Standard User meditator
(fountain of knowledge) Sun 27-May-12 00:22:17

Are these 'hacking' attempts any cause for concern?


 
The situation is that I've installed a new ADSL router (Billion 7800) and am finding that after just a couple of days I've accumulated 'hacking' attempts of the following sort in the router's Firewall Log:

<Date, time> home user info kernel:HackAttack [SPI illegal connection state attack]
ICMP packer from [ppp_0_0_38_1] <non-LAN IP address> to <My WAN address>


The non-LAN IP Address has changed with time. Over about 2 days I've had about 10 occurrences of these.

Are these logs any cause for concern? Or are they simply some sort of Internet-based scanner attempts on my WAN address?

In the configuration of the 7800 I do have Intrusion Detection enabled, so perhaps this list has resulted because of that? Is it perhaps of no great use to enable Intrusion Detection?

I'm presuming that, as long as I keep NAT enabled, hackers will be unable to reach my LAN, or even detect the presence of my router. Is that the case? I've also disabled WAN Ping.
Standard User camieabz
(sensei) Sun 27-May-12 00:40:36

Re: Are these 'hacking' attempts any cause for concern?


[re: meditator]
 
In reply to a post by meditator:
Are these logs any cause for concern? Or are they simply some sort of Internet-based scanner attempts on my WAN address?

In the configuration of the 7800 I do have Intrusion Detection enabled, so perhaps this list has resulted because of that? Is it perhaps of no great use to enable Intrusion Detection?

I'm presuming that, as long as I keep NAT enabled, hackers will be unable to reach my LAN, or even detect the presence of my router. Is that the case? I've also disabled WAN Ping.


On the first point, my instinct is the latter, but monitor the numbers and see if they rise at all or drop off completely. Dramatic fluctuations might (not do) indicate targeting of your WAN IP.

What do you need intrusion detection for? If it's just for seeing the attacks, and you can't or won't do anything about the attacks, then from a certain point of view, IDS is pointless. However, if you were running a server or remote NAS from the router, it might be worth keeping for stats, so you might spot changing volumes of attacks (then you're into the realms of what would you do about it?). If your IDS is capable of blocking attacks, then that's different.

With NAT on it will be far more difficult for any form of unsolicited connection to get through (I never say impossible, because nothing is 100% secure). However, anything you establish is opening up the network to nasties. Visiting dodgy sites with trojans or worms will still be of risk, since you are making the connection.

With the WAN ping down, it won't respond to ICMP requests, so will be hiding. However, you'll need said requests if the TBB ping tool is to be used.

Personally I use a NAT router, and a software firewall / AV program. Belt and braces.

~ Camieabz ~

All Connection Data ~ plusnet

mod'er·a'tion n.
Synonyms: temperance, restraint, modesty.
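
Added example, not part of the thread or of any poster's reply: one way to do the monitoring suggested above, tallying the router's HackAttack entries per day and per source so that a rise in volume or a single persistent source stands out from background scanning. The timestamp layout, the sample addresses, the thresholds and all function names are assumptions; only the message text comes from the log entry quoted in the first post.

```python
import re
from collections import Counter
from statistics import median

# Message text follows the entry quoted in the thread; the timestamp layout
# ("May 25 03:00:00") is an assumption, since the post elides date and time.
ENTRY = re.compile(
    r"(?P<day>[A-Z][a-z]{2} +\d{1,2}) (?P<time>[\d:]{8}) .*?kernel:HackAttack "
    r"\[(?P<kind>[^\]]+)\]\s+(?P<proto>\w+) packe[rt] from \[(?P<iface>[^\]]+)\] "
    r"(?P<src>\S+) to (?P<dst>\S+)")

# Constructed sample data: addresses are from the RFC 5737 documentation ranges.
TEMPLATE = ("{day} 03:{n:02d}:00 home user info kernel:HackAttack "
            "[SPI illegal connection state attack]\n"
            "ICMP packer from [ppp_0_0_38_1] {src} to 203.0.113.20\n")
CONSTRUCTED = [
    ("May 25", ["198.51.100.7", "198.51.100.9"]),
    ("May 26", ["192.0.2.44", "198.51.100.7", "192.0.2.61"]),
    ("May 27", ["192.0.2.80"] * 9 + ["198.51.100.7"]),
]
SAMPLE_LOG = "".join(TEMPLATE.format(day=d, n=i, src=s)
                     for d, srcs in CONSTRUCTED for i, s in enumerate(srcs))

def parse_entries(text):
    """Return one dict per HackAttack entry (wrapped or single-line form)."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def daily_counts(entries):
    """Entries per day, in order of first appearance in the log."""
    return Counter(e["day"] for e in entries)

def spike_days(counts, factor=3):
    """Days whose count is at least `factor` times the median day."""
    if not counts:
        return []
    base = median(counts.values())
    return [day for day, n in counts.items() if n >= factor * base]

def repeat_sources(entries, min_hits=3):
    """Sources seen at least `min_hits` times; one-off scanners drop out."""
    hits = Counter(e["src"] for e in entries)
    return {src: n for src, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    counts = daily_counts(entries)
    print("per day:", dict(counts))
    print("spike days:", spike_days(counts))
    print("repeat sources:", repeat_sources(entries))
```

A steady handful of entries from ever-changing sources matches the background scanning described in the thread; a flagged day or a source that keeps returning is the kind of fluctuation worth a closer look.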
Standard User camieabz
(sensei) Sun 27-May-12 01:01:49

Re: Are these 'hacking' attempts any cause for concern?


[re: meditator]
 
On a side note, I suggest that you change the admin login details if possible, disable any default logins, such as guest, engineer, remote or similar, and assign a long, complicated password for access. Too many people leave the default router access stuff in place. It's an open door for opportunists.

~ Camieabz ~


Standard User meditator
(fountain of knowledge) Sun 27-May-12 11:10:57

Re: Are these 'hacking' attempts any cause for concern?


[re: camieabz]
 
Yeh, I agree with what you state above, camieabz. However, with your additional reply there, I've mixed feelings about the effectiveness of login/passwords for access to, say, the router's GUI. By definition, the login/password can only be something that's used from the LAN side - at least, I think that's the case - so if an external agent, i.e. from the Internet, is somehow able to use the login/password, then surely that implies that that agent has already got past the NAT, the software firewall and other protective measures and is firmly embedded in the computer(s)? Some form of spyware, for instance. That being so, it's my contention that having a unique login/password probably isn't going to help in that kind of situation. It'd be locking the stable door after the horse has bolted. Of course, it'd be a different consideration if, in the home or commercial environment, there are several different users around and you merely want to protect settings from being seen or tampered with by unauthorised individuals or children. That, I believe, is first and foremost the reason for the provision of the router's login/password. Incidentally, I do normally use logins/passwords, it's just that I don't regard them as providing that much better security than any defaults, except in the latter administrative case. Anyway, camieabz, I don't want to get into a big discussion about logins/passwords, as this topic is instead supposed to be about external scanners and the like.
Moderator billford
(moderator) Sun 27-May-12 11:35:38

Re: Are these 'hacking' attempts any cause for concern?


[re: meditator]
 
In reply to a post by meditator:
By definition, the login/password can only be something that's used from the LAN side
On the 7800N remote access can be enabled, with time and IP limits (Advanced => Configuration => Advanced => Remote Access) but by default it's disabled.

Re the hacking attempts in your OP- I get a lot of them too, as do many other people. Try Googling for ICMP packer.

I just ignore them.

Bill

Edited by billford (Sun 27-May-12 11:36:57)

The author of the above post is a thinkbroadband moderator but it does not constitute an official statement on behalf of thinkbroadband.
Standard User flippery
(learned) Sun 27-May-12 11:36:14

Re: Are these 'hacking' attempts any cause for concern?


[re: meditator]
 
Do not think these are a cause for concern, provided you have taken normal measures on router. As mentioned previously, probably automated from an accessed website.
I reset security log on router, after 3 attempts in old log, nothing since.
Standard User Pipexer
(eat-sleep-adslguide) Sun 27-May-12 12:30:33
Print Post

Re: Are these 'hacking' attempts any cause for concern?


[re: meditator]
 
Changing the login for your router is always a good idea.

If you have wireless enabled, let's say someone cracks the password, they can then login to your router and export the config, which usually has your username and password in plain text, which is often also the login to your webmail, so they could then potentially gain access to your email. Or they could mess with the settings on the router to stop it working properly - denial of service.

Anyway, regarding the firewall logs, I wouldn't worry, probably a false positive or some automated port scan attempt. I don't even have the firewall enabled on my router.

Zen 8000 Pro
Standard User meditator
(fountain of knowledge) Sun 27-May-12 13:29:42

Re: Are these 'hacking' attempts any cause for concern?


[re: Pipexer]
 
Pipexer, you've rather missed the fact that it's the non-wireless version of this model that I've got. So there's no possible potential for the cracking of any wireless password. The only external attack on my setup that could take place is one that'd come down the wire-pair from the exchange, straight to the router and thence the rest of my system.

Edited by meditator (Sun 27-May-12 13:34:00)

Standard User Pipexer
(eat-sleep-adslguide) Sun 27-May-12 14:05:27

Re: Are these 'hacking' attempts any cause for concern?


[re: meditator]
 
Just change the password, there's no reason to leave it as the default. There are also known exploits where the router is tricked into thinking the connection is coming from the LAN rather than the internet. The code of router firmware is not as heavily scrutinized as your friendly enterprise class Cisco router so it's good practice to get it changed to something non-standard.

Zen 8000 Pro
Standard User nredwood
(eat-sleep-adslguide) Tue 29-May-12 19:46:05

Re: Are these 'hacking' attempts any cause for concern?


[re: camieabz]
 
Will likely be IDS kicking in as a result of what is fairly normal Internet activity

As long as you have changed from the default router admin password, you are safe

Be* Unlimited