Security Logs

I have been looking through the logs generated by my access-lists to see what traffic has been blocked, and I have noticed a few things that concern me and would like some suggestions on what I should do about it. I consistently see the same IP addresses trying to connect to ports 80, 22 and 42 on a few of my public devices. What, if anything, can/should I do about this? I am looking for additional security measures as well as legal recourses.
1 Solution
Post your log here.
I am always a little cautious about such things. The internet is a very public place with lots of junk traffic and machines that are hacked/breached and spreading viruses which blindly scan anything and everything. It's not unusual to see this kind of stuff.

In most cases, unless you are a high-profile company or organisation, these things tend to be some other person's machine infected with a virus or taken over to scan for other vulnerable devices. You should give the owners a chance to look into it first. To that end, look up who has been allocated that IP and, if they have contacts listed, I suggest you raise it with them directly; failing that, send a portion of your logs and complain to their ISP. You are blocking the traffic, so you are not in any danger while you wait for a response.

If you suspect this is a genuine attack, you'll need more info.

You need to work out if this is a targeted attack or if it's just part of the general noise that is constantly out there. To that end I suggest you install an IDS (e.g. Snort is free) and monitor what it is they are trying to do on those ports, and keep an eye on it. If you decide to pursue it legally, you will need detailed logs. Your access-list logs won't help much in understanding what they are doing or if the source has been spoofed, so a more detailed log is required. You should also consider enabling logging on your target devices (if they exist) and, of course, you need to make sure the source is not being spoofed.

Two things you learn in security:
Never assume something is a hacking attempt.
Never assume something is not a hacking attempt.

This sounds stupid, but in your case these could be legitimate attempts by people to find web servers, for instance. SSH has had vulnerabilities in the past, especially on routers, but for the most part that's an old one to look for. The one that throws me, though, is 42: there is an active vulnerability for WINS (late last year at least), so this one does look suspicious. There is an off chance that, if it's the same host, it's infected with a worm that actively searches for open ports to propagate itself.

Here's some info on the WINS exploit:

The next step for you would be to monitor the exact times these are happening, locate the admin and tech contact of the IP block, and drop them an email or phone call if you can. Good luck, sometimes you never get further than that. If you do, and have an admin that will help you, you might be able to track it from there to a specific user. Again, this doesn't mean they were the attacker, it could be they are already hacked and were used as a relay.

I'll second the advice on an IDS setup. In addition to giving you more detailed data, they will frequently give you a correlated event (host is actively searching for a known exploit, host is actively infected, you're being scanned or attacked with IP-based attacks, etc.).

If you go to the next guy down the line and have a whole lot of information compared to a few access-list matches, it will carry more weight.

Is this for work?
If so, the answer depends on your corporate incident response policy/plan.

Mine states that I have authority at all times to defend our network. With evidence as you've mentioned, my policy allows me to place firewall rules on all of our firewalls worldwide to block the subnet of the intruder, open an incident ticket, and then follow up with the upstream ISP of the attacker until I settle the matter with the ISP abuse team (e.g. they promise to deactivate the user, contact the user, escalate the matter, and send us e-mail regarding the case).

If not, and it's for home, I throw firewall blocks up. I'd rather be proactive in stopping any network attempts and monitoring.

For business-critical links that cannot support downtime, our policies are a little different, but IDS/IPS and firewall monitoring is at the top of the list for building support for enacting the firewall and ingress router ACLs.

The safest bet, if this is a constant thing, is that your ISP's network is configured badly: they have some sort of user validity check in place and it is misbehaving... I should know... I fixed quite a few of these scripts...
Do a whois on the IP and you will discover that it is your ISP's or their partners'. The ports 80, 22, 42 are most likely used for this reason.
1. I would look up the registered owner (netblock owner) of the IP address that appears to be attacking you.
Use this:

Type in the IP address and see who the owner is.

2. When you know the netblock owner, research their webpage to find out what their abuse reporting e-mail is (e.g. abuse@somecompany.com).

Be prepared with logs to corroborate your claims, or else the other company will probably ignore your report. Some companies are better than others (e.g. ISPs) because they deal with this more often or are better Netizens.

3. I stand by what I said earlier: throw up firewall or router ACLs for the offending IP address(es). If this is for work, verify that it's not a partner IP address.

4. As for legal recourse, unless you can prove $50,000 damage the FBI and local authorities will not assist you. Even if you can prove the monetary damage, their case logs are very long and will take some time to address (unless your name is Paris Hilton).

Let us know if you have more questions.
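The steps above (and the earlier advice to "send a portion of your logs" to the netblock owner) assume you can turn a pile of access-list deny entries into something an abuse desk will act on: which source, which of your hosts, which ports, over what window, with the raw lines as evidence. The script below is an added example and is not code from this thread or from any vendor; it parses Cisco IOS-style `%SEC-6-IPACCESSLOGP` deny messages (an assumption about the log format; adjust the regular expression for another platform), groups them by source address, flags the sources that keep coming back, and drafts the report body. The sample log lines and the `noc@example.net` address are constructed, and the addresses are RFC 5737 documentation ranges. The whois lookup of the netblock owner is left as the manual step the poster describes, since it needs network access.

```python
"""Summarise access-list deny log lines into an abuse-report draft.

Added example, not from the original thread. Assumes Cisco IOS-style
%SEC-6-IPACCESSLOGP syslog messages; the sample below is constructed and
uses RFC 5737 documentation addresses.
"""
import re

# Constructed sample: six ACL deny entries as a router would syslog them.
SAMPLE_LOG = """\
Mar  3 02:11:07 edge-rtr 1201: *Mar  3 02:11:06.511: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.45(3311) -> 198.51.100.10(22), 1 packet
Mar  3 02:11:09 edge-rtr 1202: *Mar  3 02:11:08.902: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.45(3312) -> 198.51.100.10(80), 1 packet
Mar  3 02:11:15 edge-rtr 1203: *Mar  3 02:11:14.113: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.45(3313) -> 198.51.100.10(42), 1 packet
Mar  3 03:40:02 edge-rtr 1210: *Mar  3 03:40:01.770: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.45(4001) -> 198.51.100.11(22), 1 packet
Mar  3 04:02:44 edge-rtr 1215: *Mar  3 04:02:43.005: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.200(51000) -> 198.51.100.10(80), 1 packet
Mar  3 04:09:31 edge-rtr 1216: *Mar  3 04:09:30.118: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.200(51001) -> 198.51.100.10(53), 3 packets
"""

# syslog timestamp, host, sequence number, the router's own timestamp, then
# the IPACCESSLOGP body: "list <acl> denied <proto> src(sport) -> dst(dport), N packet(s)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \d+: .*?%SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse_line(line):
    """Return a dict for one ACL deny line, or None if the line is something else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e["sport"], e["dport"], e["count"] = int(e["sport"]), int(e["dport"]), int(e["count"])
    return e


def summarise(log_text):
    """Group deny events by source IP: packet total, distinct targets/ports, window, evidence lines."""
    summary = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue  # unrelated syslog line; ignored
        s = summary.setdefault(e["src"], {
            "packets": 0, "dports": set(), "targets": set(),
            "first": e["ts"], "last": e["ts"], "lines": [],
        })
        s["packets"] += e["count"]
        s["dports"].add(e["dport"])
        s["targets"].add(e["dst"])
        s["last"] = e["ts"]          # lines are in time order, so the latest wins
        s["lines"].append(line)      # keep the unedited entry as evidence
    return summary


def repeat_offenders(summary, min_events=3):
    """Sources with at least min_events denied entries: the ones worth a whois and a report."""
    return sorted(src for src, s in summary.items() if len(s["lines"]) >= min_events)


def abuse_report(src, summary, reporter="noc@example.net"):
    """Plain-text body to send to the netblock owner's abuse contact (reporter is a placeholder)."""
    s = summary[src]
    header = [
        f"Subject: Repeated unwanted connection attempts from {src}",
        f"Reporting contact: {reporter}",
        "",
        f"Source address: {src}",
        f"Our hosts targeted: {', '.join(sorted(s['targets']))}",
        f"Destination ports: {', '.join(str(p) for p in sorted(s['dports']))}",
        # syslog timestamps carry no timezone; an abuse desk cannot match its
        # records to yours without one, so state it explicitly in the report.
        f"Window: {s['first']} to {s['last']} (router local time, timezone: <state it here>)",
        f"Packets denied by our access-list: {s['packets']}",
        "",
        "Log excerpt (unedited access-list deny entries):",
    ]
    return "\n".join(header + s["lines"])


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for src in repeat_offenders(summary):
        print(abuse_report(src, summary))
        print("-" * 60)
```

Run as-is it prints one report, for 203.0.113.45, the source that hit ports 22, 80 and 42 on two hosts; 192.0.2.200 appears only twice and falls under the `min_events` threshold, which is the "general noise" the earlier answers mention. Raise or lower that threshold to suit how chatty your link is, and feed the flagged address to `whois` to find the owner and abuse contact before sending.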
rshooper76 (Author) commented:
How would I install an IDS? Would I need to put a box between my DSL modem and my firewall?
Do you have a hub or switch?
If you have a hub, simply place a monitoring port from your IDS to watch traffic.
If you have a switch, you need to mirror the port from your DSL modem and watch the traffic using an IDS.
