rshooper76 asked:

Security Logs

I have been looking through the logs generated by my access-lists to see what traffic has been blocked, and I have noticed a few things that concern me and would like some suggestions on what I should do about it.  I consistently see the same IP addresses trying to connect to ports 80, 22 and 42 on a few of my public devices.  What, if anything, can/should I do about this?  I am looking for additional security measures as well as legal recourses.
rafael_acc

Post your log here.
ASKER CERTIFIED SOLUTION
tmehmet
Two things you learn in security:
Never assume something is a hacking attempt.
Never assume something is not a hacking attempt.

This sounds stupid, but in your case these could be legitimate attempts by people to find web servers, for instance. SSH has had vulnerabilities in the past, especially on routers, but for the most part that's an old one to look for. The one that throws me though is 42: there is an active vulnerability for WINS (late last year at least), so this one does look suspicious. There is an off chance that if it's the same host, it's infected with a worm that actively searches for open ports to propagate itself.

Here's some info on the WINS exploit:
http://redmondmag.com/news/article.asp?EditorialsID=6471
http://www.immunitysec.com/downloads/instantanea.pdf

The next step for you would be to monitor the exact times these are happening, locate the admin and tech contact of the IP block, and drop them an email or phone call if you can. Good luck, sometimes you never get further than that. If you do, and have an admin that will help you, you might be able to track it from there to a specific user. Again, this doesn't mean they were the attacker, it could be they are already hacked and were used as a relay.

-skpruett
I'll second the advice on an IDS setup. In addition to giving you more detailed data, they will frequently give you a correlated event (host is actively searching for a known exploit, host is actively infected, you're being scanned or attacked with IP-based attacks, etc.).

If you go to the next guy down the line and have a whole lot of information compared to a few access-list matches, it will carry more weight.

-skpruett
Is this for work?
If so, the answer depends on your corporate incident response policy/plan.

Mine states that I have authority at all times to defend our network.  With evidence such as you've mentioned, my policy allows me to place firewall rules on all of our firewalls worldwide to block the subnet of the intruder, open an incident ticket, and then follow up with the upstream ISP of the attacker until I settle the matter with the ISP abuse team (e.g. they promise to deactivate the user, contact the user, escalate the matter, and send us e-mail regarding the case).

If not, and it's for home, I throw firewall blocks up.  I'd rather be proactive in stopping any network attempts and monitoring.

For business critical links that cannot support downtime, our policies are a little different, but IDS/IPS and firewall monitoring is at the top of the list for building support to enacting the firewall and ingress router ACLs.
qwekovaqwe

The safest bet, if this is a constant thing, is that your ISP's network is configured badly and they have some sort of user validity check in place that is misbehaving... I should know... I fixed quite a few of these scripts...
Do a whois on the IP and you will discover that it is your ISP's or their partners'. The ports 80, 22, 42 are most likely used for this reason.
1.  I would lookup the registered owner (netblock owner) of the IP address that appears to be attacking you.
Use this:
http://www.ip2location.com/free.asp

Type in the IP address and see who the owner is.

2. When you know the netblock owner, research their webpage to find out what their abuse reporting e-mail is (e.g. abuse@somecompany.com).

Be prepared with logs to corroborate your claims or else the other company will probably ignore your report. Some companies are better than others (e.g. ISPs) because they deal with this more often or are better Netizens.

3. I stand by what I said earlier: throw up firewall or router ACLs for the offending IP address(es). If this is for work, verify that it's not a partner IP address.

4. As for legal recourse, unless you can prove $50,000 damage the FBI and local authorities will not assist you.  Even if you can prove the monetary damage, their case logs are very long and will take some time to address (unless your name is Paris Hilton).

Let us know if you have more questions.
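The asker's starting point (the same source addresses hitting ports 80, 22 and 42, seen only as access-list matches) and the steps above (note the exact times, gather logs that corroborate the report, then block the offenders) are the same job: aggregate the deny log by source, decide which sources are persistent rather than stray noise, and turn that into evidence and a block list. The script below is an added example, not code from this thread or from any of its participants. The log lines are constructed in the Cisco IOS `%SEC-6-IPACCESSLOGP` format using RFC 5737 documentation addresses; the ACL number 101, the thresholds in `persistent_sources`, and the helper names are all assumptions for illustration.

```python
"""Triage repeated access-list denies: who keeps knocking, on which ports, when.

Added example for the thread above, not the asker's or the repliers' code.
SAMPLE_LOG is constructed: Cisco IOS "%SEC-6-IPACCESSLOGP" deny lines with
RFC 5737 documentation addresses, not real traffic.
"""
import re
from datetime import datetime

# Constructed sample (not real traffic): one source sweeping 80/22/42 on two
# public hosts, plus two one-off denies that should not be flagged.
SAMPLE_LOG = """\
Mar  3 02:14:07 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(44213) -> 203.0.113.5(80), 1 packet
Mar  3 02:14:09 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(44214) -> 203.0.113.5(22), 1 packet
Mar  3 02:14:11 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(44215) -> 203.0.113.5(42), 1 packet
Mar  3 02:19:33 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(44216) -> 203.0.113.6(80), 3 packets
Mar  3 02:19:35 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(44217) -> 203.0.113.6(22), 1 packet
Mar  3 02:19:36 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(44218) -> 203.0.113.6(42), 1 packet
Mar  3 03:01:50 gw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51002) -> 203.0.113.5(80), 1 packet
Mar  3 03:40:12 gw1 %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(53) -> 203.0.113.5(33434), 1 packet
"""

# Syslog stamp, device name, then the IOS access-list deny message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?$"
)


def parse_denies(text):
    """Return one dict per parsable deny line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # Syslog stamps carry no year; strptime fills in 1900, fine for ordering.
        d["when"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
        d["dport"] = int(d["dport"])
        d["packets"] = int(d["packets"])
        events.append(d)
    return events


def summarize_by_source(events):
    """Aggregate denies per source IP: ports and hosts touched, counts, time span."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["src"], {
            "acl": e["acl"], "events": 0, "packets": 0, "ports": set(),
            "targets": set(), "first": e["when"], "last": e["when"],
        })
        s["events"] += 1
        s["packets"] += e["packets"]
        s["ports"].add(e["dport"])
        s["targets"].add(e["dst"])
        s["first"] = min(s["first"], e["when"])
        s["last"] = max(s["last"], e["when"])
    return summary


def persistent_sources(summary, min_ports=3, min_events=5):
    """Sources worth following up: sweeping several services, or hitting repeatedly.
    A single stray deny (one port, one packet) is background noise and is not flagged.
    The thresholds are assumptions; tune them to your own log volume."""
    return sorted(
        src for src, s in summary.items()
        if len(s["ports"]) >= min_ports or s["events"] >= min_events
    )


def abuse_report(src, s):
    """Plain-text evidence an abuse desk can act on: what, where, when, how often."""
    span = int((s["last"] - s["first"]).total_seconds())
    return "\n".join([
        f"Source {src} was denied by ACL {s['acl']} {s['events']} times ({s['packets']} packets)",
        f"between {s['first']:%b %d %H:%M:%S} and {s['last']:%b %d %H:%M:%S} "
        f"({span}s, device local time).",
        "Destination ports: " + ", ".join(str(p) for p in sorted(s["ports"])),
        "Target hosts:      " + ", ".join(sorted(s["targets"])),
    ])


def block_acl_lines(sources, acl="101"):
    """Cisco IOS style deny entries for the flagged sources, still logging so the
    follow-up with the ISP has a record. They belong ahead of the permits in the ACL."""
    return [f"access-list {acl} deny ip host {src} any log" for src in sources]


if __name__ == "__main__":
    summary = summarize_by_source(parse_denies(SAMPLE_LOG))
    flagged = persistent_sources(summary)
    for src in flagged:
        print(abuse_report(src, summary[src]), end="\n\n")
    print("\n".join(block_acl_lines(flagged)))
```

Feed it your own exported syslog instead of `SAMPLE_LOG`; whatever `persistent_sources` returns is the list to run `whois` against for the netblock owner and abuse contact, and the `abuse_report` text (timestamps, ports, targets, counts) is the corroborating evidence step 2 asks you to have ready. Check the flagged addresses against partner and ISP ranges, as step 3 and the previous reply warn, before pasting the generated deny lines into a router.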
rshooper76 (asker)
How would I install IDS?  Would I need to put a box between my dsl modem and my firewall?
Do you have a hub or switch?
If you have a hub, simply place a monitoring port from your IDS to watch traffic.
If you have a switch, you need to mirror the port from your DSL modem and watch the traffic using an IDS.