Debian – How to Secure a Server with UFW Under Attack

Tags: apache-2.4, debian, ufw

I am running Apache on Debian.

Below is a sample of entries in my Apache error log. Question 1: Is the server under attack (I see about 30-40 such entries every hour)? I am presuming that these are attacks on, or at least probes into, my server.

[Sun Feb 13 16:37:54.013622 2022] [:error] [pid 16071] [client 106.193.114.87:19356] PHP Notice: Undefined variable: error_msg in /var/www/example.com/page-sidebar-both.php on line 57, referer: https://example.com/podbanks/abresult.php?ab=ab18&lg=English

[Sun Feb 13 16:38:01.289976 2022] [:error] [pid 16109] [client 106.193.114.87:19358] PHP Notice: Undefined variable: result_msg in /var/www/example.com/abc/defg.php on line 210, referer: https://example.com/result.php?ab=ab18&lg=English

[Sun Feb 13 16:38:01.290048 2022] [:error] [pid 16109] [client 103.77.154.37:1842] PHP Notice: Undefined variable: status in /var/www/example.com/pods/dashboard.php on line 210, referer: https://example.com/result.php?ab=AB18&lg=English

[Sun Feb 13 16:38:26.788827 2022] [:error] [pid 15961] [client 54.90.210.118:36104] PHP Notice: Undefined variable: BaseURL in /var/www/example.com/biz.php on line 63

(the pages and variables are valid, but the port numbers are strange).

Question 2: If these are attacks, can I stop them with UFW?
I currently have:

To                         Action      From
--                         ------      ----
WWW Full                   ALLOW       Anywhere
3306                       ALLOW       Anywhere
22                         ALLOW       Anywhere
8081                       ALLOW       Anywhere
1185                       ALLOW       Anywhere
WWW Full (v6)              ALLOW       Anywhere (v6)
3306 (v6)                  ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
8081 (v6)                  ALLOW       Anywhere (v6)
1185 (v6)                  ALLOW       Anywhere (v6)

8081                       ALLOW OUT   Anywhere
8081 (v6)                  ALLOW OUT   Anywhere (v6)

Are these following steps valid and complete considering the above?

ufw disable
ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH
ufw allow "WWW Full"
ufw allow 1185
ufw allow 3306
ufw enable

(line 1 is to make sure I don't get locked out – I am using PuTTY)

Question 3: Do I really need to open 3306 if MySQL is only used locally? I only give access to the database through php queries which are password and session protected.

Question 4: Do I need port 8081 at all? Is it automatically added by "WWW Full"?

Best Answer

(the pages and variables are valid, but the port numbers are strange).

The port numbers are normal. It's the clients' ephemeral ports.

Question 2: If these are attacks, can I stop them with UFW? I currently have:

Generally no. You need to filter at the applicable level, and you want traffic to reach Apache - so you can't filter at L3.

Do I really need to open 3306 if MySQL is only used locally? I only give access to the database through php queries which are password and session protected.

No. You don't. Local MySQL goes over a socket, not TCP/IP. And even if not, you'd want to only allow it on the loopback interface (127.0.0.1).

Question 4: Do I need port 8081 at all? Is it automatically added by "WWW Full"?

Probably not. But you need to know how your application works.
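The answer's point about the "strange" port numbers can be checked directly against the log. The following is an added example (not code from the question or the answer): it parses Apache error-log entries in the format posted above, splits the client field into address and source port, flags any source port that could not be a client's ephemeral port, and counts notices per source IP per hour so the "30-40 per hour" figure can be attributed to specific clients. The sample log is constructed from the four entries in the question.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the four entries posted in the question.
SAMPLE_LOG = """\
[Sun Feb 13 16:37:54.013622 2022] [:error] [pid 16071] [client 106.193.114.87:19356] PHP Notice: Undefined variable: error_msg in /var/www/example.com/page-sidebar-both.php on line 57, referer: https://example.com/podbanks/abresult.php?ab=ab18&lg=English
[Sun Feb 13 16:38:01.289976 2022] [:error] [pid 16109] [client 106.193.114.87:19358] PHP Notice: Undefined variable: result_msg in /var/www/example.com/abc/defg.php on line 210, referer: https://example.com/result.php?ab=ab18&lg=English
[Sun Feb 13 16:38:01.290048 2022] [:error] [pid 16109] [client 103.77.154.37:1842] PHP Notice: Undefined variable: status in /var/www/example.com/pods/dashboard.php on line 210, referer: https://example.com/result.php?ab=AB18&lg=English
[Sun Feb 13 16:38:26.788827 2022] [:error] [pid 15961] [client 54.90.210.118:36104] PHP Notice: Undefined variable: BaseURL in /var/www/example.com/biz.php on line 63
"""

# Apache 2.4 error-log line: [timestamp] [module:level] [pid N] [client ADDR:PORT] message
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]*)\] \[pid \d+\] "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)


def parse_entry(line):
    """Return (timestamp, ip, port, message) for one log line, or None if it doesn't match."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
    ip, port = m.group("client").rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
    return ts, ip, int(port), m.group("msg")


def is_ephemeral(port):
    """True if the port can be a client-side source port (anything above the well-known range).
    Linux defaults to 32768-60999 and Windows to 49152-65535, but older stacks start at 1024."""
    return 1024 <= port <= 65535


def summarise(log_text):
    """Count notices per (source IP, hour) and collect any non-ephemeral source ports."""
    per_ip_hour = Counter()
    odd_ports = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        ts, ip, port, _msg = parsed
        per_ip_hour[(ip, ts.strftime("%Y-%m-%d %H:00"))] += 1
        if not is_ephemeral(port):
            odd_ports.append((ip, port))
    return per_ip_hour, odd_ports


if __name__ == "__main__":
    counts, odd = summarise(SAMPLE_LOG)
    for (ip, hour), n in counts.most_common():
        print(f"{hour}  {ip:<16} {n} notice(s)")
    print("non-ephemeral source ports:", odd or "none")
```

Run it against `/var/log/apache2/error.log` by passing the file contents to `summarise`; a source IP that dominates the hourly counts is the one worth looking at, while the ports themselves tell you nothing.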