Solved

Firewall event log showing alarm events.

Posted on 2007-11-19
814 Views
Last Modified: 2008-02-01
I've never really paid much attention to the logs and alarm events on my firewall (save the scolding), but recently I cleared the alarm status to see when it might trigger again.  It has and these are the events shown:

2007-11-19 08:58:26  system   alert  00017   ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-15 13:52:32  system   alert  00017   ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 12:20:09  system   alert  00016   Port Scan Attempt, From 69.26.185.131/80 to xx.xx.xx.xxx/1848, using protocol TCP (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 12:18:56  system   alert  00016   Port Scan Attempt, From 69.26.185.131/80 to xx.xx.xx.xxx/1870, using protocol TCP (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 10:18:43  system   alert  00017   ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times

The xx.xx.xx.xxx are external-facing IPs I have.  

Are these something to be concerned about?  I have not noticed any abnormal activity or problems within my network, but just curious what might be going on.
Question by:benhar
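The five alert lines above follow one fixed layout, so they can be parsed and tallied rather than read one by one. The following is an added example (not from the thread or any firewall vendor) that parses them, sums the "occurred N times" counters per source IP, and attaches a triage label; the triage rules are this example's own heuristics, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample input: the five alert lines quoted in the question, verbatim.
SAMPLE_LOG = """\
2007-11-19 08:58:26  system   alert  00017   ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-15 13:52:32  system   alert  00017   ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 12:20:09  system   alert  00016   Port Scan Attempt, From 69.26.185.131/80 to xx.xx.xx.xxx/1848, using protocol TCP (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 12:18:56  system   alert  00016   Port Scan Attempt, From 69.26.185.131/80 to xx.xx.xx.xxx/1870, using protocol TCP (on zone Untrust,interface ethernet3) occurred 1 times
2007-11-14 10:18:43  system   alert  00017   ip sweep, From 68.81.209.249 to xx.xx.xx.xxx, using protocol 1 (on zone Untrust,interface ethernet3) occurred 1 times
"""

# One pattern covers both shapes seen above: with "/port" suffixes (TCP) and without (ICMP, protocol 1).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+system\s+(?P<sev>\w+)\s+(?P<id>\d{5})\s+"
    r"(?P<event>[^,]+), From (?P<src>[\w.]+)(?:/(?P<sport>\d+))? to (?P<dst>[\w.]+)(?:/(?P<dport>\d+))?, "
    r"using protocol (?P<proto>\w+) \(on zone (?P<zone>\w+),interface (?P<iface>\w+)\) occurred (?P<count>\d+) times$"
)

def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        alerts.append(rec)
    return alerts

def totals_by_source(alerts):
    """Sum the 'occurred N times' counters per (source IP, event) so repeat sources stand out."""
    totals = Counter()
    for a in alerts:
        totals[(a["src"], a["event"])] += a["count"]
    return totals

def triage(alert):
    """Heuristic label (this example's assumption). Protocol 1 is ICMP, so 'ip sweep' is ping-based
    host discovery. A TCP 'Port Scan Attempt' from source port 80 to an ephemeral (>=1024) destination
    port is consistent with late replies from a web server an inside host recently visited."""
    if alert["proto"] == "1":
        return "icmp-host-discovery"
    if alert["proto"] == "TCP" and alert["sport"] == 80 and (alert["dport"] or 0) >= 1024:
        return "possible-web-return-traffic"
    return "review"

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for (src, event), n in sorted(totals_by_source(alerts).items()):
        print(f"{src:16} {event:18} total occurrences={n}")
    for a in alerts:
        print(a["ts"], a["src"], a["event"], "->", triage(a))
```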
4 Comments
 
LVL 13

Accepted Solution

by:
cshepfam earned 250 total points
ID: 20314503
the good thing is that you have a good firewall in place that picks up on what's going on.  that ip address is attempting to find out what open ports you have on your server in an attempt to hack into it.  he's scanning your particular server to find any vulnerabilities.


here's some things you can do to avoid any future attacks.


download Nessus.  Nessus is a free scanner that you will download and scan your own server for any unnecessary ports you have open, any vulnerabilities, etc.  it's what hackers use to find out about your server.

http://searchwindowssecurity.techtarget.com/downloadPage/0,295339,sid45_gci1107786,00.html


next, take that IP address that's doing the scanning and trace it.  (Most of the time they are behind proxies so this can get difficult) but there's times it's some young kid using some new tool he discovered and is playing with it.

you can start the trace here:

http://www.geobytes.com/IpLocator.htm?GetLocation


hope that helps
 
LVL 4

Author Comment

by:benhar
ID: 20315075
Thanks for the info.  Nessus found 1 hole in the server so I will have to take care of that.

The IP was traced to Toms River, NJ, but had no name, just an ISP.  What more could I do?


 
LVL 13

Expert Comment

by:cshepfam
ID: 20320173
now that you have the ISP, find the way to contact them.  they usually have an abuse line.  report that IP to them and get the log of your firewall with that IP address and email that to them too.  They will most likely cancel that IP.


also, if your firewall allows it, block that specific IP address or create a Deny rule for that IP address.


your firewall is doing its job which is a good thing, I suggest you make it a habit to check your firewall daily.
 
LVL 4

Author Comment

by:benhar
ID: 20320243
Thanks for the help!
