Hey Ronen,
Unfortunately that is "normal" behaviour these days on the internet. Bots
scanning networks for ssh/telnet/sip to abuse and continue spreading.
It stops after a while from that particular IP when that IP gets blocked, but will then
continue from other IPs. That is how botnets work around firewalls: if one IP gets
blocked, they just retry from other hosts under their control.
It is best practice to firewall anything inbound that you don't need publicly
available from the internet.
Ruben - ON3RVH
> On 23 May 2017, at 07:24, R P <ronenp(a)hotmail.com> wrote:
>
> (Please trim inclusions from previous messages)
> _______________________________________________
> Hi
>
> I was "playing" with my AMPR Router yesterday
>
> I had an open user (on purpose) and saw that from that user a few IPs (not my ones)
> were logged in
>
> after some more research I discovered that this user was opening connections
> to other hosts ....
>
> That made me suspicious about what was going on ....
>
> I checked one of the IPs that was connected, and a reverse lookup showed
> customer.worldstream.nl coming in via SSH
>
> I understood something not good was happening; I closed this user and rebooted the router
> (to clear the connection)
>
> and then I started to get a lot of connections to port 22 on my router from that host
>
> I had to put a firewall rule (drop) for that address and destination port (22) (although
> I'm against firewalling)
>
> After less than 24 hours the traffic from that host stopped; the traffic (via UCSD,
> encapped) went down from 19 KBytes/sec to less than 1 KByte/sec
>
> Now, I know how to deal with the technical aspects (firewall etc.)
>
> What I do not understand is what the purpose is ... If it is a robot, what is the
> point of flooding SSH connections? Is it brute force, or anything else? And how come
> that after 24 hours it stopped? It is supposed to be an endless loop if it is an automated
> process
>
> Please enlighten me on that if you have more experience than me
>
>
> Currently the router is "quiet", without unwanted users logged in and
> unnecessary connections
>
> I see in the log, here and there, break-in attempts, mainly to ports 23, 22 and SIP, from
> various hosts, but it is a few per minute
>
> Regards
>
> Ronen - 4Z4ZQ
>
>
> http://www.ronen.org
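Ronen asks whether the flood on port 22 is brute force and Ruben's answer is that it is bots cycling through hosts. A quick way to see both facts in your own logs is to count failed SSH logins per source address and check whether the flagged sources are working through the same username list. The script below is an added example for this thread, not code posted by either author; it assumes OpenSSH "Failed password" lines in the usual auth.log format and runs over constructed sample lines (documentation-range addresses, invented usernames) embedded in the block.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (not from the thread).
# Two scanners (203.0.113.10 and 198.51.100.7) try the same dictionary of
# usernames; 192.0.2.50 is a legitimate operator with one typo.
SAMPLE_LOG = """\
May 23 06:01:02 router sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
May 23 06:01:04 router sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
May 23 06:01:05 router sshd[1205]: Failed password for invalid user pi from 203.0.113.10 port 51250 ssh2
May 23 06:01:09 router sshd[1208]: Failed password for root from 203.0.113.10 port 51260 ssh2
May 23 06:01:11 router sshd[1210]: Failed password for root from 203.0.113.10 port 51262 ssh2
May 23 06:02:30 router sshd[1220]: Failed password for root from 198.51.100.7 port 40000 ssh2
May 23 06:02:31 router sshd[1221]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
May 23 06:02:33 router sshd[1223]: Failed password for invalid user support from 198.51.100.7 port 40004 ssh2
May 23 06:02:35 router sshd[1225]: Failed password for root from 198.51.100.7 port 40006 ssh2
May 23 06:02:37 router sshd[1227]: Failed password for root from 198.51.100.7 port 40008 ssh2
May 23 06:10:00 router sshd[1300]: Accepted publickey for ronen from 192.0.2.50 port 55000 ssh2
May 23 06:15:00 router sshd[1310]: Failed password for ronen from 192.0.2.50 port 55010 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(log_text):
    """Return {source_ip: [username, username, ...]} for every failed password line."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def brute_force_sources(log_text, threshold=5):
    """Sources with at least `threshold` failures, as (ip, count), most active first.

    The threshold is an assumed tuning knob; a single operator mistyping a
    password stays well below it, a dictionary scanner passes it in seconds.
    """
    attempts = failed_logins(log_text)
    hits = [(ip, len(users)) for ip, users in attempts.items() if len(users) >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def shared_usernames(log_text, threshold=5):
    """Usernames tried by every flagged source.

    A non-empty intersection across different addresses is the pattern Ruben
    describes: one campaign retrying the same list from another host after
    the first one is blocked, so blocking a single IP is only temporary relief.
    """
    attempts = failed_logins(log_text)
    flagged = [ip for ip, _ in brute_force_sources(log_text, threshold)]
    if not flagged:
        return set()
    return set.intersection(*(set(attempts[ip]) for ip in flagged))


if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG):
        print(f"{ip}: {count} failed logins")
    print("usernames common to all flagged sources:", sorted(shared_usernames(SAMPLE_LOG)))
```

Pointed at a real file (`failed_logins(open("/var/log/auth.log").read())`) the per-source counts tell you whether a burst on port 22 is credential guessing, and the shared-username check tells you whether the addresses you are about to block belong to the same scanner. Rate-limiting or key-only authentication on sshd, plus Ruben's default-deny inbound rule, address the whole class rather than one address at a time.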