
    Guess who's knocking on my back door

    My ufw firewall reported:
    Code:
    Jan 14 21:05:51 Aspire-V3-771 kernel: [37196.317955] [UFW BLOCK] IN=wlp13s0 OUT= MAC=44:6d:57:d6:48:88:b0:c7:45:75:e9:02:08:00 SRC=92.63.194.3 DST=192.168.11.100 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=62194 PROTO=TCP SPT=40105 DPT=8888 WINDOW=1024 RES=0x00 SYN URGP=0

    Our friends the Russian hackers!
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    I have failed logins on my email server most every day, but they're mostly Chinese



      #3
      I used to get a lot of them but not much any more.



        #4
        Originally posted by GreyGeek:
        My ufw firewall reported...
        Aspire
        I'm curious about that; an Aspire is a laptop, and your report implies it is exposed to the internet. Typically, a laptop is behind a router doing NAT, which, typically, blocks incoming connection attempts, unless ports have been opened. Do you not use a router, or have you opened ports, presumably including port 8888 (or something mapped to 8888)?

        ufw on the VPS I'm experimenting with reports a big jump in blocked connections overnight (my time, that'd be roughly 10:00 - 20:00 UTC), 4,500 entries in the log, compared to about 500 a day in the previous week. fail2ban has been similarly active, too.
        Regards, John Little



          #5
          Since I'm using Bionic, what should I install to make sure nobody will mess with my stuff? O_o? Or is it safe enough with the updates provided so far by the official repositories? By the way, I've installed the Linux kernel version 5.3.0-26-generic according to uname -a but I thought it was the -hwe version... And how do I change the incoming port?
          Multibooting: Kubuntu Noble 24.04
          Before: Jammy 22.04, Focal 20.04, Precise 12.04 Xenial 16.04 and Bionic 18.04
          Win XP, 7 & 10 sadly
          Using Linux since June, 2008



            #6
            Originally posted by jlittle:
            I'm curious about that; an Aspire is a laptop, and your report implies it is exposed to the internet. Typically, a laptop is behind a router doing NAT, which, typically, blocks incoming connection attempts, unless ports have been opened. Do you not use a router, or have you opened ports, presumably including port 8888 (or something mapped to 8888)?

            ufw on the VPS I'm experimenting with reports a big jump in blocked connections overnight (my time, that'd be roughly 10:00 - 20:00 UTC), 4,500 entries in the log, compared to about 500 a day in the previous week. fail2ban has been similarly active, too.
            "UFW BLOCK" indicates it blocked an attempt. The "SYN URGP=0" says that handshaking wasn't achieved. I.e., just a knock coming in through port 40105 and trying to hit 8888. The 40105 port is a TCP port only, so a handshake is necessary.

            Actually, I have TWO firewalls. The UFW on this laptop, and the DD-WRT firewall on my Buffalo 600N wireless router. I use the UFW to control things happening on this laptop, like allowing netdata to use port 19999. I use the DD-WRT as a shield against the outside.
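As an added example (not code from the thread or from ufw itself), a small parser for the kernel/ufw log format quoted in the first post: it pulls out the SRC/DST/DPT fields, decides whether a TCP entry is a bare SYN (the "handshake wasn't achieved" knock described above) and counts blocked attempts per source and destination port. The first sample line is the one from the thread; the others are constructed.

```python
import re
from collections import Counter

# Constructed sample log: the first line is the one quoted in the thread, the
# rest are made up in the same format (198.51.100.0/24 is a documentation range).
SAMPLE_LOG = """\
Jan 14 21:05:51 Aspire-V3-771 kernel: [37196.317955] [UFW BLOCK] IN=wlp13s0 OUT= MAC=44:6d:57:d6:48:88:b0:c7:45:75:e9:02:08:00 SRC=92.63.194.3 DST=192.168.11.100 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=62194 PROTO=TCP SPT=40105 DPT=8888 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 14 21:06:02 Aspire-V3-771 kernel: [37207.100000] [UFW BLOCK] IN=wlp13s0 OUT= SRC=198.51.100.7 DST=192.168.11.100 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=51000 DPT=8888 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 14 21:06:09 Aspire-V3-771 kernel: [37214.200000] [UFW BLOCK] IN=wlp13s0 OUT= SRC=198.51.100.7 DST=192.168.11.100 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 PROTO=UDP SPT=53 DPT=19999 LEN=40
Jan 14 21:06:15 Aspire-V3-771 kernel: [37220.300000] [UFW ALLOW] IN=wlp13s0 OUT= SRC=192.168.11.5 DST=192.168.11.100 PROTO=TCP SPT=40000 DPT=19999 WINDOW=1024 RES=0x00 SYN URGP=0
"""

UFW_RE = re.compile(r"\[UFW (?P<action>[A-Z]+)\]\s+(?P<fields>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_ufw_line(line):
    """Split one '[UFW ...]' kernel log line into its KEY=VALUE fields plus the
    set of bare TCP flag tokens; returns None for non-ufw lines."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)  # UDP lines carry LEN= twice; keep the IP one
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def is_bare_syn(rec):
    """SYN set and ACK clear: the first packet of a handshake, so the attempt
    was dropped before any connection existed (the 'knock' in the thread)."""
    return (rec.get("PROTO") == "TCP"
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])


def summarize_blocks(log_text):
    """Count blocked bare-SYN attempts per (source IP, destination port); a
    scanner stands out as one SRC hitting many ports or one port many times."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec and rec["action"] == "BLOCK" and is_bare_syn(rec):
            counts[(rec["SRC"], int(rec["DPT"]))] += 1
    return counts
```

Feeding the contents of /var/log/ufw.log to summarize_blocks gives the per-source counts behind a "4,500 entries overnight" figure like the one reported above.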



              #7
              Originally posted by GreyGeek:
              "UFW BLOCK" indicates it blocked an attempt. The "SYN URGP=0" says that handshaking wasn't achieved. I.e., just a knock coming in through port 40105 and trying to hit 8888. The 40105 port is a TCP port only, so a handshake is necessary.

              Actually, I have TWO firewalls. The UFW on this laptop, and the DD-WRT firewall on my Buffalo 600N wireless router. I use the UFW to control things happening on this laptop, like allowing netdata to use port 19999. I use the DD-WRT as a shield against the outside.
              I think that what jlittle meant is that a connection attempt shouldn't even reach your laptop's ufw if you're behind a properly configured NAT router. It should be blocked at the router and never forwarded to your internal LAN (to your laptop), unless you have configured your router to Port forward an external port (could be 8888, but doesn't have to be) to port 8888 on your laptop's internal IP (in case you have a firewall on router, it obviously doesn't seem to block it either).

              And you obviously can't deduce much of the identity of the "hackers" based on the IP, only the dumbest "hacker" would use their own IP (or even an IP from their own country) for port scans...which are something that you'd need to be overly concerned about, you can get hundreds or even thousands of them daily if you are directly connected to the internet, but they shouldn't get past the router (so I'd check the router settings).
              Last edited by kubicle; Jan 17, 2020, 01:06 AM.



                #8
                The 8888 is the Google DNS for my DNS3 setting in the DD-WRT router software.



                  #9
                  Originally posted by GreyGeek:
                  The 8888 is the Google DNS for my DNS3 setting in the DD-WRT router software.
                  I'm taking an educated guess, and suggest that this is probably unrelated to port 8888, and is rather the IP address 8.8.8.8 of one of google's DNS servers?

                  You typically set up port forwards if there are servers/services on your internal LAN that you want to be accessible from the internet (like a web server or ssh), then you set up a port forward rule on your router to forward traffic from a port on your router to a specific port and IP on your LAN (for example, you could forward port 8080 on your router to 192.168.1.80:80 [the internal IP and port of your web server], after which the web server could be accessed from the internet with your.router.outward.ip:8080). If that doesn't ring any bells, then I think it is safe to assume you have not (intentionally) set up any forwards on your router.

                  Note that the router also does automatic port forwarding on connections initiated from your LAN to the internet (so it can forward the responses back to the machine that made the connections), but that does not apply to connections initiated from the internet (you'll need manual port forward rules [or set up DMZ] for that). Another service that can affect forward rules is UPnP (check if it's enabled on your router, as a general rule it should be disabled for security).

                  The basic concepts are explained in short here: https://wiki.dd-wrt.com/wiki/index.php/Port_Forwarding



                    #10
                    I looked into where the 8888 comes from. At first, because it is a Google DNS IP address, I thought it was related to that. However, while examining my DD-WRT firewall settings I noticed that 8888 is a port-forwarding required for sagemath, which I had forgotten about. So, I now disable it when I am not using it. I am running the last version of SageMath that will run locally without using the Jupyter interface or the cloud, so it is now an unsupported release.

                    I checked on the malware associated with the DD-WRT firmware in my Buffalo WZR-600DHP router and found that there were several related to it. Also, since the router is 4 years old, Buffalo no longer updates the firmware. Tomato has some malware too, so I am looking into burning the latest OpenWRT firmware onto it.



                      #11
                      Originally posted by GreyGeek:
                      However, while examining my DD-WRT firewall settings I noticed that 8888 is a port-forwarding required for sagemath, which I had forgotten about. So, I now disable it when I am not using it.
                      That port forward explains why the packet reached your laptop's ufw (which was the main question), so your router seems to be functioning properly. Disabling the port forward is sort of redundant, since the port is blocked by your laptop's ufw, unless you want sagemath to be only accessible from hosts on your LAN and not from the internet (in which case the port forward is unnecessary). I'm not familiar with sagemath, so I don't know what it uses the port 8888 for and why it is "required" (is it necessary for it to be accessible by hosts on the internet?), but if you have your laptop's ufw blocking the connections, the functionality will not be usable (whether you enable port forwarding on your router or not).

                      In short:
                      1. If sagemath should be receiving connections from your LAN only: No need to forward ports on your router, but your ufw should not block it.
                      2. If sagemath should be accessible from the internet: Need port forward on router, your ufw should not block it.
                      3. If sagemath should not be accessible from anywhere: No need to forward ports on your router, you can let ufw block it (though it isn't really necessary).
                      Unfortunately I can't give you any recommendations because I'm not familiar with sagemath and what it uses the port for (if it recommends/requires port forwarding of port 8888, it obviously is meant to listen for connections for some reason).

                      Theoretically, while the ufw block could be the result of a fairly common port scan (the port forward explains why only this packet reached your laptop's ufw) or, much more unlikely, a directed attack for a vulnerability in sagemath (or another software using the same port), it could well be a legitimate connection attempt for sagemath if, for example, sagemath does something like share computational load between hosts on the internet (which requires these hosts to be able to connect to other hosts through the internet).

                      Originally posted by GreyGeek:
                      I checked on the malware associated with the DD-WRT firmware in my Buffalo WZR-600DHP router and found that there were several related to it. Also, Buffalo, since the router is 4 years old, they no longer update the firmware. Tomato has some malware too, so I am looking into burning the latest OpenWRT firmware onto it.
                      While it's generally a good idea to keep your router software up to date, the most important thing is not to enable the remote management interface from the internet (especially with default/weak passwords) as this is the most common method of breaking into routers (not that anything on this thread suggests your router has been broken into).
                      Last edited by kubicle; Jan 22, 2020, 01:11 AM.



                        #12
                        A few weeks ago I briefly tried the latest version of SageMath, which disables local worksheets in favour of "CoCalc, which is a sophisticated online workspace that supports Jupyter notebooks and SageMath worksheets". I removed that version and fetched my previous version, 8.9, from an old BTRFS subvolume archive and installed it. That version doesn't require the 8888 port and runs perfectly.


                        Moving to Focal has caused me to look more closely at my ufw and DD-WRT firewalls. They have too much cruft. I've started to revamp them. After doing "ufw reset" and entering a new set rules, then disabling and enabling, the rules are there in the rules tab, but the report tab still shows the old rules. Something broken or something to learn.

                        EDIT:
                        No sooner written than found ... something to learn. My old rules keep appearing because:
                        "As you probably know, iptables firewall rules will be flushed when the OS shuts down and the iptables program itself does not restore the firewall rules. UFW by default restores firewall rules after system reboot. Before using UFW, it’s important that you check whether there’s another iptables restore service on your system. If there are two restore services, they will conflict with each other, which often results in web applications not available after system reboot. If you were using iptables firewall directly and now you want to switch to UFW, you just need to disable your iptables restore service. Iptables-persistent is a well-known iptables restore service on Debian/Ubuntu."
                        https://www.linuxbabe.com/security/u...ux-mint-server

                        Just like Faraday's Cage, I forgot all about systemd. Except that on Focal it is called ufw.service.
                        Last edited by GreyGeek; Jan 22, 2020, 07:02 PM.
