Can someone break this down?

opentoe
Junior Member
Posts: 5
Joined: 11 Feb 2013, 16:27

Can someone break this down?

Post by opentoe »

I'm new to the VPS I've signed up for and I'm loving it so far. I also like the firewall, how configurable it is and how easy it really is to manage via the interface. There are some small issues that are happening. Some IP addresses are getting temporarily blocked and I'll receive an email letting me know this. I will eventually get around to checking the settings and/or inputting a whitelist when I get the time. The emails I get look like a foreign language to me. Can someone break this email down and explain what each part is? For example, what is the port (or ports) that were scanned that caused the temporary block? Here is one of the emails right from my inbox. Thank you!

Time: Mon Feb 11 08:45:15 2013 -0500
IP: 175.180.104.218 (TW/Taiwan/175-180-104-21
Hits: 11
Blocked: Temporary Block

Sample of block hits:
Feb 11 08:44:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=58 TOS=0x00 PREC=0x00 TTL=111 ID=5076 PROTO=UDP SPT=39329 DPT=5446 LEN=38
Feb 11 08:44:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=58 TOS=0x00 PREC=0x00 TTL=111 ID=5079 PROTO=UDP SPT=39329 DPT=5446 LEN=38
Feb 11 08:44:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5080 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:44:26 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5196 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:44:32 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5529 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:44:44 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=6231 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:44:52 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=6609 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:44:52 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=6648 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:44:55 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=6832 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:45:01 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=7133 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:45:13 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=7639 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Nerigal
Junior Member
Posts: 33
Joined: 17 Jun 2009, 16:15

Re: Can someone break this down?

Post by Nerigal »

For me it looks like a port scan on your server. DPT means destination port 5446.

A temp ban is expected for this.

Feb 11 08:44:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=58 TOS=0x00 PREC=0x00 TTL=111 ID=5076 PROTO=UDP SPT=39329 DPT=5446 LEN=38
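As an added example (not code from the posts above or from the firewall's own tooling), here is a small Python parser that takes the kernel log lines from the email and breaks each one down field by field, then counts which ports a given source hit. It assumes the lines are standard netfilter LOG-target output, which is what the kernel writes and the email quotes; the field descriptions, the `L4_LEN` name I give the second `LEN`, and the sample lines (four of the eleven hits from the opening post, put back onto one line each) are my own.

```python
"""Break a "Firewall: *UDP_IN Blocked*" kernel log line into its fields.

Example code written for this thread; not part of the firewall or the forum.
Assumes standard netfilter LOG-target output (IP header fields first, then
the transport header, so LEN appears twice).
"""
import re
from collections import Counter

# Constructed sample: four of the eleven hits quoted in the opening post,
# one log line per line (the email had run them together).
SAMPLE_LOG = """\
Feb 11 08:44:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=58 TOS=0x00 PREC=0x00 TTL=111 ID=5076 PROTO=UDP SPT=39329 DPT=5446 LEN=38
Feb 11 08:44:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=58 TOS=0x00 PREC=0x00 TTL=111 ID=5079 PROTO=UDP SPT=39329 DPT=5446 LEN=38
Feb 11 08:44:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=5080 PROTO=UDP SPT=39329 DPT=5446 LEN=28
Feb 11 08:45:13 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=7639 PROTO=UDP SPT=39329 DPT=5446 LEN=28
"""

# Meaning of each netfilter LOG field, in the order the kernel prints them.
# "L4_LEN" is my label for the second LEN (the UDP length: 8-byte header + payload).
FIELD_HELP = {
    "IN":     "interface the packet arrived on (venet0 is the OpenVZ virtual NIC)",
    "OUT":    "outgoing interface; empty because the packet was for this host, not forwarded",
    "MAC":    "link-layer addresses; empty because venet0 carries no Ethernet header",
    "SRC":    "source IP address (the remote host)",
    "DST":    "destination IP address (your VPS)",
    "LEN":    "total length of the IP packet in bytes",
    "TOS":    "IP type-of-service byte",
    "PREC":   "IP precedence bits",
    "TTL":    "time-to-live remaining when the packet arrived",
    "ID":     "IP identification field (changes per packet sent)",
    "PROTO":  "transport protocol",
    "SPT":    "source port the remote host sent from",
    "DPT":    "destination port on your VPS that was probed",
    "L4_LEN": "UDP length: 8-byte UDP header plus payload",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?) (?P<kv>IN=.*)$"
)


def parse_line(line):
    """Return a dict of fields for one kernel firewall log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"], "prefix": m["prefix"]}
    for token in m["kv"].split():
        key, _, value = token.partition("=")
        if key == "LEN" and "LEN" in rec:
            key = "L4_LEN"          # the second LEN belongs to the transport header
        rec[key] = value
    # Sanity check: IPv4 without options has a 20-byte header, so IP LEN == 20 + UDP LEN.
    if "L4_LEN" in rec:
        rec["lengths_consistent"] = int(rec["LEN"]) == 20 + int(rec["L4_LEN"])
    return rec


def explain(rec):
    """Field-by-field breakdown of one parsed line."""
    return [f"{k}={rec[k]}: {FIELD_HELP[k]}" for k in FIELD_HELP if k in rec]


def summarize(log_text):
    """Per source IP: hit count, (proto, dest port) targets with counts, and time span."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = out.setdefault(rec["SRC"], {"hits": 0, "targets": Counter(),
                                        "first": rec["timestamp"], "last": rec["timestamp"]})
        s["hits"] += 1
        s["targets"][(rec["PROTO"], int(rec["DPT"]))] += 1
        s["last"] = rec["timestamp"]
    for s in out.values():
        # One port hit over and over is a repeated probe; many distinct ports is a sweep.
        s["kind"] = "repeated probe of one port" if len(s["targets"]) == 1 else "sweep across ports"
    return out


if __name__ == "__main__":
    print("\n".join(explain(parse_line(SAMPLE_LOG.splitlines()[0]))))
    for src, s in summarize(SAMPLE_LOG).items():
        print(f"\n{src}: {s['hits']} hits, {s['kind']}, targets {sorted(s['targets'])}, "
              f"{s['first']} .. {s['last']}")
```

Run against the quoted lines, every hit comes from the same source port (39329) to the same destination port (UDP 5446), so this is one remote host repeatedly poking one UDP port rather than a walk across many ports; the second LEN minus 8 is the payload size (20 and 30 bytes here). Keep in mind that UDP is connectionless, so nothing in these lines proves the SRC address really sent them; a temporary block on that address is a reasonable, low-cost response, but a permanent block based on UDP logs alone can be tricked into blocking an address someone spoofed.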
opentoe
Junior Member
Posts: 5
Joined: 11 Feb 2013, 16:27

Re: Can someone break this down?

Post by opentoe »

Nerigal wrote: For me it looks like a port scan on your server. DPT means destination port 5446.

A temp ban is expected for this.

Feb 11 08:44:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=175.180.104.218 DST=207.7.86.103 LEN=58 TOS=0x00 PREC=0x00 TTL=111 ID=5076 PROTO=UDP SPT=39329 DPT=5446 LEN=38
What is odd is that I see the email templates in a folder that are supposed to be easier to read, but when I get them, they certainly don't look like the templates. They look like what I posted in the OP. I'm just trying to first figure out what all the information means, and since I don't have a list of what all those acronyms mean it is quite difficult. I'm really liking the firewall and how tightly I can configure it. I wasn't able to do any of that when using my old shared hosting plan.

If you see the attached screenshot, that is what the email is "supposed" to look like, but it doesn't look anything like that. I think I'll just get used to more things and keep on learning. Actually, I'm unable to attach anything so I can't show you. I'll try to post a URL screen capture of it, but I don't know if that will work either. No, sorry, I'm unable to show you any kind of URL or anything. Sorry. I guess it is very tight security here just on the forums.


Thanks
leslie
Junior Member
Posts: 1
Joined: 16 Feb 2013, 17:07

Re: Can someone break this down?

Post by leslie »

I've got the same questions - I don't know what the acronyms mean or their significance.
I do like that the interface is easy to use.
And where can one learn more about Excessive Resource Usage?
Thanks so much.