Andrej Pirman (Slovenia)

asked on

How to log and secure ClearOS firewall?

Hi,

I am looking for ideas on how to have a better overview of network traffic and what users are doing in the client's network.

It is a Windows Server 2003 DC with 80 clients and a ClearOS Linux firewall/proxy in front.
ClearOS has PPTP VPN enabled for 5 users for remote access.
Exchange does NOT have OWA or HTTPS enabled, so the Server is not accessible from outside directly.

The PROBLEM is that some suspicious things are going on there: some WiFi access was detected several times after working hours (from the company parking place), some VPN access was detected from a different ISP at the same time and with the same username, and also some attempts to guess an Exchange password were detected, coming from user A's computer and guessing the password of user B. On the previous Linux firewall backdoors were found, so I set up a new one from scratch.
So, all in all, such attempts WERE DETECTED (and blocked), but what about those UNDETECTED attempts? What else might be going on there?

We suspect that the management, which has VPN access, is trying to sniff each other's traffic and confidential documents, maybe also intercepting MAIL traffic at some point. Maybe some malicious code is installed somewhere on the LAN which connects to the outside world.

What I want to do is to install SOMETHING on the Firewall (ClearOS 5) to analyze all traffic. Maybe to catch (and see) what resources are accessed from outside, and what is being sent OUT.
Any idea how to approach this?
Maybe some applications on Server 2003, or on the Firewall?

For example... what is this traffic on the Server?
The Server is IP 192.168.0.45, but what are those weird ports on both sides?
  TCP    192.168.0.45:1028      192.168.0.52:3186      ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.55:1234      ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.61:1125      ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.61:3736      ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.65:49898     ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.88:1076      ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.120:1119     ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.131:1140     ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.195:1287     ESTABLISHED
  TCP    192.168.0.45:1155      192.168.0.45:31086     ESTABLISHED
  TCP    192.168.0.45:1174      192.168.0.45:1028      ESTABLISHED
  TCP    192.168.0.45:1348      192.168.0.45:1028      ESTABLISHED
  TCP    192.168.0.45:1656      192.168.0.45:1028      ESTABLISHED
  TCP    192.168.0.45:3268      192.168.0.45:7381      ESTABLISHED
  TCP    192.168.0.45:3268      192.168.0.45:7824      ESTABLISHED
  TCP    192.168.0.45:3268      192.168.0.45:46710     ESTABLISHED
  TCP    192.168.0.45:3268      192.168.0.45:46713     ESTABLISHED
  TCP    192.168.0.45:3268      192.168.0.45:46714     ESTABLISHED
  TCP    192.168.0.45:3389      192.168.0.210:59156    ESTABLISHED
  TCP    192.168.0.45:7381      192.168.0.45:3268      ESTABLISHED
  TCP    192.168.0.45:7824      192.168.0.45:3268      ESTABLISHED
  TCP    192.168.0.45:25449     192.168.0.45:389       ESTABLISHED
  TCP    192.168.0.45:28396     192.168.0.45:389       ESTABLISHED
  TCP    192.168.0.45:30748     192.168.0.45:389       ESTABLISHED
  TCP    192.168.0.45:30815     192.168.0.45:389       ESTABLISHED
  TCP    192.168.0.45:31085     192.168.0.45:135       ESTABLISHED
  TCP    192.168.0.45:31086     192.168.0.45:1155      ESTABLISHED
  TCP    192.168.0.45:31129     192.168.0.137:3260     ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.3:3819       ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.3:3824       ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.4:1239       ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.8:55886      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.11:4642      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.13:1295      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.15:59084     ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.20:4225      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.21:1125      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.23:2337      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.25:1141      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.41:1152      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.52:1469      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.52:3188      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.55:1863      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.61:1159      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.88:1273      ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.120:1753     ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.131:1144     ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.195:1296     ESTABLISHED
  TCP    192.168.0.45:32648     192.168.0.45:691       ESTABLISHED
  TCP    192.168.0.45:32657     192.168.0.45:691       ESTABLISHED
  TCP    192.168.0.45:32678     192.168.0.45:691       ESTABLISHED
  TCP    192.168.0.45:46710     192.168.0.45:3268      ESTABLISHED
  TCP    192.168.0.45:46713     192.168.0.45:3268      ESTABLISHED


noci:

389 = LDAP
135 = MS-RPC
691 = MS-Exchange routing engine
3268 = MS Global Catalog server
32550 = ?? (Game Dead Island).

1028 = MS-RPC data exchange.
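As an added example (not from this thread), a small Python triage script of the kind a defender would run over the netstat listing above: it parses the ESTABLISHED lines, groups connections by service endpoint, annotates the ports noci identified, and flags any endpoint with several distinct peers that no known service explains. The sample lines are a constructed subset of the listing, and the 3389 = RDP entry is my addition, not noci's.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the netstat output quoted in the question.
SAMPLE_NETSTAT = """
  TCP    192.168.0.45:1028      192.168.0.52:3186      ESTABLISHED
  TCP    192.168.0.45:1028      192.168.0.55:1234      ESTABLISHED
  TCP    192.168.0.45:3268      192.168.0.45:7381      ESTABLISHED
  TCP    192.168.0.45:3389      192.168.0.210:59156    ESTABLISHED
  TCP    192.168.0.45:25449     192.168.0.45:389       ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.3:3819       ESTABLISHED
  TCP    192.168.0.45:32550     192.168.0.4:1239       ESTABLISHED
  TCP    192.168.0.45:32648     192.168.0.45:691       ESTABLISHED
"""

# Service names noci gave for ports in the listing; 3389 = RDP is my addition.
KNOWN_PORTS = {389: "LDAP", 135: "MS-RPC", 691: "MS-Exchange routing engine",
               3268: "MS Global Catalog", 1028: "MS-RPC data exchange", 3389: "RDP"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED")

def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port) per ESTABLISHED line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rows

def classify(rows):
    """Map each endpoint that looks like a service to (label, distinct peer count).
    Heuristic: a listener is either a port with a known service, or an endpoint that
    several distinct peers connect to (fan-in); ephemeral client ports have one peer."""
    peers = defaultdict(set)
    for lip, lport, rip, rport in rows:
        peers[(lip, lport)].add((rip, rport))
        peers[(rip, rport)].add((lip, lport))
    return {ep: (KNOWN_PORTS.get(ep[1], "UNKNOWN - investigate"), len(ps))
            for ep, ps in peers.items() if len(ps) >= 2 or ep[1] in KNOWN_PORTS}

def unknown_services(rows):
    """Sorted (ip, port, peer_count) for fan-in endpoints no known service explains."""
    return sorted((ip, port, n) for (ip, port), (label, n) in classify(rows).items()
                  if label.startswith("UNKNOWN"))

if __name__ == "__main__":
    for (ip, port), (label, n) in sorted(classify(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(f"{ip}:{port:<6} {n:>2} peer(s)  {label}")
```

On the real server, feed it the full `netstat -an` output and then use `netstat -ano` / `tasklist` to tie each flagged port to the owning process before deciding whether it belongs there.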
Andrej Pirman (asker):

Hi Noci,
thanks for your add-on to this question, but I am afraid I need a more detailed suggestion on the approach principle. Something like a detective application on the Firewall and/or on the Server, to examine what users are doing, extract suspicious behavior, etc.
ASKER CERTIFIED SOLUTION
noci:

Andrej Pirman (asker):

I abandoned the question due to lack of time.