37

I wonder why I get this error on my syslogs:

[7732763.396193] [UFW BLOCK] IN=eth0 OUT= MAC=02:8b:1a:75:d5:7b:02:8b:1a:40:00:03:08:00 SRC=x.x.x.x DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=53703 DF PROTO=TCP SPT=35651 DPT=8443 WINDOW=457 RES=0x00 ACK RST URGP=0 

I have just enabled ufw. Does this error mean that something is going wrong?

batman

2 Answers

34

Well, it means that ufw blocked a connection from SRC to DST on TCP Port 8443. Unless you wanted this connection to be successful it is not a bad thing.

Port 8443 is mainly used by webservices, for example it is used by VMware ESXi, or some (HTTPS) Application Servers.

You can check if your box is running anything on that port by issuing `sudo netstat -tulpen | grep 8443`

pgschk

  • How can I stop this being put into `syslog` files? – batman Sep 05 '12 at 11:02
  • @batman type `man ufw` into a terminal. Scroll down to `LOGGING` – NRoach44 Sep 05 '12 at 11:45
  • You should be able to disable logging via `sudo ufw logging off` – pgschk Sep 05 '12 at 11:45
  • Instead of disabling ufw logging completely, it is better to just [stop logging into syslog](http://askubuntu.com/questions/452125/redirect-ufw-logs-to-own-file) – HRJ Dec 04 '14 at 13:38
  • I just noticed the same thing. Lots of different IP addresses trying what seem to be random ports. Their frequency is perhaps every second or so, perhaps less. On another device and network I tried entering one of the `SRC` IP addresses in a browser and got `X.X.X.X refused to connect`. So I came to the conclusion these servers are reaching out but have blocked all incoming. Are these servers trying their luck randomly to gain access or collect information? ...my first experience of security concerns when managing a server. Glad I'd enabled `ufw`. –  Feb 18 '21 at 07:38
  • You can also stop logging it by whitelisting which IPs you want to allow connections, and then deny everything else as last rule, see https://askubuntu.com/a/1383632/1179344 – ferdymercury Feb 02 '22 at 00:47

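The answer above reads the `SRC`, `DST` and `DPT` fields by eye. As an added example (not code from the answer or from ufw), the following Python parses lines in the format shown in the question and summarises blocked inbound hits per source and destination port, which makes the "many random ports from one address" pattern mentioned in the comments easy to spot. The IP addresses and log lines are constructed from documentation ranges.

```python
import re
from collections import Counter

# Prefix ufw adds to netfilter log lines, e.g. "[UFW BLOCK]" or "[UFW ALLOW]".
_PREFIX = re.compile(r"\[UFW ([A-Z ]+)\]")
_KV = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs; OUT= may be empty
_FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens


def parse_ufw_line(line):
    """Parse one ufw kernel log line into a dict of its KEY=value fields.

    Bare tokens such as DF/SYN/ACK/RST become True-valued flags and the
    action after "[UFW " is stored under "action". Non-ufw lines give None.
    """
    m = _PREFIX.search(line)
    if m is None:
        return None
    rest = line[m.end():]
    rec = {"action": m.group(1)}
    rec.update(_KV.findall(rest))
    for tok in rest.split():
        if tok in _FLAGS:
            rec[tok] = True
    return rec


def summarize_blocks(lines, max_ports=1):
    """Count BLOCKed inbound packets per (SRC, DPT); list sources that
    probed more than max_ports distinct destination ports."""
    hits = Counter()
    ports_by_src = {}
    for line in lines:
        rec = parse_ufw_line(line)
        # Skip non-ufw lines, ALLOW entries and anything without an IN interface.
        if not rec or rec["action"] != "BLOCK" or not rec.get("IN"):
            continue
        src, dpt = rec.get("SRC"), rec.get("DPT")
        hits[(src, dpt)] += 1
        ports_by_src.setdefault(src, set()).add(dpt)
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) > max_ports)
    return hits, scanners


# Constructed sample lines (documentation-range IPs) in the question's format.
SAMPLE_LOG = [
    "[7732763.396193] [UFW BLOCK] IN=eth0 OUT= MAC=02:8b:1a:75:d5:7b:02:8b:1a:40:00:03:08:00 "
    "SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=53703 DF "
    "PROTO=TCP SPT=35651 DPT=8443 WINDOW=457 RES=0x00 ACK RST URGP=0",
    "[7732764.100000] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 "
    "TTL=52 ID=1 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[7732765.200000] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 "
    "TTL=48 ID=2 DF PROTO=TCP SPT=51000 DPT=8443 WINDOW=1024 RES=0x00 SYN URGP=0",
    "[7732766.300000] [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 "
    "TTL=60 ID=3 DF PROTO=TCP SPT=52000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Sep  5 11:02:05 host sshd[1234]: Accepted publickey for admin from 192.0.2.10",
]

if __name__ == "__main__":
    hits, scanners = summarize_blocks(SAMPLE_LOG)
    for (src, dpt), n in hits.most_common():
        print(f"{src:>16} -> port {dpt}: {n} blocked")
    print("sources hitting several ports:", scanners)
```

To run it over a real host, replace `SAMPLE_LOG` with the lines of `/var/log/syslog` (or `/var/log/ufw.log`) that contain `[UFW`.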
1

If you run:

```
$ tail -1 /etc/rsyslog.d/20-ufw.conf
#& stop
```

This `#& stop` means that you are logging into syslog.

Teo, how can I stop it?

Well, you just need to run these commands to stop logging to the syslog:

```
sudo sed '/#& stop/s/^#//' -i /etc/rsyslog.d/20-ufw.conf
sudo service rsyslog restart
```

This command just uncomments the first match of the pattern `#& stop` in the file `/etc/rsyslog.d/20-ufw.conf`. In this case it is the last line, which is why we use `tail -1` to print the last line of the file.

Now verify it:

```
$ tail -1 /etc/rsyslog.d/20-ufw.conf
& stop
```

or just:

```
tail -f /var/log/syslog
```

Teocci