Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

ufw

Install

sudo apt-get install ufw

Default Deny Rule

ufw default deny

With no direction given this sets the incoming policy only; outgoing stays allow and routed stays disabled, which is what the status output further down shows.

Allow Services

Two styles are mixed here: the first four rules restrict SSH to specific sources and open only the web ports, while the last four open things wider. Use one or the other. ufw allow ssh opens port 22 to everyone, which makes the source-restricted port 22 rules pointless, and ufw allow from 198.101.145.125 opens every port to that host. Get an SSH allow rule in place before ufw enable, or you lock yourself out.

ufw allow proto tcp from 10.123.0.0/16 to any port 22
ufw allow proto tcp from 198.101.145.125 to any port 22
ufw allow proto tcp from any to any port 80
ufw allow proto tcp from any to any port 443
ufw allow from 198.101.145.125
ufw allow ssh
ufw allow http
ufw allow https
ufw logging on
ufw enable

Status

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     195.209.0.0/16
Anywhere                   DENY IN     185.244.0.0/16
22/tcp                     ALLOW IN    95.85.1.93

Delete

ufw status numbered
ufw delete X

X is the rule number from the numbered listing. Numbers shift after every delete, so list again before deleting the next one, or delete by rule text instead (ufw delete allow ssh).

check logs

Pull the SRC= token with grep -o rather than a fixed cut field: cut -d ' ' -f 12 breaks when syslog pads a single-digit day with two spaces or the kernel timestamp changes width.

grep "BLOCK" /var/log/ufw.log | grep -o 'SRC=[^ ]*' | sort | uniq -c | sort -nr
     21 SRC=125.64.94.134
     13 SRC=92.63.197.61
     13 SRC=92.63.196.13
     13 SRC=5.188.206.18
     13 SRC=45.146.164.51
     12 SRC=92.63.197.55
     12 SRC=80.94.93.215
     12 SRC=45.146.164.58
     11 SRC=92.63.197.53

Search through logs

grep -Fw "1.2.3.4" /var/log/ufw.log
grep -o 'Invalid user [^ ]* from [^ ]*' /var/log/auth.log | awk '{print $3}' | sort | uniq -c | sort -nr
sudo grep -Fw "x.x.x.x" /var/log/syslog
awk '{print $1}' access.log | sort | uniq -c | sort -n
tail -n 100 access.log | awk '{print $1}' | sort | uniq -c | sort -n

grep -F matches the address literally (an unescaped dot matches any character) and -w stops 1.2.3.4 from also matching 1.2.3.45. The auth.log line counts the usernames tried against accounts that do not exist; print $5 instead of $3 to count the source addresses instead.
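Added example (mine, not from the original notes) for the ufw and auth.log counts above: the same numbers produced by matching the SRC=, DPT= and "Invalid user" tokens instead of a fixed field position, so they survive syslog's day padding and kernel timestamp width. The log lines it runs on are constructed for this example and written to a temp directory; the function names, hostname and addresses are my own. Point the functions at /var/log/ufw.log and /var/log/auth.log to use them on a real host.

```shell
#!/bin/sh
# Added example, not from the original notes: count blocked sources, probed ports and
# SSH brute-force activity by matching tokens rather than cut -d ' ' -f N, because the
# field number moves with "Mar  1" style day padding and the kernel timestamp width.
# All sample log lines below are constructed.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
UFW_SAMPLE="$SAMPLE_DIR/ufw.log"
AUTH_SAMPLE="$SAMPLE_DIR/auth.log"

# Constructed /var/log/ufw.log lines: note the double space before the day and the
# padded kernel timestamp; one ALLOW line is included so the BLOCK filter matters.
cat > "$UFW_SAMPLE" <<'EOF'
Mar  1 06:25:01 web1 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=92.63.197.61 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=41234 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 06:25:03 web1 kernel: [ 1236.102030] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=92.63.197.61 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54322 PROTO=TCP SPT=41235 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 06:25:09 web1 kernel: [ 1242.000001] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=92.63.197.61 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54323 PROTO=TCP SPT=41240 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 06:26:30 web1 kernel: [ 1323.555555] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=125.64.94.134 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=55120 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 06:27:11 web1 kernel: [ 1364.123456] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=125.64.94.134 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=55121 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 06:28:00 web1 kernel: [81412.987654] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=45.146.164.51 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=999 PROTO=TCP SPT=60000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 06:29:00 web1 kernel: [81472.000000] [UFW ALLOW] IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=10.123.4.5 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=50000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF

# Constructed /var/log/auth.log lines from sshd.
cat > "$AUTH_SAMPLE" <<'EOF'
Mar  1 06:30:12 web1 sshd[2201]: Invalid user admin from 92.63.197.61 port 51122
Mar  1 06:30:14 web1 sshd[2201]: Failed password for invalid user admin from 92.63.197.61 port 51122 ssh2
Mar  1 06:30:20 web1 sshd[2205]: Invalid user root from 92.63.197.61 port 51130
Mar  1 06:31:02 web1 sshd[2210]: Invalid user oracle from 125.64.94.134 port 40011
Mar  1 06:31:05 web1 sshd[2210]: Failed password for invalid user oracle from 125.64.94.134 port 40011 ssh2
Mar 10 06:32:40 web1 sshd[2231]: Invalid user admin from 45.146.164.51 port 33333
Mar 10 06:32:41 web1 sshd[2231]: Failed password for invalid user admin from 45.146.164.51 port 33333 ssh2
Mar 10 06:33:00 web1 sshd[2240]: Accepted publickey for deploy from 10.123.4.5 port 50000 ssh2
EOF

# Frequency table of stdin lines as "count value", most frequent first, top N.
top_counts() {
    sort | uniq -c | sort -rn | head -n "${1:-10}" | awk '{print $1, $2}'
}

# Blocked source addresses: grep -o finds the SRC= token wherever it sits on the line.
ufw_top_sources() {
    grep -F '[UFW BLOCK]' "$1" | grep -o 'SRC=[^ ]*' | cut -d= -f2 | top_counts "${2:-10}"
}

# Destination ports the blocked traffic was aimed at, i.e. what is being probed.
ufw_top_dports() {
    grep -F '[UFW BLOCK]' "$1" | grep -o 'DPT=[^ ]*' | cut -d= -f2 | top_counts "${2:-10}"
}

# sshd writes "Invalid user NAME from IP" when an unknown account is tried and then a
# "Failed password for invalid user ..." line per password guess; matching only the
# capitalised form counts each attempted account once instead of twice.
ssh_top_invalid_users() {
    grep -o 'Invalid user [^ ]* from [^ ]*' "$1" | awk '{print $3}' | top_counts "${2:-10}"
}

ssh_top_invalid_sources() {
    grep -o 'Invalid user [^ ]* from [^ ]*' "$1" | awk '{print $5}' | top_counts "${2:-10}"
}

echo "Top blocked sources:";        ufw_top_sources "$UFW_SAMPLE" 5
echo "Top probed ports:";           ufw_top_dports "$UFW_SAMPLE" 5
echo "Top invalid SSH usernames:";  ssh_top_invalid_users "$AUTH_SAMPLE" 5
echo "Top SSH brute-force sources:"; ssh_top_invalid_sources "$AUTH_SAMPLE" 5
```

The port count is the one worth adding to the notes: a single source hammering 3389 and 445 on a host that runs neither is a scanner you can block at the /24 without losing anything, while many sources hitting 22 is the normal background that the source-restricted SSH rule already handles.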

Modify Allow Rules

sudo ufw allow proto tcp from 192.241.243.159 to any port 44443
sudo ufw allow proto tcp from 192.241.243.159 to any port 22
sudo ufw allow proto tcp from any to any port 80,443,22 comment 'normal rule block' 

Modify Deny Rules

There was a ton of traffic from these sources in my logs, so I just blocked the entire /16 to reduce log noise. You will not need to do this unless you find an attacker using multiple IPs from various networks.

sudo ufw deny from 185.244.0.0/16 to any
sudo ufw deny from 195.209.0.0/16 to any

Inserting Order

Rules are evaluated in order and the first match wins. A deny added with ufw deny is appended after the existing allow rules, so it does nothing against traffic an earlier allow already accepts; insert it at position 1 so it is checked first.

sudo ufw insert 1 deny from 45.134.30.0/24 to any

What to Block

Up to you and your log-analysis tools, but here are some suggestions of things to fix and/or block. The Apache log paths for a site are set by the ErrorLog and CustomLog directives in its vhost file, /etc/apache2/sites-enabled/yoursite.conf; the /var/www/logs/... paths below come from one such configuration.

Clients Causing Most Errors in Error Log:

grep -o '\[client [^]]*]' /var/www/logs/followupemails.com.error.log | cut -d ' ' -f 2 | cut -d ':' -f 1 | sort | uniq -c | sort -nr | head -n 20

This matches the [client IP:port] token of the Apache 2.4 error log directly instead of assuming it is field 10.

Requests Causing Most 500 Errors (application failures, sometimes crashes)

awk '$9 == 500 {print $7}' /var/www/logs/followupemails.com.access.log | sort | uniq -c | sort -nr | head -n 30

In the combined log format $9 is the status code and $7 the request path; grep " 500 " would also match a 500-byte response size.

Who is fuzzing you (404 errors)

awk '$9 == 404 {print $7}' /var/www/logs/followupemails.com.access.log | sort | uniq -c | sort -nr | head -n 30

This lists the missing paths being probed; swap $7 for $1 to list the clients sending them.

Busiest Clients (easy to see a DoS here)

cut -d ' ' -f 1 /var/www/logs/followupemails.com.access.log | sort | uniq -c | sort -nr | head -n 100
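Added example (mine, not from the original notes) covering the four Apache one-liners above: the same counts selected on the status field of the combined log format, plus a distinct-404-paths-per-client count that separates a scanner from a visitor with one broken link. The access and error log lines are constructed for the example, and the function names are my own. Replace the sample paths with the real access and error logs to run it on a host.

```shell
#!/bin/sh
# Added example, not from the original notes: Apache combined-log triage that selects
# on the status field ($9) instead of grepping " 500 " / " 404 ", which also matches a
# response size of 500 or 404 bytes. All sample log lines below are constructed.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
ACCESS_SAMPLE="$SAMPLE_DIR/access.log"
ERROR_SAMPLE="$SAMPLE_DIR/error.log"

# Constructed access log. Line 2 has a 500-byte body and line 8 a 404-byte body, so a
# naive grep " 500 " / grep " 404 " picks up one false hit each.
cat > "$ACCESS_SAMPLE" <<'EOF'
10.123.4.5 - - [01/Mar/2022:06:40:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.123.4.5 - - [01/Mar/2022:06:40:02 +0000] "GET /style.css HTTP/1.1" 200 500 "http://example.test/" "Mozilla/5.0"
45.146.164.51 - - [01/Mar/2022:06:41:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
45.146.164.51 - - [01/Mar/2022:06:41:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
45.146.164.51 - - [01/Mar/2022:06:41:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
45.146.164.51 - - [01/Mar/2022:06:41:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
92.63.197.61 - - [01/Mar/2022:06:42:00 +0000] "POST /wp-login.php HTTP/1.1" 404 196 "-" "curl/7.68.0"
92.63.197.61 - - [01/Mar/2022:06:42:05 +0000] "GET /api/report HTTP/1.1" 500 404 "-" "curl/7.68.0"
10.123.4.5 - - [01/Mar/2022:06:43:00 +0000] "GET /api/report HTTP/1.1" 500 1024 "-" "Mozilla/5.0"
EOF

# Constructed Apache 2.4 error log.
cat > "$ERROR_SAMPLE" <<'EOF'
[Tue Mar 01 06:41:00.100000 2022] [core:error] [pid 2001] [client 45.146.164.51:40100] Invalid URI in request GET /../../etc/passwd HTTP/1.1
[Tue Mar 01 06:41:03.400000 2022] [core:error] [pid 2001] [client 45.146.164.51:40101] Invalid URI in request GET /.git/config HTTP/1.1
[Tue Mar 01 06:42:05.200000 2022] [php7:error] [pid 2002] [client 92.63.197.61:40200] PHP Fatal error:  Uncaught Exception in /var/www/html/api/report.php:12
[Tue Mar 01 06:43:00.300000 2022] [php7:error] [pid 2003] [client 10.123.4.5:40300] PHP Fatal error:  Uncaught Exception in /var/www/html/api/report.php:12
EOF

# Frequency table of stdin lines as "count value", most frequent first, top N.
top_counts() {
    sort | uniq -c | sort -rn | head -n "${1:-10}" | awk '{print $1, $2}'
}

# Combined log format: $1 client, $7 request path, $9 status code.
count_status()             { awk -v s="$2" '$9 == s' "$1" | wc -l | tr -d ' '; }
access_top_clients()       { awk '{print $1}' "$1" | top_counts "${2:-10}"; }
access_status_histogram()  { awk '{print $9}' "$1" | top_counts "${2:-10}"; }
access_top_paths_by_status() { awk -v s="$2" '$9 == s {print $7}' "$1" | top_counts "${3:-10}"; }

# Scanners hit many different missing paths; a real visitor with a broken link hits
# one. Count distinct 404 paths per client rather than raw 404 lines.
access_fuzzers() {
    awk '$9 == 404 {print $1, $7}' "$1" | sort -u | awk '{print $1}' | top_counts "${2:-10}"
}

# Apache 2.4 error log: take the IP out of the [client IP:port] token. The cut on ':'
# drops the port and would need changing for IPv6 clients.
error_top_clients() {
    grep -o '\[client [^]]*]' "$1" | awk '{print $2}' | cut -d: -f1 | top_counts "${2:-10}"
}

echo "Status histogram:";        access_status_histogram "$ACCESS_SAMPLE"
echo "Busiest clients:";         access_top_clients "$ACCESS_SAMPLE" 5
echo "Top 500 paths:";           access_top_paths_by_status "$ACCESS_SAMPLE" 500 5
echo "Top 404 paths:";           access_top_paths_by_status "$ACCESS_SAMPLE" 404 5
echo "Likely scanners:";         access_fuzzers "$ACCESS_SAMPLE" 5
echo "Error log top clients:";   error_top_clients "$ERROR_SAMPLE" 5
echo "grep ' 404 ' says $(grep -c ' 404 ' "$ACCESS_SAMPLE"), status field says $(count_status "$ACCESS_SAMPLE" 404)"
```

The last line is the point of the rewrite: on this sample grep counts six 404s where there are five, because the size column of the /api/report 500 happens to be 404 bytes. On a busy log the mismatch is larger and the wrong paths end up on the block list.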