Kitz ADSL Broadband Information
Pages: [1] 2 3

Author Topic: Have You Checked Your Firewall Logs Lately ?.  (Read 11555 times)

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Have You Checked Your Firewall Logs Lately ?.
« on: October 31, 2016, 09:22:50 PM »

Have You Checked Your Firewall Logs Lately ?.

I am seeing in my hardware firewall (Smoothwall) hundreds/thousands of hits on port 23 (TELNET).
I have page after page of logs that show the hits are getting more and more each day.    :'(

This is the Mirai malware and its variants (MEMES being one of those).

http://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/

http://www.theregister.co.uk/2016/10/31/iot_botnet_wannabe/

My firewall is working overtime but doing a good job.  :)

Anyone else seeing anything?
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

skyeci

  • Kitizen
  • ****
  • Posts: 1383
    • Line stats
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #1 on: October 31, 2016, 09:37:37 PM »

My pfSense box is getting masses of hits today on port 23 from
116.101.49.194, all the way from Hanoi...

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #2 on: October 31, 2016, 09:43:12 PM »

Yes, I am also seeing regular attempted probes of port 23.  >:(

In fact my security log has had quite a significant increase in entries over the last month (or so).

Brazil, North Korea, Vietnam, South Korea, Germany, Lithuania, Romania, Uncle Sam, China, Russia . . . and so the list goes on.

The only countries I haven't detected as the origin of probes are Wales, Scotland, Ireland and England.  :)
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #3 on: October 31, 2016, 10:01:32 PM »

Nope. The SNR on such things is really low.

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #4 on: November 01, 2016, 12:30:36 AM »

Quote
In fact my security log has had quite a significant increase in entries over the last month (or so).

Yes, same with me >:D

Also probing port 25 (SMTP)  :o

Accessing my HG612 from my LAN on port 23 is still OK, is it?

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #5 on: November 01, 2016, 01:20:34 AM »

Quote
Accessing my HG612 from my LAN on port 23 is still OK, is it?

Yes, assuming you have configured the HG612 at Advanced ---> Firewall to set the ACL as per the Kitz wiki article.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #6 on: November 01, 2016, 06:24:54 AM »

I'm getting several inbound IPv4 TCP dest-port=23 packets per second, addressed to various seemingly random destination IPs within my LAN range. I'm not seeing destination address range scans from a single source IP, nor any destination port range scans; there just seems to be no pattern. All TCP packets, not much UDP, and no IPv6. Various countries, and port 23 dominates. I saw five such packets in one second during a 30 s packet capture.

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #7 on: November 01, 2016, 10:39:10 AM »

Quote
Yes, assuming you have configured the HG612 at Advanced ---> Firewall to set the ACL as per the Kitz wiki article.

Remember I use a 'smoothwall' box as my firewall after the modem, so my HG612 firewall is set to 'Disable'  :-\
I do not want to double NAT!
What's an ACL?

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #8 on: November 01, 2016, 11:23:37 AM »

Hi tickmike

ACL is access control list

I'm sorry, I think you have misunderstood: you are NOT double NATing, you are just running another firewall upstream of your Smoothwall.

However, I am not sure if it's proven that access could be made from your external IP to the HG612 directly.

Also, please remember a lot of these probes are made from bots, so the IP address identity can change.

Many thanks

John

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #9 on: November 01, 2016, 03:31:16 PM »

An ACL is a list of access control entries. Each entry in the list will be a pair of a ‘who’ - something like a user or an address-range - who the entry applies to, followed by rules concerning things that are allowed or forbidden, or else levels of access permitted or some such. An ACL will apply to some object or other. In a file system, an ACL for a file might specify who is allowed to do what to that particular file. In a firewall, ACLs might specify the rules to be applied when certain types of packets are seen heading in one direction or another, with match conditions concerning source or destination addresses, ports and protocol types, and the ACL conditions might be checked at a particular interface.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #10 on: November 01, 2016, 04:50:20 PM »

Quote
I'm getting several inbound IPv4 TCP dest-port=23 packets per second, addressed to various seemingly random destination IPs within my LAN range. I'm not seeing destination address range scans from a single source IP, nor any destination port range scans; there just seems to be no pattern. All TCP packets, not much UDP, and no IPv6. Various countries, and port 23 dominates. I saw five such packets in one second during a 30 s packet capture.

Yes, that reads as familiar.  :-X

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #11 on: November 01, 2016, 05:01:12 PM »

Quote
Remember I use a 'smoothwall' box as my firewall after the modem, so my HG612 firewall is set to 'Disable'  :-\

The ACL (already defined by fellow Kitizens, above) for the HG612 is tucked away under the Advanced ---> Firewall setting. The ACL allows rules as to from which interface (WAN & LAN) and by which protocol (HTTP, TELNET, SSH, ICMP Ping, etc) can access be gained to the HG612 itself.
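Weaver's definition of an ACL (a 'who' paired with what it may do, matched in order) and burakkucat's description of the HG612 one (which interface and which protocol may reach the modem itself) are easy to see in working code. The following is an added example, not code from the thread or from the HG612 firmware: a small first-match ACL evaluator in Python with a hypothetical management-plane list, the interface names "wan"/"lan", the 192.168.1.0/24 LAN range and the probe addresses (RFC 5737 documentation ranges) all assumed for illustration. It also shows the list beside a version whose telnet entry is not bound to an interface, so that a WAN port-23 probe like the ones in this thread is let through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A packet as seen at the device: which interface it arrived on, from where, to what."""
    iface: str             # "wan" or "lan" (assumed interface names)
    proto: str             # "tcp", "udp" or "icmp"
    src: str               # source IPv4 address
    dport: Optional[int]   # destination port, None for ICMP


@dataclass(frozen=True)
class Entry:
    """One access control entry: the 'who' (interface, source range) and the
    'what' (protocol, port), paired with an action. A field left as None
    means 'any', so Entry("deny", iface="wan") matches everything from WAN."""
    action: str
    iface: Optional[str] = None
    src: Optional[str] = None      # CIDR such as "192.168.1.0/24"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match semantics: walk the list in order and return the action of the
    first entry that matches plus its index; fall through to the default."""
    for index, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, index
    return default, None


# Hypothetical management-plane ACL in the spirit of the HG612's Advanced -> Firewall
# page: management protocols only from the LAN, everything from the WAN refused.
LAN = "192.168.1.0/24"
BOUND_ACL = [
    Entry("allow", iface="lan", src=LAN, proto="tcp", dport=23),   # TELNET from LAN only
    Entry("allow", iface="lan", src=LAN, proto="tcp", dport=80),   # HTTP from LAN only
    Entry("allow", iface="lan", src=LAN, proto="icmp"),            # ping from LAN only
    Entry("deny", iface="wan"),                                    # nothing from WAN
]

# The same idea with the telnet entry not bound to an interface or source: any
# port-23 probe, including the ones from the WAN discussed above, matches it first.
UNBOUND_ACL = [
    Entry("allow", proto="tcp", dport=23),
    Entry("deny", iface="wan"),
]

# Constructed packets: a WAN telnet probe like those in the thread, a LAN admin
# telnet session, a LAN SSH attempt, and a WAN ping.
WAN_TELNET_PROBE = Packet("wan", "tcp", "198.51.100.7", 23)
LAN_TELNET = Packet("lan", "tcp", "192.168.1.2", 23)
LAN_SSH = Packet("lan", "tcp", "192.168.1.2", 22)
WAN_PING = Packet("wan", "icmp", "192.0.2.44", None)


if __name__ == "__main__":
    for name, pkt in [("WAN telnet probe", WAN_TELNET_PROBE), ("LAN telnet", LAN_TELNET),
                      ("LAN ssh", LAN_SSH), ("WAN ping", WAN_PING)]:
        print(f"{name:16s} bound: {evaluate(BOUND_ACL, pkt)}  unbound: {evaluate(UNBOUND_ACL, pkt)}")
```

The point of the two lists is the order and the binding: with BOUND_ACL the WAN probe falls through to the "deny wan" entry and LAN SSH, which no entry names, gets the default deny; with UNBOUND_ACL the same WAN probe is accepted by entry 0 before the WAN deny is ever consulted. That is the check worth making on any modem whose firewall has been switched off in favour of a downstream box: whether its own ACL still refuses management protocols on the WAN side.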

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #12 on: November 02, 2016, 11:23:50 AM »

I'm seeing large numbers of these in my security log:

Quote
Nov  2 11:16:13 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 14.183.71.58:59561 to <My IP address>:23

The 'from' address varies.
  Eric
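Log lines in the format quoted above are easy to summarise rather than read page by page. The following is an added example, not code from the thread or from the router vendor: it parses constructed sample lines in that "Intrusion ->" layout (addresses from the RFC 5737 documentation ranges, 203.0.113.5 standing in for the router's own WAN address, and a PPPoE line included to show non-intrusion entries are skipped) and reports hits per destination port, distinct sources per port and the busiest sources, which is the quickest way to tell one scanner sweeping you from many bots each sending a handful of probes.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample, in the format of the Billion security log quoted above.
# Addresses come from the RFC 5737 documentation ranges and are not real probe sources;
# 203.0.113.5 stands in for the router's own WAN address.
SAMPLE_LOG = """\
Nov  2 11:16:13 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 198.51.100.7:59561 to 203.0.113.5:23
Nov  2 11:16:15 daemon info pppd[412]: PPPoE session is up on ppp1.1
Nov  2 11:16:20 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 192.0.2.44:41022 to 203.0.113.5:23
Nov  2 11:16:31 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 198.51.100.7:59562 to 203.0.113.5:23
Nov  2 11:16:40 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 192.0.2.91:3480 to 203.0.113.5:25
Nov  2 11:16:52 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 203.0.113.200:52011 to 203.0.113.5:23
Nov  2 11:17:03 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 192.0.2.18:60211 to 203.0.113.5:23
"""

# Matches the syslog timestamp, then the 'Intrusion ->' record: protocol, interface,
# source address:port and destination address:port.
INTRUSION_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?Intrusion ->\s+"
    r"(?P<proto>[A-Z]+) packet from \[(?P<iface>[^\]]+)\] "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) to (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_intrusions(text: str) -> List[dict]:
    """Return one dict per 'Intrusion ->' line; other log lines (PPPoE, NTP, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = INTRUSION_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def summarise(events: List[dict]) -> Dict:
    """Counts per destination port, distinct sources per port, and the busiest sources.
    A port with many hits and nearly as many distinct sources is the pattern described
    in this thread: lots of separate bots each sending a few probes, not one scanner."""
    by_port = Counter(ev["dport"] for ev in events)
    sources = defaultdict(set)
    for ev in events:
        sources[ev["dport"]].add(ev["src"])
    return {
        "total": len(events),
        "by_port": dict(by_port),
        "distinct_sources_by_port": {port: len(s) for port, s in sources.items()},
        "top_sources": Counter(ev["src"] for ev in events).most_common(3),
    }


if __name__ == "__main__":
    summary = summarise(parse_intrusions(SAMPLE_LOG))
    print(f"{summary['total']} intrusion events")
    for port, hits in sorted(summary["by_port"].items(), key=lambda kv: -kv[1]):
        print(f"  dport {port:<5d} hits {hits:<4d} distinct sources {summary['distinct_sources_by_port'][port]}")
    print("  busiest sources:", summary["top_sources"])
```

On a real log, feed the file contents to parse_intrusions instead of SAMPLE_LOG; the regex only needs the "Intrusion -> PROTO packet from [iface] a.b.c.d:port to a.b.c.d:port" shape, so a redacted destination such as the "<My IP address>" above would need to be restored or the dst group relaxed.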

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33879
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #13 on: November 02, 2016, 11:41:31 AM »

Not sure if I'm missing something in my settings, but I see nothing in my firewall logs.

My firewall settings are:
 IPv4 Firewall -> Enable
 IPv6 Firewall -> Enable
 No ACL access rules
 DoS Protection Blocking: Enabled
 Deny Ping Response: Disabled

Log settings are as attached below.

System logging is working because I see all the usual PPPoE, xDSL, Internet, NTP etc. stuff.
However, the only things I do see in my security log are things like "User admin login from 192.168.1.2 successful".

I've just run a scan at GRC.com which says "Failed: Your system REPLIED to our Ping (ICMP Echo) requests", which is understandable as it's meant to be like that.
Everything else bar that was green and showed as in stealth mode.
« Last Edit: November 08, 2016, 01:05:12 AM by kitz »
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43467
  • Penguins CAN fly
    • DSLstats
Re: Have You Checked Your Firewall Logs Lately ?.
« Reply #14 on: November 02, 2016, 11:54:18 AM »

I'm using the VMG8324 in bridge mode, so the security log is in the separate router (a Billion 7800DXL). Sorry if I caused confusion.