Pages in this thread: 1 | 2 | 3 | (show all)   Print Thread
Standard User crule (newbie) Tue 29-Jul-14 16:00:51
Security

I have been monitoring the activity on my internet line using the event log on my BT series $ router. It makes interesting reading. Many dozens of times a day, stations with IP addresses which resolve to the PR of China, N Vietnam and Crimea attempt to access my router. So far the firewall is holding.
Standard User caffn8me (knowledge is power) Wed 30-Jul-14 12:00:54
Re: Security [re: crule]

In the last few minutes I've had the following locked out by my firewall; it's quite an international gathering:

93.174.93.51 - Netherlands - server.anonymous-hosting-service.com. 
80.82.70.148 - Netherlands - hosted-by.ecatel.net.
49.206.0.110 - India - 110.0.206.49-ras.beamtele.net 
124.7.109.7 - India - segment-124-7.sify.net.
58.213.120.44 - China - no hostname
217.131.216.129 - China - no hostname
123.157.150.56 - China - no hostname
113.14.26.10 - China - no hostname
61.147.103.138 - China - no hostname
198.20.70.115 - USA - census3.shodan.io.
66.240.236.119 - USA - census6.shodan.io.
209.79.68.215 - USA - user68x215.ocde.k12.ca.us.
190.43.93.220 - Peru - no hostname
196.0.29.22 - Uganda - bandwidthmgr.utlonline.co.ug.
77.106.76.34 - Russia - user-77-106-76-34.tomtelnet.ru.
93.120.27.62 - Romania - no-rdns.free.clues.ro.
217.131.216.129 - Turkey - host-217-131-216-129.reverse.superonline.net.

That means they have probed specific trigger ports, run port or address space scans, or sent packets with disallowed IP options.

The first Netherlands server seems to be a well known offender: https://www.badips.com/info/93.174.93.51 - the second may be related as it's on the same ISP's network.

The shodan.io hits are from a search engine which seems to have been designed to help hackers - see http://en.wikipedia.org/wiki/Shodan_%28website%29

China seems to be very busy but the USA is not far behind.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me (knowledge is power) Thu 31-Jul-14 01:02:59
Re: Security [re: caffn8me]

What a difference a few hours make. Right now my firewall shows 165 hosts currently blocked. That's a massive number - including a lot of activity from the Koreans.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Standard User crule (newbie) Thu 31-Jul-14 06:26:33
Re: Security [re: caffn8me]

Yep, it's certainly dangerous out there.
Just checked again; my experience is very similar.
I guess we just have to rely on the firewall holding.
Standard User BatBoy (legend) Thu 31-Jul-14 08:42:21
Re: Security [re: crule]

How do you know "the firewall is holding" ?


______________________________________________________________________________________False_Authority_Syndrome__________________
Standard User crule (newbie) Thu 31-Jul-14 08:47:17
Re: Security [re: BatBoy]

All I can see is the packets being blocked.
However, if you know more...?
Standard User Zadeks (experienced) Thu 31-Jul-14 09:50:14
Re: Security [re: crule]

All routers drop unsolicited traffic by design. It's nothing to worry about.

You can harden your router by disabling remote access and UPnP.
Standard User camieabz (sensei) Thu 31-Jul-14 10:06:28
Re: Security [re: caffn8me]

In reply to a post by caffn8me:
The shodan.io hits are from a search engine which seems to have been designed to help hackers - see http://en.wikipedia.org/wiki/Shodan_%28website%29


Some basic IT security should stop a lot of its efforts. Complex, long passwords for a start. From a web server perspective, I found that the majority of probes, script kiddies and so on get stopped by adding a half dozen key rules to the .htaccess file (I suppose the same could be done at the firewall level).
Standard User Andrue (knowledge is power) Thu 31-Jul-14 11:30:16
Re: Security [re: crule]

In reply to a post by crule:
I have been monitoring the activity on my internet line using the event log on my BT series $ router. It makes interesting reading. Many dozens of times a day, stations with IP addresses which resolve to the PR of China, N Vietnam and Crimea attempt to access my router. So far the firewall is holding.
You should see what my email server logs show:

30/7/2014 1:49:59.597 - Unknown User for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 1:50:00.034 - Access Restriction block for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 3:34:19.732 - Unknown User for linux@***.me.uk in SMTP from 119.75.11.68
30/7/2014 3:34:20.216 - Access Restriction block for linux@***.me.uk in SMTP from 119.75.11.68
30/7/2014 4:45:41.362 - Unknown User for admin@***.me.uk in SMTP from 203.113.206.105
30/7/2014 4:45:41.986 - Access Restriction block for admin@***.me.uk in SMTP from 203.113.206.105
30/7/2014 6:23:56.628 - Unknown User for scan@***.me.uk in SMTP from 113.160.154.78
30/7/2014 6:23:57.237 - Access Restriction block for scan@***.me.uk in SMTP from 113.160.154.78
30/7/2014 6:59:50.399 - Unknown User for server@***.me.uk in SMTP from 190.189.92.132
30/7/2014 6:59:50.930 - Access Restriction block for server@***.me.uk in SMTP from 190.189.92.132
30/7/2014 7:09:17.101 - Unknown User for scanner@***.me.uk in SMTP from 118.140.15.34
30/7/2014 7:09:17.663 - Access Restriction block for scanner@***.me.uk in SMTP from 118.140.15.34
30/7/2014 8:24:06.571 - Unknown User for manager@***.me.uk in SMTP from 202.158.33.211
30/7/2014 8:24:07.117 - Access Restriction block for manager@***.me.uk in SMTP from 202.158.33.211
30/7/2014 9:01:17.063 - Unknown User for library@***.me.uk in SMTP from 212.179.214.48
30/7/2014 9:01:17.250 - Access Restriction block for library@***.me.uk in SMTP from 212.179.214.48
30/7/2014 11:31:43.660 - Unknown User for admin1@***.me.uk in SMTP from 196.46.142.79
30/7/2014 11:31:44.206 - Access Restriction block for admin1@***.me.uk in SMTP from 196.46.142.79
30/7/2014 12:56:27.100 - Unknown User for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 12:56:27.553 - Access Restriction block for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 14:43:23.657 - Unknown User for asdd in SMTP from 89.248.166.147
30/7/2014 15:28:54.083 - Unknown User for xxx in SMTP from 89.248.166.147
30/7/2014 16:17:13.176 - Unknown User for scan@***.me.uk in SMTP from 113.160.154.78
30/7/2014 16:17:13.769 - Access Restriction block for scan@***.me.uk in SMTP from 113.160.154.78
30/7/2014 16:35:00.452 - Unknown User for linux@***.me.uk in SMTP from 119.75.11.68

And that's just a v. small selection, there's also various POP3 attempts. My firewall stops a lot of things but my poor ol' mail server has to keep its head sticking above the parapet.

Back in January a config change on my part almost caused me to go over the 100GB allowance I had with my ISP at that time.

I've now fixed that change and moved to an ISP without allowances.

---
Andrue Cope
Brackley, UK

Edited by Andrue (Thu 31-Jul-14 11:32:58)
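The log excerpt above has a regular shape: each "Unknown User" probe from a source address is normally followed within a second by an "Access Restriction block" for the same address and name, and the same addresses come back hours later trying the same names. The following is an added example, not code from the thread or from the mail server in question: it parses that line format, counts probes per source address, and lists any probe that was not followed by a block (the bare "asdd" / "xxx" guesses, which carry no domain). The sample lines are constructed from the excerpt; the hostname is masked as in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the mail-server log quoted above
# (a few of the quoted lines; the masked domain is kept as the post shows it).
SAMPLE_LOG = """\
30/7/2014 1:49:59.597 - Unknown User for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 1:50:00.034 - Access Restriction block for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 3:34:19.732 - Unknown User for linux@***.me.uk in SMTP from 119.75.11.68
30/7/2014 3:34:20.216 - Access Restriction block for linux@***.me.uk in SMTP from 119.75.11.68
30/7/2014 12:56:27.100 - Unknown User for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 12:56:27.553 - Access Restriction block for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 14:43:23.657 - Unknown User for asdd in SMTP from 89.248.166.147
30/7/2014 15:28:54.083 - Unknown User for xxx in SMTP from 89.248.166.147
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<event>Unknown User|Access Restriction block) for (?P<user>\S+) "
    r"in (?P<proto>\w+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_log(text):
    """One dict per recognised line; lines in another format are skipped."""
    recs = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in text.splitlines())):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%d/%m/%Y %H:%M:%S.%f")
        recs.append(rec)
    return recs

def source_stats(text):
    """Per source IP: 'Unknown User' probe count and the names tried (repeat visitors stand out)."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for rec in parse_log(text):
        if rec["event"] == "Unknown User":
            stats[rec["ip"]]["attempts"] += 1
            stats[rec["ip"]]["users"].add(rec["user"])
    return dict(stats)

def unblocked_probes(text, window_s=2.0):
    """'Unknown User' probes not followed within window_s seconds by an 'Access Restriction
    block' for the same IP and name, i.e. guesses the restriction rules did not cover."""
    recs = parse_log(text)
    blocks = [r for r in recs if r["event"] == "Access Restriction block"]
    return [(r["ip"], r["user"]) for r in recs if r["event"] == "Unknown User"
            and not any(b["ip"] == r["ip"] and b["user"] == r["user"]
                        and 0 <= (b["ts"] - r["ts"]).total_seconds() <= window_s
                        for b in blocks)]
```

Feeding a day's log through `source_stats` gives the list of addresses worth a firewall rule; `unblocked_probes` shows which guesses slipped past the address-restriction list and only failed because the user did not exist.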

Standard User techguy (experienced) Thu 31-Jul-14 13:15:39
Re: Security [re: Andrue]

Just your firewall doing its job, nothing to worry about.

I pay a company about 11 quid a year for mail hosting as it means I don't have to have anything in a DMZ, far easier.

Virgin (ADSL) => Namesco => Newnet => O2 => Plusnet => Zen => Newnet => Zen => Freeola => Vivaciti (using O2 Wholesale DSL) => Xilo (C&W Wholesale) => Xilo (O2 Wholesale) => Xilo (TT Wholesale due to O2 Wholesale closure) => Zen LLU
Router: Billion 7800N
Note: I don't lay turf for anyone. astro or otherwise, all views and opinions expressed are my own based on experience.