Question

Cloud Firewall Got Bypassed

Posted November 9, 2021
Tags: Firewall, DigitalOcean Cloud Firewalls

I have a droplet that I use for a VPN.
I enabled the cloud firewall and allow only all IPs to port 1194 UDP.

The problem is that I see suspicious connections that are blocked in UFW; there are a lot of unknown IPs trying to connect to various ports. They should be blocked by the DigitalOcean firewall because the port is not 1194. Why is this happening? Did the cloud firewall get bypassed?

Note:

  1. I never turned off the cloud firewall at the time of the suspicious connections.
  2. This firewall has been in place for a few months, and this is the first time I have noticed this. I am sure I have not misconfigured it, because the firewall is working. But there were suspicious connections on 31 Oct and 4 Nov.

This is part of my ufw.log:

Oct 31 04:56:09 MYDROPLET kernel: [924707.027218] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=221.201.98.177 DST=MYDROPLETIP LEN=132 TOS=0x00 PREC=0x00 TTL=112 ID=12128 PROTO=UDP SPT=56455 DPT=53787 LEN=112
Oct 31 04:56:26 MYDROPLET kernel: [924723.287569] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=41.44.59.128 DST=MYDROPLETIP LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=48741 PROTO=UDP SPT=18956 DPT=53787 LEN=28
Oct 31 04:56:49 MYDROPLET kernel: [924746.844549] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=77.38.77.61 DST=MYDROPLETIP LEN=132 TOS=0x08 PREC=0x00 TTL=38 ID=63816 PROTO=UDP SPT=39392 DPT=53787 LEN=112
Oct 31 04:57:15 MYDROPLET kernel: [924772.753821] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=65.18.122.158 DST=MYDROPLETIP LEN=132 TOS=0x00 PREC=0x00 TTL=116 ID=31446 PROTO=UDP SPT=29123 DPT=53787 LEN=112
Oct 31 04:57:26 MYDROPLET kernel: [924783.550471] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=67.193.145.94 DST=MYDROPLETIP LEN=132 TOS=0x08 PREC=0x00 TTL=107 ID=40566 PROTO=UDP SPT=6881 DPT=53787 LEN=112
Oct 31 04:57:43 MYDROPLET kernel: [924800.297427] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=65.18.122.158 DST=MYDROPLETIP LEN=132 TOS=0x00 PREC=0x00 TTL=116 ID=31449 PROTO=UDP SPT=29123 DPT=53787 LEN=112
Oct 31 04:58:04 MYDROPLET kernel: [924821.994170] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=86.238.133.0 DST=MYDROPLETIP LEN=132 TOS=0x00 PREC=0x00 TTL=114 ID=51877 PROTO=UDP SPT=64183 DPT=53787 LEN=112
Oct 31 04:58:27 MYDROPLET kernel: [924844.552135] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=77.38.77.61 DST=MYDROPLETIP LEN=48 TOS=0x08 PREC=0x00 TTL=38 ID=63824 PROTO=UDP SPT=39392 DPT=53787 LEN=28
Oct 31 04:58:51 MYDROPLET kernel: [924868.149509] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=221.201.98.177 DST=MYDROPLETIP LEN=132 TOS=0x00 PREC=0x00 TTL=112 ID=12132 PROTO=UDP SPT=56455 DPT=53787 LEN=112
Oct 31 04:59:04 MYDROPLET kernel: [924881.277987] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=67.193.145.94 DST=MYDROPLETIP LEN=132 TOS=0x08 PREC=0x00 TTL=107 ID=40568 PROTO=UDP SPT=6881 DPT=53787 LEN=112
Oct 31 04:59:25 MYDROPLET kernel: [924902.829542] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=65.18.122.158 DST=MYDROPLETIP LEN=132 TOS=0x00 PREC=0x00 TTL=116 ID=31452 PROTO=UDP SPT=29123 DPT=53787 LEN=112
Oct 31 04:59:50 MYDROPLET kernel: [924927.312663] [UFW BLOCK] IN=eth0 OUT= MAC=MACADDRESS SRC=77.38.77.61 DST=MYDROPLETIP LEN=132 TOS=0x08 PREC=0x00 TTL=38 ID=63826 PROTO=UDP SPT=39392 DPT=53787 LEN=112
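Before deciding whether an upstream filter was bypassed, it helps to tabulate exactly what UFW is dropping: which destination ports, which sources, and which of those packets fall outside the set the cloud firewall is supposed to pass. The script below is an added example, not code from the question or from DigitalOcean; it parses lines in the format of the ufw.log excerpt above (the `[UFW BLOCK]` tag followed by `KEY=VALUE` pairs) and runs over constructed sample lines with documentation-range IPs. The allowed set `{("UDP", 1194)}` mirrors the rule described in the question and is an assumption to adjust.

```python
import re
import sys
from collections import Counter

# Constructed sample lines, shaped like the ufw.log excerpt in the question:
# documentation-range IPs (RFC 5737), a made-up MAC, and one unrelated sshd
# line to show that non-UFW lines are skipped. Not real traffic.
SAMPLE_LOG = """\
Oct 31 04:56:09 droplet kernel: [924707.027218] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=132 TOS=0x00 PREC=0x00 TTL=112 ID=12128 PROTO=UDP SPT=56455 DPT=53787 LEN=112
Oct 31 04:56:26 droplet kernel: [924723.287569] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.22 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=48741 PROTO=UDP SPT=18956 DPT=53787 LEN=28
Oct 31 04:56:49 droplet kernel: [924746.844549] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=132 TOS=0x08 PREC=0x00 TTL=38 ID=63816 PROTO=UDP SPT=39392 DPT=53787 LEN=112
Oct 31 04:57:15 droplet kernel: [924772.753821] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 31 04:57:20 droplet kernel: [924777.100000] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.88 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=60 ID=2 PROTO=UDP SPT=5000 DPT=1194 LEN=44
Oct 31 04:57:30 droplet sshd[1234]: Accepted publickey for admin from 198.51.100.9 port 51234 ssh2
"""

# Syslog prefix plus the "[UFW <ACTION>]" tag; everything after the tag is
# KEY=VALUE pairs (bare TCP flags such as DF or SYN carry no "=" and are skipped).
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r".*?\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$"
)
FIELD = re.compile(r"([A-Z]+)=(\S*)")


def parse_ufw_line(line):
    """Parse one UFW kernel log line into a dict, or return None for other lines.

    The kernel prints LEN twice (IP total length, then UDP/TCP payload length);
    repeated keys are stored as KEY, KEY_2, KEY_3 ... instead of overwriting."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {}
    for key, val in FIELD.findall(m.group("rest")):
        name, n = key, 2
        while name in fields:
            name, n = f"{key}_{n}", n + 1
        fields[name] = val
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "action": m.group("action").strip(), "fields": fields}


def summarize_blocks(log_text, allowed):
    """Tabulate inbound UFW BLOCK events.

    allowed is the set of (PROTO, port) pairs the upstream firewall is meant to
    pass, e.g. {("UDP", 1194)}. Blocked packets whose (PROTO, DPT) lies outside
    that set are listed under "unexpected": with the upstream filter in effect
    they should never have reached the host for UFW to log them."""
    by_port, by_src, unexpected = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue
        f = rec["fields"]
        if not f.get("IN"):          # IN is empty for outbound packets
            continue
        proto = f.get("PROTO")
        port = int(f["DPT"]) if "DPT" in f else None   # ICMP has no DPT
        by_port[(proto, port)] += 1
        by_src[f["SRC"]] += 1
        if (proto, port) not in allowed:
            unexpected.append({"time": rec["timestamp"], "src": f["SRC"],
                               "proto": proto, "dport": port, "ttl": f.get("TTL")})
    return {"by_port": by_port, "by_src": by_src, "unexpected": unexpected}


def report(summary):
    """Render the summary as text (returned rather than printed so it can be tested)."""
    out = ["Blocked inbound packets by (proto, dport):"]
    for (proto, port), n in summary["by_port"].most_common():
        out.append(f"  {proto}/{port}: {n}")
    out.append("Top sources:")
    for src, n in summary["by_src"].most_common(5):
        out.append(f"  {src}: {n}")
    out.append(f"Packets to ports outside the allowed set: {len(summary['unexpected'])}")
    for e in summary["unexpected"]:
        out.append(f"  {e['time']} {e['src']} -> {e['proto']}/{e['dport']} (TTL {e['ttl']})")
    return "\n".join(out)


if __name__ == "__main__":
    # Real logs, including rotated gzip files, can be piped in, for example:
    #   zgrep -h 'UFW BLOCK' /var/log/ufw.log* | python3 ufw_summary.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(summarize_blocks(text, allowed={("UDP", 1194)})))
```

Run on the real ufw.log, the "by (proto, dport)" table makes the pattern in the excerpt above visible at a glance: many unrelated sources hitting one UDP port that is not 1194. The "unexpected" list is the set of packets to compare against the rule set actually attached to the droplet in the control panel; every entry there is a packet the host-level firewall had to drop itself.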

1 answer

Hello,

What I could suggest is checking your archived logs as well to make sure that this has not been happening for longer than just this specific day.

You can use the zgrep -i ufw /var/log/* command to search for any ufw references in the log directory, including gzipped files.

Also, is it possible for you to share a screenshot of your firewall configuration? You can find it at: Networking -> Firewalls & Networking -> Firewalls -> Droplets. Make sure to hide any sensitive information before posting the screenshot.

Best,
Bobby