Newbie Firewall Question 1

[Splixx]

Hi,
My company recently upgraded from a simple Lynksys router to a slightly less simple Netgear Router/Firewall/VPN Appliance.
Works nice, but the device's security logs seems, at least to me, to be taking alot of connection hits.
Can anyone glance over this cut and paste of the logs to tell me if this is an unusual circumstance?

**** Log Edited for Security ****
**** This is only a 5 hour time period ****


Mon, 03/01/2004 00:01:31 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1633, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 00:10:05 - TCP connection dropped - Source:172.162.19.74, 3273, WAN - Destination:24.121.xxx.xxx, 80, LAN - 'WEB'

Mon, 03/01/2004 00:11:47 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destinationestination:24.121.xxx.xxx, 1974, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 00:21:59 - UDP packet dropped - Source:209.98.203.61, 137, WAN - Destination:24.121.xxx.xxx, 137, LAN - 'Suspicious UDP Data'

Mon, 03/01/2004 00:22:17 - TCP connection dropped - Source:220.255.48.56, 2811, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 00:25:01 - TCP connection dropped - Source:24.121.44.182, 4656, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 00:26:55 - TCP connection dropped - Source:200.223.240.122, 4236, WAN - Destination:24.121.xxx.xxx, 1433, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 00:31:45 - UDP packet dropped - Source:24.80.169.130, 1088, WAN - Destination:24.121.xxx.xxx, 137, LAN - 'Suspicious UDP Data'

Mon, 03/01/2004 00:34:31 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1717, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 00:39:53 - TCP connection dropped - Source:220.85.119.67, 3287, WAN - Destination:24.121.xxx.xxx, 901, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 00:47:09 - TCP connection dropped - Source:221.197.153.89, 3331, WAN - Destination:24.121.xxx.xxx, 80, LAN - 'WEB'

Mon, 03/01/2004 00:49:25 - TCP connection dropped - Source:222.100.57.163, 2490, WAN - Destination:24.121.xxx.xxx, 901, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 01:01:11 - TCP connection dropped - Source:24.121.46.234, 4047, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 01:02:43 - TCP connection dropped - Source:24.120.206.28, 1252, WAN - Destination:24.121.xxx.xxx, 8866, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 01:10:33 - TCP connection dropped - Source:218.47.19.10, 3526, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 01:30:11 - UDP packet dropped - Source:24.121.40.226, 1025, WAN - Destination:24.121.xxx.xxx, 137, LAN - 'Suspicious UDP Data'

Mon, 03/01/2004 01:33:39 - TCP connection dropped - Source:24.121.61.224, 4722, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 01:51:45 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1932, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 01:57:13 - TCP connection dropped - Source:219.162.216.125, 3331, WAN - Destination:24.121.xxx.xxx, 80, LAN - 'WEB'

Mon, 03/01/2004 02:01:35 - TCP connection dropped - Source:211.202.209.234, 4677, WAN - Destination:24.121.xxx.xxx, 901, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 02:28:18 - TCP connection dropped - Source:24.214.100.201, 63715, WAN - Destination:24.121.xxx.xxx, 901, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 02:32:20 - TCP connection dropped - Source:24.121.61.224, 4535, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 02:38:32 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1457, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 02:46:48 - UDP packet dropped - Source:65.59.64.107, 7634, WAN - Destination:24.121.xxx.xxx, 1026, LAN - 'Suspicious UDP Data'

Mon, 03/01/2004 02:47:48 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1630, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 02:55:34 - UDP packet dropped - Source:24.164.36.33, 8228, WAN - Destination:24.121.xxx.xxx, 12596, LAN - 'Suspicious UDP Data'

Mon, 03/01/2004 02:55:48 - TCP connection dropped - Source:65.105.136.188, 3430, WAN - Destination:24.121.xxx.xxx, 3389, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 03:07:20 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1143, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 03:07:38 - TCP connection dropped - Source:193.6.48.64, 1855, WAN - Destination:24.121.xxx.xxx, 3127, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 03:16:02 - TCP connection dropped - Source:200.117.214.80, 61898, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 03:16:40 - TCP connection dropped - Source:24.107.199.171, 220, WAN - Destination:24.121.xxx.xxx, 6129, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 03:28:22 - TCP connection dropped - Source:220.220.145.44, 2628, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 03:35:12 - TCP connection dropped - Source:217.207.184.195, 58565, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 03:35:24 - TCP connection dropped - Source:24.108.76.187, 3148, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 03:44:16 - TCP connection dropped - Source:24.68.215.151, 2196, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 03:44:16 - TCP connection dropped - Source:24.68.215.151, 2198, WAN - Destination:24.121.xxx.xxx, 139, LAN - 'NetBIOS'

