
I run a blog self-hosted with Wordpress. I'm getting frequent email notifications from LFD regarding UDP_IN blocks. I usually get 10+ emails daily about it.

The email looks like following:

Time:
IP:
Hits: 11 Blocked: Temporary Block

Sample of block hits: host kernel: Firewall: UDP_IN Blocked IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=xxx TOS=0x00 PREC=0x00 TTL=xxx ID=xxxxx PROTO=UDP SPT=xxx DPT=xxx LEN=xxx

Almost every time the blocked IP address is different. I want to know: is it some kind of attack, or is it a false positive?

Thanks in advance.

1 Answer


That's the port typically used to negotiate an IPSec VPN, so this is probably a result of bots searching the internet for a misconfigured VPN they can exploit, and/or one with weak security they can hack into.

Specifically:

Port Number: 500
TCP / UDP: UDP
Delivery: No
Protocol / Name: isakmp
Port Description: isakmp. Used in FW-1 VPN for key exchange & synch when using ISAKMP or IPSEC crypto between FW-1's. FW-1 Ports: tcp 256, tcp/udp 259, udp 500, tcp 900.

So, yes, it's an attack, but no, it's nothing you need to worry about (unless you're running a VPN server from your webserver for some reason).

HopelessN00b
  • ^^ Thanks a lot for your reply. Is there anything which I can do to stop these kinds of attacks, or should I simply ignore these emails? – Another Blogger Jan 04 '13 at 13:54
  • @AnotherBlogger You should get a better system, that only emails you things that are important. – Michael Hampton Jan 04 '13 at 14:19
  • @AnotherBlogger Looks like probably a port scan to me. Like Michael Hampton said, you should get a better system in place to only send you alerts about things that matter. – HopelessN00b Jan 04 '13 at 19:35
  • ^^ Thanks. Those email alerts were sent by the CSF firewall itself. Is there any recommendation to set it to only send alerts that actually matter? – Another Blogger Jan 04 '13 at 19:54
  • @AnotherBlogger I have no idea how to configure the setting on that product (though I suppose you could ask another question about it here if the documentation's of no help), but you really should strive to eliminate false positives - they have a way of desensitizing the people getting the alerts, and creating false negatives (missed events). – HopelessN00b Jan 05 '13 at 00:00
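The alert filtering the comments recommend, as an added example that is not part of the original thread or of csf/lfd: a small Python script that parses the kernel firewall line format quoted in the question, summarises UDP_IN blocks per destination port, and raises only hits against UDP ports the host actually exposes or repeated probes from a single source. The sample log lines, the addresses, the exposed-port set and the burst threshold are constructed assumptions.

```python
import re
from collections import Counter

# Matches the kernel firewall line quoted in the question (iptables LOG output as relayed by lfd).
LINE_RE = re.compile(
    r"Firewall: (?P<chain>\w+) Blocked IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample in the question's layout; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan  4 13:01:02 host kernel: Firewall: UDP_IN Blocked IN=venet0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 PROTO=UDP SPT=500 DPT=500 LEN=40
Jan  4 13:01:03 host kernel: Firewall: UDP_IN Blocked IN=venet0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 PROTO=UDP SPT=500 DPT=500 LEN=40
Jan  4 13:05:10 host kernel: Firewall: UDP_IN Blocked IN=venet0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=22222 PROTO=UDP SPT=4444 DPT=53 LEN=40
Jan  4 13:09:00 host kernel: Firewall: UDP_IN Blocked IN=venet0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=33333 PROTO=UDP SPT=1024 DPT=500 LEN=40
"""

def parse_blocks(log):
    """Yield one dict per parseable 'Blocked' line; unrelated lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def triage(log, exposed_udp_ports, burst_threshold=3):
    """Split blocked UDP hits into background 'noise' (ports we don't serve, summarised per port)
    and 'attention' (a port we do expose, or one source repeating a port >= burst_threshold)."""
    noise_by_port = Counter()
    per_source_port = Counter()
    attention = []
    for hit in parse_blocks(log):
        if hit["proto"] != "UDP":
            continue
        dpt = int(hit["dpt"])
        per_source_port[(hit["src"], dpt)] += 1
        if dpt in exposed_udp_ports:
            attention.append(f'{hit["src"]} -> udp/{dpt} (exposed service)')
        else:
            noise_by_port[dpt] += 1
    for (src, dpt), n in per_source_port.items():
        if n >= burst_threshold and dpt not in exposed_udp_ports:
            attention.append(f"{src} -> udp/{dpt} x{n} (repeated)")
    return {"noise": dict(noise_by_port), "attention": attention}

if __name__ == "__main__":
    # Assumption: the blog host exposes no UDP services, so every UDP_IN block is a scan probe.
    print(triage(SAMPLE_LOG, exposed_udp_ports=set()))
```

Feeding a day's worth of real lines through triage() turns ten separate "Blocked" mails into one per-port summary, with an alert only when a probe touches a service that is actually reachable.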