5

I have the following UFW Block entry. How do I get the source MAC? I'm getting a ton from the same MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 doing port scanning. If it matters, I'm using 12.04 LTS.

Feb  4 17:46:06 ChromeBox-Server kernel: [663960.096168] [UFW BLOCK] IN=eth0 OUT= MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 SRC=123.129.216.39 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x20 TTL=115 ID=49547 PROTO=TCP SPT=1535 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
user244712

2 Answers

7

MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 can be broken up as

  • destination MAC (in this case this is the MAC address of your card, since it is an incoming packet): e8:11:32:cb:d9:42

  • source MAC: 54:04:a6:ba:22:f8

  • EtherType: 08:00

So if you want to programmatically extract the source MAC you can do something like this:

awk '{print $11}' ufw.log | cut -d ':' -f7-12
falconer
  • This makes sense. Now to block that source MAC. – user244712 Feb 06 '14 at 03:50
  • @user244712 That question was asked and answered here: http://askubuntu.com/questions/410023/blocking-specific-mac-address-from-contacting-me-on-local-network – falconer Feb 06 '14 at 12:29
  • Haven't seen any log activity since I blocked that MAC. I used: iptables -I INPUT -p udp -m mac --mac-source 54:04:a6:ba:22:f8 -j REJECT – user244712 Feb 07 '14 at 05:16
  • And iptables -I INPUT -p tcp -m mac --mac-source 54:04:a6:ba:22:f8 -j REJECT – user244712 Feb 07 '14 at 05:17
  • What's the difference in REJECT or DROP? Answer: REJECT sends a response. DROP just doesn't respond at all forcing a timeout. – user244712 Feb 07 '14 at 05:17
  • @user244712 You won't see logs for those which are blocked with the iptables rule. Simple iptables rules are not automatically logged, you have to define a log rule if you want to log them. I don't understand your last comment: If you know the difference between the two, why are you asking? :) – falconer Feb 07 '14 at 13:08
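A parser for that field layout, added here as an example and not part of the answer above: it splits MAC= into its three parts and groups blocked packets by source MAC, so a rotating SRC IP behind one MAC, as described in the comments, shows up directly. The embedded log lines are constructed (the first is the one from the question, the second reuses its MAC with a made-up SRC IP and port).

```python
import re
from collections import defaultdict

# Constructed sample log: first line is the one from the question, the second
# reuses the same source MAC with a different, made-up SRC IP and destination port.
SAMPLE_LOG = """\
Feb  4 17:46:06 ChromeBox-Server kernel: [663960.096168] [UFW BLOCK] IN=eth0 OUT= MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 SRC=123.129.216.39 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x20 TTL=115 ID=49547 PROTO=TCP SPT=1535 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  4 17:46:09 ChromeBox-Server kernel: [663963.101200] [UFW BLOCK] IN=eth0 OUT= MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x20 TTL=115 ID=49548 PROTO=TCP SPT=1536 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
"""

ETHERTYPES = {"08:00": "IPv4", "86:dd": "IPv6", "08:06": "ARP"}

def parse_mac_field(mac_field):
    """Split the 14-byte MAC= value into destination MAC, source MAC, EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC= field: %r" % mac_field)
    return {"dst_mac": ":".join(octets[0:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": ":".join(octets[12:14])}

def parse_ufw_line(line):
    """Return the KEY=VALUE pairs of a [UFW BLOCK] line (None for other lines)."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields.update(parse_mac_field(fields["MAC"]))
    fields["ethertype_name"] = ETHERTYPES.get(fields["ethertype"], "unknown")
    return fields

def summarize(log_text):
    """Group blocked packets by source MAC: hit count, distinct SRC IPs, DPTs.
    Caveat: for packets arriving from a public SRC address the source MAC is
    the last layer-2 hop (normally your gateway router), not the remote host."""
    by_mac = defaultdict(lambda: {"count": 0, "src_ips": set(), "dpts": set()})
    for line in log_text.splitlines():
        f = parse_ufw_line(line)
        if f is None:
            continue
        entry = by_mac[f["src_mac"]]
        entry["count"] += 1
        entry["src_ips"].add(f["SRC"])
        if f.get("DPT"):
            entry["dpts"].add(int(f["DPT"]))
    return {mac: {"count": e["count"], "src_ips": sorted(e["src_ips"]),
                  "dpts": sorted(e["dpts"])} for mac, e in by_mac.items()}

if __name__ == "__main__":
    for mac, e in summarize(SAMPLE_LOG).items():
        print(mac, e)
```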
-1

It looks like your network settings may be using IPv6, as MAC=e8:11:32:cb:d9:42:54:04:a6:ba:22:f8:08:00 is an IPv6 address, probably that of your current network connection. A true MAC (Media Access Control) address would only be six groups of hex digits: aa:bb:11:12:34:56.

The teller in this is the DPT=22. They are trying to find open SSH ports. This is fine if you don't have port 22 open (which I generally don't recommend). If you do have/need port 22 open, I hope your username/password combo is robust. You might also want to check out something like Fail2Ban which will impose temporary blocks after a number of failed login attempts, including SSH logins.

If you're constantly getting port-scanned by the same IP - SRC=123.129.216.39 - set up a DENY or DROP rule in UFW for that IP:

sudo ufw deny from 123.129.216.39

douggro
  • I already have Fail2Ban up and running. No, SSH isn't on port 22. This is just one of numerous open port attempts. All on standard ports. It's probably a script kiddie since they haven't bothered to spoof the MAC because the MACs are all the same. – user244712 Feb 06 '14 at 03:13
  • Is the source IP rotating? Just curious. I was getting hit hard for a few days with attempts on my SMTP server from a group of IPs. +1 for Fail2Ban - nice to have that watching your back. – douggro Feb 06 '14 at 06:37
  • Yep. IP was bouncing around but the MAC was the same. Haven't had any log activity since I blocked that MAC. – user244712 Feb 07 '14 at 05:13
  • It's not an IPv6 IP address. – Marnix A. van Ammers Sep 29 '19 at 01:19