UFW and On-Reboot Audit?

I asked my Pi 4b to reboot almost 3 hours ago after installing the latest stable update.

All this time, it’s been auditing my ufw logs. I’m ready to tear my hair out.

A couple of questions:

  1. What level of UFW logging is actually useful to display intrusion attempts from the internet?
  2. Would I be better off doing something else? (e.g., setting up open-canary as a honeypot?)
  3. What’s the best way to clear the existing UFW log?
  4. Is there some way to cancel the audit?
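On the first and third questions, what actually carries signal in a UFW log is the set of `[UFW BLOCK]` entries, summarised by source address and destination port rather than read line by line. The script below is an added example for this thread, not something posted by any participant: it takes UFW kernel-log text on stdin (on a live system, `journalctl -k --grep='UFW BLOCK' --no-pager`) and reports which sources were blocked on which ports. The log lines inside it are constructed for the example; the addresses and MAC are not from the thread.

```shell
#!/bin/sh
# Added example: summarise UFW BLOCK entries so the useful signal (which sources
# hit which ports) is visible without reading every line.
# The sample lines below are constructed for this example, in the kernel-log
# format UFW emits; they are not from the thread.

SAMPLE_UFW_LOG='Mar 12 10:01:02 pi kernel: [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:03 pi kernel: [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=40001 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 12 10:01:05 pi kernel: [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.77 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:06 pi kernel: [UFW ALLOW] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.10 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=52000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 12 10:01:09 pi kernel: [UFW BLOCK] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54323 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# Print "count SRC DPT PROTO" for blocked packets, busiest first.
# Reads log text on stdin; ALLOW lines are dropped because only the
# blocked traffic says anything about what is probing the host.
ufw_block_summary() {
    grep -F '[UFW BLOCK]' | awk '{
        src = ""; dpt = ""; proto = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5);
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5);
            if ($i ~ /^PROTO=/) proto = substr($i, 7);
        }
        if (src != "") print src, dpt, proto;
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3, $4 }'
}

# Number of distinct source addresses that were blocked.
ufw_blocked_sources() {
    ufw_block_summary | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# The single source address with the most blocked packets.
ufw_top_source() {
    grep -F '[UFW BLOCK]' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' \
        | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_block_summary
```

Two points a practitioner would want alongside this. First, the `ufw logging low` level is the one whose man page description matches question 1: it logs blocked packets that do not match the default policy (rate limited) plus packets matching rules that carry `log`, so the summary above stays readable; `medium` and above also log allowed traffic and grow quickly. Second, since UFW entries go through the kernel log into the journal, the non-destructive way to clear them is `sudo journalctl --rotate` followed by `sudo journalctl --vacuum-time=1s` (vacuum only removes already-archived journal files, which is why the rotate comes first), rather than pulling the card or renaming the journal directory.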

You can manage it with gufw.


@Darksky,

Thanks for your reply. I’ve actually been using gufw. I really like it; as much as I like to stay on the command line whenever possible just because the Pi performs better without the GUI, trying to configure a firewall using the CLI UFW commands is not something I’m comfortable with. Not to mention the GUI can’t alter rules set with ufw via the command line.

The problem I’m running into right now is I screwed up the logging settings, and it logged EVERYTHING, and I tried to restart the Pi four hours ago, only for it to start auditing every single ufw log entry.

It hasn’t stopped, and it’s not exactly going fast. Given that I’ve had UFW enabled for several days/a couple weeks, I have no idea when it’s going to finish.

What would happen if I hard-powered off the Pi during the audit? Could I pull the card and blast out the UFW logs on another computer, and then re-insert it? Even if it tried to audit the logs again, there would be no logs.

Then I could fix the firewall settings so this doesn’t happen again. That is, turn all the logging to its lowest settings.

This is fairly ridiculous. I did the stable update this afternoon, rebooted, and have been auditing UFW log entries ever since.

Not sure what you mean by audit. If you mean audit in dmesg, that is supposed to be turned off in /boot/cmdline.txt. Auditing the log does not make much sense either.

Okay, curiouser and curiouser.

In cmdline.txt, I clearly see audit=0.

root=LABEL=ROOT_MNJRO rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop usbhid.mousepoll=8 snd-bcm2835.enable_compat_alsa=0 audit=0 cgroup_enable=memory swapaccount=1

But for 5 hours I watched something issue various AUDIT commands related to UFW. It was looking at every single item in the log. (e.g., connection in from address X on interface Y to port Z, etc.)

I have no idea.

EDIT: Back up. I realized the UFW logs were rolled into the journal, so I backed up that folder (appended .old to the folder inside /journal/ containing the actual journal files), and the Pi booted as normal.

LightDM isn’t starting anymore, but I think that must have something to do with the latest stable update. I’m not really worried about it at this point.