telnet and ftp attempts = hack attempts?
wct097
January 24th, 2002, 07:31 PM
You'll have to forgive me for being a relative newbie to the firewall monitoring/managing scene. We're running a Watchguard Firebox 1000. I've been noticing several telnet (port 23), FTP (port 21), and SUN Remote Procedure Call (port 111) connect attempts being blocked by the firewall. Am I wrong to assume that these connect attempts are indeed hacker (cracker, or script kiddie) probes?
Vorlin
January 24th, 2002, 07:58 PM
Well, if you're getting outside attempts to the firewall and you don't recognize them as part of your network, then that's a first indication that they're probably not friends. It could be an accidental connection, or more likely, a port scan. I would definitely dump telnet connections anyway, and go with ssh for encrypted traffic, use a good ftp daemon if you have to, like ProFTP, and make sure your rpc is updated to the latest (rpc's always had problems).
Hope this helps (in a hurry at work). Let me know if you need any more help and I'll see what I can do.
wct097
January 24th, 2002, 08:17 PM
Well, after tracing several IP's back to Tokyo Japan, Hamburg Germany, Paris France, and University of Bonn in Germany.... I highly doubt they have any legit reason for connecting to us. The firewall did block their attempts. I don't let anything but web traffic and smtp in. I'm just monitoring the denied attempts.
FWIW, I even deny ping. I might change that though, seems lots of pings show up denied in my logs.
Edit: And since I'm running an AS400, sun remote procedure calls don't do much, even if the port was open.
gold eagle
January 24th, 2002, 08:34 PM
I agree with Vorlin - you are most likely being "probed" at the very least. You may wish to consider short logging on the traffic types you see most of if you have disk space concerns.
Often, after you see a certain kind of probe for a period of time it may not need full logging since you know about it.
Be sure to check what you have open and to what host it is allowed to.
:)
Maverick811
January 24th, 2002, 08:53 PM
Originally posted by wct097
Well, after tracing several IP's back to Tokyo Japan, Hamburg Germany, Paris France, and University of Bonn in Germany.... I highly doubt they have any legit reason for connecting to us. The firewall did block their attempts. I don't let anything but web traffic and smtp in. I'm just monitoring the denied attempts.
FWIW, I even deny ping. I might change that though, seems lots of pings show up denied in my logs.
If all of those connect attempts are coming from the same few IP's, then it's fairly safe to assume that you are being probed or someone is trying to attack your network. Since you are only allowing SMTP and HTTP services (I believe Watchguard calls them proxies), then those others definitely sound like bad guys. The Firebox does a pretty good job as far as keeping your network fairly secure. Of course, no solution or combination of solutions could ever claim 100% effectiveness.
I would not allow ping attempts at your Firebox - someone randomly pinging IPs might stumble across your IP address and decide to probe further - if you keep denying incoming pings then it looks as if you aren't there.
I would keep an eye on it in the future - if they continue, you should probably contact their ISP and see if you have any luck from that standpoint. I guess that will depend on how responsive the ISP is (I bet some of us could tell some horror stories about ISP's!). Anyway, good question.
wct097
January 24th, 2002, 09:24 PM
01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 213.20.228.176 <my router's IP> 3447 21 syn (FTP)
Lookup 213.20.228.176 - port-213-20-228-176.reverse.qdsl-home.de
TraceRt goes through Mediaways.Frankfurt1.de.alter.net
It seems that all of these connect attempts come through alter.net. I'm guessing that Alter.net is some sort of backbone connecting major networks.
Tedob1
January 24th, 2002, 09:44 PM
it's probably someone with a port scanner checking a range of ip addresses to see if anyone has that port open. nothing you can do about it. as long as that port doesn't show open it'll move on to the next ip number and you don't have anything to worry about. if you find a number of ports probed from the same address, then it's time to take it personally.
Maverick811
January 24th, 2002, 10:12 PM
Originally posted by Tedob1
it's probably someone with a port scanner checking a range of ip addresses to see if anyone has that port open. nothing you can do about it. as long as that port doesn't show open it'll move on to the next ip number and you don't have anything to worry about. if you find a number of ports probed from the same address, then it's time to take it personally.
Agreed - if your Firebox is stopping those attempts, you are okay. I noticed that your FTP service (proxy) is stopping those attempts. I believe the way the Firebox works is if there is not a service or proxy explicitly enabling or denying connections, then all connection attempts are denied. Does anyone know more on this? What other proxies are you running on the Firebox?
Anyhow - I'll say it again, just keep an eye on it, no need to panic yet.
Hope we've helped...
wct097
January 24th, 2002, 10:25 PM
The only services I am allowing in are HTTP, SMTP, and Lotus Notes.
I allow out AOL, DNS, finger, FTP, HTTP, HTTPS, ping, Realplayer, SMTP, telnet, and whois.
I log incoming Lotus Notes and HTTP. SMTP is logged through our mail server, so I leave it off of the firewall logs.
EDIT: And yes, you've been a great help. And no, I'm not panicking over the probes. I panicked when I figured out I could telnet in from home (the consultants left telnet open!!), but not now.
zigar
January 24th, 2002, 10:29 PM
since i just got my firebox 700 this week i can't say i'm an expert:D but why don't ya just block the alter.net host range...or if that's a little drastic...you can set up an autoblock rule which can kick in after a certain number of probes...
wct097
January 25th, 2002, 05:23 AM
I can't block alter.net because it's just on the route, not the actual destination. I may do the auto-block. Does auto-block keep a list of blocked sites somewhere that I can access/modify? Is auto-block temporary or permanent?
Thanks,
zigar
January 25th, 2002, 04:47 PM
as i said...i just got my box ...but reading from the manual pg 85 (you do have a manual right...hinthint...rtfm...:rolleyes: )
"Auto Blocked sites - which are sites the firebox adds or deletes dynamically based on default packet handling rules and service-by-service rules for denied packets. Sites are temporarily blocked until the autoblocking mechanism times out "
(timeout can be set up to 22 days i think)
"Firebox autoblock and logging mechanisms can help you decide what sites to block. For example, when you find a site that spoofs your network, you can add the offending site's ip to the list of permanently blocked sites."
wct097
January 28th, 2002, 03:27 PM
Actually, I don't have the manual handy. Our consultants swiped it and haven't mailed it back to me yet. I went ahead and auto-blocked sites that try to connect in suspicious ways. I have my Firebox logging incoming (allowed) http as well. Funny to watch someone hit the website, try to FTP, then can't hit our website a minute later. I bet it confuses the hell outta them.
I've been keeping track of suspicious hits on the firewall. I noticed one log message that occurred three nights in a row. IP 198.36.205.2, port 137. Three entries each night between 1:30 and 2:00. I might just block this IP completely.
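A small parser and triage script for log lines in the firewalld format wct097 quoted earlier, added here as an example and not code from the thread or from Watchguard: it groups denied inbound packets by source, labels a source that touches several ports as a scan (Tedob1's rule) and one that comes back on several days as recurring (the port 137 visitor above). The meaning of the two numbers after the protocol, the service names in parentheses and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Field layout inferred from the single Firebox log line quoted in the thread
# (assumption: the two numbers after the protocol are IP header length and TTL).
LOG_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d) firewalld\[\d+\]: "
    r"(?P<action>deny|allow) (?P<dir>in|out) (?P<iface>\S+) (?P<length>\d+) "
    r"(?P<proto>\w+) (?P<hlen>\d+) (?P<ttl>\d+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+)(?: (?P<flags>[a-z]+))?(?: \((?P<svc>[^)]*)\))?$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())  # None for lines in another format
    return m.groupdict() if m else None

def classify_sources(lines, scan_ports=3, recurring_days=3):
    """Group denied inbound packets by source and label each source."""
    seen = defaultdict(lambda: {"ports": set(), "days": set()})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "deny" and rec["dir"] == "in":
            seen[rec["src"]]["ports"].add((rec["proto"], int(rec["dport"])))
            seen[rec["src"]]["days"].add(rec["date"])
    verdicts = {}
    for src, s in seen.items():
        if len(s["ports"]) >= scan_ports:
            verdicts[src] = "port scan"     # several ports from one address
        elif len(s["days"]) >= recurring_days:
            verdicts[src] = "recurring"     # same port, night after night
        else:
            verdicts[src] = "single probe"  # a scanner that moved on
    return verdicts

# Constructed sample log using RFC 5737 documentation addresses; 203.0.113.10
# stands in for the firewall's external IP. Not taken from the thread.
SAMPLE_LOG = """\
01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.7 203.0.113.10 3447 21 syn (FTP)
01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.7 203.0.113.10 3448 23 syn (Telnet)
01/24/02 15:09 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.7 203.0.113.10 3449 111 syn (SunRPC)
01/25/02 01:41 firewalld[78]: deny in eth0 78 udp 20 120 192.0.2.44 203.0.113.10 137 137 (NetBIOS)
01/26/02 01:52 firewalld[78]: deny in eth0 78 udp 20 120 192.0.2.44 203.0.113.10 137 137 (NetBIOS)
01/27/02 01:38 firewalld[78]: deny in eth0 78 udp 20 120 192.0.2.44 203.0.113.10 137 137 (NetBIOS)
01/26/02 09:02 firewalld[78]: deny in eth0 48 tcp 20 115 192.0.2.9 203.0.113.10 2210 21 syn (FTP)
01/26/02 09:03 firewalld[78]: allow in eth0 48 tcp 20 115 192.0.2.9 203.0.113.10 2211 80 syn (HTTP)
"""

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:16} {verdict}")
```

Allowed traffic is ignored on purpose, so a visitor who browses the site and then tries FTP once still counts as a single probe; raise or lower the two thresholds to match how noisy your own logs are.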
Pclinuxguru
February 11th, 2002, 02:16 PM
Alter.Net is a backbone provider across the Atlantic and the majority of ISP's on the East Coast USA use them.
AIDeveloper
February 12th, 2002, 02:25 AM
198.36.205.2 >> Risdall Advertizing (NETBLK-USW-RISDELLADVERTISE) , Class C network (198.36.205.0 - 198.36.205.255),
_ 198.36.205.1 : HTTP server installed (Microsoft IIS 5.0)
_ 198.36.205.1 : FTP server installed (Squid/2.4.STABLE2)
_ 198.36.205.1 : anonymous FTP connection refused
(198.36.205.1 - www.risdall.com)
It seems that their small network has only Windows workstations.
They are possibly having some bugs in their old accounting software (or other automatic report-making soft) which (probably ;) ) use NetBIOS to exchange data within LAN. So log all incoming packets, don't filter them, that could be interesting (let that host establish NetBIOS connection and transfer (faked) data if any - i.e. let them transfer something if they want).
AIDeveloper.