telnet and ftp attempts = hack attempts?
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: telnet and ftp attempts = hack attempts?

  1. #1
    Junior Member
    Join Date
    Jan 2002
    Posts
    11

    Question telnet and ftp attempts = hack attempts?

    You'll have to forgive me for being a relative newbie to the firewall monitoring/managing scene. We're running a Watchguard Firebox 1000. I've been noticing several telnet (port 23), FTP (port 21), and SUN Remote Procedure Call (port 111) conenct attempts being blocked by the firewall. Am I wrong to assume that these connect attempts are indeed hacker (cracker, or script kidde) probes?
    -Will Tyler
    -wct097@yahoo.com

  2. #2
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Well, if you're getting outside attempts to the firewall and you don't recognize them as part of your network, then that's a first indication that they're probably not friends. It could be an accidental connection, or more likely, a port scan. I would definitely dump telnet connections anyway, and go with ssh for encrypted traffic, use a good ftp daemon if you have to, like ProFTP, and make sure your rpc is updated to the latest (rpc's always had problems).

    Hope this helps (in a hurry at work). Let me know if you need anymore help and I'll see what I can do.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  3. #3
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    Well, after tracing several IP's back to Tokyo Japan, Hamburg Germany, Paris France, and University of Bonn in Germany.... I highly doubt they have any legit reason for connecting to us. The firewall did block their attempts. I don't let anything but web traffic and smtp in. I'm just monitoring the denied attempts.

    FWIW, I even deny ping. I might change that though, seems lots of pings show up denied in my logs.

    Edit: And since I'm running an AS400, sun remote procedure calls don't do much, even if the port was open.
    -Will Tyler
    -wct097@yahoo.com

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193

    Red face

    I agree with Vorlin - you are most likely being "probed" at the very least. You may wish to consider short logging on the traffic types you see most of if you have disk space concerns.
    Often, after you see a certain kind of probe for a period of time it may not need full logging since you know about it.

    Be sure to check what you have open and to what host it is allowed to.

    Trappedagainbyperfectlogic.

  5. #5
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Originally posted by wct097
    Well, after tracing several IP's back to Tokyo Japan, Hamburg Germany, Paris France, and University of Bonn in Germany.... I highly doubt they have any legit reason for connecting to us. The firewall did block their attempts. I don't let anything but web traffic and smtp in. I'm just monitoring the denied attempts.

    FWIW, I even deny ping. I might change that though, seems lots of pings show up denied in my logs.

    If all of those connect attempts are coming from the same few IP's, then it's fairly safe to assume that you are being probed or someone is trying to attack your network. Since you are only allowing SMTP and HTTP services (I believe Watchguard calls them proxies), then those others definately sound like bad guys. The Firebox does a pretty good job as far as keeping your network fairly secure. Of course, no solution or combination of solutions could ever claim 100% effectiveness.

    I would not allow ping attempts at your Firebox - someone randomly pinging IPs might stumble across your IP address and decide to probe further - if you keep denying Incoming pings then it looks as if you aren't there.

    I would keep an eye on it in the future - if they continue, you should probably contact their ISP and see if you have any luck from that standpoint. I guess that will depend on how responsive the ISP is (I bet some of us could tell some horror stories about ISP's!). Anyway, good question.
    - Maverick

  6. #6
    Junior Member
    Join Date
    Jan 2002
    Posts
    11

    Arrow The latest...

    01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 213.20.228.176 <my router's IP> 3447 21 syn (FTP)

    Lookup 213.20.228.176 - port-213-20-228-176.reverse.qdsl-home.de

    TraceRt goes through Mediaways.Frankfurt1.de.alter.net

    It seems that all of these connect attempts come through alter.net. I'm guessing that Alter.net is some sort of backbone connecting major networks.
    -Will Tyler
    -wct097@yahoo.com

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    it's probably some one with a port scanner checking a range of ip addresses to see if anyone has that port open. nothing you can do about it. as long as that port dosn't show open it'll move on to the next ip number and you don't have anything to worry about. if you find a number of ports probed from the same address, then its time to take it personnally.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Originally posted by Tedob1
    it's probably some one with a port scanner checking a range of ip addresses to see if anyone has that port open. nothing you can do about it. as long as that port dosn't show open it'll move on to the next ip number and you don't have anything to worry about. if you find a number of ports probed from the same address, then its time to take it personnally.
    Agreed - if your Firebox is stopping those attempts, you are okay. I noticed that your FTP service (proxy) is stopping those attempts. I believe the way the Firebox works is if there is not a service or proxy explicitly enabling or denying connections, then all connection attempts are denied. Does anyone know more on this? What other proxies are you running on the Firebox?

    Anyhow - I'll say it again, just keep an eye on it, no need to panic yet.

    Hope we've helped...
    - Maverick

  9. #9
    Junior Member
    Join Date
    Jan 2002
    Posts
    11

    Arrow

    The only services I am allowing in are HTTP, SMTP, and Lotus Notes.

    I allow out AOL, DNS, finger, FTP, HTTP, HTTPS, ping, Realplayer, SMTP, telnet, and whois.

    I log incoming Lotus Notes and HTTP. SMTP is logged through our mail server, so I leave it off of the firewall logs.

    EDIT: And yes, you've been a great help. And no, I'm not panicing over the probes. I paniced when I figured out I could telnet in from home (the consultants left telnet open!!), but not now.
    -Will Tyler
    -wct097@yahoo.com

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    since i just got my firebox 700 this week i can't say i'm an expert but why don't ya just block the alter.net host range...or if that's a little drastic...you can setup an autoblock rule which can kick in after a certain number of probes...
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •