Old 02-05-2014, 08:48 PM   #1
mryemeni
LQ Newbie
 
Registered: Feb 2014
Posts: 2

Rep: Reputation: Disabled
Help Me!! UFW blocking weird IPs?


Hello guys, I was checking on my log viewer and noticed that UFW is blocking a lot of IPs!!!
A lot of them, and they keep coming and coming. I don't know a lot about security so I need help. Am I under attack of some sort?!
I have qBittorrent installed, but even when I closed it the blocking keeps on and on!

This is a sample of the log viewer:

Code:
Feb  6 05:39:02  CRON[30920]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)
Feb  6 05:39:03  kernel: [319683.840346] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=108.13.33.151 DST=192.168.1.2 LEN=134 TOS=0x00 PREC=0x00 TTL=119 ID=29835 PROTO=UDP SPT=52123 DPT=6881 LEN=114 
Feb  6 05:39:23  kernel: [319704.354745] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=62.5.129.43 DST=192.168.1.2 LEN=129 TOS=0x00 PREC=0x20 TTL=108 ID=12814 PROTO=UDP SPT=56512 DPT=6881 LEN=109 
Feb  6 05:39:43  kernel: [319724.342639] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=88.176.246.119 DST=192.168.1.2 LEN=131 TOS=0x00 PREC=0x00 TTL=114 ID=4366 PROTO=UDP SPT=11447 DPT=6881 LEN=111 
Feb  6 05:40:03  kernel: [319743.918348] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=87.117.144.247 DST=192.168.1.2 LEN=145 TOS=0x00 PREC=0x00 TTL=115 ID=20055 PROTO=UDP SPT=54265 DPT=6881 LEN=125 
Feb  6 05:40:24  kernel: [319765.118671] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=86.58.65.31 DST=192.168.1.2 LEN=134 TOS=0x00 PREC=0x00 TTL=116 ID=7844 PROTO=UDP SPT=31370 DPT=6881 LEN=114 
Feb  6 05:40:44  kernel: [319784.416003] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=137.44.116.190 DST=192.168.1.2 LEN=134 TOS=0x00 PREC=0x00 TTL=106 ID=3663 PROTO=UDP SPT=22548 DPT=6881 LEN=114 
Feb  6 05:41:12  kernel: [319812.433248] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=178.212.198.219 DST=192.168.1.2 LEN=131 TOS=0x00 PREC=0x00 TTL=52 ID=64946 PROTO=UDP SPT=21179 DPT=6881 LEN=111 
Feb  6 05:41:23  kernel: [319823.985850] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=139.218.179.102 DST=192.168.1.2 LEN=134 TOS=0x00 PREC=0x00 TTL=110 ID=28763 PROTO=UDP SPT=10911 DPT=6881 LEN=114 
Feb  6 05:41:43  kernel: [319844.174370] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=46.138.201.144 DST=192.168.1.2 LEN=129 TOS=0x00 PREC=0x20 TTL=50 ID=2762 PROTO=UDP SPT=20719 DPT=6881 LEN=109 
Feb  6 05:42:11  kernel: [319871.400059] [UFW BLOCK] IN=eth0 OUT= MAC=00:23:ae:a8:a1:32:b0:48:7a:a3:3f:a5:08:00 SRC=84.212.251.143 DST=192.168.1.2 LEN=134 TOS=0x00 PREC=0x00 TTL=118 ID=4719 PROTO=UDP SPT=49621 DPT=6881 LEN=114
Thanks in advance.

Last edited by mryemeni; 02-05-2014 at 08:59 PM.
 
Old 02-06-2014, 03:52 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,488

Rep: Reputation: 1558
Well, a quick search for port 6881 shows that it's a common listening port for BitTorrent, so the traffic is related to that.

At a guess your IP is "out there" and these UDP packets are other computers checking to see if you are still there.
 
Old 02-06-2014, 07:07 AM   #3
pingwinowiewc
Member
 
Registered: Feb 2014
Location: Europe
Distribution: Debian, Mint, Arch (multiboot)
Posts: 90

Rep: Reputation: Disabled
And as such should be blocked. So your fw is doing well.
 
Old 02-06-2014, 12:33 PM   #4
mryemeni
LQ Newbie
 
Registered: Feb 2014
Posts: 2

Original Poster
Rep: Reputation: Disabled
I think you are right TenTenths!

Thanks a lot
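
Added example, not part of the thread: a small Python triage script for `[UFW BLOCK]` lines like the ones in the first post, grouping blocked packets by protocol and destination port and counting distinct sources. The sample log is constructed (documentation-range addresses), and the function names `parse_ufw_block` and `summarise` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above; source addresses are
# from documentation ranges (RFC 5737), not taken from the thread.
SAMPLE_LOG = """\
Feb  6 05:39:02  CRON[30920]: (root) CMD (example job)
Feb  6 05:39:03  kernel: [1.0] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.1.2 LEN=134 PROTO=UDP SPT=52123 DPT=6881 LEN=114
Feb  6 05:39:23  kernel: [2.0] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.2 LEN=129 PROTO=UDP SPT=56512 DPT=6881 LEN=109
Feb  6 05:39:43  kernel: [3.0] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=192.168.1.2 LEN=131 PROTO=UDP SPT=11447 DPT=6881 LEN=111
Feb  6 05:40:03  kernel: [4.0] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.99 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 SYN
Feb  6 05:40:04  kernel: [5.0] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.99 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 SYN
"""

KV = re.compile(r"(\w+)=(\S*)")  # key=value pairs; the value may be empty (OUT=)


def parse_ufw_block(line):
    """Return the key=value fields of a [UFW BLOCK] line, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    _, _, rest = line.partition("[UFW BLOCK]")
    # LEN appears twice for UDP (IP length, then UDP length); the later value wins.
    return dict(KV.findall(rest))


def summarise(log_text):
    """Group blocked packets by (protocol, destination port), busiest first."""
    groups = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if not fields or "DPT" not in fields:  # e.g. ICMP entries carry no ports
            continue
        group = groups[(fields.get("PROTO"), int(fields["DPT"]))]
        group["packets"] += 1
        group["sources"].add(fields.get("SRC"))
    rows = ((key, g["packets"], len(g["sources"])) for key, g in groups.items())
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    for (proto, dpt), packets, sources in summarise(SAMPLE_LOG):
        print(f"{proto}/{dpt}: {packets} blocked packets from {sources} distinct sources")
```

Many different sources all hitting one UDP port that a local application used to listen on, as with port 6881 in the thread, matches the leftover peer traffic described in post #2; one source walking across several ports is a different pattern and shows up as separate rows with the same source.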
 
  

