Ubuntu – Disable logging of UFW BLOCKs in the kernel logs

firewallufw

I have a lot of these entries in my log:

Sep 22 12:20:23 server0187 kernel: [    7.267934] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:20:23 server0187 kernel: [    7.688848] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:20:24 server0187 kernel: [    7.992988] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:20:32 server0187 kernel: [   16.219594] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=52457 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:20:39 server0187 kernel: [   23.217712] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=7040 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:20:40 server0187 kernel: [   24.130220] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=7040 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:20:44 server0187 kernel: [   28.063447] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33267 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0 
Sep 22 12:20:45 server0187 kernel: [   29.063934] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33268 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0 
Sep 22 12:20:47 server0187 kernel: [   31.063621] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33269 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0 
Sep 22 12:20:50 server0187 kernel: [   34.272558] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=37595 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:20:50 server0187 kernel: [   34.667044] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=37595 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:21:08 server0187 kernel: [   52.296316] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=22917 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0 
Sep 22 12:21:39 server0187 kernel: [   83.646607] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=151.233.57.112 DST=se.rv.er.ip LEN=44 TOS=0x00 PREC=0x00 TTL=37 ID=56703 PROTO=TCP SPT=25625 DPT=23 WINDOW=30217 RES=0x00 SYN URGP=0

my ufw rules is pretty standard:

22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere                  
80,443/tcp                 ALLOW IN    Anywhere                  
25                         ALLOW IN    Anywhere                  
143                        ALLOW IN    Anywhere                  
993                        ALLOW IN    Anywhere                  
22                       ALLOW IN    Anywhere                  
21                       ALLOW IN    Anywhere                  
21/tcp                   ALLOW IN    Anywhere                  
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)             
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)             
80,443/tcp (v6)            ALLOW IN    Anywhere (v6)             
25 (v6)                    ALLOW IN    Anywhere (v6)             
143 (v6)                   ALLOW IN    Anywhere (v6)             
993 (v6)                   ALLOW IN    Anywhere (v6)             
22 (v6)                  ALLOW IN    Anywhere (v6)             
21 (v6)                  ALLOW IN    Anywhere (v6)             
21/tcp (v6)              ALLOW IN    Anywhere (v6)

How do I get rid of these?

Best Answer

Before you read this answer, consider the following:

  1. There are 65,534 usable ports (1 - 65534) when connecting to a system, and a bunch of different protocols; this means there is a HUGE number of potential "blocked" connections based on whatever criterion is set up in your firewall rules for 'permitted traffic'.

  2. Anything Internet-facing will be getting connection attempts from various things to the box, such as:

    • Legitimate Permitted Traffic
    • Service scanners
    • Brute forcers
    • Malware / Hackers
    • etc. (pretty much anything that wants to try and connect, whether allowed or not).

  3. Anything publicly facing the Internet will get things trying to find services running on the system, or try and scan the box for potential breach points. Hence the BLOCK alerts in the syslog.

  4. Firewall "BLOCK" alerts mean your firewall is working as intended, and you shouldn't really be super concerned about seeing a lot of these alerts, especially if your system is directly facing the Internet (and not behind a router, etc.).

Now to address your concern in your comments about "There's a lot of these entries" and "that's why I'm worried".

When you run a whitelisting firewall with UFW, there is a default rule added as a result of the default UFW configurations which will automatically add a LOG rule for any traffic not accepted or otherwise handled by the firewall rules. For example, let's say that I have a server, and I set it to permit only SSH from the IP address 1.2.3.4. Any other traffic to my server not related to traffic from the server going outbound or SSH traffic from 1.2.3.4 to my server (and vice versa in the opposite direction) will be blocked, and a UFW BLOCK alert will go out to the system logs to indicate that the traffic that doesn't match one of my permitted rules was blocked. (That is, only traffic from 1.2.3.4 to port 22 (SSH), or related bidirectional traffic to that connection, will trigger a BLOCK alert)

Should you be concerned about this? Absolutely not. Web facing services, servers, networks, etc. get a ton of traffic to them, from service scanners, legitimate connections, malicious threat actors, etc. It is not unusual to see a lot of attempts to connect to a network from the outside from large ranges of IP addresses, if your system/server is Internet facing, because that type of traffic is usually blocked.

Now to address your original question of how to disable the UFW BLOCK alerts. While I do not recommend disabling the alerts (because this indicates your firewall is working as intended), you can disable the UFW alert log items by doing the following:

sudo ufw logging off

Note that I really don't recommend you disable your logging of blocked traffic unless you really need to (such as syslog taking up too much disk space, which is not really that common even in these cases), but it's up to you whether you do or not.

Related Question