Mon, 03/01/2004 03:44:26 - TCP connection dropped - Source:24.68.215.151, 2198, WAN - Destination:24.121.xxx.xxx, 139, LAN - 'Possible Port Scan'

Mon, 03/01/2004 03:45:30 - TCP connection dropped - Source:24.88.180.78, 3129, WAN - Destination:24.121.xxx.xxx, 27374, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 03:55:46 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1440, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 03:58:56 - TCP connection dropped - Source:141.158.29.183, 3409, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 04:18:28 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1415, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 04:32:50 - TCP connection dropped - Source:80.134.123.62, 2432, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

Mon, 03/01/2004 04:33:34 - TCP connection dropped - Source:195.62.141.6, 2577, WAN - Destination:24.121.xxx.xxx, 3127, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 04:38:04 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1929, LAN - 'Suspicious TCP Data'

Mon, 03/01/2004 04:40:22 - UDP packet dropped - Source:24.164.33.248, 13796, WAN - Destination:24.121.xxx.xxx, 1026, LAN - 'Suspicious UDP Data'

Mon, 03/01/2004 04:42:08 - TCP connection dropped - Source:212.244.70.21, 1669, WAN - Destination:24.121.xxx.xxx, 21, LAN - 'FTP-ctrl'

Mon, 03/01/2004 04:53:00 - TCP connection dropped - Source:65.65.97.41, 2863, WAN - Destination:24.121.xxx.xxx, 139, LAN - 'NetBIOS'

Mon, 03/01/2004 05:00:28 - TCP connection dropped - Source:24.121.61.166, 1250, WAN - Destination:24.121.xxx.xxx, 445, LAN - 'SMB'

 

[AlexIT]

It looks like normal broadband activity, someone asks the router for its NETBIOS name, a machine on the same address range asks to manage your router (someone else has wrong netmask) etc.

In some of these cases is a machine on the LAN is getting info from a site and then ends that request. In this case there is a packet from the site to your LAN that gets denied. Looks like these are examples:

Mon, 03/01/2004 04:18:28 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1415, LAN - 'Suspicious TCP Data'
Mon, 03/01/2004 04:38:04 - TCP connection dropped - Source:64.7.205.102, 80, WAN - Destination:24.121.xxx.xxx, 1929, LAN - 'Suspicious TCP Data'
Mon, 03/01/2004 04:42:08 - TCP connection dropped - Source:212.244.70.21, 1669, WAN - Destination:24.121.xxx.xxx, 21, LAN - 'FTP-ctrl'

This is pretty tame for five hours (I won't post the worst Velociraptor log I've ever seen...couple MB in same time range.)

Alex

 

[Splixx]

Thanks for the quick reply!
The ended sessions thing makes sense.

Is there anything I should be watching for specificly? Certain destination ports?

I wasn't too scared about the logs, but we have had the router for about 3 weeks and it was a nagging concern.

 

[AlexIT]

Successful connections are not shown in the log because the bad guy didn't get caught. You will not know when someone/thing made it through.

However, they mostly try simple/common connections first, so get a list of known hack ports (google or visit blackice site, they have a nice page of them.) Watch for multiple attempts to these ports from one IP address (or subnet range.) If you start seeing these, check it out, you may want to add this IP to "deny traffic to/from" in the Netgear config ASAP. Look for something like this:

Mon, 03/01/2004 02:46:48 - UDP packet dropped - Source:65.59.64.107,XXX, WAN - Destination:24.121.xxx.xxx, 21, LAN - 'Suspicious TCP Data'
Mon, 03/01/2004 02:46:48 - UDP packet dropped - Source:65.59.64.107,XXX, WAN - Destination:24.121.xxx.xxx, 23, LAN - 'Suspicious TCP Data'
Mon, 03/01/2004 02:46:48 - UDP packet dropped - Source:65.59.64.107,XXX, WAN - Destination:24.121.xxx.xxx, 25, LAN - 'Suspicious TCP Data'
Mon, 03/01/2004 02:46:48 - UDP packet dropped - Source:65.59.64.107,XXX, WAN - Destination:24.121.xxx.xxx, 107, LAN - 'Suspicious TCP Data'

This would make me want to RARP who owns 65.59.64.107 and see if this is something I want to block.

