agcsupport
asked on
How can you track the path an external user took to enter your network?
Our IDS sensor detected a public IP address (61.177.*.*) that was attempting to hack several of our FTP servers last night. I added a policy to block and log any attempts from that IP on our firewall. That had no effect. On further investigation, I found that 3 of the servers the hacker was attempting to log into are not even mapped through on any ports through the firewall. We have 2 entry points to our network: Internet and Frame Relay to over 100 remote locations. I'm not sure how a public IP can be making it through our private frame. I can ping and telnet to the attacker's IP address, but the path just goes straight out through our internet connection. What tool or method can I use to find the entry point? Thanks!
ASKER CERTIFIED SOLUTION
http://www.speedguide.net/read_articles.php?id=1883 has a good guide on forward and reverse subnet masks.
Junipers I think can take either form of the subnet mask, not sure about others...
I should also clarify the deny-after-allow statement I made:
Allow: 1.2.3.xxx
Deny: 1.2.3.4
Everything except 1.2.3.4 would be allowed in...
-rich
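The ordering point above is easy to get wrong because most ACL-style firewalls stop at the first matching rule. The following Python script is an added example (not from the original thread) that evaluates a small rule list with first-match semantics, accepts the network either as CIDR, as address/subnet-mask or as address/wildcard-mask (Python's `ipaddress` module recognises all three forms), and reports rules that can never fire because an earlier rule already covers them. The rule lines and addresses are constructed for illustration; the allow/deny pair mirrors the one rich describes.

```python
import ipaddress
from typing import List, Tuple

# A rule is (action, network). The network may be written as CIDR ("1.2.3.0/24"),
# with a forward subnet mask ("1.2.3.0/255.255.255.0") or with a reverse/wildcard
# mask ("1.2.3.0/0.0.0.255"); ipaddress.IPv4Network parses all three.
# Caveat: ipaddress reads a mask of 0.0.0.0 as a zero-length netmask (match
# everything), not as the Cisco "exact host" wildcard, so write host rules as /32.
Rule = Tuple[str, ipaddress.IPv4Network]


def parse_rules(lines: List[str]) -> List[Rule]:
    """Parse lines of the form 'Allow: <network>' / 'Deny: <network>'."""
    rules: List[Rule] = []
    for line in lines:
        action, target = line.split()
        action = action.rstrip(":").lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        rules.append((action, ipaddress.IPv4Network(target, strict=False)))
    return rules


def evaluate(src: str, rules: List[Rule], default: str = "deny") -> str:
    """First-match evaluation: the first rule whose network contains src wins."""
    addr = ipaddress.IPv4Address(src)
    for action, net in rules:
        if addr in net:
            return action
    return default


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (index, shadowed_by) pairs for rules that can never match because
    an earlier rule already covers their entire address range."""
    out = []
    for i, (_, net) in enumerate(rules):
        for j in range(i):
            if net.subnet_of(rules[j][1]):
                out.append((i, j))
                break
    return out


# Constructed rule sets: the allow-before-deny ordering from the post, and the
# order that actually blocks the single host. The /24 is written with a forward
# mask in one set and a wildcard mask in the other to show both parse identically.
ALLOW_FIRST = parse_rules(["Allow: 1.2.3.0/255.255.255.0", "Deny: 1.2.3.4/32"])
DENY_FIRST = parse_rules(["Deny: 1.2.3.4/32", "Allow: 1.2.3.0/0.0.0.255"])

if __name__ == "__main__":
    for name, rules in (("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)):
        print(name, "1.2.3.4 ->", evaluate("1.2.3.4", rules),
              "shadowed:", shadowed_rules(rules))
```

Running `shadowed_rules` over a rule list before pushing it to the device is the quickest check that a deny you added is actually reachable; in the allow-first set it reports the deny as shadowed by rule 0.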
Since they are using IP addressing, ensure that when you say to block all ports you really do block all, which means both TCP and UDP. FTP crackers usually spoof addresses, so follow any and all advice here for reading at the packet level. Even MS' NetMon utility can be useful in that arena. Do not permit the unsolicited use of ports.
Make sure the firewall tells you the port. That could be one of the email ports, possibly unused. Put a personal firewall on the devices that are hit, to block both directions and report entry/use attempts.
http://www.iana.org/assignments/port-numbers
ftp-data 20/tcp File Transfer [Default Data]
ftp-data 20/udp File Transfer [Default Data]
ftp 21/tcp File Transfer [Control]
ftp 21/udp File Transfer [Control]
What solved your issue may I ask?
-rich
From there you may be able to check xlate tables, etc., depending on how your network is set up. If all else fails, a monitor port and tcpdump/wireshark can be used on the router to again inspect the TCP/IP packets to determine the source router and follow it up the line. Methods for tracking packets through routers are dependent on your hardware and software revision(s).
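Once you have a capture from the monitor port, the useful question is not "what is the source IP" (which may be spoofed, as noted earlier in the thread) but "which interface and which last-hop device handed us these frames". The following Python script is an added example, not part of the original thread: it takes packet records assumed to have been pulled from a tcpdump/wireshark capture (here constructed inline), groups the attacker's packets by ingress interface and source MAC, and flags any group that arrived on an interface other than the one the routing table would use to reach that source, which is the reverse-path check behind uRPF. The interface names, MACs, routing table and the attacker address 203.0.113.9 are all constructed placeholders, not values from the question.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional


class Packet(NamedTuple):
    ingress_if: str   # interface the frame arrived on
    src_mac: str      # MAC of the last hop that delivered the frame
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int


# Constructed routing table: prefix -> interface we would use to reach it.
ROUTES: Dict[str, str] = {
    "0.0.0.0/0": "eth0",       # default route: Internet via the firewall
    "10.0.0.0/8": "serial0",   # private frame relay cloud to remote sites
}


def egress_interface(ip: str, routes: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match: the interface replies to `ip` would leave by."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def entry_points(packets: List[Packet], attacker: str, routes: Dict[str, str]) -> List[dict]:
    """Group the attacker's packets by (ingress interface, last-hop MAC) and
    mark whether each arrival interface matches the reverse path. A group
    with reverse_path_ok == False came in through an unexpected link."""
    expected = egress_interface(attacker, routes)
    seen: Dict[tuple, Counter] = defaultdict(Counter)
    for p in packets:
        if p.src_ip != attacker:
            continue
        seen[(p.ingress_if, p.src_mac)][(p.proto, p.dst_port)] += 1
    report = []
    for (iface, mac), hits in seen.items():
        report.append({
            "ingress_if": iface,
            "last_hop_mac": mac,
            "packets": sum(hits.values()),
            "targets": sorted(hits),          # (proto, port) pairs, TCP and UDP alike
            "reverse_path_ok": iface == expected,
        })
    return sorted(report, key=lambda r: r["ingress_if"])


# Constructed capture: two probes via the Internet firewall, three via a remote
# site's router on the frame relay link, all claiming the same source address.
ATTACKER = "203.0.113.9"
SAMPLE = [
    Packet("eth0", "00:11:22:aa:bb:01", ATTACKER, "192.168.1.10", "tcp", 21),
    Packet("eth0", "00:11:22:aa:bb:01", ATTACKER, "192.168.1.10", "tcp", 21),
    Packet("serial0", "00:11:22:cc:dd:07", ATTACKER, "192.168.1.11", "tcp", 21),
    Packet("serial0", "00:11:22:cc:dd:07", ATTACKER, "192.168.1.11", "udp", 21),
    Packet("serial0", "00:11:22:cc:dd:07", ATTACKER, "192.168.1.12", "tcp", 21),
    Packet("eth0", "00:11:22:aa:bb:01", "198.51.100.4", "192.168.1.10", "tcp", 80),
]

if __name__ == "__main__":
    for row in entry_points(SAMPLE, ATTACKER, ROUTES):
        print(row)
```

The group with `reverse_path_ok` false names the link and the last-hop MAC to chase next (here the frame relay side); repeating the capture one hop upstream on that link walks the path back until the ingress router is found. Including the `(proto, port)` pairs in the report also shows whether the UDP side of the FTP ports was hit, which a TCP-only block rule would miss.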