Standard User crule
(newbie) Tue 29-Jul-14 16:00:51

Security

I have been monitoring the activity on my internet line using the event log on my BT series $ router. It makes interesting reading. Many dozens of times a day, stations with IP addresses which resolve to PR of China, N Vietnam and Crimea attempt to access my router. So far the firewall is holding.
Standard User caffn8me
(knowledge is power) Wed 30-Jul-14 12:00:54

Re: Security
[re: crule]

In the last few minutes I've had the following locked out by my firewall. It's quite an international gathering:

93.174.93.51 - Netherlands - server.anonymous-hosting-service.com. 
80.82.70.148 - Netherlands - hosted-by.ecatel.net.
49.206.0.110 - India - 110.0.206.49-ras.beamtele.net 
124.7.109.7 - India - segment-124-7.sify.net.
58.213.120.44 - China - no hostname
217.131.216.129 - China - no hostname
123.157.150.56 - China - no hostname
113.14.26.10 - China - no hostname
61.147.103.138 - China - no hostname
198.20.70.115 - USA - census3.shodan.io.
66.240.236.119 - USA - census6.shodan.io.
209.79.68.215 - USA - user68x215.ocde.k12.ca.us.
190.43.93.220 - Peru - no hostname
196.0.29.22 - Uganda - bandwidthmgr.utlonline.co.ug.
77.106.76.34 - Russia - user-77-106-76-34.tomtelnet.ru.
93.120.27.62 - Romania - no-rdns.free.clues.ro.
217.131.216.129 - Turkey - host-217-131-216-129.reverse.superonline.net.

That means they have probed specific trigger ports, run port or address space scans, or sent packets with disallowed IP options.

The first Netherlands server seems to be a well known offender: https://www.badips.com/info/93.174.93.51 - the second may be related as it's on the same ISP's network.

The shodan.io hits are from a search engine which seems to have been designed to help hackers - see http://en.wikipedia.org/wiki/Shodan_%28website%29

China seems to be very busy but the USA is not far behind.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Thu 31-Jul-14 01:02:59

Re: Security
[re: caffn8me]

What a difference a few hours make. Right now my firewall shows 165 hosts currently blocked. That's a massive number - including a lot of activity from the Koreans.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs



Standard User crule
(newbie) Thu 31-Jul-14 06:26:33

Re: Security
[re: caffn8me]

Yep, it's certainly dangerous out there.
Just checked again; my experience is very similar.
I guess we just have to rely on the firewall holding.
Standard User deleted
(deleted) Thu 31-Jul-14 08:42:21

Re: Security
[re: crule]

How do you know "the firewall is holding" ?
Standard User crule
(newbie) Thu 31-Jul-14 08:47:17

Re: Security
[re: deleted]

All I can see is the packets being blocked.
However, if you know more...?
Standard User Zadeks
(experienced) Thu 31-Jul-14 09:50:14

Re: Security
[re: crule]

All routers drop unsolicited traffic by design. It's nothing to worry about.

You can harden your router by disabling remote access and UPnP.
Standard User camieabz
(sensei) Thu 31-Jul-14 10:06:28

Re: Security
[re: caffn8me]

In reply to a post by caffn8me:
The shodan.io hits are from a search engine which seems to have been designed to help hackers - see http://en.wikipedia.org/wiki/Shodan_%28website%29


Some basic IT security should stop a lot of its efforts. Complex, long passwords for a start. From a web server perspective, I found that the majority of probes, script kiddies and so on get stopped by adding a half dozen key rules to the .htaccess file (I suppose the same could be done at the firewall level).
Standard User Andrue
(knowledge is power) Thu 31-Jul-14 11:30:16

Re: Security
[re: crule]

In reply to a post by crule:
I have been monitoring the activity on my internet line using the event log on my BT series $ router. It makes interesting reading. Many dozens of times a day, stations with IP addresses which resolve to PR of China, N Vietnam and Crimea attempt to access my router. So far the firewall is holding.
You should see what my email server logs show:

30/7/2014 1:49:59.597 - Unknown User for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 1:50:00.034 - Access Restriction block for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 3:34:19.732 - Unknown User for linux@***.me.uk in SMTP from 119.75.11.68
30/7/2014 3:34:20.216 - Access Restriction block for linux@***.me.uk in SMTP from 119.75.11.68
30/7/2014 4:45:41.362 - Unknown User for admin@***.me.uk in SMTP from 203.113.206.105
30/7/2014 4:45:41.986 - Access Restriction block for admin@***.me.uk in SMTP from 203.113.206.105
30/7/2014 6:23:56.628 - Unknown User for scan@***.me.uk in SMTP from 113.160.154.78
30/7/2014 6:23:57.237 - Access Restriction block for scan@***.me.uk in SMTP from 113.160.154.78
30/7/2014 6:59:50.399 - Unknown User for server@***.me.uk in SMTP from 190.189.92.132
30/7/2014 6:59:50.930 - Access Restriction block for server@***.me.uk in SMTP from 190.189.92.132
30/7/2014 7:09:17.101 - Unknown User for scanner@***.me.uk in SMTP from 118.140.15.34
30/7/2014 7:09:17.663 - Access Restriction block for scanner@***.me.uk in SMTP from 118.140.15.34
30/7/2014 8:24:06.571 - Unknown User for manager@***.me.uk in SMTP from 202.158.33.211
30/7/2014 8:24:07.117 - Access Restriction block for manager@***.me.uk in SMTP from 202.158.33.211
30/7/2014 9:01:17.063 - Unknown User for library@***.me.uk in SMTP from 212.179.214.48
30/7/2014 9:01:17.250 - Access Restriction block for library@***.me.uk in SMTP from 212.179.214.48
30/7/2014 11:31:43.660 - Unknown User for admin1@***.me.uk in SMTP from 196.46.142.79
30/7/2014 11:31:44.206 - Access Restriction block for admin1@***.me.uk in SMTP from 196.46.142.79
30/7/2014 12:56:27.100 - Unknown User for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 12:56:27.553 - Access Restriction block for guest@***.me.uk in SMTP from 223.255.191.92
30/7/2014 14:43:23.657 - Unknown User for asdd in SMTP from 89.248.166.147
30/7/2014 15:28:54.083 - Unknown User for xxx in SMTP from 89.248.166.147
30/7/2014 16:17:13.176 - Unknown User for scan@***.me.uk in SMTP from 113.160.154.78
30/7/2014 16:17:13.769 - Access Restriction block for scan@***.me.uk in SMTP from 113.160.154.78
30/7/2014 16:35:00.452 - Unknown User for linux@***.me.uk in SMTP from 119.75.11.68

And that's just a v. small selection, there's also various POP3 attempts. My firewall stops a lot of things but my poor ol' mail server has to keep its head sticking above the parapet.

Back in January a config change on my part almost caused me to go over the 100GB allowance I had with my ISP at that time.

I've now fixed that change and moved to an ISP without allowances.

---
Andrue Cope
Brackley, UK

Edited by Andrue (Thu 31-Jul-14 11:32:58)
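The log excerpt above is the kind of thing a small script can turn into a per-source summary instead of being read by eye. The following is an added example, not Andrue's own tooling or any mail server's built-in feature: it parses lines in the format quoted in the post (a hypothetical format assumption based only on those lines), counts "Unknown User" failures per source IP, records which mailbox names each source tried, and flags sources that either keep retrying or walk through several usernames, the usual sign of a dictionary-style probe. The sample lines, addresses and domain are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the format quoted in the post above.
# Addresses are documentation ranges; the domain is a placeholder.
SAMPLE_LOG = """\
30/7/2014 1:49:59.597 - Unknown User for guest@example.me.uk in SMTP from 203.0.113.10
30/7/2014 1:50:00.034 - Access Restriction block for guest@example.me.uk in SMTP from 203.0.113.10
30/7/2014 3:34:19.732 - Unknown User for linux@example.me.uk in SMTP from 198.51.100.7
30/7/2014 4:45:41.362 - Unknown User for admin@example.me.uk in SMTP from 203.0.113.10
30/7/2014 4:45:41.986 - Access Restriction block for admin@example.me.uk in SMTP from 203.0.113.10
30/7/2014 6:23:56.628 - Unknown User for scan@example.me.uk in SMTP from 203.0.113.10
30/7/2014 14:43:23.657 - Unknown User for asdd in SMTP from 192.0.2.44
30/7/2014 15:28:54.083 - Unknown User for xxx in SMTP from 192.0.2.44
30/7/2014 16:17:13.176 - Unknown User for scan@example.me.uk in SMTP from 203.0.113.10
"""

# One regex for both event types seen in the quoted log (assumed format).
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}\.\d{3}) - "
    r"(?P<event>Unknown User|Access Restriction block) for (?P<user>\S+) "
    r"in (?P<proto>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H:%M:%S.%f")
    return {"ts": ts, "event": m["event"], "user": m["user"],
            "proto": m["proto"], "ip": m["ip"]}


def summarise(lines):
    """Aggregate 'Unknown User' failures per source IP.

    The 'Access Restriction block' lines are the server's reaction, not a new
    attempt, so they are skipped to avoid double counting.
    """
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "Unknown User":
            continue
        s = per_ip.setdefault(rec["ip"], {"attempts": 0, "users": set(),
                                          "first": rec["ts"], "last": rec["ts"]})
        s["attempts"] += 1
        s["users"].add(rec["user"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return per_ip


def flag_sources(per_ip, min_attempts=3, min_distinct_users=2):
    """Return [(ip, [reasons])] for sources that look like probing.

    Thresholds are illustrative; tune them to the real volume of legitimate
    typos you see on your own server.
    """
    flagged = []
    for ip, s in per_ip.items():
        reasons = []
        if s["attempts"] >= min_attempts:
            reasons.append(f"{s['attempts']} failed logins")
        if len(s["users"]) >= min_distinct_users:
            reasons.append(f"{len(s['users'])} distinct usernames tried")
        if reasons:
            flagged.append((ip, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for ip, reasons in flag_sources(summary):
        window = f"{summary[ip]['first']:%H:%M} to {summary[ip]['last']:%H:%M}"
        print(f"{ip}: {'; '.join(reasons)} ({window})")
```

Run against a real log the same way (`summarise(open(path))`), and feed the flagged addresses to whatever blocking mechanism the server or firewall already has; the point of separating `summarise` from `flag_sources` is that the thresholds can be adjusted without re-parsing.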

Standard User techguy
(experienced) Thu 31-Jul-14 13:15:39

Re: Security
[re: Andrue]

Just your firewall doing its job, nothing to worry about.

I pay a company about 11 quid a year for mail hosting as it means I don't have to have anything in a DMZ, far easier.

Virgin (ADSL) => Namesco => Newnet => O2 => Plusnet => Zen => Newnet => Zen => Freeola => Vivaciti (using O2 Wholesale DSL) => Xilo (C&W Wholesale) => Xilo (O2 Wholesale) => Xilo (TT Wholesale due to O2 Wholesale closure) => Zen LLU
Router: Billion 7800N
Note: I don't lay turf for anyone. astro or otherwise, all views and opinions expressed are my own based on experience.
Standard User Oliver341
(eat-sleep-adslguide) Thu 31-Jul-14 14:13:15

Re: Security
[re: techguy]

In reply to a post by techguy:
I pay a company about 11 quid a year for mail hosting as it means I don't have to have anything in a DMZ, far easier.

A DMZ shouldn't be involved at all for hosting a mail server, just maybe one or two ports forwarded.

Oliver.
Standard User Andrue
(knowledge is power) Thu 31-Jul-14 15:30:17

Re: Security
[re: Oliver341]

In reply to a post by Oliver341:
In reply to a post by techguy:
I pay a company about 11 quid a year for mail hosting as it means I don't have to have anything in a DMZ, far easier.

A DMZ shouldn't be involved at all for hosting a mail server, just maybe one or two ports forwarded.
Indeed, 25 and 110 at a minimum. Others may be useful.

---
Andrue Cope
Brackley, UK
Standard User Oliver341
(eat-sleep-adslguide) Thu 31-Jul-14 16:26:15

Re: Security
[re: Andrue]

In reply to a post by Andrue:
Indeed, 25 and 110 at a minimum. Others may be useful.

If POP3 access is intended to be exclusively from within the LAN, even port 110 (or 995 for POP3 SSL) may not be required to be forwarded.

Oliver.
Standard User ukwiz
(fountain of knowledge) Thu 31-Jul-14 17:24:39

Re: Security
[re: deleted]

In reply to a post by BatBoy:
How do you know "the firewall is holding" ?

Perhaps by the fact that internal firewalls are not being hit?

David

BT (poor) -> Zen (excellent) -> O2 (started well, went downhill) -> IDNet (No complaints - but 100GB cap) -> Zen (unlimited - but no ipv6)
Standard User crule
(newbie) Sat 02-Aug-14 07:47:15

Re: Security
[re: ukwiz]

I found an interesting link which shows threats in real time.
The link is

http://map.ipviking.com
Standard User caffn8me
(knowledge is power) Sat 02-Aug-14 08:15:29

Re: Security
[re: Andrue]

In reply to a post by Andrue:
You should see what my email server logs show:
My highlight of yesterday was a sustained SMTP flood originating from Vietnam. Needless to say, I've now blocked the originating netblock permanently.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User caffn8me
(knowledge is power) Sat 02-Aug-14 08:22:07

Re: Security
[re: crule]

In reply to a post by crule:
I found an interesting link which shows threats in real time.
The link is

http://map.ipviking.com
It's interesting to see that SSH attacks are the most prevalent. I suspect this is only the case since the Heartbleed bug.

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User PaulKirby
(learned) Sat 02-Aug-14 09:43:24

Re: Security
[re: crule]

In reply to a post by crule:
I found an interesting link which shows threats in real time.
The link is

http://map.ipviking.com

I was watching that page for about 20 mins. Man, China hates the US, LOL. Massive burst attacks even slowed my browser down; it did about 1200 attacks at once.
That page reminds me of Wargames: "How about a nice game of Chess?"
Standard User camieabz
(sensei) Sat 02-Aug-14 09:44:11

Re: Security
[re: crule]

Good link, but the current Canadian happenings are making up 2/3rds of things (Canada attacking Canada on ha-cluster). This is slowing down the page, I think.
Standard User PaulKirby
(learned) Sat 02-Aug-14 09:46:25

Re: Security
[re: camieabz]

The attack on USA from China did it for me.
However Canada was in second place when I was watching it.
Standard User camieabz
(sensei) Sat 02-Aug-14 09:56:32

Re: Security
[re: PaulKirby]

I see what you mean. I thought that Canada was the busy place, but it was a lull from China at the time.

It's good to see that the UK doesn't feature highly in either list, if ever on the attacker list.
Standard User camieabz
(sensei) Sat 02-Aug-14 10:03:50

Re: Security
[re: crule]

By the way, it was very slow for me in Firefox. I saw the "Too slow? Try Chrome." message, gave it a whirl, and it is very fast. Designed for Chrome, it seems.
Standard User PaulKirby
(learned) Sat 02-Aug-14 12:13:16

Re: Security
[re: camieabz]

In reply to a post by camieabz:
I see what you mean. I thought that Canada was the busy place, but it was a lull from China at the time.
LOL, I was looking for the Fire Nukes Button, you know, the BIG RED one.


In reply to a post by camieabz:
It's good to see that the UK doesn't feature highly in either list, if ever on the attacker list.
Yeah, I never saw any from the UK, and we only got 5 sent to us.