Home / ubuntu / Questions / 1117024
Accepted
killer_rabbit
Asked: 2019-02-10 15:44:29 +0800 CST

Strange new rules added to my iptables config... Was my server hacked?

  • 772

Today, I listed my iptables for a routine check -- and discovered two strange UFW rules that I don't remember setting up myself, referring to two specific IP addresses that I can't identify:

-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT

This is kind of scary. Did someone manage to hack into my server and add these rules? If not, what happened?

(And if some malicious agent did hack into my firewall, why would they use ports 5353 and 1900, that aren't being forwarded by my router??)

iptables firewall ufw hacking

2 Answers

  1. Best Answer

    Quoting man ufw:

    NOTES
       On installation, ufw is disabled with  a  default  incoming  policy  of
       deny,  a  default forward policy of deny, and a default outgoing policy
       of allow, with stateful tracking for NEW connections for  incoming  and
       forwarded  connections.  In addition to the above, a default ruleset is
       put in place that does the following:

       [ ... ]

       - ACCEPT mDNS (zeroconf/bonjour/avahi 224.0.0.251 for IPv4 and ff02::fb
       for IPv6) for service discovery (INPUT)

       - ACCEPT UPnP (239.255.255.250 for IPv4 and ff02::f for IPv6) for ser‐
       vice discovery (INPUT)

    So these two rules you are seeing are part of ufw's default settings and allow mDNS and UPnP services to work.

    • 4

  2. Googling says that those IP addresses are related to Simple Service Discovery Protocol (SSDP)/uPnP and iTunes. So it is likely that these rules are related to software you installed and relate to sharing information on a LAN. whois doesn't return any information for either IP.

    See

    https://stackoverflow.com/questions/12483717/what-is-the-multicast-doing-on-224-0-0-251

    and

    https://wiki.wireshark.org/SSDP

    • 1