
How do I block all IP addresses that traffic is coming from on my Ubuntu 18.04 (on a specified port), or just log all IP addresses connecting to this port to a .txt file?

Greenonline
Kamil Skwirut
  • See for instance https://askubuntu.com/a/638374/15811 2nd part: https://askubuntu.com/a/920201/15811 – Rinzwind Aug 02 '21 at 10:11
  • But how to log it? Can you give any examples? `I want to block all IPs connecting to a port, or list them in a txt file` – Kamil Skwirut Aug 02 '21 at 10:20
  • The 2nd link explains how to filter. Append a `>> {logfile}` to it – Rinzwind Aug 02 '21 at 12:18
  • I would suggest that you enable the logging function as suggested, and then install and configure `fail2ban` and then tail the fail2ban logs because those will indicate which IPs are triggering automatic blocks on them. This also saves you from having to blacklist dozens of IPs manually - let f2b block them automatically when they fail too many times or trigger too many alerts. Keep in mind that any Internet facing machine is going to get THOUSANDS of IPs hitting it for various legitimate or illegitimate (service scanners) reasons. – Thomas Ward Aug 02 '21 at 15:00

1 Answer

You can use two iptables rules: the first to log the event, and the second to drop the packet.

Method 1, per port:

sudo iptables -A INPUT -p tcp --dport 25 -j LOG --log-prefix "EMAIL:" --log-level info
sudo iptables -A INPUT -p tcp --dport 25 -j DROP
sudo iptables -A INPUT -p udp --dport 33434 -j LOG --log-prefix "PORT33434:" --log-level info
sudo iptables -A INPUT -p udp --dport 33434 -j DROP

Method 2, multiport:

sudo iptables -A INPUT -p udp -m multiport --dport 33434:33448 -j LOG --log-prefix "MULTIUDP:" --log-level info
sudo iptables -A INPUT -p udp -m multiport --dport 33434:33448 -j DROP
sudo iptables -A INPUT -p tcp -m multiport --dport 23,2323 -j LOG --log-prefix "MULTITCP:" --log-level info
sudo iptables -A INPUT -p tcp -m multiport --dport 23,2323 -j DROP

The log entries will be in /var/log/syslog. Example from my system for these rules (where I use a script, and it is a source port filter):

$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --sport 80,443 -j LOG --log-prefix "BAD80:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --sport 80,443 -j DROP
doug@s15:~$ grep BAD80 /var/log/syslog | head
Aug  1 00:02:17 s15 kernel: [456814.408209] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=23.2.106.84 DST=173.180.45.4 LEN=44 TOS=0x08 PREC=0x20 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=51602 WINDOW=64240 RES=0x00 ACK SYN URGP=0
Aug  1 00:08:37 s15 kernel: [457195.250598] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=130.211.9.161 DST=173.180.45.4 LEN=40 TOS=0x00 PREC=0x80 TTL=62 ID=0 DF PROTO=TCP SPT=443 DPT=26786 WINDOW=0 RES=0x00 RST URGP=0
Aug  1 00:08:40 s15 kernel: [457198.217675] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=130.211.9.161 DST=173.180.45.4 LEN=40 TOS=0x00 PREC=0x80 TTL=62 ID=0 DF PROTO=TCP SPT=443 DPT=18153 WINDOW=0 RES=0x00 RST URGP=0
Aug  1 00:09:02 s15 kernel: [457220.036071] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=23.2.106.84 DST=173.180.45.4 LEN=44 TOS=0x08 PREC=0x20 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=59130 WINDOW=64240 RES=0x00 ACK SYN URGP=0
Aug  1 00:09:08 s15 kernel: [457226.325411] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=130.211.9.161 DST=173.180.45.4 LEN=40 TOS=0x00 PREC=0x80 TTL=62 ID=0 DF PROTO=TCP SPT=443 DPT=24461 WINDOW=0 RES=0x00 RST URGP=0
Aug  1 00:15:34 s15 kernel: [457612.178539] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=130.211.9.161 DST=173.180.45.4 LEN=40 TOS=0x00 PREC=0x80 TTL=62 ID=0 DF PROTO=TCP SPT=443 DPT=31895 WINDOW=0 RES=0x00 RST URGP=0
Aug  1 00:16:54 s15 kernel: [457691.594480] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=23.2.106.84 DST=173.180.45.4 LEN=44 TOS=0x08 PREC=0x20 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=52192 WINDOW=64240 RES=0x00 ACK SYN URGP=0
Aug  1 00:22:29 s15 kernel: [458026.722346] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=130.211.9.161 DST=173.180.45.4 LEN=40 TOS=0x00 PREC=0x80 TTL=62 ID=0 DF PROTO=TCP SPT=443 DPT=20888 WINDOW=0 RES=0x00 RST URGP=0
Aug  1 00:23:12 s15 kernel: [458069.616810] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=23.2.106.84 DST=173.180.45.4 LEN=44 TOS=0x08 PREC=0x20 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=52324 WINDOW=64240 RES=0x00 ACK SYN URGP=0
Aug  1 00:23:35 s15 kernel: [458093.252954] BAD80:IN=enp1s0 OUT= MAC=68:05:ca:01:c5:e6:6c:be:e9:a7:f1:07:08:00 SRC=130.211.9.161 DST=173.180.45.4 LEN=40 TOS=0x00 PREC=0x80 TTL=62 ID=0 DF PROTO=TCP SPT=443 DPT=20218 WINDOW=0 RES=0x00 RST URGP=0

See this old answer for help with understanding the log entries.

Doug Smythies
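The answer shows where the LOG entries land but not how to turn them into the per-IP list the question asks for. The script below is an added example, not part of the answer above or of Doug's setup: it pulls the source address, protocol and destination port out of kernel LOG lines that carry a given `--log-prefix`, counts hits per source, writes the unique IPs to a .txt file, and prints (without running) one DROP rule per source so the list can be reviewed first. It assumes the syslog layout shown in the answer (`kernel: [...] PREFIX:IN=... SRC=... PROTO=... DPT=...`) and TCP/UDP entries; ICMP lines carry no DPT and are skipped. The log lines inside it are constructed samples using RFC 5737 addresses, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original answer: summarise iptables LOG
# entries (as produced by the LOG rules above) into a per-source-IP list.
# Assumes the syslog layout "kernel: [...] PREFIX:IN=... SRC=... PROTO=... DPT=..."
# and TCP/UDP entries only (ICMP lines have no DPT and are skipped).

# Constructed sample lines (RFC 5737 addresses) in the same format as the
# answer's /var/log/syslog excerpt. On a real host read the file instead.
SAMPLE_LOG='Aug  1 00:02:17 s15 kernel: [456814.408209] EMAIL:IN=enp1s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Aug  1 00:03:05 s15 kernel: [456862.110342] EMAIL:IN=enp1s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Aug  1 00:04:11 s15 kernel: [456928.500117] EMAIL:IN=enp1s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40512 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Aug  1 00:05:00 s15 kernel: [456977.004455] PORT33434:IN=enp1s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=198.51.100.4 LEN=32 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=40000 DPT=33434 LEN=12
Aug  1 00:05:30 s15 sshd[1234]: Accepted publickey for doug from 192.0.2.9 port 50022 ssh2'

# Print "SRC PROTO DPT" for every kernel LOG line carrying the given --log-prefix.
# $1 = prefix without the trailing colon (EMAIL, PORT33434, ...); stdin = syslog lines.
# Non-kernel lines (e.g. sshd) and lines with another prefix are ignored.
extract_hits() {
    grep -- "kernel: .*$1:IN=" \
    | sed -n 's/.*SRC=\([^ ]*\).* PROTO=\([^ ]*\).* DPT=\([^ ]*\).*/\1 \2 \3/p'
}

# Hit count per source IP, most active first ("count ip" per line).
count_sources() {
    extract_hits "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Write the unique source IPs (one per line) to the .txt file named in $2.
write_ip_list() {
    extract_hits "$1" | awk '{print $1}' | sort -u > "$2"
}

# Print, but do not run, one DROP rule per unique source IP so the list can be
# reviewed before it is applied. "iptables -I" inserts at the top of INPUT,
# ahead of the appended LOG rule, so a dropped source stops being logged.
emit_drop_rules() {
    extract_hits "$1" | awk '{print $1}' | sort -u \
    | awk '{printf "iptables -I INPUT -s %s -j DROP\n", $1}'
}

# Demo on the constructed lines. On a real host:
#   sudo grep 'EMAIL:' /var/log/syslog | count_sources EMAIL
#   sudo grep 'EMAIL:' /var/log/syslog | write_ip_list EMAIL blocked_ips.txt
printf '%s\n' "$SAMPLE_LOG" | count_sources EMAIL
```

Because the LOG rule fires on every packet, not every connection, a single SYN-retrying client shows up several times; the `count_sources` figures are therefore packet counts, and the `sort -u` list is what you want for the .txt file. Generating the DROP rules as text rather than running them keeps a typo in the prefix from blocking the wrong addresses.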