Lots of activity on my router's log

trick0502 (Supreme [H]ardness, joined Apr 17, 2006, 5,563 messages)
Is this normal? My WHS gets hits all day long!! Is this something I should be worried about?

Log file from my router:
[LAN access from remote] from 119.192.182.24:8527 to 10.0.0.3:443, Thursday, September 06,2012 18:56:34
[LAN access from remote] from 119.192.182.24:8526 to 10.0.0.3:443, Thursday, September 06,2012 18:56:34
[LAN access from remote] from 119.192.182.24:8522 to 10.0.0.3:80, Thursday, September 06,2012 18:56:34
[LAN access from remote] from 119.192.182.24:8521 to 10.0.0.3:80, Thursday, September 06,2012 18:56:34
[LAN access from remote] from 119.192.182.24:8501 to 10.0.0.3:443, Thursday, September 06,2012 18:56:33
[LAN access from remote] from 119.192.182.24:8499 to 10.0.0.3:443, Thursday, September 06,2012 18:56:33
[LAN access from remote] from 119.192.182.24:8490 to 10.0.0.3:80, Thursday, September 06,2012 18:56:32
[LAN access from remote] from 119.192.182.24:8486 to 10.0.0.3:80, Thursday, September 06,2012 18:56:32
[LAN access from remote] from 124.166.241.35:29711 to 10.0.0.3:21, Thursday, September 06,2012 18:44:22
[LAN access from remote] from 124.166.241.35:29218 to 10.0.0.3:3389, Thursday, September 06,2012 18:44:21
[LAN access from remote] from 119.192.182.24:6176 to 10.0.0.3:443, Thursday, September 06,2012 18:41:51
[LAN access from remote] from 119.192.182.24:6172 to 10.0.0.3:80, Thursday, September 06,2012 18:41:51
[LAN access from remote] from 119.192.182.24:6162 to 10.0.0.3:443, Thursday, September 06,2012 18:41:50
[LAN access from remote] from 119.192.182.24:6138 to 10.0.0.3:80, Thursday, September 06,2012 18:41:49
[LAN access from remote] from 119.192.182.24:3908 to 10.0.0.3:443, Thursday, September 06,2012 18:27:10
[LAN access from remote] from 119.192.182.24:3904 to 10.0.0.3:80, Thursday, September 06,2012 18:27:09
[LAN access from remote] from 119.192.182.24:3882 to 10.0.0.3:443, Thursday, September 06,2012 18:27:08
[LAN access from remote] from 119.192.182.24:3873 to 10.0.0.3:80, Thursday, September 06,2012 18:27:08
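An added Python example (not from this thread) that parses the router log format above and summarizes which remote hosts touched which services, so entries like the FTP/RDP pair stand out from plain web hits. The sample lines are copied from the posted log; the port-to-service table and the choice of 21/22/3389 as "admin" ports are assumptions.

```python
import re
from collections import Counter, defaultdict

# Line format used by the router in the thread:
# [LAN access from remote] from SRC:SPORT to DST:DPORT, <date and time>
LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$"
)

# Assumed labels for the ports seen in the log; anything else is shown numerically.
SERVICES = {21: "ftp", 22: "ssh", 80: "http", 443: "https", 3389: "rdp"}
# Assumed set of remote-administration ports worth a closer look than web traffic.
ADMIN_PORTS = {21, 22, 3389}

# Six lines copied from the log posted above.
SAMPLE_LOG = """\
[LAN access from remote] from 119.192.182.24:8527 to 10.0.0.3:443, Thursday, September 06,2012 18:56:34
[LAN access from remote] from 119.192.182.24:8522 to 10.0.0.3:80, Thursday, September 06,2012 18:56:34
[LAN access from remote] from 124.166.241.35:29711 to 10.0.0.3:21, Thursday, September 06,2012 18:44:22
[LAN access from remote] from 124.166.241.35:29218 to 10.0.0.3:3389, Thursday, September 06,2012 18:44:21
[LAN access from remote] from 119.192.182.24:6176 to 10.0.0.3:443, Thursday, September 06,2012 18:41:51
[LAN access from remote] from 119.192.182.24:3904 to 10.0.0.3:80, Thursday, September 06,2012 18:27:09
"""

def parse(log_text):
    """Yield (src_ip, dst_ip, dst_port) for each line matching the router format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def summarize(log_text):
    """Per source IP: number of hits and the sorted list of services it touched."""
    hits, ports = Counter(), defaultdict(set)
    for src, _dst, dport in parse(log_text):
        hits[src] += 1
        ports[src].add(dport)
    return {src: {"hits": n, "services": sorted(SERVICES.get(p, str(p)) for p in ports[src])}
            for src, n in hits.items()}

def flag_admin_probes(summary):
    """Sources that touched an admin port (FTP/SSH/RDP) rather than only the web ports."""
    admin_names = {SERVICES[p] for p in ADMIN_PORTS}
    return sorted(src for src, info in summary.items() if admin_names & set(info["services"]))

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, info in sorted(s.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{src:16} {info['hits']:3} hits  {', '.join(info['services'])}")
    print("sources hitting admin ports:", flag_admin_probes(s))
```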
 
That's life on the internet. Always somebody ***cough*** China ***cough*** Russia, etc. knocking on your door. Forward other popular ports like those for mail, SSH, FTP and watch those get hammered on too.
 
Should I be worried or do something to WHS to prevent break-ins? I only have 2 accounts on the server and both have complex passwords.
 
If you're worried, check the logs on WHS, see if there are any login attempts. But like Ehren said, that is typically just how it is when connected to the internet. I'm assuming your ISP is assigning you a dynamic IP address?
 
Do you need to have your whs box exposed to the Internet? You could always just close those ports.
 
They say it is dynamic but it hasn't changed in 2+ years. I'll check the logs.

Well, it looks like by default it doesn't log login failures and successes. I turned that on, so I'll sit back and see.

Either I missed all the failed login attempts or they showed up when I changed the GP, but there are tons of them. Note to everyone out there: do not use user, user1, user2, user3, user4, or admin as a username. About 95% of the failed attempts were those usernames. Also, I disabled the built-in administrator account (there were a few attempts at that one) and created a new admin account, and I didn't name it admin.
 
With it exposed to the internet I can access all of my data and RDP to all of the PCs on my network.

As long as you're exposed you're gonna run that risk, no way to avoid that w/o IP blacklisting on the router's side. Restricting access to just US-based (or whatever your home country is) should help mitigate most of the attacks.

Just make sure your password is really strong and that you're up to date on all of your patches and you should be fine.
 
That mainly depends on your router more so than anything. What kind of router are you working with?
 
Looking at the log, those are mainly web requests, both HTTP and HTTPS. There is one each of FTP and RDP as well. If you don't need FTP or RDP open I would close those ports.

If they are hitting the web page and it doesn't require a login you won't see any login attempts. If it does require a login the logs won't be in the event logs but will be in the IIS logs instead. Usually this is c:\windows\system32\Logfiles\smtpxxxx\.

I really don't see much to get excited about unless you can pair those entries with login attempts; then sure, get excited about it.
 
We should do a thread: POST your attack log. The one thing I love about Sonicwall (or maybe others) is COUNTRY BLOCKING !! I blocked all countries except US & Canada & put in a few rules for UK...
 
The web page has a login and there have been hundreds of failed login attempts. The FTP and RDP ports are open because they are used.

I wish I could block countries, but my router doesn't have that feature.

A post in a thread like that would be real long!! I used to work in a community college and they would get about 30 pages of attacks a minute.
 
Since you can't block countries, there really isn't anything more you can do. You can try your hand at setting up a VPN, which would decrease your attack surface. You could also change the port that your webserver uses (on the router's side) to something random to make it more difficult for an automated scanner to guess it.
 
If you can, think about it in reverse and only allow a few IPs that you typically connect from. You can always add the range for your cell provider and use that in a pinch to RDP in and open to other IPs if you happen to be connecting from a non-typical connection.

Other than that: patch and monitor. You can always set up a VPN to harden your exposure.
 
Build a firewall, install VPN, done and secure. I'm sure pfSense and others can be set up to block IPs that scan or do other malicious stuff.
 
Although security through obscurity is never a valid solution one thing that I do on my home network is forward a random port to RDP to an external server. I also lock down just who can access RDP services from the WAN via an ACL.

Of course in a production environment everything would also be behind a nice high-end firewall.

Code:
280 permit tcp %ALLOWED IP% host %WAN INT IP% eq %RANDOM PORT%

ip nat inside source static tcp %INTERNAL SERVER IP% 3389 %WAN INT IP% %RANDOM PORT% extendable
 
So I decided to block IPs on the server's firewall. Anyone know where I can find IPs by country? I think I am going to block all except the USA IP range (if that is possible).

If I do:
allow 10.0.0.1-10.0.0.255 (local range)
allow x.x.x.x (my local IP)
allow x.x.x.x (my work IP)
deny 1.0.0.1-255.255.255.255 (everyone else)

That will block everyone but the IPs I assigned allows to?

Well, it looks like that didn't work! I blocked myself! Do I have to block 1.0.0.1 up to my IP, then allow my IP, then continue the block?

I need to hook up a monitor to the server now to change it.
 
So I got the firewall set to block everything but the ips I need, but it doesn't seem to be working. Do I need to do something differently?

I am running a block ip scope, blocking all ips except the ones I need.
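An added Python example (not from this thread) that evaluates the posted allow/allow/allow/deny rule set under two different firewall semantics, to show why the poster locked himself out in the two posts above. It assumes the "server's firewall" is the Windows Firewall on WHS, where a matching block rule overrides a matching allow rule regardless of order and unmatched inbound traffic falls to the default block; the two trusted addresses are constructed placeholders for the x.x.x.x values in the post.

```python
import ipaddress

# Rule set as posted: allow the LAN, allow two trusted hosts, then deny everyone else.
# 203.0.113.10 and 198.51.100.25 are constructed stand-ins for the poster's "my IP" / "work IP".
RULES = [
    ("allow", "10.0.0.1", "10.0.0.255"),          # local range
    ("allow", "203.0.113.10", "203.0.113.10"),    # placeholder: home IP
    ("allow", "198.51.100.25", "198.51.100.25"),  # placeholder: work IP
    ("deny", "1.0.0.1", "255.255.255.255"),       # everyone else (also covers the allowed IPs!)
]

def _in_range(ip, lo, hi):
    a = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(lo) <= a <= ipaddress.IPv4Address(hi)

def first_match(ip, rules):
    """Router/ACL style: rules are walked in order and the first match decides."""
    for action, lo, hi in rules:
        if _in_range(ip, lo, hi):
            return action
    return "deny"  # implicit default at the end of an ordered list

def block_wins(ip, rules):
    """Windows Firewall style (assumed for WHS): every matching rule is collected, any
    matching block beats any matching allow, and with no match the default inbound block applies."""
    matched = {action for action, lo, hi in rules if _in_range(ip, lo, hi)}
    if "deny" in matched:
        return "deny"
    return "allow" if "allow" in matched else "deny"

def lockout_report(ip, rules):
    """Same rule set, read by both evaluation models."""
    return {"first_match": first_match(ip, rules), "block_wins": block_wins(ip, rules)}

# Fix for a block-wins firewall: keep only the scoped allow rules and let the default
# inbound block handle everyone else, instead of writing an explicit deny-all rule.
FIXED_RULES = [r for r in RULES if r[0] == "allow"]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "10.0.0.50", "119.192.182.24"):
        print(ip, lockout_report(ip, RULES), "after fix:", block_wins(ip, FIXED_RULES))
```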
 