Security Logs

Posted on 2005-03-07
Medium Priority
Last Modified: 2010-04-11
I have been looking through the logs generated by my access-lists to see what traffic has been blocked and I have noticed a few things that concern me and would like some suggestions on what I should do about it.  I consistently see the same IP addresses trying to connect to port 80, 22 and 42 on a few of my public devices.  What, if anything, can/should I do about this?  I am looking for additional security measures as well as legal recourses.
Question by: rshooper76
LVL 11

Expert Comment

ID: 13479920
Post your log here.

Accepted Solution

tmehmet earned 2000 total points
ID: 13480110
I am always a little cautious about such things. The internet is a very public place with lots of junk traffic and machines that are hacked/breached and spreading viruses which blindly scan anything and everything. It's not unusual to see this kind of stuff.

In most cases, unless you are a high profile company or organisation, these things tend to be some other person's machine infected with a virus or taken over to scan for other vulnerable devices. You should give the owners a chance to look into it first, so to that end, look up who has been allocated that IP and if they have contacts listed, I suggest you raise it with them directly; failing that, send a portion of your logs and complain to their ISP. You are blocking the traffic, so you are not in any danger while you wait for a response.

If you suspect this is a genuine attack, you'll need more info.

You need to work out if this is a targeted attack or if it's just part of the general noise that is constantly out there. To that end I suggest you install an IDS (e.g. Snort is free) and monitor what it is they are trying to do on those ports and keep an eye on it. If you decide to pursue it legally, you will need detailed logs. Your access list logs won't help much in understanding what they are doing or if the source has been spoofed, so a more detailed log is required. You should also consider enabling logging on your target devices (if they exist) and of course, you need to make sure the source is not being spoofed.


Expert Comment

ID: 13482932
Two things you learn in security:
Never assume something is a hacking attempt.
Never assume something is not a hacking attempt.

This sounds stupid but in your case this could be legit attempts for people to find web servers, for instance. SSH has had vulnerabilities in the past, especially on routers, but for the most part that's an old one to look for. The one that throws me though is 42: there is an active vulnerability for WINS (late last year at least) so this one does look suspicious. There could be an off chance that if it's the same host, it's infected with a worm that actively searches for open ports to propagate itself.

Here's some info on the WINS exploit:

The next step for you would be to monitor the exact times these are happening, locate the admin and tech contact of the IP block, and drop them an email or phone call if you can. Good luck, sometimes you never get further than that. If you do, and have an admin that will help you, you might be able to track it from there to a specific user. Again, this doesn't mean they were the attacker, it could be they are already hacked and were used as a relay.



Expert Comment

ID: 13482954
I'll second the advice on an IDS setup. In addition to giving you more detailed data, they will frequently give you a correlated event (host is actively searching for a known exploit, host is actively infected, you're being scanned or attacked with IP based attacks, etc.)

If you go to the next guy down the line and have a whole lot of information compared to a few access-list matches, it will carry more weight.

LVL 12

Expert Comment

ID: 13488052
Is this for work?
If so, the answer depends on your corporate incident response policy/plan.

Mine states that I have authority at all times to defend our network.  With evidence as you've mentioned, my policy allows me to place firewall rules on all of our firewalls worldwide to block the subnet of the intruder, open up an incident ticket, and then follow up with the upstream ISP of the attacker until I settle the matter with the ISP abuse team (e.g. they promise to deactivate the user, contact the user, escalate the matter, and send us e-mail regarding the case).

If not and for home, I throw firewall blocks up.  I'd rather be proactive in stopping any network attempts and monitoring.

For business critical links that cannot support downtime, our policies are a little different, but IDS/IPS and firewall monitoring is at the top of the list for building support for enacting the firewall and ingress router ACLs.

Expert Comment

ID: 13534103
The safest bet, if this is a constant thing, is that your ISP's network is configured badly and they have some sort of user validity check in place and it is misbehaving... I should know... I fixed quite a few of these scripts...
Do a whois on the IP and you will discover that it is your ISP's or their partners'. The ports 80, 22, 42 are most likely used for this reason.
LVL 12

Expert Comment

ID: 13535768
1. I would look up the registered owner (netblock owner) of the IP address that appears to be attacking you.
Use this:

Type in the IP address and see who the owner is.

2. When you know the netblock owner, research their webpage to find out what their abuse reporting e-mail is (e.g. abuse@somecompany.com).

Be prepared with logs to corroborate your claims or else the other company will probably ignore your report. Some companies are better than others (e.g. ISPs) because they deal with this more often or are better Netizens.

3. I stand by what I said earlier: throw up firewall or router ACLs for the offending IP address(es). If this is for work, verify that it's not a partner IP address.

4. As for legal recourse, unless you can prove $50,000 damage the FBI and local authorities will not assist you.  Even if you can prove the monetary damage, their case logs are very long and will take some time to address (unless your name is Paris Hilton).

Let us know if you have more questions.
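The accepted solution says to work out whether this is a targeted attack or background noise and to send a portion of your logs when you complain, and step 2 above says to have logs ready to corroborate an abuse report. The following is an added example (not code from anyone in this thread) of doing both from ACL deny logs: it aggregates the denied connections per source address, gives each source a rough label based on how many hosts and ports it touched, and formats the evidence for one source as a report. The log format is assumed to be Cisco IOS-style `%SEC-6-IPACCESSLOGP` lines, the sample lines are constructed, and the reporter address is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log in a Cisco IOS-style ACL "deny" log format (the exact
# format is an assumption, not the asker's real logs). Addresses come from the
# RFC 5737 documentation ranges. One unrelated syslog line is included to show
# that the parser skips it.
SAMPLE_LOG = """\
Mar  7 10:15:01 edge-rtr 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4123) -> 198.51.100.10(22), 1 packet
Mar  7 10:15:03 edge-rtr 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4124) -> 198.51.100.10(80), 1 packet
Mar  7 10:15:04 edge-rtr 103: %SYS-5-CONFIG_I: Configured from console by admin
Mar  7 10:15:09 edge-rtr 104: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4125) -> 198.51.100.10(42), 3 packets
Mar  7 10:16:40 edge-rtr 105: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4130) -> 198.51.100.11(42), 1 packet
Mar  7 10:20:12 edge-rtr 106: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.77(51002) -> 198.51.100.10(80), 1 packet
Mar  7 11:02:55 edge-rtr 107: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.9(33012) -> 198.51.100.10(22), 2 packets
Mar  7 11:03:01 edge-rtr 108: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.9(33015) -> 198.51.100.10(22), 2 packets
"""

# Assumed line layout: "<timestamp> <router> <seq>: %SEC-6-IPACCESSLOGP: list <acl>
# denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ \d+: %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


@dataclass
class SourceSummary:
    first_seen: str
    last_seen: str
    packets: int = 0
    ports: set = field(default_factory=set)     # destination ports probed
    targets: set = field(default_factory=set)   # destination hosts probed
    lines: list = field(default_factory=list)   # raw lines kept as evidence


def summarize(log_text):
    """Aggregate denied connections per source IP; non-matching lines are skipped."""
    out = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src = m["src"]
        s = out.get(src)
        if s is None:
            s = out[src] = SourceSummary(first_seen=m["ts"], last_seen=m["ts"])
        s.last_seen = m["ts"]
        s.packets += int(m["count"])
        s.ports.add(int(m["dport"]))
        s.targets.add(m["dst"])
        s.lines.append(line)
    return out


def classify(s):
    """Rough label to separate wide scanning from one-off noise (a heuristic, not proof)."""
    if len(s.targets) > 1 and len(s.ports) > 1:
        return "multi-host, multi-port probing (sweep-like)"
    if len(s.ports) > 1:
        return "multiple ports on one host (port probe)"
    if s.packets > 1:
        return "repeated attempts on a single port"
    return "single attempt (likely background noise)"


def abuse_report(summary, src, reporter="noc@example.org"):
    """Plain-text report for one source, suitable for an abuse@ mailbox.
    `reporter` is a placeholder; timestamps are the router's local time, so say so."""
    s = summary[src]
    header = [
        f"Abuse report from {reporter}",
        f"Source IP: {src}",
        f"Activity: {classify(s)}",
        f"First seen: {s.first_seen}  Last seen: {s.last_seen}",
        f"Denied packets: {s.packets}; destination ports: {sorted(s.ports)}; "
        f"hosts contacted: {len(s.targets)}",
        "Log excerpt (timestamps are router local time, no year in syslog):",
    ]
    return "\n".join(header + ["  " + line for line in s.lines])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1].packets):
        print(f"{src:15} {s.packets:3} pkts  ports={sorted(s.ports)}  {classify(s)}")
    print()
    print(abuse_report(summary, "203.0.113.5"))
```

Feed it a real ACL log and the per-source table shows at a glance which addresses keep coming back across several hosts and ports, which is the kind of evidence the thread says an ISP abuse desk will actually act on. The labels are only a first cut: as the accepted solution notes, ACL hits cannot tell you whether the source is spoofed, so an IDS capture is still needed before drawing firm conclusions.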

Author Comment

ID: 13537078
How would I install IDS?  Would I need to put a box between my dsl modem and my firewall?
LVL 12

Expert Comment

ID: 13537492
Do you have a hub or switch?
If you have a hub, simply place a monitoring port from your IDS to watch traffic.
If you have a switch, you need to mirror the port from your DSL modem and watch the traffic using an IDS.

