Tags: ubuntu, server, firewall, ufw

High number of blocked incoming requests on ephemeral ports


I am seeing a high number of blocked requests on my UFW firewall. I initially thought this was due to port scanning, but I think these are responses to some service sending requests.

How could I find out which service this is and what the requests are about? Here is a selection of the logs:

Feb  1 11:09:03 ... kernel: [774832.138810] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=94.102.49.112 DST=MYIP LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=21247 PROTO=TCP SPT=49734 DPT=18133 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 11:09:27 ... kernel: [774855.657944] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=146.88.240.4 DST=MYIP LEN=76 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=UDP SPT=48325 DPT=123 LEN=56
Feb  1 11:10:14 ... kernel: [774903.158117] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=89.248.168.41 DST=MYIP LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=787 PROTO=TCP SPT=47977 DPT=2435 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 11:10:30 ... kernel: [774918.997471] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=178.128.114.248 DST=MYIP LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=30799 PROTO=TCP SPT=32767 DPT=8545 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 11:10:30 ... kernel: [774919.036015] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=173.76.38.236 DST=MYIP LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=60924 PROTO=TCP SPT=65162 DPT=23 WINDOW=51386 RES=0x00 SYN URGP=0
Feb  1 11:10:42 ... kernel: [774930.832547] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=94.102.56.215 DST=MYIP LEN=57 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=UDP SPT=59165 DPT=7941 LEN=37
Feb  1 11:10:50 ... kernel: [774938.661701] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=80.82.65.90 DST=MYIP LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=55973 PROTO=TCP SPT=59837 DPT=4227 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 11:10:58 ... kernel: [774946.480311] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=93.174.95.110 DST=MYIP LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=8311 PROTO=TCP SPT=47917 DPT=8256 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 11:11:20 ... kernel: [774969.227536] [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=93.174.93.33 DST=MYIP LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=31038 PROTO=TCP SPT=59487 DPT=33169 WINDOW=1024 RES=0x00 SYN URGP=0

I have configured UFW to allow only the ports in use; all others are closed.


Solution

  • It turns out that these requests are actually due to port scanning. I compared a bunch of the listed IPs with Abuseip's database; they are all known offenders.
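As an added example (not part of the question or the answer above), here is a small Python script that answers the question's "how could I find out" for logs like these: it parses [UFW BLOCK] lines, decides whether each packet could be a reply to the server's own traffic (a bare SYN is a new inbound connection attempt and never a reply; a UDP reply would carry the service port in SPT, not DPT), and groups the rest per source so scan-like behaviour stands out. The log lines, hostnames and addresses in SAMPLE_LOG are constructed; only the field layout follows the lines quoted in the question.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in the question (RFC 5737 addresses; values illustrative).
SAMPLE_LOG = """\
Feb  1 11:09:03 host kernel: [774832.138810] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=21247 PROTO=TCP SPT=49734 DPT=18133 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 11:09:27 host kernel: [774855.657944] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.20 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=UDP SPT=48325 DPT=123 LEN=56
Feb  1 11:10:14 host kernel: [774903.158117] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=787 PROTO=TCP SPT=47977 DPT=2435 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 11:10:30 host kernel: [774918.997471] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=30799 PROTO=TCP SPT=32767 DPT=8545 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  1 11:10:31 host kernel: [774919.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=1 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_ufw_block(line):
    """Return the key=value fields of a [UFW BLOCK] line plus its TCP flags, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(KV_RE.findall(line))  # for UDP the second LEN (payload) overwrites the IP LEN
    tail = line.split("[UFW BLOCK]", 1)[1]
    fields["FLAGS"] = {tok for tok in tail.split() if tok in TCP_FLAGS}  # bare tokens, not key=value
    return fields

def classify(fields):
    """Could this blocked packet be a reply to our own traffic, or is it an unsolicited probe?"""
    if fields.get("PROTO") == "TCP":
        if "SYN" in fields["FLAGS"] and "ACK" not in fields["FLAGS"]:
            return "unsolicited-syn"  # bare SYN = new inbound connection attempt, never a reply
        return "tcp-non-syn"          # ACK/RST/FIN without SYN: late reply or stray packet, review
    if fields.get("PROTO") == "UDP":
        # A reply to our own query has the service port in SPT and our ephemeral port in DPT
        # (simplification: ports below 1024 are treated as service ports).
        if int(fields["SPT"]) < 1024 and int(fields["DPT"]) >= 1024:
            return "udp-possible-reply"
        return "udp-probe"
    return "other"

def summarize(log_text):
    """Per source address: packet count, distinct destination ports and the classes seen."""
    per_src = defaultdict(lambda: {"packets": 0, "dports": set(), "classes": set()})
    for line in log_text.splitlines():
        f = parse_ufw_block(line)
        if f is None:
            continue
        entry = per_src[f["SRC"]]
        entry["packets"] += 1
        entry["dports"].add(int(f["DPT"]))
        entry["classes"].add(classify(f))
    return per_src

def looks_like_scan(entry, min_ports=3):
    # Heuristic: bare SYNs to several distinct destination ports from a single source.
    return "unsolicited-syn" in entry["classes"] and len(entry["dports"]) >= min_ports
```

Feed it the real log with `summarize(open("/var/log/ufw.log").read())` and print the entries where `looks_like_scan` is true; sources that only ever show up as `tcp-non-syn` or `udp-possible-reply` are the ones worth matching against the server's own outbound connections.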