Understanding Nets » Assignment 04: ufw

2 minute read

Five hours worth of ufw.log entires

My host, undernets.me, has been up since Sunday, September 8th.

root@undernets:~# uptime
 17:35:47 up 57 days,  1:53,  2 users,  load average: 0.00, 0.00, 0.00

The oldest log entry I have is dated Sep 29 06:40:15 so presumably either a. I didn’t turn on ufw until three weeks after I first spun up the instance or b. ufw deletes rolled logs after a certain amount of time.

Most likely it’s the latter. Logs that pile up with being deleted would eventually consume all available storage space. A friend and mentor taught me best practice is to mount /var in it’s own partition for that very reason.

The Dev Ops engineer who taught me what little I know about this stuff was always adamant that a public-facing host be locked down to the greatest extent possible. If you don’t need it, keep it closed. Since the exercise didn’t require anything other than the ability to ssh remotely, the only port I opened up was 22.

root@undernets:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)

Now that I think of it, I can’t recall whether port 22 was open by default on the Digital Ocean image. Or for that matter, whether ufw was enabled by default.

Data

There were roughly 125K ufw.log entries so I pulled approximately five hours worth worth of data from the end of the oldest log, 857 entries in all.

I poked around online a bit to try and figure out how to pull logs from a remote host over an ssh tunnel. The easiest solution I found was a nifty bit of command line wizardry from user Florian Fida on a Unix & Linux Stack Exchange post.

ssh root@undernets.me 'cat /var/ufw.log' > /Downloads/ufw.log

I’m fairly certain this only works because the logs are plain text files and in this circumstance cat is reading the content of the log rather than dealing with actually file transfer. If they were binaries, scp or sftp would be in order. I doubt cat would be of any use.

Once the logs were local, I cleaned them up replacing (most) spaces with commas, changed the file sufix to .csv, and imported the data into a Google Sheet.

Geolocation

For my IP geolocation data I signed up with IP2Location for a demo API key good for 5,000 credits. I opted for IP2Location in part because they provide a nifty Google Sheets add-on for pulling geolocation information directly into the sheet using a simple spreadsheet function. I also opted for IP2Location because I’m woefully inept when it comes to tapping into web APIs and as far as I can tell the the only easy way to utilize Ipinfo.io via web interface is one IP address at a time.

IP source geolocation mapped to coordinates

Bar chart of source IPs by country of origin

Heat map of source IPs by country of origin