UFW BLOCK entries in the log












1















I have a lot of these entries in my log:



Sep 22 12:20:23 server0187 kernel: [    7.267934] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:20:23 server0187 kernel: [ 7.688848] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:24 server0187 kernel: [ 7.992988] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:32 server0187 kernel: [ 16.219594] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=52457 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:39 server0187 kernel: [ 23.217712] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=7040 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:40 server0187 kernel: [ 24.130220] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=7040 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:44 server0187 kernel: [ 28.063447] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33267 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:20:45 server0187 kernel: [ 29.063934] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33268 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:20:47 server0187 kernel: [ 31.063621] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33269 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:20:50 server0187 kernel: [ 34.272558] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=37595 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:50 server0187 kernel: [ 34.667044] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=37595 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:21:08 server0187 kernel: [ 52.296316] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=22917 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:21:39 server0187 kernel: [ 83.646607] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=151.233.57.112 DST=se.rv.er.ip LEN=44 TOS=0x00 PREC=0x00 TTL=37 ID=56703 PROTO=TCP SPT=25625 DPT=23 WINDOW=30217 RES=0x00 SYN URGP=0


My ufw rules are pretty standard:



22/tcp (OpenSSH)              ALLOW IN    Anywhere
80,443/tcp (Nginx Full)       ALLOW IN    Anywhere
80,443/tcp                    ALLOW IN    Anywhere
25                            ALLOW IN    Anywhere
143                           ALLOW IN    Anywhere
993                           ALLOW IN    Anywhere
22                            ALLOW IN    Anywhere
21                            ALLOW IN    Anywhere
21/tcp                        ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))         ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6))  ALLOW IN    Anywhere (v6)
80,443/tcp (v6)               ALLOW IN    Anywhere (v6)
25 (v6)                       ALLOW IN    Anywhere (v6)
143 (v6)                      ALLOW IN    Anywhere (v6)
993 (v6)                      ALLOW IN    Anywhere (v6)
22 (v6)                       ALLOW IN    Anywhere (v6)
21 (v6)                       ALLOW IN    Anywhere (v6)
21/tcp (v6)                   ALLOW IN    Anywhere (v6)


How do I get rid of these?










firewall ufw
















asked Sep 22 '16 at 12:26









Nimbuz













  • Any particular reason you don't want it notifying about traffic being blocked?

    – Thomas Ward
    Sep 22 '16 at 12:32











  • @ThomasWard I'm just not sure what it's about and should I be concerned, because they appear a few times in the log.

    – Nimbuz
    Sep 22 '16 at 12:33













  • @ThomasWard There are LOTS of these entries in all logs, that's why I'm worried.

    – Nimbuz
    Sep 22 '16 at 13:10





























3 Answers


















4















Before you read this answer, consider the following:




  1. There are 65,534 usable ports (1 - 65534) when connecting to a system, and a bunch of different protocols; this means there is a HUGE number of potential "blocked" connections based on whatever criterion is set up in your firewall rules for 'permitted traffic'.



  2. Anything Internet-facing will be getting connection attempts from various things to the box, such as:




    • Legitimate Permitted Traffic

    • Service scanners

    • Brute forcers

    • Malware / Hackers

    • etc. (pretty much anything that wants to try and connect, whether allowed or not).



  3. Anything publicly facing the Internet will get things trying to find services running on the system, or try and scan the box for potential breach points. Hence the BLOCK alerts in the syslog.

  4. Firewall "BLOCK" alerts mean your firewall is working as intended, and you shouldn't really be super concerned about seeing a lot of these alerts, especially if your system is directly facing the Internet (and not behind a router, etc.).







Now to address your concern in your comments about "There's a lot of these entries" and "that's why I'm worried".



When you run a whitelisting firewall with UFW, there is a default rule added as a result of the default UFW configurations which will automatically add a LOG rule for any traffic not accepted or otherwise handled by the firewall rules. For example, let's say that I have a server, and I set it to permit only SSH from the IP address 1.2.3.4. Any other traffic to my server not related to traffic from the server going outbound or SSH traffic from 1.2.3.4 to my server (and vice versa in the opposite direction) will be blocked, and a UFW BLOCK alert will go out to the system logs to indicate that the traffic that doesn't match one of my permitted rules was blocked. (That is, only traffic from 1.2.3.4 to port 22 (SSH), or related bidirectional traffic to that connection, will trigger a BLOCK alert)



Should you be concerned about this? Absolutely not. Web facing services, servers, networks, etc. get a ton of traffic to them, from service scanners, legitimate connections, malicious threat actors, etc. It is not unusual to see a lot of attempts to connect to a network from the outside from large ranges of IP addresses, if your system/server is Internet facing, because that type of traffic is usually blocked.





Now to address your original question of how to disable the UFW BLOCK alerts. While I do not recommend disabling the alerts (because this indicates your firewall is working as intended), you can disable the UFW alert log items by doing the following:



sudo ufw logging off


Note that I really don't recommend you disable your logging of blocked traffic unless you really need to (such as syslog taking up too much disk space, which is not really that common even in these cases), but it's up to you whether you do or not.






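A triage sketch for the kind of log shown in the question, added here as an example (it is not code from any of the answers): it parses `[UFW BLOCK]` lines, counts them by destination port and source, and separates blocks aimed at ports the posted rules allow from blocks aimed at ports nothing is served on. The sample log is constructed with documentation addresses, and `ALLOWED_PORTS` is copied from the question's rule list while ignoring protocol, which is a simplification.

```python
import re
from collections import Counter

# Ports opened by the ALLOW IN rules listed in the question (protocol ignored).
ALLOWED_PORTS = {21, 22, 25, 80, 143, 443, 993}

# Constructed sample in the question's log format. All addresses are
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
SAMPLE_LOG = """\
Sep 22 12:20:23 host kernel: [    7.267934] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:24 host kernel: [    7.992988] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:44 host kernel: [   28.063447] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33267 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:20:46 host kernel: [   30.100000] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33270 DF PROTO=TCP SPT=33400 DPT=2323 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:20:59 host kernel: [   43.500000] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.50 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=5120 DF PROTO=TCP SPT=51514 DPT=443 WINDOW=229 RES=0x00 ACK FIN URGP=0
Sep 22 12:21:00 host kernel: [   44.000000] EXT4-fs (vda1): re-mounted. Opts: errors=remount-ro
Sep 22 12:21:05 host kernel: [   49.000000] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.200 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=4242 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
"""

BLOCK_RE = re.compile(r"\[UFW BLOCK\]\s+(.*)$")


def parse_block(line):
    """Return the KEY=VALUE fields of one [UFW BLOCK] line, or None.

    Bare tokens such as SYN, ACK or DF carry no '=' and are collected
    in order under the 'FLAGS' key.
    """
    match = BLOCK_RE.search(line)
    if not match:
        return None
    fields, flags = {}, []
    for token in match.group(1).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            flags.append(token)
    fields["FLAGS"] = flags
    return fields


def summarize(log_text, allowed_ports=ALLOWED_PORTS):
    """Count blocks per (protocol, destination port) and per source.

    Blocks that hit a port the rules allow are returned separately: the
    default-deny policy does not explain them, so they are the entries
    to read individually.
    """
    by_service, by_source, review = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_block(line)
        if rec is None:
            continue  # not a UFW BLOCK entry
        proto = rec.get("PROTO", "?")
        # ICMP and similar entries have no DPT field.
        dpt = int(rec["DPT"]) if rec.get("DPT", "").isdigit() else None
        by_service[(proto, dpt)] += 1
        by_source[rec.get("SRC", "?")] += 1
        if dpt in allowed_ports:
            review.append((rec.get("SRC"), proto, dpt, tuple(rec["FLAGS"])))
    return by_service, by_source, review


def unserved_targets(by_service, allowed_ports=ALLOWED_PORTS):
    """Blocked (protocol, port) pairs nothing is offered on, most frequent first."""
    return [(svc, count) for svc, count in by_service.most_common()
            if svc[1] is not None and svc[1] not in allowed_ports]


if __name__ == "__main__":
    services, sources, to_review = summarize(SAMPLE_LOG)
    print("Blocked probes for ports not served here:")
    for (proto, port), count in unserved_targets(services):
        print(f"  {proto}/{port}: {count}")
    print("Top sources:", sources.most_common(3))
    print("Blocks on allowed ports (read these):")
    for entry in to_review:
        print("  ", entry)
```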

































    1














    There is no explicit rule to deny tcp/23 (telnet) in the existing rules in this post; the implicit rule is denying/logging (default). To halt the logging and still deny, create an explicit deny rule in on ens3.



    ufw deny in on ens3 to any port 23



    Or simply firewall telnet to deny telnet in on all interfaces in the host:



    ufw deny in 23





































      1














      If the logs are annoying you because they pollute your syslog, please edit /etc/rsyslog.d/20-ufw.conf, the last line (in 18.04) reads



      # & stop


      Remove the # and then restart logging:



      sudo service rsyslog restart


      Now you should be able to find your ufw logs only in /var/log/ufw.log






      share|improve this answer
























        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "89"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: true,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: 10,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });














        draft saved

        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f828223%2fufw-block-entries-in-the-log%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        4















        Before you read this answer, consider the following:




        1. There are 65,534 usable ports (1 - 65534) when connecting to a system, and a bunch of different protocols; this means there is a HUGE number of potential "blocked" connections based on whatever criterion is set up in your firewall rules for 'permitted traffic'.



        2. Anything Internet-facing will be getting connection attempts from various things to the box, such as:




          • Legitimate Permitted Traffic

          • Service scanners

          • Brute forcers

          • Malware / Hackers

          • etc. (pretty much anything that wants to try and connect, whether allowed or not).



        3. Anything publicly facing the Internet will get things trying to find services running on the system, or try and scan the box for
          potential breach points. Hence the BLOCK alerts in the syslog.


        4. Firewall "BLOCK" alerts mean your firewall is working as intended, and you shouldn't really be super concerned about seeing a lot of
          these alerts, especially if your system is directly facing the Internet
          (and not behind a router, etc.).







        Now to address your concern in your comments about "There's a lot of these entries" and "that's why I'm worried".



        When you run a whitelisting firewall with UFW, there is a default rule added as a result of the default UFW configurations which will automatically add a LOG rule for any traffic not accepted or otherwise handled by the firewall rules. For example, let's say that I have a server, and I set it to permit only SSH from the IP address 1.2.3.4. Any other traffic to my server not related to traffic from the server going outbound or SSH traffic from 1.2.3.4 to my server (and vice versa in the opposite direction) will be blocked, and a UFW BLOCK alert will go out to the system logs to indicate that the traffic that doesn't match one of my permitted rules was blocked. (That is, only traffic from 1.2.3.4 to port 22 (SSH), or related bidirectional traffic to that connection, will trigger a BLOCK alert)



        Should you be concerned about this? Absolutely not. Web facing services, servers, networks, etc. get a ton of traffic to them, from service scanners, legitimate connections, malicious threat actors, etc. It is not unusual to see a lot of attempts to connect to a network from the outside from large ranges of IP addresses, if your system/server is Internet facing, because that type of traffic is usually blocked.





        Now to address your original question of how to disable the UFW BLOCK alerts. While I do not recommend disabling the alerts (because this indicates your firewall is working as intended), you can disable the UFW alert log items by doing the following:



        sudo ufw logging off


        Note that I really don't recommend you disable your logging of blocked traffic unless you really need to (such as syslog taking up too much disk space, which is not really that common even in these cases), but it's up to you whether you do or not.






        share|improve this answer






























          4















          Before you read this answer, consider the following:




          1. There are 65,534 usable ports (1 - 65534) when connecting to a system, and a bunch of different protocols; this means there is a HUGE number of potential "blocked" connections based on whatever criterion is set up in your firewall rules for 'permitted traffic'.



          2. Anything Internet-facing will be getting connection attempts from various things to the box, such as:




            • Legitimate Permitted Traffic

            • Service scanners

            • Brute forcers

            • Malware / Hackers

            • etc. (pretty much anything that wants to try and connect, whether allowed or not).



          3. Anything publicly facing the Internet will get things trying to find services running on the system, or try and scan the box for
            potential breach points. Hence the BLOCK alerts in the syslog.


          4. Firewall "BLOCK" alerts mean your firewall is working as intended, and you shouldn't really be super concerned about seeing a lot of
            these alerts, especially if your system is directly facing the Internet
            (and not behind a router, etc.).







          Now to address your concern in your comments about "There's a lot of these entries" and "that's why I'm worried".



          When you run a whitelisting firewall with UFW, there is a default rule added as a result of the default UFW configurations which will automatically add a LOG rule for any traffic not accepted or otherwise handled by the firewall rules. For example, let's say that I have a server, and I set it to permit only SSH from the IP address 1.2.3.4. Any other traffic to my server not related to traffic from the server going outbound or SSH traffic from 1.2.3.4 to my server (and vice versa in the opposite direction) will be blocked, and a UFW BLOCK alert will go out to the system logs to indicate that the traffic that doesn't match one of my permitted rules was blocked. (That is, only traffic from 1.2.3.4 to port 22 (SSH), or related bidirectional traffic to that connection, will trigger a BLOCK alert)



          Should you be concerned about this? Absolutely not. Web facing services, servers, networks, etc. get a ton of traffic to them, from service scanners, legitimate connections, malicious threat actors, etc. It is not unusual to see a lot of attempts to connect to a network from the outside from large ranges of IP addresses, if your system/server is Internet facing, because that type of traffic is usually blocked.





          Now to address your original question of how to disable the UFW BLOCK alerts. While I do not recommend disabling the alerts (because this indicates your firewall is working as intended), you can disable the UFW alert log items by doing the following:



          sudo ufw logging off


          Note that I really don't recommend you disable your logging of blocked traffic unless you really need to (such as syslog taking up too much disk space, which is not really that common even in these cases), but it's up to you whether you do or not.






          share|improve this answer




























            4












            4








            4








Before you read this answer, consider the following:

1. There are 65,534 usable ports (1 - 65534) when connecting to a system, and a bunch of different protocols; this means there is a HUGE number of potential "blocked" connections based on whatever criterion is set up in your firewall rules for 'permitted traffic'.

2. Anything Internet-facing will be getting connection attempts from various things to the box, such as:

  • Legitimate Permitted Traffic
  • Service scanners
  • Brute forcers
  • Malware / Hackers
  • etc. (pretty much anything that wants to try and connect, whether allowed or not).

3. Anything publicly facing the Internet will get things trying to find services running on the system, or try and scan the box for potential breach points. Hence the BLOCK alerts in the syslog.

4. Firewall "BLOCK" alerts mean your firewall is working as intended, and you shouldn't really be super concerned about seeing a lot of these alerts, especially if your system is directly facing the Internet (and not behind a router, etc.).

Now to address your concern in your comments about "There's a lot of these entries" and "that's why I'm worried".

When you run a whitelisting firewall with UFW, there is a default rule added as a result of the default UFW configurations which will automatically add a LOG rule for any traffic not accepted or otherwise handled by the firewall rules. For example, let's say that I have a server, and I set it to permit only SSH from the IP address 1.2.3.4. Any other traffic to my server not related to traffic from the server going outbound or SSH traffic from 1.2.3.4 to my server (and vice versa in the opposite direction) will be blocked, and a UFW BLOCK alert will go out to the system logs to indicate that the traffic that doesn't match one of my permitted rules was blocked. (That is, only traffic from 1.2.3.4 to port 22 (SSH), or related bidirectional traffic to that connection, will trigger a BLOCK alert)

Should you be concerned about this? Absolutely not. Web facing services, servers, networks, etc. get a ton of traffic to them, from service scanners, legitimate connections, malicious threat actors, etc. It is not unusual to see a lot of attempts to connect to a network from the outside from large ranges of IP addresses, if your system/server is Internet facing, because that type of traffic is usually blocked.

Now to address your original question of how to disable the UFW BLOCK alerts. While I do not recommend disabling the alerts (because this indicates your firewall is working as intended), you can disable the UFW alert log items by doing the following:

    sudo ufw logging off

Note that I really don't recommend you disable your logging of blocked traffic unless you really need to (such as syslog taking up too much disk space, which is not really that common even in these cases), but it's up to you whether you do or not.














edited Sep 22 '16 at 16:55
answered Sep 22 '16 at 16:23
Thomas Ward
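To see what the BLOCK entries consist of before deciding whether to silence them, the following added example (not part of the answer above) parses UFW kernel log lines in the format shown in the question and counts blocked packets per source address and per destination port. The sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the kernel log format shown in the question
# (addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Sep 22 12:20:23 host kernel: [    7.267934] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:24 host kernel: [    7.992988] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63511 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:44 host kernel: [   28.063447] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.22 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33267 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:21:02 host kernel: [   46.100112] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.22 DST=192.0.2.10 LEN=440 TOS=0x00 PREC=0x00 TTL=45 ID=0 DF PROTO=UDP SPT=5071 DPT=5060 LEN=420
Sep 22 12:21:05 host kernel: [   49.500731] [UFW BLOCK] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1200 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Sep 22 12:21:06 host sshd[811]: Server listening on 0.0.0.0 port 22.
Sep 22 12:21:09 host kernel: [   53.004410] [UFW ALLOW] IN=ens3 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=4021 DF PROTO=TCP SPT=50122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# "[UFW <ACTION>]" followed by space-separated KEY=value tokens and bare flags.
ENTRY = re.compile(r"\[UFW (?P<action>[A-Z ]+)\] (?P<fields>.*)$")

def parse_ufw_line(line):
    """Return a dict for one UFW kernel log line, or None if it is not one."""
    m = ENTRY.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "flags": []}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value          # KEY=value (value may be empty, e.g. OUT=)
        else:
            rec["flags"].append(key)  # bare token such as SYN or DF
    return rec

def summarize_blocks(text):
    """Count blocked packets per source address and per (protocol, port)."""
    by_src, by_service = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue                  # skip non-UFW lines and ALLOW/AUDIT entries
        by_src[rec.get("SRC", "?")] += 1
        # ICMP entries carry no DPT, so fall back to "-"
        by_service[(rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
    return by_src, by_service

if __name__ == "__main__":
    sources, services = summarize_blocks(SAMPLE_LOG)
    for (proto, port), n in services.most_common():
        print(f"{n:4d}  {proto}/{port}")
    for src, n in sources.most_common():
        print(f"{n:4d}  {src}")
```

On a live system the same function can be given the contents of the UFW log file instead of the embedded sample.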

























                1














There is no explicit rule to deny tcp/23 (telnet) in the existing rules in this post; the implicit rule is denying/logging (default). To halt the logging and still deny, create an explicit deny rule in on ens3:

    ufw deny in on ens3 to any port 23

or simply firewall telnet to deny telnet in on all interfaces in the host:

    ufw deny in 23
















answered Dec 6 '17 at 16:16
ccie6747























                        1














If the logs are annoying you because they pollute your syslog, please edit /etc/rsyslog.d/20-ufw.conf; the last line (in 18.04) reads

    # & stop

Remove the # and then restart logging:

    sudo service rsyslog restart

Now you should be able to find your ufw logs only in /var/log/ufw.log
















answered Mar 2 at 10:40
Sebastian





