Also, make complete regular backups and DO NOT overwrite all of these each week, save an offline backup from Thursdays for a month or so. You may not find out about a hack for a week and having a known clean backup can save your 'ss.

Alex

 

[Zilantyas]

There is a lot of dropped connections and suspicious activity going on. It may not be a concern but I would be alarmed! You may want to invest in a network sniffer and see what's going on.

Good luck!

Zilantyas Technology
Professional Information Technology Solutions

http://www.zilantyas.com

 

[Splixx]

When you say a sniffer, do you mean a hardware or software sniffer?
Also, my understanding was that a sniffer only works for the individual network segment. I ensured that all the hubs where I work were replaces with switches to maxamize network thouroughput.
So If I had a software sniffer program on my office computer I wouldn't be able to sniff all the networks traffic, would I?

 

[AlexIT]

Zil,

The posted log is for five hours, there are some to think about, but not many.

Spl,
A traffic sniffer would be placed between the firewall and outside world and used to check WAN traffic. I usually grab a hub, laptop, and then run Snort or such.

Alex

 

[chiph]

I'm surprised to see so much SMB traffic there -- I thought most ISPs block SMB from their network to prevent people from snooping around on their neighbor's PCs?

Chip H.


If you want to get the best response to a question, please check out FAQ222-2244 first

 

[jutetrea]

hey all,

found the thread interesting and was hoping it was still alive.

newbie firewall user here as well, and was wondering if there was some sort of guide out there to figure out what a lot of the logging means? for instance:

2004-03-28-21:07:59 IP discard from 68.162.xxx.xxx port 1482 to 68.162.xxx.xxx port 135 TCP SYN (default)
IP entry duplicated 1 times
2004-03-28-21:06:41 IP discard from 68.162.xxx.xxx port 3159 to 68.162.xxx.xxx port 445 TCP SYN (default)
2004-03-28-21:05:33 IP discard from 216.45.xxx.xxx port 80 to 68.162.xxx.xxx port 29178 TCP RST (default)
IP entry duplicated 1 times
2004-03-28-21:02:48 IP ICMP type (3) code (13) received from 68.162.xxx.xxx
2004-03-28-21:02:44 IP discard from 68.162.xxx.xxx port 3442 to 68.162.xxx.xxx port 445 TCP RST (default)

What do TCP SYN mean? TCP I get, but syn?
How about ICMP? or RST? ICMP is internet control messaging protocol... and that means? actually, better yet, I'll do some research and hopefully find out for myself.

It would be nice if there was a FAQ or something out there with listing of firewall responses to attempts just to make deciphering easier.

I've got a watchguard soho behind a wide open verizon router.

thanks for any info,
JT

 

[Splixx]

What do TCP SYN mean?
* Syn is part of the TCP Syn/Ack handshake. I remember learning about it in school. The real important part is that someone can "Syn flood" your server in a Denial of Service attack. That is probably why its logged.

How about ICMP?
* ICMP is basicly ping and traceroute. They are used for troubleshooting. Some firewalls block ICMP because hackers can use the protocalls to locate your network and find holes. Also ICMP packets can be tampered with my hackers so that they can skirt past your normal security.

or RST?

Not sure exactly what RST was. Back when I was new to tech stuff i used to visit this site alot -

http://whatis.techtarget.com/

Use it for all the weird acronymns you hear. Good luck and I hope you can learn, well.

 

[jutetrea]

Thanks both for the info and the link. The link looks promising for quick answers on definitions.

One thing I wasn't able to figure out when looking it up...

ICMP (3) code (13)
From what I gathered from a quick look was that its essentially a message being sent that something i sent out was rejected due to administrative restrictions.

I don't know if that means I have a trojan on the network spitting stuff out, but I have no idea on how to track it or even to correlate it with items going out.

well, nix that, i could probably just start tracking all outbound traffic and try to correlate and/or shut down outgoing services as well.

Anyway, does anyone know a way to shut down receiving icmp messages if the router is a dinky watchguard soho that has no options for it?

thanks again
jt

 

[rvhalejr]

Morph from "Newbie" to "Expert" by submitting your log
files to Dshield in tag delimited format (which you can
cut and paste in Excel for analysis).

100 port probes per day is the average on my netgear
router (looks like yours), its good to review the probes
from various angles (souce port, target port, etc.).

Best practice is to identify the most common type of
port probe (three or more) and then determine if your
security setup is hardened enough.

