Probes of IP addresses are VERY common. The purpose is to find active
hosts with open ports that can be exploited. If your router logged and
rejected the probe then you are all set; there is nothing you need to
do. As you said, it's a break-in attempt and only an attempt so there
is no need to worry. It's the ones that are not logged that are the
ones to worry about. You should check your access logs on your hosts
to be sure only those hosts you authorized are accessing the servers
and that the accesses are for legitimate purposes.

Good firewall management comes with the territory. Open only the ports
you need and only from the hosts you support. Secondary firewalls on
the hosts on the LAN side are also a good idea (e.g., Linux iptables,
Windows Advanced Firewall). These should be configured and active to
block unnecessary ports and to log both successful and unsuccessful
attempts, and you should check those logs at least once a week.

This is only a sketch of the general policy of firewall management, but
I thought it needed to be said here. Log inspection will guide you and
your experience will teach you the posture you must take regarding
threats, but know that the threat is always there and is part of the
noise level a public-facing router/firewall must deal with every
minute of every day.
--
Geoff Joy - ke6qh -
AmprNet IP Address Coordinator for San Bernardino & Riverside Counties.
(44.18/16)
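
One way to do the weekly log check described above, as an added example that is not part of the original message: it reads iptables LOG lines, counts rejected probes per source, and flags accepted connections whose source is not on an allowlist. The `FW-ACCEPT: ` / `FW-DROP: ` log prefixes, the `AUTHORIZED` list and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the hosts you intentionally serve; replace with your own list.
AUTHORIZED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.10/32")]

# Constructed sample of kernel log lines written by iptables LOG rules that
# are assumed to use --log-prefix "FW-ACCEPT: " and "FW-DROP: ".
SAMPLE = """\
Mar  3 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51234 DPT=23 SYN
Mar  3 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  3 10:16:40 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:17:05 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40100 DPT=22 SYN
Mar  3 10:18:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
""".splitlines()

def parse(line):
    """Return (verdict, src, proto, dport) for a firewall log line, else None."""
    m = re.search(r"FW-(ACCEPT|DROP): ", line)
    if not m:
        return None
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line[m.end():]))
    if "SRC" not in fields:
        return None
    # ICMP entries carry no destination port, so DPT falls back to "-".
    return m.group(1), fields["SRC"], fields.get("PROTO", "?"), fields.get("DPT", "-")

def is_authorized(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never treated as authorized
    return any(addr in net for net in AUTHORIZED)

def review(lines):
    unexpected = Counter()  # accepted traffic from hosts not on the allowlist
    probes = Counter()      # rejected attempts, counted per source
    for rec in filter(None, map(parse, lines)):
        verdict, src, proto, dpt = rec
        if verdict == "DROP":
            probes[src] += 1
        elif not is_authorized(src):
            unexpected[(src, proto, dpt)] += 1
    return unexpected, probes

if __name__ == "__main__":
    unexpected, probes = review(SAMPLE)
    for (src, proto, dpt), n in unexpected.items():
        print(f"REVIEW: accepted {n}x from unlisted {src} to {proto}/{dpt}")
    for src, n in probes.most_common():
        print(f"dropped {n}x from {src}")
```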