What do UFW's audit log entries mean?
I'm sometimes getting a lot of these AUDIT log entries in
...
[UFW AUDIT] IN= OUT=eth0 SRC=176.58.105.134 DST=194.238.48.2 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=32137 DF PROTO=UDP SPT=36231 DPT=123 LEN=56
[UFW ALLOW] IN= OUT=eth0 SRC=176.58.105.134 DST=194.238.48.2 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=32137 DF PROTO=UDP SPT=36231 DPT=123 LEN=56
[UFW AUDIT] IN= OUT=lo SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54579 DF PROTO=TCP SPT=59488 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0
[UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54579 DF PROTO=TCP SPT=59488 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0
[UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4319 DF PROTO=TCP SPT=59489 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0
...
What is the meaning of this? When do they occur and why? Should and can I disable these specific entries? I do not wish to disable UFW logging, but I'm not sure whether these lines are useful at all.
Note that this does not actually occur in /var/log/ufw.log. It only occurs in /var/log/syslog. Why is this the case?
More info
- my logging is set to medium:
Logging: on (medium)
Solution 1:
That depends on the line. Usually, it is Field=value.
There are IN and OUT, the incoming interface and the outgoing one (or both, for packets that are just relayed).
A few of them are:
- TOS, for Type of Service,
- DST is the destination IP,
- SRC is the source IP,
- TTL is time to live, a small counter decremented each time a packet passes through another router (so if there is a loop, the packet destroys itself once it reaches 0)
- DF is the "don't fragment" bit, asking that the packet not be fragmented when sent
- PROTO is the protocol (mostly TCP and UDP)
- SPT is the source port
- DPT is the destination port
etc.
You should take a look at the TCP/UDP/IP documentation, where everything is explained in a more detailed way than I could ever do.
Let's take the first one: that means that 176.58.105.134 sent a UDP packet on port 123 to 194.238.48.2. That's for NTP. So I guess someone is trying to use your computer as an NTP server, likely by mistake.
For the other lines, that's curious: that's traffic on the loopback interface (lo), i.e. it's not going anywhere; it goes to and comes from your computer.
I would check if something is listening on TCP port 30002 with lsof or netstat.
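The field meanings above are easier to apply over many entries with a small parser. The following is an added example, not code from the answer or from ufw itself; it assumes the kernel-log format shown in the question ("[UFW <ACTION>]" followed by KEY=VALUE tokens and bare flags such as DF and SYN) and uses a constructed sample that repeats the question's lines plus one made-up BLOCK line from a documentation address:

```python
import re
from collections import Counter

# Constructed sample: the lines quoted in the question, plus one made-up BLOCK
# line (source 203.0.113.9 is a documentation address) so every prefix appears.
# The first line carries a syslog timestamp/host prefix, as in /var/log/syslog.
SAMPLE_LOG = """\
Mar 17 21:02:21 pc kernel: [133419.183616] [UFW AUDIT] IN= OUT=eth0 SRC=176.58.105.134 DST=194.238.48.2 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=32137 DF PROTO=UDP SPT=36231 DPT=123 LEN=56
[UFW ALLOW] IN= OUT=eth0 SRC=176.58.105.134 DST=194.238.48.2 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=32137 DF PROTO=UDP SPT=36231 DPT=123 LEN=56
[UFW AUDIT] IN= OUT=lo SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54579 DF PROTO=TCP SPT=59488 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0
[UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54579 DF PROTO=TCP SPT=59488 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=194.238.48.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# "[UFW AUDIT]", "[UFW AUDIT INVALID]", "[UFW LIMIT BLOCK]" ... then the fields.
PREFIX_RE = re.compile(r"\[UFW ([A-Z ]+?)\] *(.*)$")


def parse_ufw_line(line):
    """Parse one UFW kernel log line into a dict; return None for non-UFW lines.

    KEY=VALUE tokens become dict entries; bare tokens (DF, SYN, ACK, ...) go into
    'flags'. A repeated key gets a '2' suffix, which keeps the second LEN= (the
    UDP payload length that follows the IP total length) instead of losing it.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group(1), "flags": []}
    for tok in m.group(2).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            if key in rec:
                key += "2"
            rec[key] = val
        else:
            rec["flags"].append(tok)
    return rec


def direction(rec):
    """'in', 'out', 'forward' (both interfaces set) or 'unknown', from IN=/OUT=."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    if has_in and has_out:
        return "forward"
    if has_in:
        return "in"
    if has_out:
        return "out"
    return "unknown"


def is_loopback(rec):
    """True when either interface of the record is the loopback device."""
    return "lo" in (rec.get("IN"), rec.get("OUT"))


def summarize(log_text):
    """Count lines per (action, direction, proto, dport) and collect loopback records."""
    counts = Counter()
    loopback = []
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None:
            continue
        counts[(rec["action"], direction(rec), rec.get("PROTO"), rec.get("DPT"))] += 1
        if is_loopback(rec):
            loopback.append(rec)
    return counts, loopback


if __name__ == "__main__":
    counts, loopback = summarize(SAMPLE_LOG)
    for (action, dirn, proto, dpt), n in sorted(counts.items(), key=lambda kv: str(kv[0])):
        print(f"{n:4d}  {action:<14} {dirn:<8} {proto}/{dpt}")
    print(f"{len(loopback)} loopback record(s): "
          + ", ".join(f"{r['SRC']}:{r['SPT']}->{r['DST']}:{r['DPT']}" for r in loopback))
```

Feed real entries with summarize(open("/var/log/syslog").read()). Direction is derived from which of IN=/OUT= is non-empty, which is what tells the two loopback lines in the question apart: they carry the same ID=54579, so they are one packet logged once on output and once on input.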
Solution 2:
Set your logging to low to remove the AUDIT messages.
The purpose of AUDIT (from what I'm seeing) is related to the non-default/recommended logging; however, that's a guess, and I can't seem to find anything concrete about it.
Solution 3:
On top of what has been said, it is also possible to infer what is going to be logged by inspecting the iptables rules.
Specifically, the matching rules that are being logged can be filtered like this: sudo iptables -L | grep -i "log"
ufw-before-logging-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-before-logging-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
Chain ufw-after-logging-forward (1 references)
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-after-logging-output (1 references)
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
Chain ufw-before-logging-forward (1 references)
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (1 references)
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-logging-allow (0 references)
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
LOG all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
Chain ufw-user-logging-forward (0 references)
Chain ufw-user-logging-input (0 references)
Chain ufw-user-logging-output (1 references)
Those are for the most part default rules. Inspecting the output above reveals the ufw-before-* chains to generate [UFW AUDIT ..] logs.
I'm not a big expert on iptables and the UFW manual is not very helpful on this, but as far as I can tell the rules matching this chain sit in /etc/ufw/before.rules.
For example, the lines below allow loopback connections, which might have triggered the last two example lines in your log (the ones starting with [UFW AUDIT] IN=lo):
# rules.before
# ....
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# ....
As for my part, I get a lot of logged LLMNR packets on port 5353:
Mar 17 21:02:21 pc kernel: [133419.183616] [UFW AUDIT] IN=wlp2s0 OUT= MAC= SRC=192.168.1.2 DST=224.0.0.251 LEN=146 TOS=0x00 PREC=0x00 TTL=255 ID=22456 DF PROTO=UDP SPT=5353 DPT=5353 LEN=126
Which I think are caused by the following in rules.before:
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
One way to deactivate those is to run the following:
sudo ufw deny 5353
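To confirm which chain produces which log prefix without reading the listing by eye, the following is an added example (not part of the answer or of ufw) that parses the iptables -L listing format shown above into a map from chain name to its LOG rules (prefix, conntrack state, rate limit). The sample input is a constructed excerpt of the listing above:

```python
import re

# Constructed sample: an excerpt of the `sudo iptables -L | grep -i "log"` output
# quoted in the answer above (two jump lines first, then the chain listings).
IPTABLES_LOG_OUTPUT = """\
ufw-before-logging-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
Chain ufw-after-logging-input (1 references)
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
Chain ufw-before-logging-input (1 references)
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-logging-deny (2 references)
LOG all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-user-logging-input (0 references)
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")


def parse_log_rule(line):
    """Extract prefix, conntrack state and rate limit from one LOG rule line."""
    prefix = re.search(r'prefix "([^"]*)"', line)
    ctstate = re.search(r"\bctstate (\S+)", line)
    limit = re.search(r"limit: avg (\S+) burst (\d+)", line)
    return {
        "prefix": prefix.group(1) if prefix else None,
        "ctstate": ctstate.group(1) if ctstate else None,  # None = any state
        "limit": (limit.group(1), int(limit.group(2))) if limit else None,
    }


def parse_logging_chains(text):
    """Map chain name -> {'references': n, 'log_rules': [...]} from iptables -L output.

    Lines that are neither a 'Chain ...' header nor a LOG rule (e.g. the jump
    entries that reference the logging chains) are skipped.
    """
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"references": int(m.group(2)), "log_rules": []}
        elif current is not None and line.startswith("LOG "):
            chains[current]["log_rules"].append(parse_log_rule(line))
    return chains


def chains_emitting(chains, prefix):
    """Sorted names of chains that hold a LOG rule with exactly this prefix."""
    return sorted(name for name, info in chains.items()
                  if any(rule["prefix"] == prefix for rule in info["log_rules"]))


def rules_by_prefix(chains):
    """prefix -> list of (chain, ctstate), to trace a log line back to its rule."""
    table = {}
    for name, info in chains.items():
        for rule in info["log_rules"]:
            table.setdefault(rule["prefix"], []).append((name, rule["ctstate"]))
    return table


if __name__ == "__main__":
    chains = parse_logging_chains(IPTABLES_LOG_OUTPUT)
    for prefix, sources in rules_by_prefix(chains).items():
        print(f"{prefix!r:26} <- " + ", ".join(
            f"{chain} (ctstate {state or 'any'})" for chain, state in sources))
```

Feed it the full output of sudo iptables -L -n rather than the grep-filtered listing: grep -i log drops the "Chain ..." header of any chain whose name lacks "log", so a LOG rule living in such a chain would be printed under the previous matching header and misattributed by the parser.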