Your post came to my attention beacuse attacks on
port 12596 are gaining some momentum:

http://isc.incidents.org/port_details.php?port=12596

The hardest thing about submitting the netgear script
is formatting it first, I have a Bash script I run
under cygwin on a windows 2000 machine. Any scpriting
language should work (Perl, Python, etc.).

#!/usr/bin/bash
#
# Script : netgear-to-dshield
# Purpose: Windows (and Linux) DShield formatting script for
# Netgear Router log files.
#
# Run this script in a Cygwin[1] window where the Netgear[2]
# router logfile resides. See "User Setup"[3] for more details.
#
# Useage:
# - Rename the netgear router log file emailed to you, Example:
# NetGearLog-010104.txt (for a log file produced on 1/1/04)
#
# - Run this script in a cygwin window, Example:
#
# $ netgear-to-dshield NetGearLog-010104.txt<cr>
#
# - Open the output file dshield.txt in notepad (to preserve format
# during cut-and-paste under windows)
#
# - Sellect all from dshield.txt file (copy from notepad with mouse)
# and paste submission via web browser at
#
#

http://www.dshield.org/report.php

#
if [ ! -f "$1" ]
then
echo "Useage: $ netgear-to-dshield NetGearLog.txt <cr>";
exit 1 # script stops here
echo -n "This should never print out !!! "
fi
#
mv dshield.txt dshield.old
fgrep "Susp" $1 | gawk '{ printf("%s ",$2)
printf("%s ",$3)
printf("%s ","-08:00")
printf("%c%d","\011","YOUR_ID_NUMBER")
printf("%c%d","\011","1")
printf("%c%s","\011",$9)
printf("%c%d","\011",$10)
printf("%c%s","\011",$13)
printf("%c%d","\011",$14)
printf("%c%s","\011","TCP")
printf("\n") }' | sed 's/Source:/ /' | sed 's/Destination:/ /' | sed 's/,/ /g' | sed 's*/*-*g' | sort -k 9 >> dshield.txt
#
# The tab delimited format is hard to read in windowz textedit but can
# be easily examined and manipulated by cutting and pasting into excel.
#
# Occasionally it is a good idea to cheack a record or to in the test
# parser at

http://www.dshield.org/testparser.php

#
# [1] (Cygwin available for free at at

http://sources.redhat.com/cygwin/)

# Copy this script to a file called netgear-to-dshield , Place Netgear
# router log in the same directory in a file called NetGearLog-File.txt
#
# [2] Netgear Business VPN/NAT/SPI FVS318 (8Port $150 New) or
# Netgear Personnal NAT/SPI RP614NAR ($25 on ebay refurbished) router
#
# [3] User Setup:
# "-8:00" should be changed if you are not on Pacific Coast TIme
# "70784385" should be changed to your Dshield user id number
#
# ################################################################
echo "Check dshield.txt for Output";
cat dshield.txt;
exit 0

 

[rvhalejr]

Step II - Morphing from "Newbie" to "Expert".

"Anyway, does anyone know a way to shut down receiving
icmp messages if the router is a dinky watchguard soho
that has no options for it?"

Never dis-respect a soho NAT/SPI router, Cisco or
Super Metropolitan Area Router [SuperMAN(c)] that
uses a Linux Super Cluster for the heavy lifting.

They all have thier place in the scheme of things.

Besides the NETGEAR (Commodity Asic) hardware router
its prudent to use a software router like the Sygate
Personnal Firewall.

This software asks permission for anything trying
to access a remote node.

Other Firewalls were evaluated and were found to
create large headaches.

CPU Useage (Task Manager) and Net.medic are used
to display health and status, egress and ingress
(on all 8 virtual terminals).

Strangely, the last other step that needs to be
taken has been around for at least 20years.

Your System Admin account (elevated priv) should
not be used for email and web browsing, only
installing software,setting up accounts, reviewing
security logs and such.

Your User Accounts can be used for email and web
browsing, but NOT for installing software and/or
editing the registry or system files.

Typical Security mitigation such as renaming
the Admin accounts, using passwords 16chars long
min and lockout interval after 8 login attempts
should be in force.

Unfortunately, much Windoz "software" is written
with the need to be run with elevated privs. This
type of application can be run from a User account
by setting the acl file and object hierarchies
correctly. But be Absolutely Certain that you can
*TRUST* the application because it will be running
with Admin Priv in an unsecure (user) environment.

If you have everything else up (anti-virus, system
backups, etc.) in place your network will be almost
impenetrable and if damage is done it will most
most likely be at the user level and much eaiser
to recover from.