Kitz Forum

Computer Software => Security => Topic started by: tickmike on October 31, 2016, 09:22:50 PM

Title: Have You Checked Your Firewall Logs Lately ?.
Post by: tickmike on October 31, 2016, 09:22:50 PM
Have You Checked Your Firewall Logs Lately ?.

I am seeing in my Hardware Firewall (Smoothwall) hundreds/thousands of hits on Port 23 (TELNET).
I have page after page of logs that show the hits are getting more and more each day.    :'(

This is the MIRAI malware and its variants (MEMES being one of those).

http://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/

http://www.theregister.co.uk/2016/10/31/iot_botnet_wannabe/

My firewall is working overtime but doing a good job.  :)

Anyone else seeing anything?
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: skyeci on October 31, 2016, 09:37:37 PM
My pfSense box is getting hit masses today on port 23 from 116.101.49.194, all the way from Hanoi...
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: burakkucat on October 31, 2016, 09:43:12 PM
Yes, I am also seeing regular attempted probes of port 23.  >:(

In fact my security log has had quite a significant increase in entries over the last month (or so).

Brazil, North Korea, Vietnam, South Korea, Germany, Lithuania, Romania, Uncle Sam, China, Russia . . . and so the list goes on.

The only countries I haven't detected as the origin of probes are Wales, Scotland, Ireland and England.  :)
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: niemand on October 31, 2016, 10:01:32 PM
Nope. The SNR on such things is really low.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: tickmike on November 01, 2016, 12:30:36 AM
Quote
In fact my security log has had quite a significant increase in entries over the last month (or so).

Yes, same with me >:D

Also probing port 25(SMTP)  :o

Accessing my HG612 from my LAN on 23 is still OK, is it?
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: burakkucat on November 01, 2016, 01:20:34 AM
Quote
Accessing my HG612 from my LAN on 23 is still OK, is it?

Yes, assuming you have configured the HG612 at Advanced ---> Firewall to set the ACL as per the Kitz wiki article (http://wiki.kitz.co.uk/index.php/Huawei_HG612_-_Routing/Firewall).
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 01, 2016, 06:24:54 AM
I'm getting several inbound IPv4 TCP dest-port=23 packets per second, addressed to various seemingly random destination IPs within my LAN range. I'm not seeing destination address range scans from a single source IP, nor any destination port range scans, there just seems to be no pattern. All TCP packets, no UDP much, and no IPv6. Various countries, and port 23 dominates. I saw five such packets in one second during a 30 s packet capture.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: tickmike on November 01, 2016, 10:39:10 AM
Quote
Yes, assuming you have configured the HG612 at Advanced ---> Firewall to set the ACL as per the Kitz wiki article (http://wiki.kitz.co.uk/index.php/Huawei_HG612_-_Routing/Firewall).

Remember I use a 'Smoothwall' box as my firewall after the modem, so my HG612 firewall is set to 'Disable'  :-\
I do not want to double NAT!
What's ACL?
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: d2d4j on November 01, 2016, 11:23:37 AM
Hi tickmike

ACL is access control list

I'm sorry, I think you have misunderstood: you are NOT double NAT, you are just running another firewall upstream of your Smoothwall.

However, I am not sure if it's proven that access could be made from your external IP to the hg612 directly.

Also, please remember a lot of these probes are made from bots, so can change the IP address identity

Many thanks

John
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 01, 2016, 03:31:16 PM
An ACL is a list of access control entries. Each entry in the list will be a pair of a ‘who’ - something like a user or an address-range - who the entry applies to, followed by rules concerning things that are allowed or forbidden, or else levels of access permitted or some such. An ACL will apply to some object or other. In a file system, an ACL for a file might specify who is allowed to do what to that particular file. In a firewall, ACLs might specify the rules to be applied when certain types of packets are seen heading in one direction or another, with match conditions concerning source or destination addresses, ports and protocol types, and the ACL conditions might be checked at a particular interface.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: burakkucat on November 01, 2016, 04:50:20 PM
Quote
I'm getting several inbound IPv4 TCP dest-port=23 packets per second, addressed to various seemingly random destination IPs within my LAN range. I'm not seeing destination address range scans from a single source IP, nor any destination port range scans, there just seems to be no pattern. All TCP packets, no UDP much, and no IPv6. Various countries, and port 23 dominates. I saw five such packets in one second during a 30 s packet capture.

Yes, that reads as familiar.  :-X
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: burakkucat on November 01, 2016, 05:01:12 PM
Quote
Remember I use a 'Smoothwall' box as my firewall after the modem, so my HG612 firewall is set to 'Disable'  :-\

The ACL (already defined by fellow Kitizens, above) for the HG612 is tucked away under the Advanced ---> Firewall setting. The ACL allows rules as to from which interface (WAN & LAN) and by which protocol (HTTP, TELNET, SSH, ICMP Ping, etc.) access can be gained to the HG612 itself.
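To make Weaver's definition of an ACL and the HG612 description above concrete, here is an added example (not code from the thread, the Kitz wiki or Huawei) that models a router-management ACL as an ordered list of entries, each pairing a "who" (ingress interface and source range) with a "what" (protocol and destination port) and a verdict. Evaluation is first-match-wins with an implicit deny at the end, which is the behaviour most firewall ACLs share; the `ROUTER_ACL` ruleset, the interface names and the LAN range are assumptions chosen to mirror the question asked in the thread (Telnet to the router from the LAN, nothing from the WAN), not the HG612's actual configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports for the services the HG612's ACL page is described as offering.
SERVICE_PORTS = {"HTTP": 80, "TELNET": 23, "SSH": 22}


@dataclass(frozen=True)
class AclEntry:
    """One access control entry: the 'who' (interface and source range),
    the 'what' (protocol and destination port) and the verdict."""
    iface: str                      # "WAN", "LAN" or "*" for any interface
    src: ipaddress.IPv4Network      # source range the entry applies to
    proto: str                      # "TCP", "UDP", "ICMP" or "*" for any
    dport: Optional[int]            # None = any port (ICMP has no ports)
    action: str                     # "permit" or "deny"


def evaluate(acl: List[AclEntry], iface: str, src: str,
             proto: str, dport: Optional[int]) -> str:
    """Return the verdict for one packet aimed at the router itself.

    Entries are tried in order and the first one whose conditions all
    match decides; a packet that matches nothing is denied (implicit deny).
    """
    src_ip = ipaddress.ip_address(src)
    for entry in acl:
        if entry.iface not in ("*", iface):
            continue
        if src_ip not in entry.src:           # version mismatch is simply False
            continue
        if entry.proto not in ("*", proto):
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        return entry.action
    return "deny"


LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed LAN range
ANY = ipaddress.ip_network("0.0.0.0/0")

# Hypothetical management ACL: LAN hosts may reach the router's web UI,
# Telnet and ping; the WAN side gets an explicit deny for everything.
ROUTER_ACL = [
    AclEntry("LAN", LAN, "TCP", SERVICE_PORTS["HTTP"], "permit"),
    AclEntry("LAN", LAN, "TCP", SERVICE_PORTS["TELNET"], "permit"),
    AclEntry("LAN", LAN, "ICMP", None, "permit"),
    AclEntry("WAN", ANY, "*", None, "deny"),
]

if __name__ == "__main__":
    # Constructed packets: a LAN admin session and a WAN-side Telnet probe
    # (203.0.113.7 is an RFC 5737 documentation address).
    for iface, src, proto, dport in [
        ("LAN", "192.168.1.2", "TCP", 23),
        ("WAN", "203.0.113.7", "TCP", 23),
        ("WAN", "203.0.113.7", "ICMP", None),
        ("LAN", "192.168.1.2", "TCP", 22),
    ]:
        print(f"{iface:3} {src:15} {proto:4} {str(dport):5} -> "
              f"{evaluate(ROUTER_ACL, iface, src, proto, dport)}")
```

Note that SSH from the LAN is denied even though the LAN entries are permits: nothing in the list mentions port 22, so the implicit deny applies. That is the property worth keeping in mind when editing a router's ACL page, since leaving a service out of the list is as effective as an explicit deny, and the order of entries decides when a packet matches more than one.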
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: roseway on November 02, 2016, 11:23:50 AM
I'm seeing large numbers of these in my security log:

Quote
Nov  2 11:16:13 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 14.183.71.58:59561 to <My IP address>:23

The 'from' address varies.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: kitz on November 02, 2016, 11:41:31 AM
Not sure if I'm missing something in my settings, but I see nothing in my firewall logs.

My Firewall settings are:-
 IPv4 Firewall -> Enable
 IPv6 Firewall -> Enable
 No ACL access rules
 DoS Protection Blocking : Enabled
 Deny Ping Response : Disabled

Log settings are as attached below.

System logging is working because I see all the usual PPPoE, xDSL, Internet, NTP etc. stuff.
However, the only things I do see in my security log are things like "User admin login from 192.168.1.2 successful".

I've just run a scan at GRC.com which says 'Failed: Your system REPLIED to our Ping (ICMP Echo) requests', which is understandable as it's meant to be like that.
Everything else bar that was green & showed as in stealth mode.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: roseway on November 02, 2016, 11:54:18 AM
I'm using the VMG8324 in bridge mode, so the security log is in the separate router (a Billion 7800DXL). Sorry if I caused confusion.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: sevenlayermuddle on November 02, 2016, 11:59:45 AM
All quiet for me too; that's a Billion 7800 configured to log 'informational', and Zen ISP.

The log shows just two 'kernel intrusion' messages, like Eric's, one each on the 26th and 27th of October.

I wonder if some ISPs might be taking network-side action to contain the Mirai threat?   I know that Zen routinely block certain other ports, but not normally 23 or 25; I think that would break too many legitimate uses. ???
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Dray on November 02, 2016, 12:04:41 PM
Zen only block ports 135-139 on UDP and TCP.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: kitz on November 02, 2016, 01:15:09 PM
Quote
Sorry if I caused confusion.

No you didn't cause any :)   I'd started to make a post then got distracted by a phone call and hadn't finished the post.
I was attempting to say I don't see anything in my logs and wondered if I'd set up logging incorrectly.

Quote
I wonder if some ISPs might be taking network-side action to contain the Mirai threat?

Valid suggestion. Now you mention it, Plusnet do filter what they suspect to be ports used by worms and trojans, but as suggested they too would hardly be likely to block valid ports such as 23, 25 etc.

Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: tickmike on November 02, 2016, 10:51:41 PM
I am getting about 600 hits an hour, mainly on port 23, a few on 22 and some other random ones. :o
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: burakkucat on November 02, 2016, 11:20:02 PM
Today I have had just one probe from Hong Kong and six probes from Colombia (seven in total), all "trying" for TCP port 23.

Here follows my security log, in total, for today. I've just replaced my current IPv4 address with W.X.Y.Z --

Code:
Nov  2 16:01:40 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=218.255.138.90 DST=W.X.Y.Z LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45417 PROTO=TCP SPT=7020 DPT=23 WINDOW=47287 RES=0x00 SYN URGP=0 MARK=0x10000000

Nov  2 16:50:47 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000

Nov  2 16:50:48 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000

Nov  2 16:50:56 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000

Nov  2 16:50:57 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000

Nov  2 16:50:57 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000

Nov  2 16:50:59 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=190.145.49.22 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0 MARK=0x10000000
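The two log formats quoted in this thread (roseway's Billion "Intrusion ->" lines and the netfilter `IN= OUT= SRC= DST=` lines above) are easy to count by hand for seven entries, but not at tickmike's 14,000 a day. The following is an added example, not code from anyone in the thread, that parses both formats, tallies packets per destination port and per source, and folds retransmitted SYNs (same source, source port and IP ID, as in the six identical lines from 190.145.49.22 above) into a single connection attempt so that one persistent bot is not counted six times. The sample log is constructed, with RFC 5737 documentation addresses as sources and `W.X.Y.Z` standing in for the router's own address as burakkucat did.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log (not any forum member's real log). Netfilter lines
# first, then two Billion-style lines. Sources are RFC 5737 documentation
# addresses; W.X.Y.Z stands in for the router's public address.
SAMPLE_LOG = """\
Nov  2 16:01:40 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=203.0.113.7 DST=W.X.Y.Z LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45417 PROTO=TCP SPT=7020 DPT=23 WINDOW=47287 RES=0x00 SYN URGP=0
Nov  2 16:50:47 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=198.51.100.9 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0
Nov  2 16:50:48 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=198.51.100.9 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0
Nov  2 16:50:56 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=198.51.100.9 DST=W.X.Y.Z LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=59098 PROTO=TCP SPT=35429 DPT=23 WINDOW=22841 RES=0x00 SYN URGP=0
Nov  2 17:03:12 kern.alert kernel: IN=pppoa1 OUT= MAC= SRC=203.0.113.7 DST=W.X.Y.Z LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=45418 PROTO=TCP SPT=7021 DPT=22 WINDOW=47287 RES=0x00 SYN URGP=0
Nov  2 11:16:13 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 192.0.2.44:59561 to W.X.Y.Z:23
Nov  2 11:16:20 daemon alert kernel: Intrusion ->  TCP packet from [ppp1.1] 192.0.2.44:59562 to W.X.Y.Z:25
"""


@dataclass(frozen=True)
class Probe:
    iface: str
    src: str
    spt: int
    dst: str
    dpt: int
    proto: str
    ip_id: Optional[str]     # IP header ID; only netfilter lines report it
    syn: Optional[bool]      # None when the format does not report flags


TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

BILLION_RE = re.compile(
    r"Intrusion ->\s+(?P<proto>TCP|UDP) packet from \[(?P<iface>[^\]]+)\] "
    r"(?P<src>[^:\s]+):(?P<spt>\d+) to (?P<dst>[^:\s]+):(?P<dpt>\d+)"
)


def parse_netfilter(line: str) -> Optional[Probe]:
    """Parse a netfilter LOG line by splitting it into KEY=VALUE tokens;
    bare tokens such as SYN are the TCP flags."""
    if "SRC=" not in line or "DST=" not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return Probe(iface=fields.get("IN", ""), src=fields["SRC"],
                 spt=int(fields.get("SPT", 0)), dst=fields["DST"],
                 dpt=int(fields.get("DPT", 0)), proto=fields.get("PROTO", "?"),
                 ip_id=fields.get("ID"), syn="SYN" in flags)


def parse_billion(line: str) -> Optional[Probe]:
    """Parse a Billion-style 'Intrusion -> ... from [if] a:p to b:p' line."""
    m = BILLION_RE.search(line)
    if not m:
        return None
    return Probe(iface=m["iface"], src=m["src"], spt=int(m["spt"]),
                 dst=m["dst"], dpt=int(m["dpt"]), proto=m["proto"],
                 ip_id=None, syn=None)


def parse_line(line: str) -> Optional[Probe]:
    return parse_billion(line) or parse_netfilter(line)


def summarise(log_text: str) -> dict:
    probes = [p for p in map(parse_line, log_text.splitlines()) if p]
    # A retransmitted SYN reuses the same source port (and, on netfilter
    # lines, the same IP ID), so identical tuples collapse to one attempt.
    attempts = {(p.src, p.spt, p.dst, p.dpt, p.ip_id) for p in probes}
    return {
        "packets": len(probes),
        "attempts": len(attempts),
        "packets_by_port": dict(Counter(p.dpt for p in probes)),
        "attempts_by_port": dict(Counter(a[3] for a in attempts)),
        "packets_by_src": dict(Counter(p.src for p in probes)),
        "telnet_sources": sorted({p.src for p in probes if p.dpt == 23}),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key:18} {value}")
```

On the constructed sample the seven logged packets reduce to five distinct attempts, three of them against port 23. Run over a real security log (`summarise(open("/var/log/messages").read())`, path an assumption), the `attempts_by_port` figure is the one to watch day to day, since retransmissions inflate the raw packet count without meaning more bots are knocking.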
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: sevenlayermuddle on November 03, 2016, 12:12:31 AM
Clearly, some folks seem to be targeted more than others.   I wonder why.

If it's not random, and if it's not attributable to ISPs blocking the attacks, might the villains be targeting ISP address ranges that they consider most vulnerable?  For example, ISPs that ship their routers with UPnP enabled by default, or with remote access enabled by default?

Just a thought. ???
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: kitz on November 03, 2016, 01:10:51 AM
Quote
might the villains be targeting ISP address ranges that they consider most vulnerable?  For example, ISPs that ship their routers with UPnP enabled by default, or with remote access enabled by default?

Strong possibility.

They would stand more chance of hitting a target via certain ISPs than others.  It's a fact of life that, generally speaking, those on the likes of TT, BT are less knowledgeable about technical issues than say someone on Zen, AAISP.  I would imagine 'dynamic pools' would be a good target.

I know many years ago when I was on BTinternet I used to get bombarded with scans, then after I went with PN (static IP) I hardly saw any.

Saying that though, tickmike is on static IP, so there goes that theory..

I wouldn't be too surprised if the increase is something to do with Mirai, which mostly uses port 23.  The source is now freely available, so as well as the bots, I bet the script kiddies are having a field day playing.

Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: kitz on November 03, 2016, 01:12:29 AM
Incidentally there's now a Mirai nematode. The legality of it is up for debate, but hey, it's been done before with Welchia and others.
 
Interesting discussion in the comments section about getting the ISPs to run it. Plusnet do and have monitored before and no-one complained about the way they did it (see here (http://www.plus.net/virusnotification.html)).  As one guy in there says

Quote
go for it - Currently getting 40K queries per minute on one server and that's getting a bit tiresome.

http://forums.theregister.co.uk/forum/1/2016/10/31/this_antiworm_patch_bot_could_silence_epic_mirai_ddos_attack_army/
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: kitz on November 03, 2016, 01:13:40 AM
@tickmike

Quote
I have a set of 8 fixed IP's From my Kcom isp.

Just curiosity, why do you need 8 statics? Are you running servers?
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: tickmike on November 03, 2016, 10:39:11 AM
Quote
@tickmike

Just curiosity, why do you need 8 statics? Are you running servers?

Yes  ;D

Latest count 14000 to 15000 hits a day.  :-\  Is it a 'Smoothwall' log thing that it shows more hits than a modem/router firewall would?  :hmm:

I put a post on the 'Smoothwall' firewall forum and the guy who first detected 'Mirai' answered and said in the USA they are seeing 500-600 IP blocks per day for MIRAI; "our current count is 3500+; previous to that, we were managing 6000+ blocked MIRAI IPs".
He also put..
Quote
Remember that it is possible for these things to get into wifi connected equipment and spread via wifi to other systems also on wifi... they only know that they are hunting over a network protocol... they don't care if it is wired or radio or even light driven..
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: sevenlayermuddle on November 03, 2016, 02:11:52 PM
Quote
Incidentally there's now a Mirai nematode. The legality of it is up for debate...

Wonder if I'm the only one who'd never heard of the word 'nematode' before?   :-[

Interesting though.   I'd have thought the legality concerns could be overcome by inserting appropriate weasel words into some of the arduous T&Cs that we all have to accept, but hardly ever read, and rarely understand.  The T&Cs could be those of the ISPs, or maybe some good Samaritan like Google (no giggling), who could then take the action?
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: roseway on November 03, 2016, 03:20:23 PM
Gardeners use nematodes for killing slugs, but I guess that isn't what we're talking about here. :)
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 03, 2016, 05:00:38 PM
From a fairly inaccurate sample, I'm seeing ~30k of these per day aimed at a potential target window 64 IPv4 dest-addresses wide, based on a 30 s traffic capture early in the morning. Things might well be hotter in the middle of the day though, so this could be an underestimate for all I know.

Nothing at all on IPv6, that is, aimed at my IPv6 /64 for this LAN. (I have a /48, but I didn't monitor the whole of that.)

If anyone is interested, I'll put the whole traffic capture up (from a .pcap).
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 03, 2016, 05:33:27 PM
It might be interesting to do a traffic capture on my 3G iPad NIC, which has an Andrews & Arnold / Three SIM in it, because at that rate the junk traffic is going to be costing me a whole ~£0.75-£1.50 per month.

And it will be eating my battery, wasting CPU time and eating up RAM too, especially if there's no software firewall on the iPad. (I don't really want connect ack response packets going back out, nor useless TCP connection objects being created until all the RAM is eaten up. I have to pay for upstream too, so useless outbound packets are doubly bad.)

If there were a configurable firewall in Apple iOS then I could at least immediately drop inbound TCP dest_port=23 and so not even create any firewall session object, in order to cut the RAM consumption to zero.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: vic0239 on November 03, 2016, 06:07:24 PM
Quote
Based on a 30 s traffic capture early in the morning.

Are you capturing this on the Firebrick? I'm struggling to fathom out how to enable it.  :help:
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 03, 2016, 06:19:03 PM
Btw, I was talking rubbish earlier when I wrote about a quiet time of day - whose time zone?

A second traffic capture this afternoon recorded 7 such events over a 30 s period, during which there was a fair bit of normal network traffic going on. So there's clearly a good bit of variance, and who's to say when the busier times might be. Any statistical figures have to be very approximate anyway.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 03, 2016, 06:30:35 PM
To get the traffic captures, I used the Andrews & Arnold traffic capture feature that can be triggered on their routers. I set it to capture all PPP traffic (not just IP) going to and from my main LAN. You can do this by going to the clueless.aa.net.uk web server. (They're now wanting us to call that web server 'control.aa.net.uk', which provides the control panel UI, but I prefer the traditional not-tooo-sensible name.)

Firewall:

I looked at my firewall-router’s firewall state (the firewall-router is a Firebrick) to see a list of blocking ('drop') session objects it had created, but that doesn't give me any counts of events, I can just see source IP addresses.

I'm not sure that the firewall can do logging of this type, which might constitute a denial-of-service opportunity in itself with the amount of CPU time it would take up at high traffic rates.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 03, 2016, 06:31:57 PM
The answer seems to be then to just junk IPv4, and problem solved.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: vic0239 on November 03, 2016, 10:07:33 PM
Thanks. Would that be the "Traffic Dump" button on the line info and diag section?
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 03, 2016, 10:24:31 PM
"Traffic Dump" button, indeed. Takes you to another page where there is a decode option, which is what I used, and an option to download the results in a file.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: Weaver on November 04, 2016, 12:46:23 AM
I also checked my 3G iPad, which just has a single global public IPv4 address. I only saw three incoming TCP dest_port = 23 events in a 30 s capture period. So although it might seem pretty quiet, you would expect this given that the destination IP address range window is 64 times narrower than with the earlier DSL-to-whole-LAN tests, and in fact you could say that it's much, much worse per dest-IP.

Unfortunately the iPad is replying to these incoming packets. This has to be a bad thing, although at least it might be stopping further inbound retransmissions.
Title: Re: Have You Checked Your Firewall Logs Lately ?.
Post by: vic0239 on November 04, 2016, 09:03:49 AM
Quote
"Traffic Dump" button, indeed.
Thanks for your help.  :)