Kitz Forum
Computer Software => Security => Topic started by: tickmike on October 31, 2016, 09:22:50 PM
-
Have You Checked Your Firewall Logs Lately?
I am seeing in my hardware firewall (Smoothwall) hundreds/thousands of hits on port 23 (TELNET).
I have page after page of logs that show the hits are getting more and more each day. :'(
This is the Mirai malware and its variants (Memes being one of those).
http://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/
http://www.theregister.co.uk/2016/10/31/iot_botnet_wannabe/
My firewall is working overtime but doing a good job. :)
Anyone else seeing anything?
-
My pfSense box is getting hit masses today on port 23 from
116.101.49.194, all the way from Hanoi...
-
Yes, I am also seeing regular attempted probes of port 23. >:(
In fact my security log has had quite a significant increase in entries over the last month (or so).
Brazil, North Korea, Vietnam, South Korea, Germany, Lithuania, Romania, Uncle Sam, China, Russia . . . and so the list goes on.
The only countries I haven't detected as the origin of probes are Wales, Scotland, Ireland and England. :)
-
Nope. The SNR on such things is really low.
-
Re: 'In fact my security log has had quite a significant increase in entries over the last month (or so).' Yes, same with me >:D
Also probing port 25 (SMTP) :o
Accessing my HG612 from my LAN on 23 is still OK, is it?
-
Accessing my HG612 from my LAN on 23 is still OK, is it?
Yes, assuming you have configured the HG612 at Advanced ---> Firewall to set the ACL as per the Kitz wiki article (http://wiki.kitz.co.uk/index.php/Huawei_HG612_-_Routing/Firewall).
-
I'm getting several inbound IPv4 TCP dest-port=23 packets per second, addressed to various seemingly random destination IPs within my LAN range. I'm not seeing destination address range scans from a single source IP, nor any destination port range scans; there just seems to be no pattern. All TCP packets, not much UDP, and no IPv6. Various countries, and port 23 dominates. I saw five such packets in one second during a 30 s packet capture.
-
Yes, assuming you have configured the HG612 at Advanced ---> Firewall to set the ACL as per the Kitz wiki article (http://wiki.kitz.co.uk/index.php/Huawei_HG612_-_Routing/Firewall).
Remember, I use a 'Smoothwall' box as my firewall after the modem, so my HG612 firewall is set to 'Disable' :-\
I do not want to double NAT!
What's an ACL?
-
Hi tickmike
ACL is access control list
I'm sorry, I think you have misunderstood: you are NOT double NAT, you are just running another firewall upstream of your Smoothwall.
However, I am not sure if it's proven that access could be made from your external IP to the HG612 directly.
Also, please remember a lot of these probes are made from bots, so the IP address identity can change.
Many thanks
John
-
An ACL is a list of access control entries. Each entry in the list will be a pair of a ‘who’ - something like a user or an address-range - who the entry applies to, followed by rules concerning things that are allowed or forbidden, or else levels of access permitted or some such. An ACL will apply to some object or other. In a file system, an ACL for a file might specify who is allowed to do what to that particular file. In a firewall, ACLs might specify the rules to be applied when certain types of packets are seen heading in one direction or another, with match conditions concerning source or destination addresses, ports and protocol types, and the ACL conditions might be checked at a particular interface.
-
I'm getting several inbound IPv4 TCP dest-port=23 packets per second, addressed to various seemingly random destination IPs within my LAN range. I'm not seeing destination address range scans from a single source IP, nor any destination port range scans; there just seems to be no pattern. All TCP packets, not much UDP, and no IPv6. Various countries, and port 23 dominates. I saw five such packets in one second during a 30 s packet capture.
Yes, that reads as familiar. :-X
-
Remember I use a 'smoothwall' box as my firewall after the modem, so my HG612 firewall is set to 'Disable' :-\
The ACL (already defined by fellow Kitizens, above) for the HG612 is tucked away under the Advanced ---> Firewall setting. The ACL allows rules as to from which interface (WAN & LAN) and by which protocol (HTTP, TELNET, SSH, ICMP Ping, etc) can access be gained to the HG612 itself.
-
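Added example (editor's code, not posted by anyone in the thread and not the HG612's own rule syntax): a small model of the ACL semantics described in the two posts above. The interface names "WAN"/"LAN", the LAN range 192.168.1.0/24 (taken from the admin-login log line later in the thread) and the entry layout are assumptions. What it shows is first-match-wins evaluation with a default deny, why an entry has to bind the arrival interface and not just the source address, what 'Disable' amounts to when modelled as an empty list with an accept default, and the ordering mistake that lets a WAN packet through.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


# Hypothetical packet as the modem's management firewall sees it: arrival
# interface, protocol, source address and the destination port on the modem
# itself (None for ICMP, which has no port).
@dataclass(frozen=True)
class Packet:
    iface: str                 # "WAN" or "LAN" (assumed names)
    proto: str                 # "TCP", "UDP" or "ICMP"
    src: IPv4Address
    dport: Optional[int] = None


# One access-control entry: match conditions (None = wildcard) plus the
# action taken when every condition matches.
@dataclass(frozen=True)
class AclEntry:
    action: str                # "ACCEPT" or "DROP"
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_net: Optional[IPv4Network] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.iface is None or self.iface == pkt.iface)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.src_net is None or pkt.src in self.src_net)
        )


def evaluate(acl: List[AclEntry], pkt: Packet, default: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching entry decides.
    Returns (action, index of the deciding entry), or (default, None) when
    nothing matched. A sane ACL defaults to DROP."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, i
    return default, None


LAN = ip_network("192.168.1.0/24")   # assumed LAN range

# Management ACL in the spirit of the Kitz wiki advice (assumption: the real
# HG612 page expresses this differently): management services reachable from
# the LAN only, everything arriving on the WAN interface dropped.
MANAGEMENT_ACL = [
    AclEntry("ACCEPT", iface="LAN", proto="TCP", dport=23, src_net=LAN),   # TELNET
    AclEntry("ACCEPT", iface="LAN", proto="TCP", dport=22, src_net=LAN),   # SSH
    AclEntry("ACCEPT", iface="LAN", proto="TCP", dport=80, src_net=LAN),   # HTTP
    AclEntry("ACCEPT", iface="LAN", proto="ICMP", src_net=LAN),            # ping
    AclEntry("DROP", iface="WAN"),
]

# Ordering pitfall: an interface-agnostic "allow TELNET" placed above the WAN
# drop is hit first for WAN packets as well, because first match wins.
MISORDERED_ACL = [
    AclEntry("ACCEPT", proto="TCP", dport=23),
    AclEntry("DROP", iface="WAN"),
]


def telnet_decision(acl: List[AclEntry], iface: str, src: str, default: str = "DROP") -> str:
    """What happens to a TCP/23 SYN from `src` arriving on `iface`?"""
    return evaluate(acl, Packet(iface, "TCP", ip_address(src), 23), default)[0]


if __name__ == "__main__":
    print("LAN -> telnet :", telnet_decision(MANAGEMENT_ACL, "LAN", "192.168.1.2"))
    print("WAN -> telnet :", telnet_decision(MANAGEMENT_ACL, "WAN", "14.183.71.58"))
    # A spoofed LAN source address arriving on WAN is still dropped because the
    # entries bind the interface, not only the address.
    print("WAN, spoofed  :", telnet_decision(MANAGEMENT_ACL, "WAN", "192.168.1.2"))
    # Firewall 'Disable' modelled as an empty list with an ACCEPT default.
    print("disabled      :", telnet_decision([], "WAN", "14.183.71.58", default="ACCEPT"))
    print("misordered    :", telnet_decision(MISORDERED_ACL, "WAN", "14.183.71.58"))
```

The model deliberately does not claim anything about how the HG612 behaves with its firewall set to 'Disable'; it only makes the two possibilities explicit (empty list with accept default versus a list ending in a WAN drop) so the question raised above can be stated precisely.
-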
I'm seeing large numbers of these in my security log:
Nov 2 11:16:13 daemon alert kernel: Intrusion -> TCP packet from [ppp1.1] 14.183.71.58:59561 to <My IP address>:23
The 'from' address varies.
-
Not sure if I'm missing something in my settings, but I see nothing in my firewall logs.
My Firewall settings are:-
IPv4 Firewall -> Enable
IPv6 Firewall -> Enable
No ACL access rules
DoS Protection Blocking : Enabled
Deny Ping Response : Disabled
Log settings are as attached below.
System logging is working because I see all the usual PPPoE, XDSL, Internet, NTP etc stuff .
However, the only things I do see in my security log are things like "User admin login from 192.168.1.2 successful".
I've just run a scan at GRC.com which says 'Failed: Your system REPLIED to our Ping (ICMP Echo) requests', which is understandable as it's meant to be like that.
Everything else bar that was green & showed as in stealth mode.
-
I'm using the VMG8324 in bridge mode, so the security log is in the separate router (a Billion 7800DXL). Sorry if I caused confusion.
-
All quiet for me too; that's a Billion 7800 configured to log 'informational', and Zen as ISP.
The log shows just two 'kernel intrusion' messages, like Eric's, one each on the 26th and 27th of October.
I wonder if some ISPs might be taking network-side action to contain the Mirai threat? I know that Zen routinely block certain other ports, but not normally 23 or 25, I think that would break too many legitimate uses. ???
-
Zen only block the ports between 135-139 on UDP and TCP
-
Sorry if I caused confusion.
No, you didn't cause any :) I'd started to make a post, then got distracted by a phone call and hadn't finished the post.
I was attempting to say I don't see anything in my logs and wondered if I'd set up logging incorrectly.
I wonder if some ISPs might be taking network-side action to contain the Mirai threat?
Valid suggestion. Now you mention it, Plusnet do filter what they suspect to be ports used by worms and trojans, but as suggested they too would hardly be likely to block valid ports such as 23, 25, etc.
-
I am getting about 600 hits an hour, mainly on port 23, a few on 22 and some other random ones. :o
-
Today I have had just one probe from Hong Kong and six probes from Colombia (seven in total), all "trying" for TCP port 23.
Here follows my security log, in total, for today. I've just replaced my current IPv4 address with W.X.Y.Z --
Nov 2 16:01:40 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=218.255.138.90 DST=W.X.Y.Z LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45417 PROTO=TCP SPT=7020 DPT=23 WINDOW=47287 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov 2 16:50:47 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov 2 16:50:48 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov 2 16:50:56 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov 2 16:50:57 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov 2 16:50:57 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
Nov 2 16:50:59 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
-
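Added example (editor's code, not posted by anyone in the thread): a parser for the two log formats quoted above, the Billion "Intrusion ->" line and the netfilter LOG line with IN=/SRC=/DPT= fields, run over the lines posted in the thread plus one constructed port-25 line (source 203.0.113.7, from the documentation range) and one unrelated admin-login line. It also carries the normalisation used later in the thread to compare a 30 s capture over 64 LAN addresses with one on a single address. One thing the raw line count hides: the six Colombia lines share source port and IP ID, so they are repeats of one connection attempt, not six probes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample log built from the lines posted in this thread, plus one constructed
# port-25 line and one non-probe line so the parser has something to ignore.
SAMPLE_LOG = [
    "Nov 2 11:16:13 daemon alert kernel: Intrusion -> TCP packet from [ppp1.1] 14.183.71.58:59561 to <My IP address>:23",
    "Nov 2 16:01:40 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=218.255.138.90 DST=W.X.Y.Z LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45417 PROTO=TCP SPT=7020 DPT=23 WINDOW=47287 RES=0x00 SYN URGP=0 MARK=0x10000000",
    # constructed line, not from the thread:
    "Nov 2 17:03:09 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=203.0.113.7 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1001 PROTO=TCP SPT=41022 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x10000000",
    # not a probe at all (format as quoted earlier in the thread):
    "Nov 2 17:10:00 daemon notice: User admin login from 192.168.1.2 successful",
]
# The six Colombia lines from the thread differ only in their timestamp.
_CO = ("Nov 2 16:50:{sec} kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z "
       "LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 "
       "RES=0x00 SYN URGP=0 MARK=0x10000000")
SAMPLE_LOG += [_CO.format(sec=s) for s in ("47", "48", "56", "57", "57", "59")]

TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
BILLION_RE = re.compile(
    r"Intrusion -> (?P<proto>\w+) packet from \[(?P<iface>[^\]]+)\] "
    r"(?P<src>\S+):(?P<spt>\d+) to (?P<dst>.+?):(?P<dport>\d+)\s*$")


@dataclass(frozen=True)
class Probe:
    ts: str
    iface: str
    proto: str
    src: str
    spt: Optional[int]
    dst: str
    dport: Optional[int]
    ipid: Optional[int]        # IP identification field, when the log carries it

    def flow_key(self):
        # Repeated SYNs of one attempt (same ports and IP ID) collapse to one flow.
        return (self.src, self.spt, self.dst, self.dport, self.ipid)


def parse_line(line: str) -> Optional[Probe]:
    """Return a Probe for a Billion or netfilter intrusion line, else None."""
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    ts = m_ts.group("ts")
    m = BILLION_RE.search(line)
    if m:
        return Probe(ts, m["iface"], m["proto"], m["src"], int(m["spt"]),
                     m["dst"], int(m["dport"]), None)
    # netfilter LOG output is a run of KEY=VALUE tokens; flags like SYN carry no '='
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"IN", "SRC", "DST", "PROTO"}.issubset(kv):
        return None
    return Probe(ts, kv["IN"], kv["PROTO"], kv["SRC"],
                 int(kv["SPT"]) if "SPT" in kv else None, kv["DST"],
                 int(kv["DPT"]) if "DPT" in kv else None,
                 int(kv["ID"]) if "ID" in kv else None)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Counts per destination port and source, with retransmissions separated out."""
    probes = [p for p in map(parse_line, lines) if p is not None]
    flows = {p.flow_key() for p in probes}
    return {
        "records": len(probes),
        "unique_flows": len(flows),
        "retransmissions": len(probes) - len(flows),
        "by_dport": Counter(p.dport for p in probes),
        "by_src": Counter(p.src for p in probes),
    }


def per_address_per_day(events: int, window_s: float, n_addresses: int = 1) -> float:
    """Scale a short capture to a daily rate per destination address, so a
    window 64 addresses wide can be compared with a single-address host."""
    return events * 86400 / window_s / n_addresses


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["records"], "records,", s["unique_flows"], "distinct attempts,",
          s["retransmissions"], "repeats")
    print("by dport:", dict(s["by_dport"]))
    print("top source:", s["by_src"].most_common(1))
    # 7 events in 30 s across a /26 versus 3 events in 30 s on one address
    print("LAN window, per address per day :", per_address_per_day(7, 30, 64))
    print("single address, per day         :", per_address_per_day(3, 30, 1))
```

Counting distinct attempts rather than log lines matters when comparing figures between posters: a router that logs every retransmitted SYN will report several times the number of "hits" that one logging only new connection attempts does, for the same traffic.
-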
Clearly, some folks seem to be targeted more than others. I wonder why.
If it's not random, and if it's not attributable to ISPs blocking the attacks, might the villains be targeting ISP address ranges that they consider most vulnerable? For example, ISPs that ship their routers with UPnP enabled by default, or with remote access enabled by default?
Just a thought. ???
-
might the villains be targeting ISP address ranges that they consider most vulnerable? For example, ISPs that ship their routers with UPnP enabled by default, or with remote access enabled by default?
Strong possibility.
They would stand more chance of hitting a target via certain ISPs than others. It's a fact of life that, generally speaking, those on the likes of TT and BT are less knowledgeable about technical issues than say someone on Zen or AAISP. I would imagine 'dynamic pools' would be a good target.
I know many years ago when I was on BTinternet I used to get bombarded with scans; then after I went with PN (static IP) I hardly saw any.
Saying that though, tickmike is on a static IP, so there goes that theory...
I wouldn't be too surprised if the increase is something to do with Mirai, which mostly uses port 23. The source is now freely available, so as well as the bots, I bet the script kiddies are having a field day playing.
-
Incidentally, there's now a Mirai nematode. The legality of it is up for debate, but hey, it's been done before with Welchia and others.
Interesting discussion in the comments section about getting the ISPs to run it. Plusnet do and have monitored before, and no-one complained about the way they did it (see here (http://www.plus.net/virusnotification.html)). As one guy in there says:
go for it - Currently getting 40K queries per minute on one server and that's getting a bit tiresome.
http://forums.theregister.co.uk/forum/1/2016/10/31/this_antiworm_patch_bot_could_silence_epic_mirai_ddos_attack_army/
-
@tickmike
I have a set of 8 fixed IPs from my KCOM ISP.
Just out of curiosity, why do you need 8 statics? Are you running servers?
-
@tickmike
Just curiosity, why do you need 8 statics? ARe you running servers?
Yes ;D
Latest count: 14,000 to 15,000 hits a day. :-\ Is it a 'Smoothwall' log thing that it shows more hits than a modem/router firewall would? :hmm:
I put a post on the 'Smoothwall' firewall forum and the guy who first detected 'Mirai' answered and said: in the USA they are seeing 500-600 IP blocks per day for Mirai; our current count is 3500+; previous to that, we were managing 6000+ blocked Mirai IPs.
He also put:
Remember that it is possible for these things to get into wifi connected equipment and spread via wifi to other systems also on wifi... they only know that they are hunting over a network protocol... they don't care if it is wired or radio or even light driven...
-
Incidentally there's now a Mirai nematode. The legality of it is up for debate...
Wonder if I'm the only one who'd never heard of the word 'nematode' before? :-[
Interesting though. I'd have thought the legality concerns could be overcome by inserting appropriate weasel words into some of the arduous T&Cs that we all have to accept, but hardly ever read, and rarely understand. The T&C could be that of the ISPs, or maybe some good samaritan like Google (no giggling), who could then take the action?
-
Gardeners use nematodes for killing slugs, but I guess that isn't what we're talking about here. :)
-
From a fairly inaccurate sample, I'm seeing ~30k of these per day aimed at a potential target window 64 IPv4 dest-addresses wide. Based on a 30 s traffic capture early in the morning. Things might well be hotter in the middle of the day though, so this could be an underestimate for all I know.
Nothing at all on IPv6, that is, aimed at my IPv6 /64 for this LAN. (I have a /48, but I didn't monitor the whole of that.)
If anyone is interested, I'll put the whole traffic capture up (from a .pcap).
-
It might be interesting to do a traffic capture on my 3G iPad NIC which has an Andrews & Arnold / Three SIM in it, because at that rate the junk traffic is going to be costing me a whole ~£0.75 -£1.50 per month.
And it will be eating my battery, wasting CPU time and eating up RAM too, especially if there's no software firewall on the iPad. (Don't really want connect ack response packets going back out, nor useless TCP connection objects being created until all the RAM is eaten up. I have to pay for upstream too, so useless outbound packets are doubly bad.)
If there were a configurable firewall in Apple iOS then I could at least immediately drop inbound TCP dest_port=23 and so not even create any firewall session object, in order to cut the RAM consumption to zero.
-
Based on a 30 s traffic capture early in the morning.
Are you capturing this on the Firebrick? I'm struggling to fathom out how to enable it. :help:
-
Btw, I was talking rubbish earlier when I wrote about a quiet time of day - whose time zone?
A second traffic capture this afternoon recorded 7 such events over a 30 s period, during which there was a fair bit of normal network traffic going on. So there's clearly a good bit of variance, and who's to say when the busier times might be. Any statistical figures have to be very approximate anyway.
-
To get the traffic captures, I used the Andrews & Arnold traffic capture feature that can be triggered on their routers. I set it to capture all PPP traffic (not just IP) going to and from my main LAN. You can do this by going to the clueless.aa.net.uk web server. (They're now wanting us to call that web server 'control.aa.net.uk', which provides the control panel UI, but I prefer the traditional not-tooo-sensible name.)
Firewall:
I looked at my firewall-router’s firewall state (the firewall-router is a Firebrick) to see a list of blocking ('drop') session objects it had created, but that doesn't give me any counts of events, I can just see source IP addresses.
I'm not sure that the firewall can do logging of this type, which might constitute a denial-of-service opportunity in itself with the amount of CPU time it would take up at high traffic rates.
-
The answer seems to be then to just junk IPv4, and problem solved.
-
Thanks. Would that be the "Traffic Dump" button on the line info and diag section?
-
"Traffic Dump" button, indeed. Takes you to another page where there is a decode option, which is what I used, and an option to download the results in a file.
-
I also checked my 3G iPad, which just has a single global public IPv4 address. I only saw three incoming TCP dest_port = 23 events in a 30 s capture period. So although it might seem pretty quiet, you would expect this given that the destination IP address range window is 64 times narrower than with the earlier DSL-to-whole-LAN tests, and in fact you could say that it's much, much worse per dest-IP.
Unfortunately the iPad is replying to these incoming packets. This has to be a bad thing, although at least it might be stopping further inbound retransmissions.
-
"Traffic Dump" button, indeed.
Thanks for your help. :)