Good day everyone, last Wednesday the topic of UPnP, scanner bots and open ports on home routers came up: I would like to share what I discover every time I check the GENERAL LOG on my router.

A series of phenomena come knocking at the WAN port:
- PORT SCAN: every now and then a warning message shows up about a multiple scan of the WAN port
- DOS: attacks on countless ports are more and more frequent, up to 5-6 at the same time per second, which makes me suspect that the slowness of the router (200 MHz) may be a limit (causing the event to be dropped)
- VPN PPTP: over the years almost always from the same address pools, as if there were some misconfigured automatic system that every so often tries to reconnect to my address

I do not think the list is exhaustive, because many phenomena could remain hidden, especially attacks directed at the ports and UPnP services that open an outbound path on their own without leaving a trace in the LOG. Among these there could be all the POP3 and SMTP services, the various chat clients, the updaters, the VPN sessions.

To see some of these phenomena, one could put any sacrificial device in the DMZ and enable the full LOG on that internal address: apart from the extra load on the router, one would really discover quite a few unimaginable phenomena.

So I think it is becoming more and more important to have systems that are up to date and not full of holes, or alternatively one could stay on MAN networks, such as Vodafone, Fastweb and the like, where all in all the architecture often provides an internal filter (but not always, and perhaps by now in steady decline).

What do you think?

Sat, 2000-01-01 01:00:22 - Administrator login successful - IP:192.168.X.Y
Sat, 2000-01-01 01:01:02 - Initialize LCP.
Sat, 2000-01-01 01:01:03 - LCP is allowed to come up.
Sat, 2000-01-01 01:01:03 - PAP authentication success
Sat, 2000-01-01 01:01:09 - Send out NTP request to 194.116.87.4
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,44767 Destination:79.21.162.146,3128 - [DOS]
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,42073 Destination:79.21.162.146,10000 - [DOS]
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,36947 Destination:79.21.162.146,3128 - [DOS]
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,41649 Destination:79.21.162.146,80 - [DOS]
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,49475 Destination:79.21.162.146,33002 - [DOS]
Sat, 2000-01-01 01:01:27 - TCP Packet - Source:173.230.128.213,45265 Destination:79.21.162.146,45554 - [DOS]
Sat, 2000-01-01 01:01:27 - TCP Packet - Source:173.230.128.213,53449 Destination:79.21.162.146,8000 - [DOS]
Sat, 2000-01-01 01:01:27 - TCP Packet - Source:173.230.128.213,55459 Destination:79.21.162.146,8123 - [DOS]
Sat, 2000-01-01 01:01:27 - TCP Packet - Source:173.230.128.213,58525 Destination:79.21.162.146,6588 - [DOS]
Sat, 2000-01-01 01:01:27 - TCP Packet - Source:173.230.128.213,44767 Destination:79.21.162.146,3128 - [DOS]
Sat, 2000-01-01 01:01:30 - TCP Packet - Source:173.230.128.213,39301 Destination:79.21.162.146,34002 - [DOS]
Sat, 2000-01-01 01:01:30 - TCP Packet - Source:173.230.128.213,46329 Destination:79.21.162.146,9001 - [DOS]
Sat, 2000-01-01 01:01:30 - TCP Packet - Source:173.230.128.213,58525 Destination:79.21.162.146,6588 - [DOS]
Sat, 2000-01-01 01:01:30 - TCP Packet - Source:173.230.128.213,55459 Destination:79.21.162.146,8123 - [DOS]
Sat, 2000-01-01 01:01:30 - TCP Packet - Source:173.230.128.213,51409 Destination:79.21.162.146,8080 - [DOS]
Sat, 2000-01-01 01:01:34 - TCP Packet - Source:173.230.128.213,39301 Destination:79.21.162.146,34002 - [DOS]
Sat, 2000-01-01 01:01:34 - TCP Packet - Source:173.230.128.213,36607 Destination:79.21.162.146,8290 - [DOS]
Sat, 2000-01-01 01:01:34 - TCP Packet - Source:173.230.128.213,46329 Destination:79.21.162.146,9001 - [DOS]
Sat, 2000-01-01 01:01:34 - TCP Packet - Source:173.230.128.213,56399 Destination:79.21.162.146,45554 - [DOS]
Sat, 2000-01-01 01:01:34 - TCP Packet - Source:173.230.128.213,36947 Destination:79.21.162.146,3128 - [DOS]
Sat, 2000-01-01 01:01:42 - TCP Packet - Source:173.230.128.213,46329 Destination:79.21.162.146,9001 - [DOS]
Sat, 2000-01-01 01:01:42 - TCP Packet - Source:173.230.128.213,39301 Destination:79.21.162.146,34002 - [DOS]
Sat, 2000-01-01 01:01:42 - TCP Packet - Source:173.230.128.213,50235 Destination:79.21.162.146,64101 - [DOS]
Sat, 2000-01-01 01:01:42 - TCP Packet - Source:173.230.128.213,53449 Destination:79.21.162.146,8000 - [DOS]
Sat, 2000-01-01 01:01:42 - TCP Packet - Source:173.230.128.213,58525 Destination:79.21.162.146,6588 - [DOS]
Sat, 2000-01-01 01:01:59 - TCP Packet - Source:173.230.128.213,39301 Destination:79.21.162.146,34002 - [DOS]
Sat, 2000-01-01 01:01:59 - TCP Packet - Source:173.230.128.213,36607 Destination:79.21.162.146,8290 - [DOS]
Sat, 2000-01-01 01:01:59 - TCP Packet - Source:173.230.128.213,56399 Destination:79.21.162.146,45554 - [DOS]
Sat, 2000-01-01 01:01:59 - TCP Packet - Source:173.230.128.213,46329 Destination:79.21.162.146,9001 - [DOS]
Sat, 2000-01-01 01:01:59 - TCP Packet - Source:173.230.128.213,36947 Destination:79.21.162.146,3128 - [DOS]
Sat, 2000-01-01 01:02:15 - <DDNS>Update OK: good
Sat, 2000-01-01 01:02:31 - Send out NTP request to time-g.netgear.com
Tue, 2017-01-17 21:38:01 - Receive NTP Reply from time-g.netgear.com
Tue, 2017-01-17 21:43:12 - TCP Packet - Source:173.230.128.213,54857 Destination:79.21.162.146,34002 - [DOS]
Tue, 2017-01-17 21:43:12 - TCP Packet - Source:173.230.128.213,60495 Destination:79.21.162.146,60088 - [DOS]
Tue, 2017-01-17 21:43:12 - TCP Packet - Source:173.230.128.213,33329 Destination:79.21.162.146,8000 - [DOS]
Tue, 2017-01-17 21:43:12 - TCP Packet - Source:173.230.128.213,41099 Destination:79.21.162.146,80 - [DOS]
Tue, 2017-01-17 21:43:12 - TCP Packet - Source:173.230.128.213,52569 Destination:79.21.162.146,8291 - [DOS]
Tue, 2017-01-17 21:43:13 - TCP Packet - Source:173.230.128.213,41771 Destination:192.168.86.254,80 - [DOS]
Tue, 2017-01-17 21:43:13 - TCP Packet - Source:173.230.128.213,49067 Destination:79.21.162.146,8123 - [DOS]
Tue, 2017-01-17 21:43:13 - TCP Packet - Source:173.230.128.213,47575 Destination:79.21.162.146,8118 - [DOS]
Tue, 2017-01-17 21:43:14 - TCP Packet - Source:173.230.128.213,45073 Destination:79.21.162.146,8118 - [DOS]
Tue, 2017-01-17 21:43:14 - TCP Packet - Source:173.230.128.213,49461 Destination:79.21.162.146,6588 - [DOS]
Tue, 2017-01-17 21:43:16 - TCP Packet - Source:173.230.128.213,58419 Destination:79.21.162.146,9001 - [DOS]
Tue, 2017-01-17 21:43:16 - TCP Packet - Source:173.230.128.213,50697 Destination:79.21.162.146,8080 - [DOS]
Tue, 2017-01-17 21:43:16 - TCP Packet - Source:173.230.128.213,52569 Destination:79.21.162.146,8291 - [DOS]
Tue, 2017-01-17 21:43:16 - TCP Packet - Source:173.230.128.213,43347 Destination:79.21.162.146,8080 - [DOS]
Tue, 2017-01-17 21:43:16 - TCP Packet - Source:173.230.128.213,60495 Destination:79.21.162.146,60088 - [DOS]
Tue, 2017-01-17 21:43:20 - TCP Packet - Source:173.230.128.213,52569 Destination:79.21.162.146,8291 - [DOS]
Tue, 2017-01-17 21:43:20 - TCP Packet - Source:173.230.128.213,49461 Destination:79.21.162.146,6588 - [DOS]
Tue, 2017-01-17 21:43:20 - TCP Packet - Source:173.230.128.213,58815 Destination:79.21.162.146,9001 - [DOS]
Tue, 2017-01-17 21:43:20 - TCP Packet - Source:173.230.128.213,43347 Destination:79.21.162.146,8080 - [DOS]
Tue, 2017-01-17 21:43:20 - TCP Packet - Source:173.230.128.213,38299 Destination:79.21.162.146,5521 - [DOS]
Tue, 2017-01-17 21:43:28 - TCP Packet - Source:173.230.128.213,58419 Destination:79.21.162.146,9001 - [DOS]
Tue, 2017-01-17 21:43:28 - TCP Packet - Source:173.230.128.213,50697 Destination:79.21.162.146,8080 - [DOS]
Tue, 2017-01-17 21:43:28 - TCP Packet - Source:173.230.128.213,52569 Destination:79.21.162.146,8291 - [DOS]
Tue, 2017-01-17 21:43:28 - TCP Packet - Source:173.230.128.213,43347 Destination:79.21.162.146,8080 - [DOS]
Tue, 2017-01-17 21:43:28 - TCP Packet - Source:173.230.128.213,60495 Destination:79.21.162.146,60088 - [DOS]
Tue, 2017-01-17 21:43:44 - TCP Packet - Source:173.230.128.213,38299 Destination:79.21.162.146,5521 - [DOS]
Tue, 2017-01-17 21:43:44 - TCP Packet - Source:173.230.128.213,49461 Destination:79.21.162.146,6588 - [DOS]
Tue, 2017-01-17 21:43:44 - TCP Packet - Source:173.230.128.213,58815 Destination:79.21.162.146,9001 - [DOS]
Tue, 2017-01-17 21:43:44 - TCP Packet - Source:173.230.128.213,43347 Destination:79.21.162.146,8080 - [DOS]
Tue, 2017-01-17 21:43:44 - TCP Packet - Source:173.230.128.213,52569 Destination:79.21.162.146,8291 - [DOS]
Tue, 2017-01-17 22:35:29 - Router start up
Wed, 2017-01-18 06:32:28 - TCP Packet - Source:176.58.124.35,56346 Destination:79.21.162.146,1723 - [VPN-PPTP rule match]
Wed, 2017-01-18 12:00:00 - <DDNS>Update OK: good
Wed, 2017-01-18 14:37:48 - TCP Packet - Source:67.205.141.62,51708 Destination:79.21.162.146,1723 - [VPN-PPTP rule match]
Thu, 2017-01-19 08:22:49 - Administrator login successful - IP:192.168.X.Y
Thu, 2017-01-19 15:06:47 - LCP down.
Thu, 2017-01-19 15:06:55 - Initialize LCP.
Thu, 2017-01-19 15:06:55 - LCP is allowed to come up.
Thu, 2017-01-19 15:06:56 - PAP authentication success
Thu, 2017-01-19 15:07:15 - <DDNS>Update OK: good
Fri, 2017-01-20 19:38:02 - Send out NTP request to 194.116.87.4
Fri, 2017-01-20 19:39:04 - Send out NTP request to time-g.netgear.com
Fri, 2017-01-20 19:40:38 - Send out NTP request to 194.116.87.4
Fri, 2017-01-20 19:43:16 - Send out NTP request to time-g.netgear.com
Fri, 2017-01-20 19:48:02 - Send out NTP request to 194.116.87.4
Fri, 2017-01-20 19:57:04 - Send out NTP request to time-g.netgear.com
Fri, 2017-01-20 20:14:38 - Send out NTP request to 194.116.87.4
Fri, 2017-01-20 20:49:16 - Send out NTP request to time-g.netgear.com
Fri, 2017-01-20 21:58:02 - Send out NTP request to 194.116.87.4
Sat, 2017-01-21 00:15:04 - Send out NTP request to time-g.netgear.com
Sat, 2017-01-21 04:00:54 - UDP Packet - Source:188.138.41.32,6185 Destination:80.104.95.151,5066 - [DOS]
Sat, 2017-01-21 04:00:54 - UDP Packet - Source:188.138.41.32,6185 Destination:80.104.95.151,5080 - [DOS]
Sat, 2017-01-21 04:00:54 - UDP Packet - Source:188.138.41.32,6185 Destination:80.104.95.151,1025 - [DOS]
Sat, 2017-01-21 04:00:54 - UDP Packet - Source:188.138.41.32,6185 Destination:80.104.95.151,5070 - [DOS]
Sat, 2017-01-21 04:48:38 - Send out NTP request to 194.116.87.4
Sat, 2017-01-21 13:55:17 - Send out NTP request to time-g.netgear.com
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239,5729 Destination:80.104.95.151,5080 - [DOS]
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239,5729 Destination:80.104.95.151,5081 - [DOS]
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239,5729 Destination:80.104.95.151,5082 - [DOS]
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239,5729 Destination:80.104.95.151,5083 - [DOS]
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239,5729 Destination:80.104.95.151,5084 - [DOS]
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239 Destination:80.104.95.151 - [PORT SCAN]
Sun, 2017-01-22 02:03:40 - UDP Packet - Source:173.212.216.99,5358 Destination:80.104.95.151,1043 - [DOS]
Sun, 2017-01-22 08:08:03 - Send out NTP request to 194.116.87.4
Sun, 2017-01-22 16:53:55 - UDP Packet - Source:80.241.213.107,5284 Destination:80.104.95.151,1044 - [DOS]
Sun, 2017-01-22 16:53:55 - UDP Packet - Source:80.241.213.107,5284 Destination:80.104.95.151,1053 - [DOS]
Sun, 2017-01-22 16:53:55 - UDP Packet - Source:80.241.213.107,5284 Destination:80.104.95.151,1054 - [DOS]
Sun, 2017-01-22 16:53:55 - UDP Packet - Source:80.241.213.107,5284 Destination:80.104.95.151,1056 - [DOS]
Mon, 2017-01-23 20:33:05 - Send out NTP request to 194.116.87.4
Mon, 2017-01-23 20:34:25 - Send out NTP request to time-g.netgear.com
Mon, 2017-01-23 20:36:35 - Send out NTP request to 194.116.87.4
Mon, 2017-01-23 20:40:25 - Send out NTP request to time-g.netgear.com
Mon, 2017-01-23 20:47:35 - Send out NTP request to 194.116.87.4
Mon, 2017-01-23 21:01:25 - Send out NTP request to time-g.netgear.com
Mon, 2017-01-23 21:28:35 - Send out NTP request to 194.116.87.4
Mon, 2017-01-23 21:32:22 - UDP Packet - Source:80.241.213.107,5179 Destination:80.104.95.151,5060 - [DOS]
Mon, 2017-01-23 21:32:22 - UDP Packet - Source:80.241.213.107,5179 Destination:80.104.95.151,5550 - [DOS]
Mon, 2017-01-23 22:22:25 - Send out NTP request to time-g.netgear.com
Mon, 2017-01-23 23:02:56 - UDP Packet - Source:80.241.213.107,5868 Destination:80.104.95.151,5056 - [DOS]
Mon, 2017-01-23 23:02:56 - UDP Packet - Source:80.241.213.107,5868 Destination:80.104.95.151,5060 - [DOS]
Tue, 2017-01-24 00:09:35 - Send out NTP request to 194.116.87.4
Tue, 2017-01-24 02:25:32 - UDP Packet - Source:173.242.127.147,5066 Destination:80.104.95.151,6061 - [DOS]
Tue, 2017-01-24 02:25:32 - UDP Packet - Source:173.242.127.147,5066 Destination:80.104.95.151,6050 - [DOS]
Tue, 2017-01-24 02:25:32 - UDP Packet - Source:173.242.127.147,5066 Destination:80.104.95.151,6062 - [DOS]
Tue, 2017-01-24 03:43:25 - Send out NTP request to time-g.netgear.com
Tue, 2017-01-24 07:59:39 - UDP Packet - Source:89.163.224.248,5502 Destination:80.104.95.151,5082 - [DOS]
Tue, 2017-01-24 07:59:39 - UDP Packet - Source:89.163.224.248,5502 Destination:80.104.95.151,5081 - [DOS]
Tue, 2017-01-24 07:59:39 - UDP Packet - Source:89.163.224.248,5502 Destination:80.104.95.151,5080 - [DOS]
Tue, 2017-01-24 07:59:39 - UDP Packet - Source:89.163.224.248,5502 Destination:80.104.95.151,5090 - [DOS]
Tue, 2017-01-24 10:50:35 - Send out NTP request to 194.116.87.4
Tue, 2017-01-24 13:00:34 - TCP Packet - Source:68.64.168.186,59049 Destination:80.104.95.151,1723 - [VPN-PPTP rule match]
Tue, 2017-01-24 17:38:02 - TCP Packet - Source:68.64.168.186,55573 Destination:80.104.95.151,1723 - [VPN-PPTP rule match]
Tue, 2017-01-24 22:04:33 - Administrator remote login successful - IP:5.170.108.253
Tue, 2017-01-24 22:12:23 - Administrator remote login successful - IP:5.170.108.253
Wed, 2017-01-25 01:04:25 - Send out NTP request to time-g.netgear.com
Wed, 2017-01-25 17:27:52 - UDP Packet - Source:134.119.219.27,5323 Destination:80.104.95.151,8070 - [DOS]
Wed, 2017-01-25 17:27:52 - UDP Packet - Source:134.119.219.27,5323 Destination:80.104.95.151,6070 - [DOS]
Wed, 2017-01-25 17:27:52 - UDP Packet - Source:134.119.219.27,5323 Destination:80.104.95.151,5050 - [DOS]
Thu, 2017-01-26 05:31:35 - Send out NTP request to 194.116.87.4
Thu, 2017-01-26 06:41:31 - UDP Packet - Source:80.241.213.107,5323 Destination:80.104.95.151,5063 - [DOS]
Thu, 2017-01-26 06:41:31 - UDP Packet - Source:80.241.213.107,5323 Destination:80.104.95.151,5064 - [DOS]
Thu, 2017-01-26 06:41:31 - UDP Packet - Source:80.241.213.107,5323 Destination:80.104.95.151,1034 - [DOS]
Thu, 2017-01-26 06:41:31 - UDP Packet - Source:80.241.213.107,5323 Destination:80.104.95.151,5061 - [DOS]
Thu, 2017-01-26 06:41:31 - UDP Packet - Source:80.241.213.107,5323 Destination:80.104.95.151,1054 - [DOS]
Thu, 2017-01-26 10:37:26 - TCP Packet - Source:62.210.127.77 Destination:80.104.95.151 - [PORT SCAN]
Thu, 2017-01-26 10:37:27 - TCP Packet - Source:62.210.127.77,41021 Destination:80.104.95.151,21 - [DOS]
Thu, 2017-01-26 11:04:15 - UDP Packet - Source:134.119.219.27,5222 Destination:80.104.95.151,50605 - [DOS]
Thu, 2017-01-26 21:32:53 - TCP Packet - Source:122.224.153.109,63022 Destination:80.104.95.151,1723 - [VPN-PPTP rule match]
Fri, 2017-01-27 00:29:19 - TCP Packet - Source:5.30.34.61,20557 Destination:80.104.95.151,23 - [DOS]
Fri, 2017-01-27 22:29:23 - TCP Packet - Source:71.6.146.186,49760 Destination:80.104.95.151,1723 - [VPN-PPTP rule match]
Sat, 2017-01-28 13:47:35 - Administrator login successful - IP:192.168.X.Y

-- 
Wyz - Wlady
_______________________________________________
BrigX Linux Users Group
[email protected]
http://brigx.it/mailman/listinfo/ml_brigx.it
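The post reads the router's general log by eye and sorts the hits into PORT SCAN, DOS and VPN-PPTP buckets. The script below is an added example (not the poster's code, nor anything shipped by Netgear) that does the same triage mechanically over log lines in the format shown above: it parses the firewall entries, groups them by source address, reports how many hits each source managed within a single second and how many distinct destination ports it touched, and lists administrator logins that did not come from a private address. Two details are assumptions drawn only from the log in the post: that the year-2000 timestamps are the router's unset clock before its first NTP reply (so they are flagged rather than used for timing), and that the redacted "IP:192.168.X.Y" is a LAN login. The sample input is a handful of lines copied from the log above.

```python
"""Triage of a Netgear-style router general log (added example, not the poster's code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Firewall lines: "... - TCP Packet - Source:a.b.c.d,port Destination:w.x.y.z,port - [TAG]".
# The [PORT SCAN] variant carries no port numbers, so both ports are optional.
PACKET_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<src>[\d.]+)(?:,(?P<sport>\d+))? "
    r"Destination:(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? - \[(?P<tag>[^\]]+)\]$"
)
# "Administrator login successful" (LAN) / "Administrator remote login successful" (WAN).
LOGIN_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"Administrator (?P<remote>remote )?login successful - IP:(?P<ip>\S+)$"
)

# Sample input: lines copied from the log in the post above.
SAMPLE_LOG = """\
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,44767 Destination:79.21.162.146,3128 - [DOS]
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,42073 Destination:79.21.162.146,10000 - [DOS]
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,36947 Destination:79.21.162.146,3128 - [DOS]
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,41649 Destination:79.21.162.146,80 - [DOS]
Sat, 2000-01-01 01:01:26 - TCP Packet - Source:173.230.128.213,49475 Destination:79.21.162.146,33002 - [DOS]
Sat, 2000-01-01 01:01:27 - TCP Packet - Source:173.230.128.213,45265 Destination:79.21.162.146,45554 - [DOS]
Tue, 2017-01-17 21:38:01 - Receive NTP Reply from time-g.netgear.com
Wed, 2017-01-18 06:32:28 - TCP Packet - Source:176.58.124.35,56346 Destination:79.21.162.146,1723 - [VPN-PPTP rule match]
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239,5729 Destination:80.104.95.151,5080 - [DOS]
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239,5729 Destination:80.104.95.151,5081 - [DOS]
Sun, 2017-01-22 01:05:19 - UDP Packet - Source:134.119.216.239 Destination:80.104.95.151 - [PORT SCAN]
Tue, 2017-01-24 22:04:33 - Administrator remote login successful - IP:5.170.108.253
Sat, 2017-01-28 13:47:35 - Administrator login successful - IP:192.168.X.Y
"""


def parse_packet(line):
    """Return a dict for a firewall line, None for any other kind of log line."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return {
        "ts": ts,
        # Assumption taken from the log above: the router reports 2000-01-01
        # until its first NTP reply, so such timestamps are unusable for timing.
        "clock_synced": ts.year > 2000,
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
        "tag": m["tag"],
    }


def summarize_sources(lines):
    """Per source IP: hit count, tags seen, distinct destination ports, the peak
    number of hits inside any one second, and whether any hit had an unsynced clock."""
    per_src = {}
    per_second = defaultdict(int)  # (src, timestamp) -> hits within that second
    for line in lines:
        e = parse_packet(line)
        if e is None:
            continue
        s = per_src.setdefault(e["src"], {
            "hits": 0, "tags": set(), "dports": set(),
            "peak_per_second": 0, "unsynced_clock": False,
        })
        s["hits"] += 1
        s["tags"].add(e["tag"])
        if e["dport"] is not None:
            s["dports"].add(e["dport"])
        if not e["clock_synced"]:
            s["unsynced_clock"] = True
        key = (e["src"], e["ts"])
        per_second[key] += 1
        s["peak_per_second"] = max(s["peak_per_second"], per_second[key])
    return per_src


def remote_admin_logins(lines):
    """Administrator logins from a non-private address, as (timestamp, ip).
    The redacted 'IP:192.168.X.Y' does not parse as an address; it is treated
    as LAN unless the router itself labelled the login 'remote'."""
    found = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        try:
            if ipaddress.ip_address(m["ip"]).is_private:
                continue
        except ValueError:
            if not m["remote"]:
                continue
        found.append((m["ts"], m["ip"]))
    return found


if __name__ == "__main__":
    for src, s in summarize_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src:16} hits={s['hits']:3} peak/s={s['peak_per_second']} "
              f"ports={len(s['dports'])} tags={sorted(s['tags'])}"
              f"{'  (clock unsynced)' if s['unsynced_clock'] else ''}")
    for ts, ip in remote_admin_logins(SAMPLE_LOG.splitlines()):
        print(f"remote admin login {ts} from {ip}")
```

On the full log in the post the same grouping shows what the poster describes by eye: 173.230.128.213 alone accounts for the 5-per-second bursts across proxy-style ports (80, 3128, 8080, 8118, 8123, 9001), the UDP hits from the 80.241.213.107 and 134.119.x.x sources sit on the 5060-5090 SIP range, and 1723 appears only under the VPN-PPTP rule. The remote-login check is the part worth keeping in any such script: a WAN-side administrator login is either expected (the owner's own remote access) or the most important line in the file, and it is easy to miss in a wall of [DOS] entries.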
