2

I have a fresh install of Ubuntu 16.04. I configured iptables, ufw (with gufw), and psad using instructions from https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics and https://www.thefanclub.co.za/how-to/how-install-psad-intrusion-detection-ubuntu-1204-lts-server.

Everything seems to work fine but now I'm getting a boatload of e-mails complaining of UDP scans from my machine (to itself), my router and other devices on my network.

How do I fix this? Like ignore them or something?

From the server to itself:

=-=-=-=-=-=-=-=-=-=-=-= Tue May  3 18:40:47 2016 =-=-=-=-=-=-=-=-=-=-=-=


         Danger level: [2] (out of 5)

    Scanned UDP ports: [32412-32414: 6 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[UFW AUDIT]"), 2 packets
       iptables chain: OUTPUT (prefix "[UFW ALLOW]"), 2 packets
       iptables chain: OUTPUT (prefix "[UFW AUDIT]"), 2 packets

               Source: 192.168.1.50
                  DNS: server.nigam.com

          Destination: 192.168.1.255
                  DNS: [No reverse dns info available]

   Overall scan start: Tue May  3 18:40:20 2016
   Total email alerts: 37
   Complete UDP range: [32412-32414]
      Syslog hostname: nook

         Global stats:
                       chain:   interface:  protocol:  packets:
                       INPUT    br1         udp        6
                       OUTPUT   br1         udp        12

From the router:

=-=-=-=-=-=-=-=-=-=-=-= Tue May  3 18:40:49 2016 =-=-=-=-=-=-=-=-=-=-=-=


         Danger level: [2] (out of 5)

    Scanned UDP ports: [42608-58785: 6 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[UFW AUDIT]"), 6 packets

               Source: 192.168.1.1
                  DNS: NigamNet

          Destination: 192.168.1.69
                  DNS: nook.nigam.com

   Overall scan start: Tue May  3 18:35:58 2016
   Total email alerts: 39
   Complete UDP range: [32911-60857]
      Syslog hostname: nook

         Global stats:
                       chain:   interface:  protocol:  packets:
                       INPUT    br1         udp        119

From localhost:

=-=-=-=-=-=-=-=-=-=-=-= Tue May  3 18:40:47 2016 =-=-=-=-=-=-=-=-=-=-=-=


         Danger level: [1] (out of 5) Multi-Protocol

    Scanned UDP ports: [33335: 2 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[UFW AUDIT]"), 1 packets
       iptables chain: OUTPUT (prefix "[UFW AUDIT]"), 1 packets

               Source: 127.0.0.1
                  DNS: localhost

          Destination: 127.0.0.1
                  DNS: localhost

   Overall scan start: Tue May  3 18:40:20 2016
   Total email alerts: 5
   Complete TCP range: [6789]
   Complete UDP range: [33335]
      Syslog hostname: nook

         Global stats:
                       chain:   interface:  protocol:  packets:
                       OUTPUT   lo          tcp        3
                       OUTPUT   lo          udp        3
                       INPUT    lo          tcp        3
                       INPUT    lo          udp        3

From my Roku:

=-=-=-=-=-=-=-=-=-=-=-= Tue May  3 07:03:33 2016 =-=-=-=-=-=-=-=-=-=-=-=


         Danger level: [3] (out of 5)

    Scanned UDP ports: [41598: 1 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[UFW BLOCK]"), 1 packets

               Source: 192.168.1.108
                  DNS: NP-4124DU054440.nigam.com

          Destination: 192.168.1.69
                  DNS: nook.nigam.com

   Overall scan start: Tue May  3 00:12:39 2016
   Total email alerts: 191
   Complete UDP range: [39474-41598]
      Syslog hostname: nook

         Global stats:
                       chain:   interface:  protocol:  packets:
                       INPUT    br1         udp        195
IMTheNachoMan
  • 245
  • 2
  • 15

1 Answers1

1

You have to tune your firewall if you'd like to reduce this kind of noise.

In your case, one possible way might be to add a rule to your firewall that allows all incoming connections on UDP ports that originate from your local network.

wulfgarpro
  • 196
  • 1
  • 5