top of page

Firewall

This week was full of bugs and errors and problems.

I made it through with a lot of help from my friends: Thank you Noah Pivnick for trying to understand why digital ocean was so stubborn , Noah Kernis for debugging with me my ssh key, Matt Ross for explaining how to move files from the server to my computer and parsing log files in python.

1 / Setting up a firewall on my service

I followed the step by step explanation on understanding network website.


2 / Once i was active, I wanted to understand how to record my findings.


> Created a ufw status > ufw.log and save it in my server.

> I wanted to save the file on my desktop in order to parse it.


1. exit First i needed to exit my server root and go back to my computer.

2. untill now when entering my server i wrote ssh root@....., in order to copy securly files from my server to my computer i need to write scp - secure copy.

3. csp root@.....:/var/log/ufw.log . - The dot in the end is asking to move this file to here. here is equal to my home.

4. After i had a copy on my computer - i could easly cat ufw.log and see who is trying to reach me


After this step, I wanted to understand how to parse my data. Using python seemed like the best way to parse the lines in the log file.


Each line have the following information, i used this source to identify the purpose of each element given to me in the status:

Date and time: Nov 3 23:01:42

The server’s hostname :ubuntu-s-1vcpu-1gb-nyc3-01 kernel:

The time in seconds since boot: [175012.322739]

Logged Event: Short description of the logged event: [UFW BLOCK]

If we set it, then the event was an incoming event: IN=eth0

If set, then the event was an outgoing event: OUT=

14-byte combination of the Destination MAC, Source MAC, and EtherType fields: MAC=ca:73:2e:2c:6a:37:64:c3:d6:0b:ef:f0:08:00

source IP, who sent the packet initially: SRC=42.232.114.5

destination IP, who is meant to receive the packet: DST=157.245.112.238

This indicates the length of the packet: LEN=40

Precedence field of the IPv4 header: REC=0x00

“Time to live” for the packet. Basically each packet will only bounce through the given number of routers before it dies and disappears.: TTL=47

ufw’s internal ID system:ID=37723

protocol of the packet: PROTO=TCP

SRC IP sent the IP packet over: SPT=23516

destination port: DPT=60001

size of packet the sender is willing to receive: WINDOW=62381

RES=0x00

Connection requires a three-way handshake, which is typical of TCP connections: SYN URGP=0


First, i split the lines:

After understanding how to split the lines and which line i need or want, i created a for loop for everything that i was intersted in analysing later.

I got a lot of data and i was intersted mainly in the SRC and their information, who are the countries or the companies that are trying to come through my server.


I had 5,439 IP addresses trying to go from my server:

United States 711

Russia 148

Seychelles 165

France 29

Netherlands 73

Bulgaria 1

Vietnam 66

Latvia 56

Italy 52

South Korea 2

Germany 30

Taiwan 151

Philippines 11

Spain 48

Thailand 18

Ireland 1

Indonesia 39

Greece 75

Japan 37

Singapore 21

Sweden 15

Romania 46

Malaysia 14

Mexico 19

Turkey 33


United states, Russia, Seychelles and Taiwan were in my top 4.


Then using a bulk online ip locators for the first 600 lines from my ufw status. I was able to take a closer look on the owners of these ip addresses:


Aruba S.p.A. 6

Aruba Cloud is our Cloud service brand for the European market: hosting, backups, object storage.


Asiamax Technology Limited VPN Service Provider Hong Kong 18

VPN Service Provider


CHINA UNICOM China 169 Backbone 31

China Unicom IP network

Found this about china unicom but couldn't understand much about the data.


Data Communication Business Group 24

Part of Chunghwa Tellecom which is the largest telecommunications company in Taiwan and the incumbent mobile, PSTN and broadband carrier there. It has its headquarters in Zhongzheng District, Taipei on the remains of the old Taipei Prison.


Hurricane Electric LLC 9

Hurricane Electric is a global Internet service provider offering IPv4 and IPv6 Internet access, transit, tools, and network applications, as well as data center colocation and hosting services and in San Jose, California and in Fremont, California, where the company is based.


SS-Net 55

person: Svetoslava Dimova address: 51 Volga str., Entr.6, Flat 11 address: 4020 Plovdiv address: Bulgaria


No.31 Jin-rong Street 33

According to spamhaus - this is one of The World's Worst Botnet ASNs

This specific bot have the highest number of detected spam as listed in the Spamhaus XBL zone, sorted by ASN.


IT Proximus UAB 33

Jasinskio 16C LT03163 Vilnius LITHUANIA

phone:   +37062945155


UK-2 Limited 2


Corporación Telemic C.A. 2

Inter is a Venezuelan television broadcaster and telecommunications provider headquartered in Barquisimeto, Lara, Venezuela. Inter was founded in 1996 as InterCable. Its fiscal name is Corporacion Telemic C.A, and its main shareholder is the investment fund HM Capital Partners.

Inter offers digital cable TV services since 2002 and digital satellite television as of August 2012, currently providing up to 125 different channels, some featured products are:

Video on Demand (VOD)HD Channels: The company offers sports, series, documentaries and cinema channels in high definition, which can only be seen using a specific digital decoder for this technology.


EDATEL S.A. E.S.P 2

Estro Web Services Private Limited 3

Fikri DAL 2

Forthnet 2

Guangdong Mobile Communication Co.Ltd. 7


IP CHistyakov Mihail Viktorovich 1


Iran Telecommunication Company PJS 2

Internet Service provider:

No 43, Floor 7, 1969764913 Tehran

IRAN, ISLAMIC REPUBLIC OF IRAN.


Jordan Data Communications Company LLC 1

Sky UK Limited 2

Societatea mixta pe actiuni de tip inchis 1

Interdnestrcom 6






29 views0 comments

Recent Posts

See All

Comments


bottom of page