How do I find a malicious attacker behind a pfSense router?


I have a pfSense router at an office I manage. I'm not very familiar with it, but I've gone through the options on it and read up about it a bit. I'm having a problem that I'm not sure how to resolve. The ISP has notified the office that there have been malicious requests from our IP address directed at other servers. The information they sent shows that the "PORT HIT" was "x.x.x.x:49039->x.x.x.x:23". I found a packet capture on the pfSense and set it to listen on the LAN interface and put 49039 in for the port number. I started the packet capture, but I don't see it reporting anything, nor do I know where to find the log or output of the packet capture. It looks like this pfSense router is from a July version in 2015, so it looks like the firmware needs to be updated. This router looks very powerful and I'd like to learn more about it. I'm used to using SonicWall routers mainly, so this is a little different. Oh, and here's a really strange thing that's going on there. I called the ISP and told them that I wasn't sure where the IP address that is reporting the malicious activity is at. The IP on the WAN side of the router ends in 69 and the reporting IP is 71. They said that they were not able to see any devices ARPing to that IP address at that moment.

If I check the WAN IP on one of the networks in the office (there are 7 suites, so there are at least 8 VLANs), it ends in 71. I've scanned all 8 of the computers on that reporting network but nothing came up as infected. On the pfSense router, under Virtual IP Addresses, there are three in there and one is the IP that ends in 71. So, I know where that IP address is set up. I just don't know how to track down the offender on the network. My main question is, how do I set up monitoring on the pfSense to be able to track down which device is causing trouble? Thanks in advance for your help!

Matt Kendall (Tech / Business owner operator) asked:
noci (Software Engineer) commented:
The source port is always more or less random, so it makes no sense to filter on it... checking for destination port 23 makes more sense.
23 = Telnet. Telnet is not normally used nowadays, as it exposes passwords.

Some of the NAT to outside rules/routes need to have .71 set as Source NAT. (That the ISP doesn't see it issuing ARP requests could be because it is set up as an alias or secondary address on the WAN interface.)

One of the sources that can cause trouble should be in the list of source addresses that is SNATed to .71.
OTOH you can easily modify your firewall to block everything except for the ports you want to allow to the outside.
(Not just block Outside -> Inside, but also block Inside -> Outside.) That would eliminate a lot of trouble.

Matt Kendall (Tech / Business owner operator) commented:
Hi Noci,

Thanks for your comment. That's a great idea to block port 23. I have done that. But that still leaves a device trying to cause trouble on the network. I would really like to know who or what it is. How do I track down who on the network is causing this trouble? This pfSense router seems very powerful and I must be missing something on it. Thanks again!

noci (Software Engineer) commented:
If you make the blocking of port 23 log the packets (or info about the drop) when the block rule is hit, it should tell you the address.
Instead of just blocking you could also opt to still allow the port but log it anyway... that won't warn anyone, except you should get a source address.
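Once the port 23 rule has logging enabled, the firewall log is what reveals the internal source address. The following is an added example, not code from the thread or from pfSense itself: it parses pfSense filterlog entries (assuming the comma-separated IPv4 field layout pfSense has used since 2.2) and ranks the LAN addresses that triggered the rule. The log lines and addresses are constructed placeholders, not values from the question.

```python
import csv
from collections import Counter

# Constructed sample of pfSense filterlog entries as they appear in
# /var/log/filter.log (syslog header included). Addresses are RFC 1918 /
# RFC 5737 placeholders, not the IPs from the thread.
SAMPLE_LOG = """\
Jul 10 08:01:02 pfsense filterlog: 5,16777216,,1000000103,igb1,match,block,out,4,0x0,,63,1234,0,DF,6,tcp,60,192.168.20.37,203.0.113.10,49039,23,0,S,1,,64240,,mss
Jul 10 08:01:03 pfsense filterlog: 5,16777216,,1000000103,igb1,match,block,out,4,0x0,,63,1235,0,DF,6,tcp,60,192.168.20.37,203.0.113.11,49040,23,0,S,1,,64240,,mss
Jul 10 08:01:05 pfsense filterlog: 5,16777216,,1000000103,igb1,match,block,out,4,0x0,,63,1236,0,DF,6,tcp,60,192.168.30.5,203.0.113.12,51002,23,0,S,1,,64240,,mss
Jul 10 08:01:06 pfsense filterlog: 7,16777216,,1000000104,igb1,match,pass,out,4,0x0,,63,1237,0,DF,6,tcp,60,192.168.20.37,203.0.113.13,49041,443,0,S,1,,64240,,mss
"""

# Field positions in an IPv4 filterlog entry (assumed pfSense 2.2+ layout):
# 4 interface, 6 action, 7 direction, 8 ip-version, 16 protocol name,
# 18 source address, 19 destination address, 20 source port, 21 dest port.
IPV4_FIELDS = 22


def parse_entry(line):
    """Return the useful fields of one IPv4 TCP/UDP filterlog line, else None."""
    if "filterlog: " in line:
        line = line.split("filterlog: ", 1)[1]  # drop the syslog header
    f = next(csv.reader([line.strip()]))
    if len(f) < IPV4_FIELDS or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None  # IPv6 entries and ICMP/other protocols have another layout
    return {"iface": f[4], "action": f[6], "direction": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}


def suspects(log_text, dport=23, proto="tcp"):
    """Rank internal source addresses that sent traffic to the given port.

    The ISP report names the destination port (23); the source port (49039)
    is ephemeral and changes per connection, so it is not used as a filter.
    """
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["proto"] == proto and e["dport"] == dport:
            counts[e["src"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    for src, hits in suspects(SAMPLE_LOG):
        print(f"{src:<16} {hits} connection attempt(s) to tcp/23")
```

On a 2.x box the raw entries can be read with `clog /var/log/filter.log` or viewed under Status > System Logs > Firewall; the same source addresses can then be matched to MAC addresses in Diagnostics > ARP Table to identify the physical host.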