Score:0

Should I be concerned about these UFW blocked traffic?

I just installed ufw on a newly provisioned Ubuntu 22.04 Server. It is currently set up to deny all traffic except ssh on an alternate port.

I'm getting this pattern of blocked traffic:

Oct  6 10:09:57 mydomain kernel: [  285.236376] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=92.63.197.132 DST=[myIPaddress] LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=14422 PROTO=TCP SPT=41554 DPT=8342 WINDOW=1024 RES=0x00 SYN URGP=0

Oct  6 10:09:59 mydomain kernel: [  288.030708] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=94.102.61.54 DST=[myIPaddress] LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=54321 PROTO=TCP SPT=45096 DPT=8009 WINDOW=65535 RES=0x00 SYN URGP=0

Oct  6 10:10:02 mydomain kernel: [  290.525994] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=79.124.62.130 DST=[myIPaddress] LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=36979 PROTO=TCP SPT=48053 DPT=19228 WINDOW=1024 RES=0x00 SYN URGP=0

Oct  6 10:10:02 mydomain kernel: [  290.598393] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=89.248.165.81 DST=[myIPaddress] LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=49209 PROTO=TCP SPT=48371 DPT=64550 WINDOW=1024 RES=0x00 SYN URGP=0

Oct  6 10:10:49 mydomain kernel: [  337.292993] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=89.248.165.81 DST=[myIPaddress] LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=15521 PROTO=TCP SPT=48371 DPT=62877 WINDOW=1024 RES=0x00 SYN URGP=0

Oct  6 10:10:49 mydomain kernel: [  338.090491] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=92.63.197.162 DST=[myIPaddress] LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=28322 PROTO=TCP SPT=42020 DPT=52091 WINDOW=1024 RES=0x00 SYN URGP=0

Oct  6 10:11:19 mydomain kernel: [  367.589701] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=89.248.165.81 DST=[myIPaddress] LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=47367 PROTO=TCP SPT=48371 DPT=57980 WINDOW=1024 RES=0x00 SYN URGP=0

Oct  6 10:11:43 mydomain kernel: [  391.720876] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=47.107.179.63 DST=[myIPaddress] LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=54675 PROTO=TCP SPT=45277 DPT=2376 WINDOW=1024 RES=0x00 SYN URGP=0

Oct  6 10:12:02 mydomain kernel: [  411.138772] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=104.219.250.45 DST=[myIPaddress] LEN=40 TOS=0x08 PREC=0x20 TTL=241 ID=23681 PROTO=TCP SPT=44073 DPT=5418 WINDOW=1024 RES=0x00 SYN URGP=0

Oct  6 10:12:03 mydomain kernel: [  411.839510] [UFW BLOCK] IN=eth0 OUT= MAC=[myMACaddress] SRC=71.6.146.185 DST=[myIPaddress] LEN=44 TOS=0x08 PREC=0x40 TTL=111 ID=5477 PROTO=TCP SPT=12420 DPT=6653 WINDOW=48762 RES=0x00 SYN URGP=0

and on and on

It looks like random places are pinging random high number ports and I don't know why. Is this something I should be concerned about, a well known random bot attack script pattern I just have to live with, or is it some normal internet behavior?

David: https://www.abuseipdb.com/whois/92.63.197.132

Organic Marble: If you have a server with ports open to the internet at large it's like having a house where hundreds or thousands of times a day criminals and evil robots come to your front door and turn the knob to see if it's locked.

William Oliver: Thanks. I was just surprised at the constant pounding. As I noted below, I have another server that has the occasional brute force attack, but not this constant drip drip drip of attempts. Thanks for the quick reply.
Score:2

That output looks like a fairly typical number of crooks, vandals, and other shady types trying to randomly penetrate vulnerable systems.

This is why we recommend ssh keys instead of passwords, auditing your open ports, and other basic security measures.

William Oliver: Thanks. I have another server that doesn't have this problem, so I was struck by the difference in my ufw logs. It must be living in a bad IP neighborhood.
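A small parser for the `[UFW BLOCK]` lines quoted in the question, added here as an example and not part of the thread: it groups blocked TCP SYNs by source address and flags sources that probe several destination ports from one fixed source port, which is the pattern visible in the question's log (SPT=48371 reused against three different DPTs). The sample lines are constructed in the same key=value format, using RFC 5737 documentation addresses and a placeholder MAC.

```python
import re
from collections import defaultdict

# Constructed sample lines in the "[UFW BLOCK]" key=value format shown in the
# question. Addresses are RFC 5737 documentation ranges; the MAC is a placeholder.
SAMPLE_LOG = """\
Oct  6 10:09:57 host kernel: [  285.236376] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=49209 PROTO=TCP SPT=48371 DPT=64550 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  6 10:10:49 host kernel: [  337.292993] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=15521 PROTO=TCP SPT=48371 DPT=62877 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  6 10:11:19 host kernel: [  367.589701] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=47367 PROTO=TCP SPT=48371 DPT=57980 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  6 10:11:43 host kernel: [  391.720876] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.20 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=54675 PROTO=TCP SPT=45277 DPT=2376 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  6 10:12:05 host kernel: [  413.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.30 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Oct  6 10:12:06 host sshd[1234]: Accepted publickey for admin from 203.0.113.7 port 50022 ssh2
"""

UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)$")

def parse_ufw_line(line):
    """Return the key=value fields plus a set of bare flag tokens, or None if not a UFW line."""
    m = UFW_RE.search(line)
    if m is None:
        return None                      # e.g. an sshd line in the same syslog
    rec = {"action": m.group("action"), "flags": set()}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val               # IN=, SRC=, DPT=, ... ("OUT=" becomes "")
        else:
            rec["flags"].add(key)        # bare tokens such as SYN, ACK, DF
    return rec

def summarize_tcp_syn(lines):
    """Group blocked TCP SYNs by source: hit count, distinct target ports, source ports."""
    per_src = defaultdict(lambda: {"hits": 0, "dports": set(), "sports": set()})
    for line in lines:
        rec = parse_ufw_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue
        if rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue                     # keep only unsolicited connection attempts
        entry = per_src[rec["SRC"]]
        entry["hits"] += 1
        entry["dports"].add(int(rec["DPT"]))
        entry["sports"].add(int(rec["SPT"]))
    # Several destination ports hit from a single fixed source port is the automated
    # scanner fingerprint seen in the question's log; one-off hits are left unflagged.
    return {src: {"hits": e["hits"], "dports": sorted(e["dports"]),
                  "scanner_like": len(e["dports"]) > 1 and len(e["sports"]) == 1}
            for src, e in per_src.items()}
```

Feed it `journalctl -k` or `/var/log/ufw.log` line by line to get a per-source table instead of reading raw lines; the summary is a starting point for abuse reports or for deciding which source ranges to rate-limit.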