's network scanners continuously mapping the internet. There's researchers gathering data, and there's search engines mapping open ports on internet connected machines.



        Either ignore it, or if it bothers you, set up a tool like fail2ban to drop brute force attempts.






        share|improve this answer













        Yes, it's normal.



        It is the background noise of being connected to the internet. There's bots that scan for vulnerabilities, probe passwords of ssh-servers, and there's network scanners continuously mapping the internet. There's researchers gathering data, and there's search engines mapping open ports on internet connected machines.



        Either ignore it, or if it bothers you, set up a tool like fail2ban to drop brute force attempts.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Mar 9 at 10:56









        vidarlovidarlo

        10.9k52750




        10.9k52750






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f890857%2fufw-logs-showing-suspicious-activity%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            數位音樂下載

            When can things happen in Etherscan, such as the picture below?

            格利澤436b