How to tell which application UFW is blocking


I have a Debian system running ufw. I have "default deny" set for all outgoing connections and open specific communications (ports and/or IP addresses) as needed.

I use the dmesg log to see whether anything is trying to establish an outbound connection. I can usually research the IP address and/or port and figure out what is going on. But is there a way to see which application is trying to send the outbound packets?

Answer 1

It is probably best to check the ufw log.

sudo less /var/log/ufw*

If there are no block entries in the log, check the log level. Keep in mind that higher logging levels can fill your disk quickly.

File: /etc/ufw/ufw.conf

# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
# See 'man ufw' for details.
LOGLEVEL=low

man ufw shows some information about logging:

       logging on|off|LEVEL
              toggle logging. Logged packets use the LOG_KERN syslog facility. Systems configured for rsyslog support may
              also log to /var/log/ufw.log. Specifying a LEVEL turns logging on for the specified LEVEL. The default  log
              level is 'low'.  See LOGGING for details.
........
LOGGING
       ufw  supports multiple logging levels. ufw defaults to a loglevel of 'low' when a loglevel is not specified. Users
       may specify a loglevel with:

         ufw logging LEVEL

       LEVEL may be 'off', 'low', 'medium', 'high' and 'full'. Log levels are defined as:

       off    disables ufw managed logging

       low    logs all blocked packets not matching the defined policy (with rate limiting), as well as packets  matching
              logged rules

       medium log  level  low, plus all allowed packets not matching the defined policy, all INVALID packets, and all new
              connections.  All logging is done with rate limiting.

       high   log level medium (without rate limiting), plus all packets with rate limiting

       full   log level high without rate limiting

       Loglevels above medium generate a lot of logging output, and may quickly fill up your disk.  Loglevel  medium  may
       generate a lot of logging output on a busy system.

       Specifying 'on' simply enables logging at log level 'low' if logging is currently not enabled.

Log example:

May 22 00:06:44 HOSTNAME kernel: [12387117.150851] [UFW BLOCK] IN=<NIC> OUT= MAC=XXXXXXXXXXXXXXXXXXXXXX SRC=0.0.0.0 DST=XXXXXXXXX LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 

Now, I see you want to know which application is sending them... perhaps application logs (failed attempts), etc...

You could also open the port and use nethogs to see who is using the bandwidth, and go from there. Close the port afterwards.
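The kernel log lines that ufw produces never carry a PID or process name, so the log alone cannot answer the question. What the log does carry is the protocol, destination address and destination port of each blocked packet, and the socket table printed by `ss -tunp` reports the same tuple next to the owning process. The script below, which is an added example and not part of the answer above, joins the two: it extracts the outbound entries (those with `OUT=<iface>` and an empty `IN=`) from a ufw log and looks each one up in a captured `ss -tunp` listing. Both inputs here are constructed samples written to temporary files; on a real host you would point `correlate` at /var/log/ufw.log and at the output of `ss -tunp` taken right after the block appears.

```shell
#!/usr/bin/env bash
# Added example: name the process behind a ufw outbound BLOCK entry by joining
# the (proto, dst, dport) tuple from the log with the socket table from ss.
set -u

# Print "PROTO DST DPT" for every outbound [UFW BLOCK] line in the file $1.
# Outbound entries have OUT=<iface> set and IN= empty; inbound ones are dropped.
ufw_outbound_blocks() {
  awk '
    /\[UFW BLOCK\]/ && /OUT=[^ ]/ {
      proto = ""; dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DST")   dst   = kv[2]
        if (kv[1] == "DPT")   dpt   = kv[2]
      }
      if (proto != "" && dst != "") print proto, dst, (dpt == "" ? "-" : dpt)
    }' "$1"
}

# Look up one tuple in a saved "ss -tunp" capture ($4) and print "name pid=N".
# $1: PROTO as written in the ufw log (TCP/UDP), $2: destination, $3: dport.
name_process() {
  local netid
  netid=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  awk -v n="$netid" -v peer="$2:$3" '
    $1 == n && $6 == peer {
      if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
        s = substr($0, RSTART, RLENGTH)
        sub(/users:\(\("/, "", s); sub(/",pid=/, " pid=", s)
        print s; found = 1
      }
    }
    END { if (!found) print "no socket found (short-lived or already closed)" }
  ' "$4"
}

# Join: one line per outbound block, with the owning process when ss saw it.
correlate() {
  ufw_outbound_blocks "$1" | while read -r proto dst dpt; do
    printf '%s %s:%s -> %s\n' "$proto" "$dst" "$dpt" \
      "$(name_process "$proto" "$dst" "$dpt" "$2")"
  done
}

# --- constructed sample inputs (not real captures) ---------------------------
WORK=$(mktemp -d)
LOGF=$WORK/ufw.log
SSF=$WORK/ss.txt
# Line 2 is an inbound block (OUT= empty) and must be ignored by the join.
cat >"$LOGF" <<'EOF'
May 22 00:06:44 host kernel: [12387117.150851] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
May 22 00:06:45 host kernel: [12387118.201122] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 22 00:06:46 host kernel: [12387119.330045] [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
EOF
# A TCP connect that ufw DROPs stays in SYN-SENT while the kernel retransmits,
# which is why a prompt "ss -tunp" usually still shows the process.
cat >"$SSF" <<'EOF'
Netid State    Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   SYN-SENT 0      1      10.0.0.5:51234      203.0.113.10:443  users:(("curl",pid=4242,fd=5))
udp   ESTAB    0      0      10.0.0.5:40000      192.0.2.53:53     users:(("python3",pid=3000,fd=3))
EOF

correlate "$LOGF" "$SSF"
```

The join only works while the socket still exists: a TCP connect whose SYN is dropped keeps retrying in SYN-SENT for a while, so capturing `ss -tunp` as soon as the BLOCK line appears is usually enough, but a single UDP datagram from an unconnected socket may leave nothing to find, which the script reports as "no socket found" rather than guessing. Run the capture as root, since `ss -p` only shows process names for sockets you are allowed to inspect.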
