
Frequent UDP_IN Blocked for Port Scanning

Discussion in 'Security' started by Another Blogger, Jan 4, 2013.

  1. Another Blogger

    Hello everyone

    I run a blog self-hosted with WordPress. I'm getting frequent email notifications from LFD regarding UDP_IN blocks. I usually get 10+ emails daily about it.

    The email looks like the following:

    ===============
    Time: Tue Jan 1 22:16:42 2013 +0530
    IP:
    Hits: 11
    Blocked: Temporary Block

    Sample of block hits:
    Jan 1 22:14:46 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17414 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:14:46 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17415 PROTO=UDP SPT=500 DPT=500 LEN=392
    Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17435 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17436 PROTO=UDP SPT=500 DPT=500 LEN=392
    Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17437 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17438 PROTO=UDP SPT=500 DPT=500 LEN=392
    Jan 1 22:16:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17439 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:16:26 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17441 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:16:26 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17442 PROTO=UDP SPT=500 DPT=500 LEN=392
    Jan 1 22:16:39 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=420 TOS=0x00 PREC=0x00 TTL=111 ID=17450 PROTO=UDP SPT=500 DPT=500 LEN=400
    Jan 1 22:16:39 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=392 TOS=0x00 PREC=0x00 TTL=111 ID=17451 PROTO=UDP SPT=500 DPT=500 LEN=372
    ===============

    Almost every time, the blocked IP address is different. I want to know: is it some kind of attack, or is it a false positive?

    Thanks in advance.
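
An added example, not part of the original post and not LFD's own code: a Python script that parses `*UDP_IN Blocked*` lines in the format quoted above and groups them by source address, showing whether a source's hits spread across many destination ports or repeat against the same one. The sample log is constructed (documentation-range addresses), and `MIN_PORTS_FOR_SCAN` and the `few-ports`/`many-ports` labels are assumptions of this example, not LFD settings.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the quoted LFD e-mail; the addresses
# are documentation ranges, not values from the thread.
SAMPLE = """\
Jan 1 22:14:46 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17414 PROTO=UDP SPT=500 DPT=500 LEN=420
Jan 1 22:14:46 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17415 PROTO=UDP SPT=500 DPT=500 LEN=392
Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.10 LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17435 PROTO=UDP SPT=500 DPT=500 LEN=420
Jan 1 22:20:02 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=UDP SPT=40000 DPT=53 LEN=28
Jan 1 22:20:02 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=101 PROTO=UDP SPT=40000 DPT=123 LEN=28
Jan 1 22:20:03 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=102 PROTO=UDP SPT=40000 DPT=161 LEN=28
Jan 1 22:20:03 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=103 PROTO=UDP SPT=40000 DPT=1900 LEN=28
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
MIN_PORTS_FOR_SCAN = 4  # assumed threshold for this example, not an LFD setting

def parse_line(line):
    """Return the KEY=value fields of one '*UDP_IN Blocked*' line, or None."""
    if "*UDP_IN Blocked*" not in line:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line):
        # LEN occurs twice: the first is the IP length, the second the UDP length.
        fields["UDP_LEN" if key == "LEN" and "LEN" in fields else key] = val
    return fields

def summarize(log_text):
    """Group blocked hits by source and label the destination-port pattern."""
    per_src = defaultdict(lambda: {"hits": 0, "dports": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f:
            per_src[f["SRC"]]["hits"] += 1
            per_src[f["SRC"]]["dports"].add(int(f["DPT"]))
    report = {}
    for src, s in per_src.items():
        pattern = "many-ports" if len(s["dports"]) >= MIN_PORTS_FOR_SCAN else "few-ports"
        report[src] = (s["hits"], sorted(s["dports"]), pattern)
    return report

if __name__ == "__main__":
    for src, (hits, ports, pattern) in summarize(SAMPLE).items():
        print(src, hits, ports, pattern)
```

In the quoted e-mail every sampled hit has SPT=500 and DPT=500, the IANA-registered ISAKMP/IKE port, so that source would land in the `few-ports` group.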
     