
Thread: telnet and ftp attempts = hack attempts?

  1. #1
    Junior Member
    Join Date
    Jan 2002
    Posts
    11

    telnet and ftp attempts = hack attempts?

    You'll have to forgive me for being a relative newbie to the firewall monitoring/managing scene. We're running a Watchguard Firebox 1000. I've been noticing several telnet (port 23), FTP (port 21), and SUN Remote Procedure Call (port 111) connect attempts being blocked by the firewall. Am I wrong to assume that these connect attempts are indeed hacker (cracker, or script kiddie) probes?
    -Will Tyler
    -wct097@yahoo.com

  2. #2
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Well, if you're getting outside attempts to the firewall and you don't recognize them as part of your network, then that's a first indication that they're probably not friends. It could be an accidental connection, or more likely, a port scan. I would definitely dump telnet connections anyway, and go with ssh for encrypted traffic, use a good ftp daemon if you have to, like ProFTP, and make sure your rpc is updated to the latest (rpc's always had problems).

    Hope this helps (in a hurry at work). Let me know if you need any more help and I'll see what I can do.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  3. #3
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    Well, after tracing several IPs back to Tokyo, Japan, Hamburg, Germany, Paris, France, and the University of Bonn in Germany... I highly doubt they have any legit reason for connecting to us. The firewall did block their attempts. I don't let anything but web traffic and SMTP in. I'm just monitoring the denied attempts.

    FWIW, I even deny ping. I might change that though, seems lots of pings show up denied in my logs.

    Edit: And since I'm running an AS400, sun remote procedure calls don't do much, even if the port was open.
    -Will Tyler
    -wct097@yahoo.com

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193


    I agree with Vorlin - you are most likely being "probed" at the very least. You may wish to consider short logging on the traffic types you see most of if you have disk space concerns.
    Often, after you see a certain kind of probe for a period of time it may not need full logging since you know about it.

    Be sure to check what you have open and to what host it is allowed to.

    Trappedagainbyperfectlogic.

  5. #5
    Originally posted by wct097
    Well, after tracing several IPs back to Tokyo, Japan, Hamburg, Germany, Paris, France, and the University of Bonn in Germany... I highly doubt they have any legit reason for connecting to us. The firewall did block their attempts. I don't let anything but web traffic and SMTP in. I'm just monitoring the denied attempts.

    FWIW, I even deny ping. I might change that though, seems lots of pings show up denied in my logs.

    If all of those connect attempts are coming from the same few IPs, then it's fairly safe to assume that you are being probed or someone is trying to attack your network. Since you are only allowing SMTP and HTTP services (I believe Watchguard calls them proxies), then those others definitely sound like bad guys. The Firebox does a pretty good job as far as keeping your network fairly secure. Of course, no solution or combination of solutions could ever claim 100% effectiveness.

    I would not allow ping attempts at your Firebox - someone randomly pinging IPs might stumble across your IP address and decide to probe further - if you keep denying incoming pings then it looks as if you aren't there.

    I would keep an eye on it in the future - if they continue, you should probably contact their ISP and see if you have any luck from that standpoint. I guess that will depend on how responsive the ISP is (I bet some of us could tell some horror stories about ISPs!). Anyway, good question.
    - Maverick

  6. #6
    Junior Member
    Join Date
    Jan 2002
    Posts
    11

    The latest...

    01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 213.20.228.176 <my router's IP> 3447 21 syn (FTP)

    Lookup 213.20.228.176 - port-213-20-228-176.reverse.qdsl-home.de

    TraceRt goes through Mediaways.Frankfurt1.de.alter.net

    It seems that all of these connect attempts come through alter.net. I'm guessing that Alter.net is some sort of backbone connecting major networks.
    -Will Tyler
    -wct097@yahoo.com

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    it's probably someone with a port scanner checking a range of ip addresses to see if anyone has that port open. nothing you can do about it. as long as that port doesn't show open it'll move on to the next ip number and you don't have anything to worry about. if you find a number of ports probed from the same address, then it's time to take it personally.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Originally posted by Tedob1
    it's probably someone with a port scanner checking a range of ip addresses to see if anyone has that port open. nothing you can do about it. as long as that port doesn't show open it'll move on to the next ip number and you don't have anything to worry about. if you find a number of ports probed from the same address, then it's time to take it personally.
    Agreed - if your Firebox is stopping those attempts, you are okay. I noticed that your FTP service (proxy) is stopping those attempts. I believe the way the Firebox works is if there is not a service or proxy explicitly enabling or denying connections, then all connection attempts are denied. Does anyone know more on this? What other proxies are you running on the Firebox?

    Anyhow - I'll say it again, just keep an eye on it, no need to panic yet.

    Hope we've helped...
    - Maverick

  9. #9
    Junior Member
    Join Date
    Jan 2002
    Posts
    11


    The only services I am allowing in are HTTP, SMTP, and Lotus Notes.

    I allow out AOL, DNS, finger, FTP, HTTP, HTTPS, ping, Realplayer, SMTP, telnet, and whois.

    I log incoming Lotus Notes and HTTP. SMTP is logged through our mail server, so I leave it off of the firewall logs.

    EDIT: And yes, you've been a great help. And no, I'm not panicking over the probes. I panicked when I figured out I could telnet in from home (the consultants left telnet open!!), but not now.
    -Will Tyler
    -wct097@yahoo.com

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    since i just got my firebox 700 this week i can't say i'm an expert but why don't ya just block the alter.net host range...or if that's a little drastic...you can set up an autoblock rule which can kick in after a certain number of probes...
    "I used to be with IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
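Added example, not from any poster in this thread: a small Python script that parses deny lines in the shape quoted in post #6, then applies the two rules of thumb from posts #7 and #10 (several distinct ports from one address, or enough repeats from one address to justify an autoblock threshold). The numeric fields between the protocol and the source address are assumed to be opaque and are skipped; the sample log is constructed, with the redacted router address replaced by 192.0.2.10 and the 198.51.100.7 and 203.0.113.5 lines made up.

```python
import re
from collections import defaultdict

# Matches the shape of the firewalld deny line quoted in post #6; the numeric
# fields between the protocol and the source address are skipped, not interpreted.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) firewalld\[\d+\]: (?P<action>\w+) (?P<direction>in|out) "
    r"(?P<iface>\S+) \d+ (?P<proto>\w+) \d+ \d+ (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<sport>\d+) (?P<dport>\d+)")

def parse_line(line):
    """Return the fields of one firewalld line as a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def probes_by_source(lines):
    """Map each source of a denied inbound attempt to (sorted dst ports, attempt count)."""
    ports, counts = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny" or rec["direction"] != "in":
            continue  # unparsed lines and allowed/outbound traffic are not probes
        ports[rec["src"]].add(rec["dport"])
        counts[rec["src"]] += 1
    return {src: (sorted(ports[src]), counts[src]) for src in ports}

def flag_sources(lines, min_ports=2, min_attempts=5):
    """Flag sources probing several ports (post #7) or repeating enough to trip an autoblock (post #10)."""
    flagged = {}
    for src, (dports, n) in probes_by_source(lines).items():
        if len(dports) >= min_ports:
            flagged[src] = "multiple ports: %s" % dports
        elif n >= min_attempts:
            flagged[src] = "%d attempts on port %d" % (n, dports[0])
    return flagged

# Constructed sample log: the first line follows post #6 with the redacted router
# address replaced by 192.0.2.10; the 198.51.100.7 and 203.0.113.5 lines are made up.
SAMPLE_LOG = """\
01/24/02 15:08 firewalld[78]: deny in eth0 48 tcp 20 112 213.20.228.176 192.0.2.10 3447 21 syn (FTP)
01/24/02 15:09 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.7 192.0.2.10 4101 21 syn (FTP)
01/24/02 15:09 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.7 192.0.2.10 4102 23 syn (telnet)
01/24/02 15:09 firewalld[78]: deny in eth0 48 tcp 20 112 198.51.100.7 192.0.2.10 4103 111 syn (SunRPC)
01/24/02 15:10 firewalld[78]: allow in eth0 48 tcp 20 112 203.0.113.5 192.0.2.10 5120 80 syn (HTTP)
""".splitlines()
```

Running `flag_sources(SAMPLE_LOG)` reports only 198.51.100.7 (three ports from one address); the single FTP probe from post #6 stays below both thresholds, which matches post #7's advice to ignore a one-off.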
