All,
From the most recent 12-hour NetFlow sampling, these are the ports most
commonly attempted to IPs in my subnet (for which I host no available
inbound services and have a general firewall rule against):
tcp/22 - SSH
tcp/23 - Telnet
tcp/2323 - Telnet 'Alternative'
tcp/2222 - SSH 'Alternative'
tcp/631
tcp/3306
tcp/3389 - Microsoft Remote Desktop Protocol
tcp/5358
tcp/5555
tcp/8081
tcp/8888
tcp/9200
udp/161 - Simple Network Management Protocol
udp/523
udp/623
tcp/502
udp/5060 - Session Initiation Protocol - Voice over IP
ICMP Packets not corresponding to any sent packets:
ICMP Time-Exceeded-In-transit
ICMP Destination-Host-Unreachable
ICMP Destination-Port-Unreachable
Other:
ICMP Echo-Request (normal pinging)
These four particular NetFlow data are somewhat alarming, since it
appears a RIP packet may have been attempted to be sent:
2017-04-29 20:56:05.866 0.000 TCP 94.102.49.193:31430 -> 44.60.44.131:8099 1 40 1
2017-04-29 21:22:16.421 0.000 UDP 94.102.49.193:12902 -> 44.60.44.2:520 1 52 1
2017-04-29 21:41:19.325 0.000 TCP 94.102.49.193:1702 -> 44.60.44.131:9051 1 40 1
2017-04-29 22:06:55.283 0.000 TCP 94.102.49.193:26459 -> 44.60.44.131:4911 1 40 1
This occurs 24x7x365. Those who do not run firewalls to block services
from the Internet should really consider it.
- KB3VWG