pertm84
Posts: 29
Joined: Sat Oct 20, 2018 10:59 am
Location: Norway

UFW Block in=br0 spams logfile

Fri Mar 01, 2019 12:36 pm

I have an rpi3 set up as a webcam to monitor my boat using Motion, installed ssh keys, fail2ban, ufw and all that.
The pi can run for days and weeks, then it suddenly "hangs".
I have tried to use cron to reboot it every 24 hours, but it doesn't seem to work.
The pi is run in bridge mode, with eth0 connected to a wireless router. (I know it's not necessary, but I've set it up, and the traffic to/from the pi is working, so I didn't want to mess with it again because it's located far away from me.)

I think maybe the logfiles have something to do with the hangups, if they become too large?
I have not been able to use scp to copy messages.log through ssh, it says permission denied, or file not found. Anyways, the UFW logfile has LOADS of this:


Feb 27 18:50:03 raspberrypi kernel: [277801.939611] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:52:08 raspberrypi kernel: [277927.381049] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:54:14 raspberrypi kernel: [278052.822438] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:55:47 raspberrypi kernel: [278146.664563] [UFW BLOCK] IN=br0 OUT= MAC=b8:27:eb:b6:9b:dc:34:ba:9a:5e:7f:b0:08:00 SRC=185.176.26.107 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=9942 PROTO=TCP SPT=51752 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 27 18:56:19 raspberrypi kernel: [278178.264000] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 27 18:57:14 raspberrypi kernel: [278232.797577] [UFW BLOCK] IN=br0 OUT= MAC=b8:27:eb:b6:9b:dc:34:ba:9a:5e:7f:b0:08:00 SRC=191.96.110.53 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=59490 PROTO=TCP SPT=56892 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
From a part of the Messages.log:


Mar  1 13:00:04 raspberrypi motion: [0:motion] [NTC] [ALL] conf_load: Processing thread 0 - config file /etc/motion/motion.conf
Mar  1 13:00:04 raspberrypi motion: [0:motion] [NTC] [ALL] motion_startup: Motion 4.0 Started
Mar  1 13:00:04 raspberrypi motion: [0:motion] [NTC] [ALL] motion_startup: Logging to file (/var/log/motion/motion.log)
Mar  1 13:01:51 raspberrypi kernel: [429711.547632] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:03:56 raspberrypi kernel: [429836.989812] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:06:02 raspberrypi kernel: [429962.430708] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:08:07 raspberrypi kernel: [430087.872014] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:10:12 raspberrypi kernel: [430213.313485] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:12:18 raspberrypi kernel: [430338.755436] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:14:23 raspberrypi kernel: [430464.196373] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:16:29 raspberrypi kernel: [430589.637913] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:18:34 raspberrypi kernel: [430715.079289] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:20:40 raspberrypi kernel: [430840.520763] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:22:45 raspberrypi kernel: [430965.962302] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:34:ba:9a:5e:7f:b0:08:00 SRC=0.0.0.0 DST=221.1.1.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

Any ideas?

epoch1970
Posts: 3664
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: UFW Block in=br0 spams logfile

Fri Mar 01, 2019 1:05 pm

221.1.1.1 is a public IP address managed by APNIC.
http://wq.apnic.net/apnic-bin/whois.pl

Is it possible you misconfigured 224.1.1.1 (a multicast address) as 221.1.1.1?
Anyway 224.1.1.1 is a reserved address as well.

See here if you need to pick a multicast address for your local network
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

pertm84
Posts: 29
Joined: Sat Oct 20, 2018 10:59 am
Location: Norway

Re: UFW Block in=br0 spams logfile

Fri Mar 01, 2019 1:15 pm

Thanks for the reply! Actually, I changed that IP in the post above because I am not too experienced with these security measures and did not want hackers to know my IP. I thought maybe it was my router's IP. The actual data is 224.0.0.1

I find it hard to know what I can safely share from my logfiles..

The UFW log also contains this:


Mar  1 10:43:28 raspberrypi kernel: [421408.940578] [UFW BLOCK] IN=br0 OUT= MAC=b8:27:eb:b6:9b:dc:34:ba:9a:5e:7f:b0:08:00 SRC=71.6.232.5 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=231 ID=54321 PROTO=TCP SPT=59162 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
Which is a hack attempt from San Diego, yes? Or they used a VPN..

epoch1970
Posts: 3664
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: UFW Block in=br0 spams logfile

Fri Mar 01, 2019 4:10 pm

Well if the address is 224.x.x.x then it is multicast and non-routable. Local network only, never routed to another network.
I don't see why ufw needs to make a fuss about that. I don't use ufw myself.

EDIT: Actually, in the line we see "proto=2", which is IGMP and a MAC source of 01:00:5e:0:0:1. IP was confirmed as 224.0.0.1, so this is definitely an IGMPv1 query sent every now and then, by the bridge itself I think. UFW should have no part in this.

The other log is an attempt to connect to 5900/tcp, the port standardized for VNC (aka RFB).
RFB is also used by Macs. If you changed your router config to redirect 5900/tcp to Pi, perhaps someone used to connecting to some Mac within your LAN sees its attempts rejected...
Very common protocol, many users, could be anything really.
Last edited by epoch1970 on Sat Mar 02, 2019 11:18 am, edited 2 times in total.
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

pertm84
Posts: 29
Joined: Sat Oct 20, 2018 10:59 am
Location: Norway

Re: UFW Block in=br0 spams logfile

Fri Mar 01, 2019 6:32 pm

I see. I hoped there was some way to filter out those messages from the log files, because they really fill them up. About 1000 lines per day..
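The filtering the post above asks for can be done after the fact on the log text, which is also a good way to check what is really in there before touching ufw's logging level. The script below is an added example written for this thread, not code from anyone in it: it parses the key=value fields of each [UFW BLOCK] line, labels the IGMP/multicast chatter (PROTO=2, destination in 224.0.0.0/4, as identified earlier in the thread) separately from TCP SYNs arriving from non-LAN addresses, and summarises the latter by destination port. The sample log lines are constructed (documentation-range addresses, made-up MACs) in the same format as the thread's output; the LAN ranges are an assumption that the bridge sits on an RFC 1918 network.

```python
"""Triage [UFW BLOCK] kernel log lines: separate local multicast/IGMP chatter
from unsolicited inbound connection attempts that came from outside the LAN.

Added example for the forum thread, not part of it. SAMPLE_LOG is constructed
(documentation-range source addresses, made-up MACs), not copied from a system.
"""
import ipaddress
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines, same field layout as the thread's UFW output.
SAMPLE_LOG = """\
Mar  1 13:01:51 raspberrypi kernel: [429711.547632] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:02:00:00:00:00:01:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:02:10 raspberrypi kernel: [429730.100000] [UFW BLOCK] IN=br0 OUT= MAC=02:00:00:00:00:02:02:00:00:00:00:01:08:00 SRC=203.0.113.7 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=9942 PROTO=TCP SPT=51752 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 13:03:56 raspberrypi kernel: [429836.989812] [UFW BLOCK] IN=br0 OUT= MAC=01:00:5e:00:00:01:02:00:00:00:00:01:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Mar  1 13:05:30 raspberrypi kernel: [429930.200000] [UFW BLOCK] IN=br0 OUT= MAC=02:00:00:00:00:02:02:00:00:00:00:01:08:00 SRC=198.51.100.21 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=239 ID=59490 PROTO=TCP SPT=56892 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 13:06:00 raspberrypi kernel: [429960.300000] [UFW BLOCK] IN=br0 OUT= MAC=02:00:00:00:00:02:02:00:00:00:00:01:08:00 SRC=203.0.113.7 DST=192.168.1.2 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=9943 PROTO=TCP SPT=51753 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 13:07:00 raspberrypi kernel: [430020.400000] [UFW BLOCK] IN=br0 OUT= MAC=02:00:00:00:00:03:02:00:00:00:00:01:08:00 SRC=192.168.1.50 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353
"""

# Assumption: the bridge sits on an RFC 1918 LAN. Listed explicitly rather than
# relying on ipaddress.is_global, which treats documentation ranges as non-global.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # link-local
    "127.0.0.0/8",                                      # loopback
)]

UFW_BLOCK = re.compile(r"\[UFW BLOCK\]\s+(?P<fields>.*)$")


def parse_ufw_line(line):
    """Return the key=value fields of a [UFW BLOCK] line as a dict, or None.
    Bare flags such as DF and SYN are stored with the value True."""
    m = UFW_BLOCK.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def is_lan_address(addr):
    return any(addr in net for net in LAN_RANGES)


def classify(fields):
    """Label one parsed block.

    multicast_noise : IGMP (PROTO=2) or any packet to a multicast group; this is
                      the 224.0.0.1 / 01:00:5e:00:00:01 chatter from the thread.
    external_probe  : TCP SYN whose source is outside the LAN ranges.
    lan_traffic     : anything else from a LAN address.
    other           : anything else.
    """
    src = ipaddress.ip_address(fields.get("SRC", "0.0.0.0"))
    dst = ipaddress.ip_address(fields.get("DST", "0.0.0.0"))
    proto = fields.get("PROTO", "")
    if proto == "2" or dst.is_multicast:
        return "multicast_noise"
    if proto == "TCP" and fields.get("SYN") is True and not is_lan_address(src):
        return "external_probe"
    if is_lan_address(src):
        return "lan_traffic"
    return "other"


def triage(log_text):
    """Parse every [UFW BLOCK] line in log_text.
    Returns (Counter of labels, dict of DPT -> set of external source IPs)."""
    counts = Counter()
    probes = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_ufw_line(line)
        if fields is None:
            continue
        label = classify(fields)
        counts[label] += 1
        if label == "external_probe":
            probes[fields.get("DPT", "?")].add(fields["SRC"])
    return counts, probes


def report(log_text):
    counts, probes = triage(log_text)
    for label, n in counts.most_common():
        print(f"{label:16s} {n}")
    for port, sources in sorted(probes.items(), key=lambda kv: -len(kv[1])):
        print(f"  port {port}: {len(sources)} distinct external source(s)")


if __name__ == "__main__":
    # Usage: python triage_ufw.py /var/log/ufw.log   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report(text)
```

On the sample the script reports 2 multicast_noise, 3 external_probe and 1 lan_traffic, with port 5900 seen from two distinct sources, which is the split the post wants: the IGMP queries counted and set aside, the port-scan lines kept. If the Pi logs through rsyslog (an assumption about the setup), the same match can be applied at the syslog layer with a discard rule on the multicast destination, so those lines never reach the file in the first place; the ufw rules themselves stay unchanged.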

DougieLawson
Posts: 36111
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: UFW Block in=br0 spams logfile

Sat Mar 02, 2019 12:25 am

If you just want to stop the logging try ufw logging off
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

pertm84
Posts: 29
Joined: Sat Oct 20, 2018 10:59 am
Location: Norway

Re: UFW Block in=br0 spams logfile

Mon Mar 04, 2019 8:39 am

Thanks for the reply, Dougie. I want to keep the actual hack logging on, but all the unnecessary, non-source messages should be filtered out.
I have tried to set the ufw logging to low for now.

DougieLawson
Posts: 36111
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: UFW Block in=br0 spams logfile

Mon Mar 04, 2019 9:01 am

In that case you may need to hack the python code to change the logging level for these noisy messages.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.
