UFW logs showing suspicious activity
I am using UFW and have some rules in action.
My current status for the firewall is as shown in the image below.
However, I noticed in the log file located at /var/log/ufw.log that there are many incoming requests from IPs that I am not aware of. And given the fact that this is a test server recently built, I suspect I am under attack, as all the destination requests are heading to a certain IP address. Below is a sample of the log file.
Mar 5 6:25:35 backend1 kernel: SRC=14.184.171.85 DST=138.68.78.215
Mar 5 6:25:48 backend1 kernel: SRC=179.27.81.68 DST=138.68.78.215
Mar 5 6:25:51 backend1 kernel: SRC=104.255.70.247 DST=138.68.78.215
Mar 5 6:26:10 backend1 kernel: SRC=82.162.189.53 DST=138.68.78.215
Mar 5 6:27:01 backend1 kernel: SRC=111.78.66.156 DST=138.68.78.215
Mar 5 6:27:46 backend1 kernel: SRC=196.52.43.51 DST=138.68.78.215
Mar 5 6:29:27 backend1 kernel: SRC=24.41.189.148 DST=138.68.78.215
Mar 5 6:30:36 backend1 kernel: SRC=24.41.211.202 DST=138.68.78.215
Mar 5 6:33:22 backend1 kernel: SRC=80.82.70.26 DST=138.68.78.215
Mar 5 6:34:42 backend1 kernel: SRC=178.245.183.28 DST=138.68.78.215
Mar 5 6:38:26 backend1 kernel: SRC=221.194.44.229 DST=138.68.78.215
Mar 5 6:38:44 backend1 kernel: SRC=80.201.117.228 DST=138.68.78.215
Mar 5 6:39:40 backend1 kernel: SRC=177.135.11.3 DST=138.68.78.215
Mar 5 6:40:06 backend1 kernel: SRC=183.217.28.46 DST=138.68.78.215
Mar 5 6:40:48 backend1 kernel: SRC=110.77.72.212 DST=138.68.78.215
Mar 5 6:41:26 backend1 kernel: SRC=195.154.237.46 DST=138.68.78.215
Is this normal?
networking server iptables firewall ufw
This is what that IP belongs to db-ip.com/138.68.78.215 it is not normal, if you have no association with Digital Ocean, block it
– Mark Kirby
Mar 8 '17 at 11:11
@MarkKirby, I have association with the address, but I am worried about the huge number of requests coming from unknown addresses.
– tony9099
Mar 8 '17 at 11:18
In that case, it may be better to ask them directly here digitalocean.com/community/questions
– Mark Kirby
Mar 8 '17 at 11:20
2
What you are observing is normal. Any externally facing device will always be probed by a variety of bad people wanting to do bad stuff.
– Doug Smythies
Mar 8 '17 at 15:24
1
You could utilise tcpdump to at least get a better picture on the activity.
sudo tcpdump -i <interface> -X > /root/log.txt
should do the trick. For more, man tcpdump. Might also be a good idea to install both network based and host based IDS.
– user633551
Mar 8 '17 at 16:17
asked Mar 8 '17 at 11:04 by tony9099, edited Mar 8 '17 at 11:14
1 Answer
Yes, it's normal.
It is the background noise of being connected to the internet. There are bots that scan for vulnerabilities and probe passwords of SSH servers, and there are network scanners continuously mapping the internet. There are researchers gathering data, and there are search engines mapping open ports on internet-connected machines.
Either ignore it, or if it bothers you, set up a tool like fail2ban to drop brute force attempts.
answered Mar 9 at 10:56 by vidarlo
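A quick way to check the answer's claim against your own /var/log/ufw.log is to count hits per source: diffuse noise shows as many addresses with one or two hits each, while a single address repeatedly hitting one port is the pattern fail2ban (or a `ufw deny from` rule) is meant for. The script below is an added example for this thread, not code from UFW, fail2ban or any of the posters. It parses the syslog prefix and the `KEY=value` fields ufw logs emit; the SRC/DST-only lines in the sample are the ones quoted in the question, and the full-format `[UFW BLOCK]` lines are constructed (198.51.100.7 is an RFC 5737 documentation address) to show a focused source.

```python
"""Summarise UFW kernel log lines: diffuse background noise versus one
source hammering a port.

Added example for this thread; not code from UFW, fail2ban or any poster.
Lines with only SRC/DST are those quoted in the question; the '[UFW BLOCK]'
lines are constructed sample data (RFC 5737 address 198.51.100.7).
"""
import re
from collections import Counter
from datetime import datetime

# rsyslog prefix: "Mar  5 06:25:35 host kernel: ..." (single-digit hour tolerated)
_PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{1,2}:\d{2}:\d{2})"
    r"\s+(?P<host>\S+)\s+kernel:\s*(?P<rest>.*)$"
)
_ACTION = re.compile(r"\[UFW (?P<action>[A-Z ]+)\]")   # [UFW BLOCK], [UFW ALLOW], ...
_KV = re.compile(r"\b([A-Z]{2,6})=(\S*)")               # SRC=, DST=, PROTO=, DPT=, ...

SAMPLE_LOG = """\
Mar 5 6:25:35 backend1 kernel: SRC=14.184.171.85 DST=138.68.78.215
Mar 5 6:25:48 backend1 kernel: SRC=179.27.81.68 DST=138.68.78.215
Mar 5 6:25:51 backend1 kernel: SRC=104.255.70.247 DST=138.68.78.215
Mar 5 6:26:10 backend1 kernel: SRC=82.162.189.53 DST=138.68.78.215
Mar 5 6:27:01 backend1 kernel: SRC=111.78.66.156 DST=138.68.78.215
Mar 5 6:27:46 backend1 kernel: SRC=196.52.43.51 DST=138.68.78.215
Mar 5 6:29:27 backend1 kernel: SRC=24.41.189.148 DST=138.68.78.215
Mar 5 6:30:36 backend1 kernel: SRC=24.41.211.202 DST=138.68.78.215
Mar 5 6:33:22 backend1 kernel: SRC=80.82.70.26 DST=138.68.78.215
Mar 5 6:34:42 backend1 kernel: SRC=178.245.183.28 DST=138.68.78.215
Mar 5 6:38:26 backend1 kernel: SRC=221.194.44.229 DST=138.68.78.215
Mar 5 6:38:44 backend1 kernel: SRC=80.201.117.228 DST=138.68.78.215
Mar 5 6:39:40 backend1 kernel: SRC=177.135.11.3 DST=138.68.78.215
Mar 5 6:40:06 backend1 kernel: SRC=183.217.28.46 DST=138.68.78.215
Mar 5 6:40:48 backend1 kernel: SRC=110.77.72.212 DST=138.68.78.215
Mar 5 6:41:26 backend1 kernel: SRC=195.154.237.46 DST=138.68.78.215
Mar 5 6:42:01 backend1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=138.68.78.215 LEN=60 TTL=52 PROTO=TCP SPT=44210 DPT=22 SYN
Mar 5 6:42:02 backend1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=138.68.78.215 LEN=60 TTL=52 PROTO=TCP SPT=44211 DPT=22 SYN
Mar 5 6:42:04 backend1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=138.68.78.215 LEN=60 TTL=52 PROTO=TCP SPT=44212 DPT=22 SYN
Mar 5 6:42:05 backend1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=138.68.78.215 LEN=60 TTL=52 PROTO=TCP SPT=44213 DPT=22 SYN
Mar 5 6:42:07 backend1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=138.68.78.215 LEN=60 TTL=52 PROTO=TCP SPT=44214 DPT=22 SYN
"""


def parse_ufw_line(line):
    """Return {'ts', 'host', 'action', 'fields'} or None for non-netfilter lines."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(_KV.findall(rest))
    if "SRC" not in fields or "DST" not in fields:
        return None  # some other kernel message, not a firewall log entry
    act = _ACTION.search(rest)
    # The syslog prefix carries no year; strptime's default (1900) is only
    # used for ordering and time spans within one file.
    ts = datetime.strptime(
        f"{m.group('mon')} {m.group('day')} {m.group('time')}", "%b %d %H:%M:%S"
    )
    return {"ts": ts, "host": m.group("host"),
            "action": act.group("action") if act else None, "fields": fields}


def summarize(lines):
    """Aggregate hits by source, destination, destination port and action."""
    entries = [e for e in map(parse_ufw_line, lines) if e]
    per_src = Counter(e["fields"]["SRC"] for e in entries)
    per_dst = Counter(e["fields"]["DST"] for e in entries)
    per_dpt = Counter(e["fields"].get("DPT", "unknown") for e in entries)
    per_action = Counter(e["action"] or "unknown" for e in entries)
    span = 0.0
    if entries:
        stamps = [e["ts"] for e in entries]
        span = (max(stamps) - min(stamps)).total_seconds()
    return {"total": len(entries), "unique_sources": len(per_src),
            "per_src": per_src, "per_dst": per_dst, "per_dpt": per_dpt,
            "per_action": per_action, "span_seconds": span,
            "hits_per_minute": len(entries) / (span / 60) if span else float(len(entries))}


def classify(summary, focus_threshold=5):
    """Triage: any single source at/above focus_threshold hits is 'focused probing';
    many sources with at most two hits each is the diffuse noise the answer describes."""
    if summary["total"] == 0:
        return {"verdict": "no entries", "focused_sources": []}
    focused = sorted(s for s, n in summary["per_src"].items() if n >= focus_threshold)
    if focused:
        verdict = "focused probing"
    elif summary["unique_sources"] >= 10 and summary["per_src"].most_common(1)[0][1] <= 2:
        verdict = "background noise"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "focused_sources": focused}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['total']} hits from {s['unique_sources']} sources, "
          f"{s['hits_per_minute']:.2f}/min; ports: {dict(s['per_dpt'])}")
    print("top sources:", s["per_src"].most_common(3))
    print(classify(s))
```

Run it against the real file with `summarize(open("/var/log/ufw.log").readlines())`. On the question's sixteen lines alone the verdict is "background noise" (sixteen sources, one hit each, roughly one hit a minute); only the constructed 198.51.100.7 lines trip the "focused probing" branch, and that single address is the kind of thing a fail2ban jail or a `ufw deny from <address>` rule addresses, whereas blocking the sixteen one-off scanners buys nothing.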