-
January 24th, 2002, 07:31 PM
#1
Junior Member
telnet and ftp attempts = hack attempts?
You'll have to forgive me for being a relative newbie to the firewall monitoring/managing scene. We're running a Watchguard Firebox 1000. I've been noticing several telnet (port 23), FTP (port 21), and SUN Remote Procedure Call (port 111) connect attempts being blocked by the firewall. Am I wrong to assume that these connect attempts are indeed hacker (cracker, or script kiddie) probes?
-Will Tyler
-wct097@yahoo.com
-
January 24th, 2002, 07:58 PM
#2
Well, if you're getting outside attempts to the firewall and you don't recognize them as part of your network, then that's a first indication that they're probably not friends. It could be an accidental connection, or more likely, a port scan. I would definitely dump telnet connections anyway, and go with ssh for encrypted traffic, use a good ftp daemon if you have to, like ProFTP, and make sure your rpc is updated to the latest (rpc's always had problems).
Hope this helps (in a hurry at work). Let me know if you need any more help and I'll see what I can do.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
January 24th, 2002, 08:17 PM
#3
Junior Member
Well, after tracing several IPs back to Tokyo, Japan; Hamburg, Germany; Paris, France; and the University of Bonn in Germany... I highly doubt they have any legit reason for connecting to us. The firewall did block their attempts. I don't let anything but web traffic and SMTP in. I'm just monitoring the denied attempts.
FWIW, I even deny ping. I might change that though, seems lots of pings show up denied in my logs.
Edit: And since I'm running an AS400, sun remote procedure calls don't do much, even if the port was open.
-Will Tyler
-wct097@yahoo.com
-
January 24th, 2002, 08:34 PM
#4
I agree with Vorlin - you are most likely being "probed" at the very least. You may wish to consider short logging on the traffic types you see most of if you have disk space concerns.
Often, after you see a certain kind of probe for a period of time it may not need full logging since you know about it.
Be sure to check what you have open and to what host it is allowed to.
Trappedagainbyperfectlogic.
-
January 24th, 2002, 08:53 PM
#5
Originally posted by wct097
Well, after tracing several IPs back to Tokyo, Japan; Hamburg, Germany; Paris, France; and the University of Bonn in Germany... I highly doubt they have any legit reason for connecting to us. The firewall did block their attempts. I don't let anything but web traffic and SMTP in. I'm just monitoring the denied attempts.
FWIW, I even deny ping. I might change that though, seems lots of pings show up denied in my logs.
If all of those connect attempts are coming from the same few IPs, then it's fairly safe to assume that you are being probed or someone is trying to attack your network. Since you are only allowing SMTP and HTTP services (I believe Watchguard calls them proxies), then those others definitely sound like bad guys. The Firebox does a pretty good job as far as keeping your network fairly secure. Of course, no solution or combination of solutions could ever claim 100% effectiveness.
I would not allow ping attempts at your Firebox - someone randomly pinging IPs might stumble across your IP address and decide to probe further - if you keep denying Incoming pings then it looks as if you aren't there.
I would keep an eye on it in the future - if they continue, you should probably contact their ISP and see if you have any luck from that standpoint. I guess that will depend on how responsive the ISP is (I bet some of us could tell some horror stories about ISPs!). Anyway, good question.
-
January 24th, 2002, 09:24 PM
#6
Junior Member
The latest...
01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 213.20.228.176 <my router's IP> 3447 21 syn (FTP)
Lookup 213.20.228.176 - port-213-20-228-176.reverse.qdsl-home.de
TraceRt goes through Mediaways.Frankfurt1.de.alter.net
It seems that all of these connect attempts come through alter.net. I'm guessing that Alter.net is some sort of backbone connecting major networks.
-Will Tyler
-wct097@yahoo.com
-
January 24th, 2002, 09:44 PM
#7
It's probably someone with a port scanner checking a range of IP addresses to see if anyone has that port open. Nothing you can do about it. As long as that port doesn't show open it'll move on to the next IP number and you don't have anything to worry about. If you find a number of ports probed from the same address, then it's time to take it personally.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
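The distinction drawn in the post above (one port tried against many hosts, versus many ports tried from one address against this host) can be pulled out of the Firebox deny log mechanically. The following is an added example, not code from the thread or from Watchguard: a small Python parser for lines shaped like the `firewalld[78]: deny ...` entry posted earlier in the thread, grouping inbound denies by source address and labelling each source as a "sweep" (one or two distinct destination ports) or "targeted" (three or more). The field order (`len proto tos ttl src dst sport dport flags (service)`) is inferred from that single posted line and is an assumption to verify against your own logs; the sample log is constructed with RFC 5737 documentation addresses and the three-port threshold is an arbitrary starting point.

```python
"""Triage WatchGuard-style firewalld "deny" lines: one-port sweep vs. targeted scan.

Added example, not from the thread. The field order is inferred from the single
line posted above:

  01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 <src> <dst> <sport> <dport> syn (FTP)

and is an assumption; check it against your own Firebox output. All sample
lines below are constructed (RFC 5737 documentation addresses), not captures.
"""
import re
from collections import defaultdict

# Assumed layout: date time firewalld[pid]: deny dir iface len proto tos ttl src dst sport dport [flags] [(svc)]
DENY_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) firewalld\[\d+\]: deny (?P<dir>in|out) (?P<iface>\S+) "
    r"(?P<len>\d+) (?P<proto>tcp|udp) (?P<tos>\d+) (?P<ttl>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<sport>\d+) (?P<dport>\d+)(?: (?P<flags>[a-z]+))?(?: \((?P<svc>[^)]*)\))?\s*$"
)


def parse_deny(line):
    """Return a dict for a matching deny line, or None for anything else (allows, noise)."""
    m = DENY_RE.match(line)
    if m is None:
        return None
    return {
        "time": f"{m['date']} {m['time']}",
        "dir": m["dir"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "sport": int(m["sport"]),
        "dport": int(m["dport"]),
        "flags": m["flags"],   # e.g. "syn"; None if absent
        "svc": m["svc"],       # Firebox service label, e.g. "FTP"; None if absent
    }


def summarize(lines, port_threshold=3):
    """Group inbound denies by source IP and label each source.

    One or two distinct destination ports from a source is consistent with a
    sweep of many hosts for one service (the scanner "moves on to the next
    IP"); port_threshold or more distinct ports from one source looks like
    someone enumerating this host in particular. The threshold is arbitrary.
    """
    ports = defaultdict(set)   # src -> {(proto, dport), ...}
    hits = defaultdict(int)    # src -> number of denied packets
    for line in lines:
        rec = parse_deny(line)
        if rec is None or rec["dir"] != "in":
            continue
        ports[rec["src"]].add((rec["proto"], rec["dport"]))
        hits[rec["src"]] += 1
    report = {}
    for src in ports:
        distinct = sorted(ports[src])
        report[src] = {
            "hits": hits[src],
            "ports": distinct,
            "verdict": "targeted" if len(distinct) >= port_threshold else "sweep",
        }
    return report


# Constructed sample log (not real data). 203.0.113.1 stands in for the router's IP.
SAMPLE_LOG = """\
01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.23 203.0.113.1 3447 21 syn (FTP)
01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.23 203.0.113.1 3448 23 syn (telnet)
01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.23 203.0.113.1 3449 111 syn (SunRPC)
01/24/02 15:09 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.23 203.0.113.1 3450 139 syn
01/24/02 15:12 firewalld[78]: deny in eth0 48 tcp 20 54 192.0.2.77 203.0.113.1 1029 21 syn (FTP)
01/24/02 15:13 firewalld[78]: deny in eth0 48 tcp 20 54 192.0.2.77 203.0.113.1 1030 21 syn (FTP)
01/24/02 15:14 firewalld[78]: allow in eth0 60 tcp 0 50 192.0.2.200 203.0.113.1 40321 80 syn (HTTP)
01/24/02 15:15 firewalld[78]: deny out eth0 48 tcp 20 64 10.0.0.5 192.0.2.9 2001 6667 syn
"""

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:<16} hits={info['hits']:<3} verdict={info['verdict']:<8} ports={info['ports']}")
```

Run against the constructed sample, 198.51.100.23 (four distinct ports) comes out "targeted" while 192.0.2.77 (FTP only, twice) comes out "sweep"; the allow line and the outbound deny are ignored. Feeding the real log in via `summarize(open(path).read().splitlines())` gives the per-source list that the thread suggests is worth an ISP complaint, without hand-tracing each address.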
-
January 24th, 2002, 10:12 PM
#8
Originally posted by Tedob1
It's probably someone with a port scanner checking a range of IP addresses to see if anyone has that port open. Nothing you can do about it. As long as that port doesn't show open it'll move on to the next IP number and you don't have anything to worry about. If you find a number of ports probed from the same address, then it's time to take it personally.
Agreed - if your Firebox is stopping those attempts, you are okay. I noticed that your FTP service (proxy) is stopping those attempts. I believe the way the Firebox works is if there is not a service or proxy explicitly enabling or denying connections, then all connection attempts are denied. Does anyone know more on this? What other proxies are you running on the Firebox?
Anyhow - I'll say it again, just keep an eye on it, no need to panic yet.
Hope we've helped...
-
January 24th, 2002, 10:25 PM
#9
Junior Member
The only services I am allowing in are HTTP, SMTP, and Lotus Notes.
I allow out AOL, DNS, finger, FTP, HTTP, HTTPS, ping, Realplayer, SMTP, telnet, and whois.
I log incoming Lotus Notes and HTTP. SMTP is logged through our mail server, so I leave it off of the firewall logs.
EDIT: And yes, you've been a great help. And no, I'm not panicking over the probes. I panicked when I figured out I could telnet in from home (the consultants left telnet open!!), but not now.
-Will Tyler
-wct097@yahoo.com
-
January 24th, 2002, 10:29 PM
#10
Since I just got my Firebox 700 this week I can't say I'm an expert, but why don't you just block the alter.net host range... or if that's a little drastic... you can set up an autoblock rule which can kick in after a certain number of probes...
"I used to be with IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson