Andrej Pirman
asked on
How to log and secure ClearOS firewall?
Hi,
I am looking for ideas on how to get a better overview of network traffic and of what users are doing in a client's network.
It is a Windows Server 2003 DC, with 80 clients and a ClearOS Linux firewall/proxy in front.
ClearOS has PPTP VPN enabled for 5 users for remote access.
Exchange does NOT have OWA nor HTTPS enabled, so the Server is not accessible from outside directly.
The PROBLEM is that some suspicious things are going on there: some WiFi access was detected several times after working hours (from the company parking lot), some VPN access was detected from a different ISP at the same time and with the same username, and also some attempts to guess Exchange passwords were detected from user's computer A, guessing the password for User B. On the previous Linux firewall backdoors were found, so I set up a new one from scratch.
So, all in all, such attempts WERE DETECTED (and blocked), but what about the UNDETECTED attempts? What else might be going on there?
We suspect that the management, which has VPN access, is trying to sniff each other's traffic and confidential documents, maybe also intercepting MAIL traffic at some point. Maybe some malicious code is installed somewhere on the LAN, which connects to the outside world.
What I want to do is to install SOMETHING on the Firewall (ClearOS 5) to analyze all traffic. Maybe to catch (and see) what resources are accessed from outside, and what is being sent OUT.
Any idea how to approach this?
Maybe some applications on Server 2003, or on the Firewall?
For example... what is this traffic on the Server?
The Server is IP 192.168.0.45, but what are those weird ports on both sides?
TCP 192.168.0.45:1028 192.168.0.52:3186 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.55:1234 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.61:1125 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.61:3736 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.65:49898 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.88:1076 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.120:1119 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.131:1140 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.195:1287 ESTABLISHED
TCP 192.168.0.45:1155 192.168.0.45:31086 ESTABLISHED
TCP 192.168.0.45:1174 192.168.0.45:1028 ESTABLISHED
TCP 192.168.0.45:1348 192.168.0.45:1028 ESTABLISHED
TCP 192.168.0.45:1656 192.168.0.45:1028 ESTABLISHED
TCP 192.168.0.45:3268 192.168.0.45:7381 ESTABLISHED
TCP 192.168.0.45:3268 192.168.0.45:7824 ESTABLISHED
TCP 192.168.0.45:3268 192.168.0.45:46710 ESTABLISHED
TCP 192.168.0.45:3268 192.168.0.45:46713 ESTABLISHED
TCP 192.168.0.45:3268 192.168.0.45:46714 ESTABLISHED
TCP 192.168.0.45:3389 192.168.0.210:59156 ESTABLISHED
TCP 192.168.0.45:7381 192.168.0.45:3268 ESTABLISHED
TCP 192.168.0.45:7824 192.168.0.45:3268 ESTABLISHED
TCP 192.168.0.45:25449 192.168.0.45:389 ESTABLISHED
TCP 192.168.0.45:28396 192.168.0.45:389 ESTABLISHED
TCP 192.168.0.45:30748 192.168.0.45:389 ESTABLISHED
TCP 192.168.0.45:30815 192.168.0.45:389 ESTABLISHED
TCP 192.168.0.45:31085 192.168.0.45:135 ESTABLISHED
TCP 192.168.0.45:31086 192.168.0.45:1155 ESTABLISHED
TCP 192.168.0.45:31129 192.168.0.137:3260 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.3:3819 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.3:3824 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.4:1239 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.8:55886 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.11:4642 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.13:1295 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.15:59084 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.20:4225 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.21:1125 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.23:2337 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.25:1141 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.41:1152 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.52:1469 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.52:3188 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.55:1863 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.61:1159 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.88:1273 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.120:1753 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.131:1144 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.195:1296 ESTABLISHED
TCP 192.168.0.45:32648 192.168.0.45:691 ESTABLISHED
TCP 192.168.0.45:32657 192.168.0.45:691 ESTABLISHED
TCP 192.168.0.45:32678 192.168.0.45:691 ESTABLISHED
TCP 192.168.0.45:46710 192.168.0.45:3268 ESTABLISHED
TCP 192.168.0.45:46713 192.168.0.45:3268 ESTABLISHED
ASKER
Hi Noci,
thanks for your add-on to this question, but I am afraid I need a more detailed suggestion on the approach principle. Something like a detective application on the Firewall and/or on the Server, to examine what users are doing, extract suspicious behavior, etc.
ASKER CERTIFIED SOLUTION
ASKER
I abandoned the question due to lack of time.
135 = MS-RPC
691 = MS-Exchange routing engine
3268 = MS-Global Catalog server
32550 = ?? (Game Dead Island).
1028 = MS-RPC data exchange.
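The netstat listing in the question and the port identifications above, worked through as an added example (not code from the thread): a small Python script that groups a Windows `netstat -an` dump by local port, treats a local port that talks to several distinct remote hosts as a listening service, and reports the ones no port table explains (here 32550). The port table, the 1025-5000 dynamic RPC range and the peer threshold are assumptions; the sample lines are a subset of the ones quoted in the question.

```python
import re
from collections import defaultdict

# Assumed service table for the well-known ports in the listing (1028 and 32550 left out on purpose).
KNOWN_PORTS = {135: "MS-RPC endpoint mapper", 389: "LDAP", 691: "MS Exchange routing engine",
               3268: "AD Global Catalog", 3389: "RDP"}

# Constructed sample: a subset of the netstat -an lines quoted in the question.
SAMPLE = """
TCP 192.168.0.45:1028 192.168.0.52:3186 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.55:1234 ESTABLISHED
TCP 192.168.0.45:1028 192.168.0.61:1125 ESTABLISHED
TCP 192.168.0.45:3389 192.168.0.210:59156 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.3:3819 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.4:1239 ESTABLISHED
TCP 192.168.0.45:32550 192.168.0.8:55886 ESTABLISHED
TCP 192.168.0.45:32648 192.168.0.45:691 ESTABLISHED
"""

LINE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)$")

def parse(text):
    """Yield (proto, laddr, lport, raddr, rport, state) for each connection line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            proto, la, lp, ra, rp, state = m.groups()
            yield proto, la, int(lp), ra, int(rp), state

def classify(port):
    """Known service, Windows 2003 dynamic RPC range (assumed 1025-5000), or unknown."""
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    if 1025 <= port <= 5000:
        return "dynamic RPC/ephemeral range (1025-5000)"
    return "UNKNOWN - map to a PID with netstat -ano"

def local_services(text, min_peers=3):
    """Local ports with >= min_peers distinct remote hosts are almost certainly listeners; loopback lines are skipped."""
    peers = defaultdict(set)
    for _, la, lp, ra, _, _ in parse(text):
        if ra != la:  # same IP on both sides is service-to-service chatter on the host itself
            peers[lp].add(ra)
    return {lp: {"peers": len(h), "service": classify(lp)}
            for lp, h in peers.items() if len(h) >= min_peers}

def unknown_services(text, min_peers=3):
    """Only the listeners the port table cannot explain, sorted by port."""
    return sorted(p for p, v in local_services(text, min_peers).items()
                  if v["service"].startswith("UNKNOWN"))
```

Run it on the full listing from the question and 32550 is the only listener left unexplained; `netstat -ano` then gives the owning PID to check against `tasklist`.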