Monitoring UFW Logs for Blocked Connections

This guide provides instructions on how to monitor UFW (Uncomplicated Firewall) logs to detect and view blocked connections in real-time. This is useful for troubleshooting and ensuring that your firewall rules are working as expected.

Steps to Monitor UFW Logs

Step 1: Open the Terminal

Begin by opening the terminal on your system. You can do this by pressing Ctrl + Alt + T or by navigating to the terminal application from the system menu.

Step 2: Use the tail Command with grep

Use the tail command combined with grep to filter and display, in real time, the UFW log entries that contain the word 'BLOCK'. This command keeps reading the UFW log file as it grows and shows only the lines for blocked connections.

sudo tail -f /var/log/ufw.log | grep 'BLOCK'

Explanation of the Command:

  • sudo: Runs the command with superuser privileges, which is necessary to access the UFW log file.
  • tail -f /var/log/ufw.log: Continuously displays new entries appended to the UFW log file.
  • grep 'BLOCK': Filters the output to show only lines containing the word 'BLOCK'.

Example Output

When you run the command, you will see output similar to the following for each blocked connection:

Jun 10 12:34:56 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx SRC=192.168.1.100 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=12345 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0

Explanation of the Output:

  • Jun 10 12:34:56: The date and time of the log entry.
  • hostname: The hostname of the system.
  • kernel: Indicates that the message is from the kernel.
  • [UFW BLOCK]: Marks this entry as a connection attempt blocked by UFW (allowed and audited packets are tagged [UFW ALLOW] and [UFW AUDIT] instead).
  • IN=eth0: The network interface where the packet was received.
  • SRC=192.168.1.100: The source IP address of the blocked connection.
  • DST=192.168.1.101: The destination IP address of the blocked connection.
  • PROTO=TCP: The protocol used (e.g., TCP).
  • SPT=12345: The source port of the blocked connection.
  • DPT=80: The destination port of the blocked connection.
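The fields above follow a simple key=value layout, with a few bare flags (DF, SYN) and one deliberately empty field (OUT=). As an added example, not part of this guide, the following Python parser reads lines in that format and summarizes blocked traffic per source, protocol and destination port; the log lines in SAMPLE_LOG are constructed for the example and are not real traffic.

```python
import re
from collections import Counter

# Constructed sample entries in the format shown in this guide (not real traffic).
# The third line is an ALLOW entry and must be ignored by the summary.
SAMPLE_LOG = """\
Jun 10 12:34:56 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx SRC=192.168.1.100 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=12345 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 10 12:34:57 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx SRC=192.168.1.100 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 DF PROTO=TCP SPT=12346 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 10 12:35:01 hostname kernel: [UFW ALLOW] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx SRC=192.168.1.50 DST=192.168.1.101 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 10 12:35:03 hostname kernel: [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx SRC=10.0.0.7 DST=192.168.1.101 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=5353 DPT=5353 LEN=8
"""

# Syslog-style prefix: "Mon dd hh:mm:ss host kernel: [UFW ACTION] <fields>".
# The day is space-padded (two spaces for single-digit days), hence " +".
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: \[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$"
)


def parse_ufw_line(line):
    """Parse one UFW log line into a dict, or return None for non-UFW lines.
    Bare flags such as DF and SYN (no '=') are collected under 'flags';
    an empty field such as OUT= is kept as ''. A repeated key (LEN appears
    twice on UDP lines) keeps the last value seen."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"timestamp": m["ts"], "host": m["host"], "action": m["action"], "flags": []}
    for token in m["rest"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            entry[key] = value
        else:
            entry["flags"].append(token)
    return entry


def blocked_summary(log_text):
    """Count blocked packets per (SRC, PROTO, DPT), skipping non-BLOCK entries."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_ufw_line(line)
        if entry and entry["action"] == "BLOCK":
            counts[(entry.get("SRC"), entry.get("PROTO"), entry.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, dport), n in blocked_summary(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:>15}  {proto}/{dport}")
```

To run it against the live file, feed `sudo cat /var/log/ufw.log` (or the output of the tail command above) into `blocked_summary` instead of SAMPLE_LOG.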

Summary

By using the tail command with grep, you can efficiently monitor UFW logs in real-time to detect and analyze blocked connections. This is a valuable technique for maintaining and troubleshooting your firewall configuration.

For more advanced monitoring and log analysis, consider using log management tools or setting up more complex filtering and alerting mechanisms.