I have a lot of these entries in my log:
Sep 22 12:20:23 server0187 kernel: [ 7.267934] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:23 server0187 kernel: [ 7.688848] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:24 server0187 kernel: [ 7.992988] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=27738 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:32 server0187 kernel: [ 16.219594] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=52457 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:39 server0187 kernel: [ 23.217712] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=7040 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:40 server0187 kernel: [ 24.130220] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=7040 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:44 server0187 kernel: [ 28.063447] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33267 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:20:45 server0187 kernel: [ 29.063934] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33268 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:20:47 server0187 kernel: [ 31.063621] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=61.62.8.132 DST=se.rv.er.ip LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=33269 DF PROTO=TCP SPT=33345 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
Sep 22 12:20:50 server0187 kernel: [ 34.272558] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=37595 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:20:50 server0187 kernel: [ 34.667044] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=37595 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:21:08 server0187 kernel: [ 52.296316] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=113.69.80.129 DST=se.rv.er.ip LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=63510 PROTO=TCP SPT=22917 DPT=23 WINDOW=31379 RES=0x00 SYN URGP=0
Sep 22 12:21:39 server0187 kernel: [ 83.646607] [UFW BLOCK] IN=ens3 OUT= MAC=56:00:21:32:65:eb:fe:00:00:32:65:eb:08:99 SRC=151.233.57.112 DST=se.rv.er.ip LEN=44 TOS=0x00 PREC=0x00 TTL=37 ID=56703 PROTO=TCP SPT=25625 DPT=23 WINDOW=30217 RES=0x00 SYN URGP=0
my ufw
rules is pretty standard:
22/tcp (OpenSSH) ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
80,443/tcp ALLOW IN Anywhere
25 ALLOW IN Anywhere
143 ALLOW IN Anywhere
993 ALLOW IN Anywhere
22 ALLOW IN Anywhere
21 ALLOW IN Anywhere
21/tcp ALLOW IN Anywhere
22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)
80,443/tcp (v6) ALLOW IN Anywhere (v6)
25 (v6) ALLOW IN Anywhere (v6)
143 (v6) ALLOW IN Anywhere (v6)
993 (v6) ALLOW IN Anywhere (v6)
22 (v6) ALLOW IN Anywhere (v6)
21 (v6) ALLOW IN Anywhere (v6)
21/tcp (v6) ALLOW IN Anywhere (v6)
How do I get rid of these?
Best Answer
Now to address your concern in your comments about "There's a lot of these entries" and "that's why I'm worried".
When you run a whitelisting firewall with UFW, there is a default rule added as a result of the default UFW configurations which will automatically add a
LOG
rule for any traffic not accepted or otherwise handled by the firewall rules. For example, let's say that I have a server, and I set it to permit only SSH from the IP address 1.2.3.4. Any other traffic to my server not related to traffic from the server going outbound or SSH traffic from 1.2.3.4 to my server (and vice versa in the opposite direction) will be blocked, and aUFW BLOCK
alert will go out to the system logs to indicate that the traffic that doesn't match one of my permitted rules was blocked. (That is, only traffic from 1.2.3.4 to port 22 (SSH), or related bidirectional traffic to that connection, will trigger aBLOCK
alert)Should you be concerned about this? Absolutely not. Web facing services, servers, networks, etc. get a ton of traffic to them, from service scanners, legitimate connections, malicious threat actors, etc. It is not unusual to see a lot of attempts to connect to a network from the outside from large ranges of IP addresses, if your system/server is Internet facing, because that type of traffic is usually blocked.
Now to address your original question of how to disable the
UFW BLOCK
alerts. While I do not recommend disabling the alerts (because this indicates your firewall is working as intended), you can disable the UFW alert log items by doing the following:Note that I really don't recommend you disable your logging of blocked traffic unless you really need to (such as syslog taking up too much disk space, which is not really that common even in these cases), but it's up to you whether you do or not.