
Frequent UDP_IN Blocked for Port Scanning

Discussion in 'Security' started by Another Blogger, Jan 4, 2013.

  1. Another Blogger

    Hello everyone

    I run a blog self-hosted with WordPress. I'm getting frequent email notifications from LFD regarding UDP_IN blocks. I usually get 10+ emails daily about it.

    The email looks like the following:

    ===============
    Time: Tue Jan 1 22:16:42 2013 +0530
    IP:
    Hits: 11
    Blocked: Temporary Block

    Sample of block hits:
    Jan 1 22:14:46 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17414 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:14:46 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17415 PROTO=UDP SPT=500 DPT=500 LEN=392
    Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17435 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17436 PROTO=UDP SPT=500 DPT=500 LEN=392
    Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17437 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:16:21 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17438 PROTO=UDP SPT=500 DPT=500 LEN=392
    Jan 1 22:16:23 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17439 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:16:26 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=440 TOS=0x00 PREC=0x00 TTL=111 ID=17441 PROTO=UDP SPT=500 DPT=500 LEN=420
    Jan 1 22:16:26 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=412 TOS=0x00 PREC=0x00 TTL=111 ID=17442 PROTO=UDP SPT=500 DPT=500 LEN=392
    Jan 1 22:16:39 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=420 TOS=0x00 PREC=0x00 TTL=111 ID=17450 PROTO=UDP SPT=500 DPT=500 LEN=400
    Jan 1 22:16:39 host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=392 TOS=0x00 PREC=0x00 TTL=111 ID=17451 PROTO=UDP SPT=500 DPT=500 LEN=372
    ===============

    Almost every time, the blocked IP address is different. I want to know: is it some kind of attack or is it a false positive?

    Thanks in advance.
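
The following Python script is an added example, not part of the original post: it groups `*UDP_IN Blocked*` lines like those quoted above by source address and lists the destination ports each source touched. The sample lines, the documentation-range IP addresses and the `sweep_ports` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data in the post's log format (documentation-range IPs).
TEMPLATE = ("Jan 1 22:16:{n:02d} host kernel: Firewall: *UDP_IN Blocked* IN=venet0 OUT= "
            "MAC= SRC={src} DST=203.0.113.5 LEN=440 TOS=0x00 PREC=0x00 TTL=111 "
            "ID={n} PROTO=UDP SPT={spt} DPT={dpt} LEN=420")
SAMPLE_LOG = (
    [TEMPLATE.format(n=n, src="192.0.2.10", spt=500, dpt=500) for n in range(4)]
    + [TEMPLATE.format(n=10 + i, src="198.51.100.7", spt=40000 + i, dpt=dpt)
       for i, dpt in enumerate([53, 123, 161, 500, 1900])]
    + ["Jan 1 22:17:01 host sshd[1234]: unrelated line, ignored by the parser"]
)

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of a *UDP_IN Blocked* line, or None."""
    if "*UDP_IN Blocked*" not in line:
        return None
    fields = {}
    for key, value in FIELD.findall(line):
        # LEN appears twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def summarize(lines, sweep_ports=5):
    """Per source: hit count, destination ports, and whether it touched
    at least `sweep_ports` distinct ports (threshold is an assumption)."""
    seen = defaultdict(lambda: {"hits": 0, "dports": set()})
    for line in lines:
        fields = parse_line(line)
        if not fields or not fields.get("SRC") or not fields.get("DPT", "").isdigit():
            continue
        seen[fields["SRC"]]["hits"] += 1
        seen[fields["SRC"]]["dports"].add(int(fields["DPT"]))
    return {
        src: {"hits": s["hits"], "dports": sorted(s["dports"]),
              "many_ports": len(s["dports"]) >= sweep_ports}
        for src, s in seen.items()
    }


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

Every hit in the post's excerpt has SPT=500 and DPT=500 (UDP 500 is the registered ISAKMP/IKE port), so a source like that is reported with a single destination port.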
     
