Author Topic: Have You Checked Your Firewall Logs Lately ?.  (Read 2350 times)

tickmike

  • Kitizen
  • ****
  • Posts: 3030
  • Yes Another Penguin !. :)
    • Free Download from.
Have You Checked Your Firewall Logs Lately ?.
« on: October 31, 2016, 09:22:50 PM »

Have You Checked Your Firewall Logs Lately ?.

I am seeing in my hardware firewall (Smoothwall) hundreds/thousands of hits on Port 23 (TELNET).
I have page after page of logs that show the hits are getting more and more each day.    :'(

This is the MIRAI and its variants (MEMES being one of those) Malware.

http://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/

http://www.theregister.co.uk/2016/10/31/iot_botnet_wannabe/

My firewall is working overtime but doing a good job.  :)

Anyone else seeing anything ?.
I RECOMMEND TRYING / USING PCLinuxOS (www.pclinuxos.com) .
I have a set of 8 fixed IP's From my Eclipse isp.
BT ADSL2 line>HG612 set as a Modem, Bridge, WAN not Bound to LAN1 or 2 >Smoothwall (Hardware Firewall and routing) > Ethernet LAN, DMZ,WiFI LAN and Spare LAN .
DSLstats LAN2  linked Ethernet

skyeci

  • Reg Member
  • ***
  • Posts: 823
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #1 on: October 31, 2016, 09:37:37 PM »

My pfsense box is getting hit masses today on port 23 from
116.101.49.194 all the way from hanoi...
Sky Fibre Pro -  8800NL v1 + PFSENSE (APU2C4) 2.4.0 with ipv6 , AC-88U WAP- ECI cab, G.INP disabled as of 8th April 2016

http://www.mydslwebstats.co.uk user upload ID skyECI (using a pi3)

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 19104
  • Over the Rainbow
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #2 on: October 31, 2016, 09:43:12 PM »

Yes, I am also seeing regular attempted probes of port 23.  >:(

In fact my security log has had quite a significant increase in entries over the last month (or so).

Brazil, North Korea, Vietnam, South Korea, Germany, Lithuania, Romania, Uncle Sam, China, Russia . . . and so the list goes on.

The only countries I haven't detected as the origin of probes are Wales, Scotland, Ireland and England.  :)
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Ignitionnet

  • Reg Member
  • ***
  • Posts: 527
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #3 on: October 31, 2016, 10:01:32 PM »

Nope. The SNR on such things is really low.

tickmike

  • Kitizen
  • ****
  • Posts: 3030
  • Yes Another Penguin !. :)
    • Free Download from.
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #4 on: November 01, 2016, 12:30:36 AM »

Re 'In fact my security log has had quite a significant increase in entries over the last month (or so).': yes, same with me >:D

Also probing port 25(SMTP)  :o

Accessing my HG612 from my LAN on 23 is still ok is it ?.

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 19104
  • Over the Rainbow
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #5 on: November 01, 2016, 01:20:34 AM »

Quote
Accessing my HG612 from my LAN on 23 is still ok is it ?.

Yes, assuming you have configured the HG612 at Advanced ---> Firewall to set the ACL as per the Kitz wiki article.

Weaver

  • Kitizen
  • ****
  • Posts: 4004
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #6 on: November 01, 2016, 06:24:54 AM »

I'm getting several inbound IPv4 TCP dest-port=23 packets per second, addressed to various seemingly random destination IPs within my LAN range. I'm not seeing destination address range scans from a single source IP, nor any destination port range scans, there just seems to be no pattern. All TCP packets, no UDP much, and no IPv6. Various countries, and port 23 dominates. I saw five such packets in one second during a 30 s packet capture.

tickmike

  • Kitizen
  • ****
  • Posts: 3030
  • Yes Another Penguin !. :)
    • Free Download from.
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #7 on: November 01, 2016, 10:39:10 AM »

Quote
Yes, assuming you have configured the HG612 at Advanced ---> Firewall to set the ACL as per the Kitz wiki article.

Remember I use a 'smoothwall' box as my firewall after the modem, so my HG612 firewall is set to 'Disable'  :-\
I do not want to double NAT !.
What's an ACL ?.

d2d4j

  • Reg Member
  • ***
  • Posts: 458
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #8 on: November 01, 2016, 11:23:37 AM »

Hi tickmike

ACL is access control list

I'm sorry, I think you have misunderstood: you are NOT double NAT, you are just running another firewall upstream of your Smoothwall.

However, I am not sure if it's proven that access could be made from your external IP to the hg612 directly.

Also, please remember a lot of these probes are made from bots, so they can change the IP address identity.

Many thanks

John

Weaver

  • Kitizen
  • ****
  • Posts: 4004
  • Retd sw dev; A&A; 3 × 7km ADSL2; IPv6; Firebrick
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #9 on: November 01, 2016, 03:31:16 PM »

An ACL is a list of access control entries. Each entry in the list will be a pair of a ‘who’ - something like a user or an address-range - who the entry applies to, followed by rules concerning things that are allowed or forbidden, or else levels of access permitted or some such. An ACL will apply to some object or other. In a file system, an ACL for a file might specify who is allowed to do what to that particular file. In a firewall, ACLs might specify the rules to be applied when certain types of packets are seen heading in one direction or another, with match conditions concerning source or destination addresses, ports and protocol types, and the ACL conditions might be checked at a particular interface.

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 19104
  • Over the Rainbow
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #10 on: November 01, 2016, 04:50:20 PM »

Quote
I'm getting several inbound IPv4 TCP dest-port=23 packets per second, addressed to various seemingly random destination IPs within my LAN range. I'm not seeing destination address range scans from a single source IP, nor any destination port range scans, there just seems to be no pattern. All TCP packets, no UDP much, and no IPv6. Various countries, and port 23 dominates. I saw five such packets in one second during a 30 s packet capture.

Yes, that reads as familiar.  :-X

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 19104
  • Over the Rainbow
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #11 on: November 01, 2016, 05:01:12 PM »

Quote
Remember I use a 'smoothwall' box as my firewall after the modem, so my HG612 firewall is set to 'Disable'  :-\

The ACL (already defined by fellow Kitizens, above) for the HG612 is tucked away under the Advanced ---> Firewall setting. The ACL allows rules as to from which interface (WAN & LAN) and by which protocol (HTTP, TELNET, SSH, ICMP Ping, etc) can access be gained to the HG612 itself.

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 38396
  • Penguins CAN fly
    • DSLstats
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #12 on: November 02, 2016, 11:23:50 AM »

I'm seeing large numbers of these in my security log:

Quote
Nov  2 11:16:13 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 14.183.71.58:59561 to <My IP address>:23

The 'from' address varies.
  Eric
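The "Intrusion ->" log lines quoted above are easy to turn into a per-port and per-source tally, which is how you spot a Telnet-scanning swarm without reading page after page of logs. The following is an added example, not code from the forum or from the router vendor; the log lines in SAMPLE_LOG are constructed to match the format quoted in this thread and use documentation address ranges (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24) rather than any real source.

```python
import re
from collections import Counter

# Matches the router security-log format quoted in this thread, e.g.
#   Nov  2 11:16:13 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] A.B.C.D:59561 to <My IP address>:23
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?Intrusion ->\s+"
    r"(?P<proto>TCP|UDP|ICMP) packet from \[(?P<iface>[^\]]+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[^:]+):(?P<dport>\d+)$"
)

# Constructed sample log; addresses are documentation ranges, not real scanners.
SAMPLE_LOG = """\
Nov  2 11:16:13 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 203.0.113.7:59561 to 198.51.100.10:23
Nov  2 11:16:40 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 203.0.113.7:41022 to 198.51.100.10:23
Nov  2 11:17:02 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 192.0.2.55:51234 to 198.51.100.10:23
Nov  2 11:18:15 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 192.0.2.55:51300 to 198.51.100.10:25
Nov  2 11:19:03 daemon notice kernel: User admin login from 192.168.1.2 successful
"""


def parse_line(line):
    """Return the fields of one intrusion log line, or None for any other log entry."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines, watch_ports=(23, 25)):
    """Count blocked TCP hits per destination port, and per source IP for the watched ports.

    Ports 23 (Telnet) and 25 (SMTP) are the defaults because both are mentioned in the thread.
    """
    by_port = Counter()
    by_src = {p: Counter() for p in watch_ports}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue  # non-intrusion entries (logins, PPP, NTP) and non-TCP are ignored here
        dport = int(rec["dport"])
        by_port[dport] += 1
        if dport in by_src:
            by_src[dport][rec["src"]] += 1
    return by_port, by_src


if __name__ == "__main__":
    ports, sources = summarise(SAMPLE_LOG.splitlines())
    for port, n in ports.most_common():
        print(f"dst port {port}: {n} blocked TCP packets")
        for src, k in sources.get(port, Counter()).most_common(3):
            print(f"    {src}: {k}")
```

Pointing summarise() at the real log (for example `summarise(open('/var/log/security.log'))`) gives the same tally; a single source with many hits on port 23 is a repeat scanner, while many sources with one hit each is the botnet pattern Weaver describes.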

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 29903
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #13 on: November 02, 2016, 11:41:31 AM »

Not sure if I'm missing something in my settings, but I see nothing in my firewall logs.

My Firewall settings are:-
 IPv4 Firewall -> Enable
 IPv6 Firewall -> Enable
 No ACL access rules
 DoS Protection Blocking : Enabled
 Deny Ping Response : Disabled

Log settings are as attached below.

System logging is working because I see all the usual PPPoE, XDSL, Internet, NTP etc stuff .
However, the only things I do see in my security log are things like "User admin login from 192.168.1.2 successful "

I've just run a scan at GRC.com which says 'Failed: Your system REPLIED to our Ping (ICMP Echo) requests', which is understandable as it's meant to be like that.
Everything else bar that was green and showed as in stealth mode.
« Last Edit: November 08, 2016, 01:05:12 AM by kitz »
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 38396
  • Penguins CAN fly
    • DSLstats
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #14 on: November 02, 2016, 11:54:18 AM »

I'm using the VMG8324 in bridge mode, so the security log is in the separate router (a Billion 7800DXL). Sorry if I caused confusion.