XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
All times are UTC - 8 hours




Post new topic Reply to topic  [ 16 posts ] 
 Post subject: Is this normal?
PostPosted: Wed Sep 28, 2016 8:28 am 

Joined: Mon Sep 14, 2009 8:51 pm
Posts: 426
Location: Minnesota, USA
I was just poking around in my router utilities because, surprise, surprise, I am having problems with CenturyLink service dropping both my phone and Internet several times per hour. Anyway, I noticed the below in system logs (DST removed). That's just part of it. Is somebody really trying to penetrate my system every couple of seconds (note, the 1 hour jump in time at the top is because I reset the modem time zone)?

DATE TIME SYSTEM ACTION
09/28/2016 11:22:39 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=195.191.166.11 DST= PROTO=UDP SPT=53 DPT=7212
09/28/2016 11:22:06 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=179.198.151.238 DST= PROTO=TCP SPT=50474 DPT=23
09/28/2016 10:19:56 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=46.1.42.144 DST= PROTO=TCP SPT=30476 DPT=2323
09/28/2016 10:19:50 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=201.131.180.106 DST= PROTO=TCP SPT=34877 DPT=23
09/28/2016 10:19:34 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=104.16.27.235 DST= PROTO=TCP SPT=80 DPT=59972
09/28/2016 10:19:32 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=72.21.91.66 DST= PROTO=TCP SPT=80 DPT=59971
09/28/2016 10:19:31 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=31.13.69.203 DST= PROTO=TCP SPT=80 DPT=59965
09/28/2016 10:19:31 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=216.58.192.206 DST= PROTO=TCP SPT=80 DPT=59967
09/28/2016 10:19:29 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=104.16.26.235 DST= PROTO=TCP SPT=80 DPT=59973
09/28/2016 10:19:17 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=154.16.199.242 DST= PROTO=TCP SPT=44953 DPT=22
09/28/2016 10:17:28 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=175.136.226.249 DST= PROTO=TCP SPT=12650 DPT=2323
09/28/2016 10:16:14 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=190.190.236.142 DST= PROTO=TCP SPT=30055 DPT=23

I looked up a later IP using Lookup and it reported a computer in .CN which I presume means the Chinese are trying to hack me.


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 9:17 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14367
What all sharing do you have enabled?

On 104.16.27.235… OrgAbuseEmail: abuse@cloudflare.com

Look up others here…

http://ip-lookup.net/index.php


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 10:45 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9180
Location: Caught between the moon and NYC
More than likely they're trying to talk to any IoT devices on your network that have opened port forwards to the outside world, like baby cameras, security cameras, TVs, DVRs... fridges. If it's on your network and gets an IP address, it could possibly be a target for them. They also seem to be targeting misconfigured routers that have an open port for the outside world to talk to it (sadly this includes a lot of ISP equipment).

The port and packet types are listed, most of them are either HTTP or Telnet connections, or at least are attempting to masquerade as them. Some are DNS.

The only thing you could possibly do is block Chinese IPs from connecting to the device, which is normally impossible with ISP equipment.

The connections are terminating at the router itself, which is why there's no OUT= listed.

It's not unusual in this day and age... if you have a public IP address you will have funny packets sent your way. The trick is to limit their ability to get into your network (e.g. port forwards, remote administration).

Look at it this way. With IPv6 instead of ending at the firewall they'd be talking directly to each and every IPv6 device on your network, at least given the state of consumer IPv6 firewalls today. So you need a software firewall running on each device on the network, and work out what firewall rules make sense for your environment, while still keeping them at bay. Oh and did I mention that most IoT devices don't have any meaningful firewall?


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 12:09 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
Speaking of the hacking of IoT devices, massive DDoS of Krebs taking him offline for days, made possible by a huge IoT botnet.

https://krebsonsecurity.com/2016/09/the ... ensorship/

And this latest, "...reached nearly 1 Tbps at its peak"

http://hothardware.com/news/latest-iot- ... per-second


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 12:29 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9180
Location: Caught between the moon and NYC
Port 2323 can be thought of as a "secret" port for Telnet, kind of like 8080 is for http. Neither is actually secret at all, but some silly people once thought a different port made it secure, because who's going to port scan the entire internet... :lol:


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 2:22 pm 

Joined: Mon Sep 14, 2009 8:51 pm
Posts: 426
Location: Minnesota, USA
The only things on my network are my MacBook Mavericks, my G4 Tiger, a printer, all going through a wired Ethernet hub through the house air return vent to the router downstairs. It's just every few seconds, 24/7 as far as I can tell. That's a bit much. :(

My router does have Service Blocking, Website Blocking, and I can configure when it is on and off.

"Service Blocking Service blocking provides the ability to block specific Internet services per device." - includes Telnet, FTP, and a long list of others, but from what I can tell it is only really controlling things once they get through, not to ignore what is knocking at the door.

I guess I could tell it to block connections in the wee hours of the morning.

The only thing I have shared is one read-only folder on my G4 which I read from my MacBook.


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 2:50 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9180
Location: Caught between the moon and NYC
Things on the interior of your network shouldn't be accessible from the outside world due to NAT. The exception would be IPv6 which could (and probably would) make it through the router.

Unfortunately everyone gets portscanned all the time and the IPs in use will change as one group moves on to scanning different parts of the internet and others make their way around to your part. The only way to be safe from portscans is to not open up any ports on your router that get redirected to ports on your local systems. UPnP and NAT-PMP do this automagically for apps that would like this kind of access, but most of the time those apps work w/o port forwarding, though occasionally with diminished capacity or functionality. Not to mention hope and pray that the router manufacturer doesn't have any undocumented ports open (most don't) to the router itself.

Obviously if malware gets into your network then all bets are off because at that point it's going to be systems inside your network making connections to the outside world, which is normal activity. Can't browse the internet without making a connection.


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 5:43 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5807
Location: NYC
You can check for open ports on your router with Gibson's ShieldsUp

https://www.grc.com/x/ne.dll?bh0bkyd2


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 6:43 pm 

Joined: Mon Sep 14, 2009 8:51 pm
Posts: 426
Location: Minnesota, USA
The Gibson site showed no open ports. The computer did "fail" the port response and solicited TCP parts of the TrueStealth test, but I don't see any way to disable those responding in the router configuration menu. My computer's firewall is also on but disabling port response in the settings didn't affect the Gibson test so I changed the setting back.


 Post subject: Re: Is this normal?
PostPosted: Wed Sep 28, 2016 9:27 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9593
Location: North of the State of Jefferson
Your router blocked the connection attempts, and even if it hadn't, it probably has nowhere to route them inside your network (that is, you likely have nothing listening on any of those ports -- and that will probably remain true until/unless you get some kind of "Internet of Things" <shudder>device), so I'd say everything is fine. The Internet is absolutely deluged with this kind of activity and there's nothing to do about it if you don't have anything for the miscreants/unfriendly governments/security researchers/etc. to connect to.

It's also worth observing that while good IPv6 firewalls are rare in household-grade routers, to connect to an IPv6 device you have to pretty much know the IPv6 address ahead of time, which in practice requires the miscreants/etc to have observed traffic from the device* (because there are too many IPv6 addresses to try them all scattershot, unlike the way you can scan the entire IPv4 Internet in an afternoon).

At any rate, carry on. There's no cause for alarm let alone any kind of action.

- Anonymous

* Yes there are other caveats and corner cases, but I don't think they're relevant to most people.


 Post subject: Re: Is this normal?
PostPosted: Thu Sep 29, 2016 4:20 am 

Joined: Mon Sep 14, 2009 8:51 pm
Posts: 426
Location: Minnesota, USA
My router Advanced Setup does have this (selected features underlined or see comments in [ ]):

-------------
IPv4 Firewall
Activating the firewall is optional. When the firewall is activated, security is enhanced, but some network functionality will be lost.

1. Set the stealth mode state.
Stealth Mode: Enabled Disabled

2. Select the IP address or IP addressing type to which the firewall rules should apply.
Addressing Type: All Private IP Addresses

3. Select the Firewall Security Level.
Security Level: Low [medium/high/disabled]

Create Rule

4. Set the firewall table below. Services checked are allowed. (optional) [ Currently Traffic In Traffic Out are checked for all of these except not Traffic In for Windows Messaging and Windows Service ]
Service Service Type Service Port
DirectX Multimedia Control 2300-2400 TCP/UDP, 47624 TCP, 6073 UDP
DirecTV1 Multimedia Control 27161-27163 TCP
DirecTV2 Multimedia Control 27161-27163 TCP
DirecTV3 Multimedia Control 27161-27163 TCP
DNS Domain Name System 53 UDP
DNSCenturyLink Domain Name System Port 53 to/from CenturyLink anycast addresses 205.171.3.65 205.171.2.65
FTP File Transfer 20 TCP, 21 TCP
FTPS Secure File Transfer 990 TCP
Gamespy Gaming Service 12300 UDP, 27900 UDP, 28900 TCP, 23000-23900 UDP
Gmail Mail Service Incoming 993, Outgoing 465
H.323 Video 1720 TCP
HTTP Web Service 80 TCP
HTTPS Secure Web Service 443 TCP
ICMP Echo Request Type 0
ICMP Echo Reply Type 8
ICMP TTL Expire Type 11 0 – time to live exceeded 1 – fragment reassembly time exceeded
ICMP Trace route Type – 30 Trace route by Windows
IMAP Mail Service 143 TCP
IMAPS Mail Service 993 TCP
IPP Remote Printing 631 TCP
IPSEC VPN Service 50 TCP, 51-500 UDP
IRC Chat Service 113 TCP, 194 TCP, 1024-1034 TCP, 6661-7000 TCP
L2TP VPN Service 1701 UDP
MSN Gaming Gaming Service 28800-29100 TCP/ UDP
MySQL Database Management 3306 TCP
Napster 6702 TCP
NNTP Newsgroup 119 TCP
NTP Network Time 123 TCP
Oracle SQL Database Management 66 TCP, 1525 TCP
PC Anywhere Remote Management 66 TCP, 1525 TCP, 5631 TCP/ UDP, 5532 TCP/ UDP
PPTP VPN Service All GRE, 1723 TCP
POP3 Mail Service 110 TCP
POP3S Secure Mail Service 995 TCP
PS2 / PS3 Gaming Console 4658 TCP/ UDP, 4659 TCP/ UDP
RIP Web Service 520 UDP
REAL A/V Audio/ Video 7070 TCP, 6970-7170 UDP
Real Server/ Quick Time Audio/ Video 7070 TCP, 6970-7170 UDP
RTP 16384 - 16482 TCP
SFTP Secure File Transfer 22 TCP, 115 TCP
SIP Session Control 5060 TCP/ UDP, 5063 TCP/ UDP
SlingBox Audio/Video 5001 TCP
SMTP Mail Service 25 TCP
SQL Database Management 1433 TCP
SSH Secure Remote Management 22 TCP
T120 Conferencing Service 1503 TCP
Telnet Remote Management 23 TCP
VNC Remote Management 5500 TCP, 5800 TCP, 5801 TCP, 5900 TCP, 5901 TCP
Windows Messaging 1024 - 1030 TCP
Windows Service 135 - 139 TCP, 445 TCP, 1434 TCP
XBox Gaming Console 53 TCP/ UDP, 88 UDP, 3074 TCP/ UDP
Xbox 360 #2 Gaming Console 15980 TCP
Xbox 360 #3 Gaming Console 24687 TCP/ UDP
Xbox 360 Kinect Gaming Console 1863 TCP/ UDP
Yahoo Messenger with Client Directory Chat Service 500-5010 TCP, 5050 TCP, 5100 TCP, 6600-6699 TCP
All Other Ports All ports except the ports noted in the applications above All Undefined Ports
-----------

It also has:

------------
IPv6 Firewall Activating the firewall is optional. When the firewall is activated, security is enhanced, but some network functionality will be lost.

1. Set the stealth mode state.
Stealth Mode: Enabled Disabled

2. Set the firewall state.
Firewall: Enabled Disabled

3. Set the firewall traffic states below.
Traffic In: Allow Block
Traffic Out: Allow Block
------------

Q. Should I change the security level on the IPv4 to anything higher?

Q. Should I turn on stealth mode for these two?

Q. There's a ton of options in the IPv4 settings #4, some of which I know I don't use such as XBox and other game and TV things. Is there any advantage to disabling those?


 Post subject: Re: Is this normal?
PostPosted: Thu Sep 29, 2016 12:13 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9180
Location: Caught between the moon and NYC
Stealth mode just means it doesn't return any response if a port is closed or you ping the router. It ultimately does nothing for security because the open ports are still open and those are what you should concentrate on. Attackers no longer scan a few random ports to check if a system is online and then move on, they scan every single port from every single IP whether it responds or not, making stealth mode essentially worthless. Enabling it or disabling it won't make a bit of difference.

As for what the firewall settings (low, medium, etc.) does I'd have to read the manual for your unit (and sorry if you've mentioned it before). I would guess low allows all traffic through and high allows only defined traffic through (stuff defined in 4), but you've got me on medium.


 Post subject: Re: Is this normal?
PostPosted: Thu Sep 29, 2016 12:58 pm 

Joined: Mon Sep 14, 2009 8:51 pm
Posts: 426
Location: Minnesota, USA
Apparently CL-Technicolor never published a manual for this router. :nothappy: There's an online watered-down version at http://internethelp.centurylink.com/int ... ewall.html They don't say what the level settings do for the Firewall but when I selected "medium" a bunch of check marks for the "in traffic" selection next to a bunch of lines disappeared so I guess that's what they do. Any recommendations for settings or should I just take a try it and see approach?

As I said earlier, that Shields web site didn't see any open ports from me. I did try the stealth setting for IPv4 and the Shields site gave a perfect score but if you say it doesn't really help any then no matter about stealth.


 Post subject: Re: Is this normal?
PostPosted: Thu Sep 29, 2016 2:30 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9180
Location: Caught between the moon and NYC
Yeah, without a manual you're stuck with a try it and see if you can live with it.

I'd say you're in a good boat right now, nobody on the outside world can talk in.


 Post subject: Re: Is this normal?
PostPosted: Thu Sep 29, 2016 5:03 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9593
Location: North of the State of Jefferson
Household-grade network devices, as a rule, have useless firewalls that tend to only break innocent traffic. In your case, most of your security will come as a side effect of network address translation (NAT), that is, having a private network created by the router that requires explicit translation of network addresses to move data between the public <---> private sides of the router. NAT is usually used to allow many private IP addresses, hence many devices, to communicate through just a single public IP address.

That may sound kind of technical, but it boils down to the router having no way to forward data unless there's already some kind of rule to get it to the right place. That rule is usually that you've requested the data from inside your network.

That's strictly different than a firewall. A firewall behaves explicitly by dropping or rejecting data that do/don't match specific rules. You can have a firewall without NAT, but normal NAT behaves like an implicit firewall. That's also why IPv6 feels like a hole: since there are so many IP addresses in an IPv6 network, there's no need for NAT's one-to-many behavior, so it's not used on IPv6 networks, but since there's no translation of network addresses from public to private network and back again, incoming data aren't inherently blocked. So for IPv6 you may well want an honest to God firewall.

On the other hand, most computer intrusion these days (at least against normal computers, as opposed to "Internet of Things" <shudder> devices) is probably not from exploiting open services: it's from malicious software installed by out of date Flash plugins, Java applets, browser holes, broken BitTorrent clients, maliciously crafted text messages and so forth...none of which a conventional firewall will protect you against in the least.

To illustrate, my computer at home has several open ports exposed directly to the Internet, including SSH which allows someone to log in to a command prompt remotely. I do, however, have adequate confidence that the SSH server and my account are sufficiently secure that I don't worry about it. I block the most concerted attacks simply to keep my logs tidy. At work my computer has a public IP address and no significant firewall. As long as I'm not running a vulnerable service, this is not a security problem.

I wouldn't bother changing any of your router's settings.

- Anonymous
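To make the NAT-as-implicit-firewall point in the post above concrete, here is a toy model added as an example; it is not code from any poster or from the router vendor, and it also illustrates the earlier remark that a port forward is exactly the hole that lets an outside probe reach a device inside. The router creates a connection-table entry only when a LAN host sends a packet out, translates an inbound packet only when it matches such an entry or a configured port forward, and otherwise drops it and records a line in the format of the opening post's log. The public address, the LAN hosts, the remote hosts and the "camera" forward on port 23 are all constructed values; real NAT implementations also age entries out, which is omitted here.

```python
"""Toy model of how a NAT router's connection table behaves like an implicit firewall."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"  # constructed WAN address (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    spt: int
    dst: str
    dpt: int


class NatRouter:
    """Source NAT with a per-connection port mapping, plus optional static port forwards."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public port used for it
        self.outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port) to deliver to
        self.inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # (proto, public_port) -> (lan_ip, lan_port): the user-configured holes
        self.port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.dropped: List[str] = []  # log lines for packets with nowhere to go

    def add_port_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int) -> None:
        self.port_forwards[(proto, public_port)] = (lan_ip, lan_port)

    def send_out(self, pkt: Packet) -> Packet:
        """LAN -> WAN: create (or reuse) a mapping and rewrite the source to the public address."""
        key = (pkt.proto, pkt.src, pkt.spt, pkt.dst, pkt.dpt)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            # The reverse entry is what lets the reply, and only the reply, come back in.
            self.inbound[(pkt.proto, public_port, pkt.dst, pkt.dpt)] = (pkt.src, pkt.spt)
        return Packet(pkt.proto, self.public_ip, self.outbound[key], pkt.dst, pkt.dpt)

    def receive_in(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only if a connection entry or a port forward says where; else drop."""
        target = self.inbound.get((pkt.proto, pkt.dpt, pkt.src, pkt.spt))
        if target is None:
            target = self.port_forwards.get((pkt.proto, pkt.dpt))
        if target is None:
            # Same shape as the router log in the opening post: no OUT= because it went nowhere.
            self.dropped.append(
                f"Firewall Intrusion -> IN=ppp0.1 OUT= SRC={pkt.src} DST= "
                f"PROTO={pkt.proto} SPT={pkt.spt} DPT={pkt.dpt}"
            )
            return None
        lan_ip, lan_port = target
        return Packet(pkt.proto, pkt.src, pkt.spt, lan_ip, lan_port)


def demo() -> dict:
    """Walk through a web request, its reply, a stale reply, and a Telnet probe before/after a forward."""
    router = NatRouter(PUBLIC_IP)
    # A LAN host (constructed) fetches a page: the router records the connection.
    request = router.send_out(Packet("TCP", "192.168.0.20", 51000, "198.51.100.5", 80))
    # The server's reply matches the entry and is delivered to the LAN host.
    reply = router.receive_in(Packet("TCP", "198.51.100.5", 80, PUBLIC_IP, request.spt))
    # A reply to a public port with no entry (e.g. an expired one) is dropped and logged,
    # which is what the SPT=80 lines in the opening post look like.
    stale = router.receive_in(Packet("TCP", "198.51.100.5", 80, PUBLIC_IP, 59972))
    # An unsolicited Telnet knock (constructed scanner address) has nowhere to go.
    probe = Packet("TCP", "192.0.2.77", 34877, PUBLIC_IP, 23)
    probe_before = router.receive_in(probe)
    # Forwarding port 23 to a hypothetical camera turns the same knock into delivered traffic.
    router.add_port_forward("TCP", 23, "192.168.0.30", 23)
    probe_after = router.receive_in(probe)
    return {"request": request, "reply": reply, "stale": stale,
            "probe_before": probe_before, "probe_after": probe_after, "log": list(router.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway matches the post: nothing in this model is a firewall rule, yet every unsolicited inbound packet is discarded simply because no translation exists for it, and the only way to change that is to create one deliberately (a port forward) or to have an inside host start the conversation.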


 Post subject: Re: Is this normal?
PostPosted: Thu Sep 29, 2016 8:19 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9180
Location: Caught between the moon and NYC
I believe his firewall would block outbound connections on high except for those specifically defined under firewall settings. This is certainly problematic unless of course you go through the trouble of defining all the outbound traffic.

On the other hand this still wouldn't protect you if the malware gets into one of the internal systems, since it will connect to a web server or mimic a connection to a web server and get through that way (e.g. port 80 tcp), possibly https (port 443 tcp) if they want to encrypt the traffic.

