
UFW Block in=br0 spams logfile

Posted: Fri Mar 01, 2019 12:36 pm
by pertm84
I have an rpi3 set up as a webcam to monitor my boat using Motion, installed ssh keys, fail2ban, ufw and all that.
The pi can run for days and weeks, then it suddenly "hangs".
I have tried to use cron to reboot it every 24 hours, but it doesn't seem to work.
The pi is run in bridge mode, with eth0 connected to a wireless router. (I know it's not necessary, but I've set it up, and the traffic to/from the pi is working, so I didn't want to mess with it again because it's located far away from me.)

I think maybe the logfiles have something to do with the hangups, if they become too large?
I have not been able to use scp to copy messages.log through ssh, it says permission denied, or file not found. Anyways, the UFW logfile has LOADS of this:

Code:

Feb 27 18:50:03 raspberrypi kernel: [277801.939611] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:52:08 raspberrypi kernel: [277927.381049] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:54:14 raspberrypi kernel: [278052.822438] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:55:47 raspberrypi kernel: [278146.664563] [UFW BLOCK] IN=br0 OUT= MAC=b8:27:eb:b6:9b:dc:34:ba:9a:5e:7f:b0:08:00 SRC=185.176.26.107 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=9942 PROTO=TCP SPT=51752 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 27 18:56:19 raspberrypi kernel: [278178.264000] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:57:14 raspberrypi kernel: [278232.797577] [UFW BLOCK] IN=br0 OUT= MAC=b8:27:eb:b6:9b:dc:34:ba:9a:5e:7f:b0:08:00 SRC=191.96.110.53 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=59490 PROTO=TCP SPT=56892 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
From a part of the Messages.log:

Code:

Mar  1 13:00:04 raspberrypi motion: [0:motion] [NTC] [ALL] conf_load: Processing thread 0 - config file /etc/motion/motion.conf
Mar  1 13:00:04 raspberrypi motion: [0:motion] [NTC] [ALL] motion_startup: Motion 4.0 Started
Mar  1 13:00:04 raspberrypi motion: [0:motion] [NTC] [ALL] motion_startup: Logging to file (/var/log/motion/motion.log)
Mar  1 13:01:51 raspberrypi kernel: [429711.547632] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:03:56 raspberrypi kernel: [429836.989812] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:06:02 raspberrypi kernel: [429962.430708] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:08:07 raspberrypi kernel: [430087.872014] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:10:12 raspberrypi kernel: [430213.313485] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:12:18 raspberrypi kernel: [430338.755436] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:14:23 raspberrypi kernel: [430464.196373] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:16:29 raspberrypi kernel: [430589.637913] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:18:34 raspberrypi kernel: [430715.079289] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:20:40 raspberrypi kernel: [430840.520763] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:22:45 raspberrypi kernel: [430965.962302] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

Any ideas?

Re: UFW Block in=br0 spams logfile

Posted: Fri Mar 01, 2019 1:05 pm
by epoch1970
221.1.1.1 is a public IP address managed by APNIC.
http://wq.apnic.net/apnic-bin/whois.pl

Is it possible you misconfigured 224.1.1.1 (a multicast address) as 221.1.1.1?
Anyway 224.1.1.1 is a reserved address as well.

See here if you need to pick a multicast address for your local network

Re: UFW Block in=br0 spams logfile

Posted: Fri Mar 01, 2019 1:15 pm
by pertm84
Thanks for the reply! Actually, I changed that IP in the post above because I am not too experienced with these security measures and did not want hackers to know my IP. I thought maybe it was my router's IP. The actual data is 224.0.0.1

I find it hard to know what I can safely share from my logfiles..

The UFW log also contains this:

Code:

Mar  1 10:43:28 raspberrypi kernel: [421408.940578] [UFW BLOCK] IN=br0 OUT= MAC=b8:27:eb:b6:9b:dc:34:ba:9a:5e:7f:b0:08:00 SRC=71.6.232.5 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=231 ID=54321 PROTO=TCP SPT=59162 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
Which is a hack attempt from San Diego, yes? Or they used a VPN..

Re: UFW Block in=br0 spams logfile

Posted: Fri Mar 01, 2019 4:10 pm
by epoch1970
Well if the address is 224.x.x.x then it is multicast and non-routable. Local network only, never routed to another network.
I don't see why ufw needs to make a fuss about that. I don't use ufw myself.

EDIT: Actually, in the line we see "proto=2", which is IGMP and a MAC source of 01:00:5e:0:0:1. IP was confirmed as 224.0.0.1, so this is definitely an IGMPv1 query sent every now and then, by the bridge itself I think. UFW should have no part in this.

The other log is an attempt to connect to 5900/tcp, the port standardized for VNC (aka RFB).
RFB is also used by Macs. If you changed your router config to redirect 5900/tcp to Pi, perhaps someone used to connecting to some Mac within your LAN sees its attempts rejected...
Very common protocol, many users, could be anything really.
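The two kinds of entries described above (IGMP queries to 224.0.0.1 with the 01:00:5e multicast MAC prefix, versus inbound TCP SYNs to a port such as 5900) can be separated mechanically before anyone reads the log. The following is an added example, not code from the thread or from ufw itself; the sample log lines are constructed in the same format as the posted log, and the public source address is a documentation range (198.51.100.0/24), not a real host.

```python
import ipaddress
import re
from collections import Counter

UFW_RE = re.compile(r"\[UFW (?P<action>\w+)\] (?P<fields>.*)$")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample lines in the format of the thread's UFW log; the public
# source address is a documentation range, not a real host.
SAMPLE_LOG = """\
Feb 27 18:50:03 raspberrypi kernel: [277801.939611] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:55:47 raspberrypi kernel: [278146.664563] [UFW BLOCK] IN=br0 OUT= MAC=b8:27:eb:b6:9b:dc:34:ba:9a:5e:7f:b0:08:00 SRC=198.51.100.7 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=9942 PROTO=TCP SPT=51752 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 27 18:56:19 raspberrypi kernel: [278178.264000] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
"""

def parse_ufw_line(line):
    """Return the KEY=VALUE fields of a '[UFW ...]' kernel line, or None."""
    m = UFW_RE.search(line)
    if not m:
        return None
    fields = {"ACTION": m.group("action")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True  # bare flags like DF / SYN carry no '='
    return fields

def classify(fields):
    """Label a blocked packet: IGMP to a multicast group vs. a TCP SYN to a local port."""
    dst = fields.get("DST")
    mcast = bool(dst) and ipaddress.ip_address(dst) in MULTICAST
    # IGMP is IP protocol 2; multicast frames use the 01:00:5e MAC prefix
    if fields.get("PROTO") == "2" and mcast and fields.get("MAC", "").startswith("01:00:5e"):
        return "igmp-multicast"
    if fields.get("PROTO") == "TCP" and fields.get("SYN") is True:
        return "tcp-syn"
    return "other"

def summarize(log_text):
    """Count each category and collect (SRC, DPT) for inbound TCP SYNs."""
    counts, syns = Counter(), []
    for line in log_text.splitlines():
        fields = parse_ufw_line(line)
        if fields is None:
            continue
        label = classify(fields)
        counts[label] += 1
        if label == "tcp-syn":
            syns.append((fields["SRC"], fields["DPT"]))
    return dict(counts), syns
```

Run `summarize()` over the real ufw.log to see how much of the volume is the IGMP query noise and which (source, port) pairs are the connection attempts actually worth keeping.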

Re: UFW Block in=br0 spams logfile

Posted: Fri Mar 01, 2019 6:32 pm
by pertm84
I see. I hoped there was some way to filter out those messages from the log files, because they really fill them up. About 1000 lines per day..

Re: UFW Block in=br0 spams logfile

Posted: Sat Mar 02, 2019 12:25 am
by DougieLawson
If you just want to stop the logging try ufw logging off

Re: UFW Block in=br0 spams logfile

Posted: Mon Mar 04, 2019 8:39 am
by pertm84
Thanks for the reply, Dougie. I want to keep the actual hack logging on, but all the unnecessary, non-source messages should be filtered out.
I have tried to set the ufw logging to low for now.

Re: UFW Block in=br0 spams logfile

Posted: Mon Mar 04, 2019 9:01 am
by DougieLawson
In that case you may need to hack the python code to change the logging level for these noisy messages.