5 Apr
2016
5 Apr
'16
2:28 a.m.
Hi group
The mikrotik router log show me every half minute a telnet and SSH login attempt it last
for hours
the strange thing is that the IP it is using was not active in the AMR DNS up to
yesterday and right after i have add it to the DNS and connected the router the login
attempt tried
I have traced two off the breakers and one is in Poland and other is in China
Is it common that someone try to brake our network hosts ? do you see such things at your
hosts too ?
how someone discover so quick about an active host in a Whole class A network ?
What is your solution \ reaction for such a brake attempts ??
Thanks for every clarifications
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
www.ronen.org
ronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
5 Apr
5 Apr
3:40 a.m.
That's quite normal.
You will also see a lot of strange ICMP and DNS replies, UDP traffic and
others.
The idea is that those IPs where poked even before you added them to the
DNS, you just did not see them.
Get used to it and create proper firewall rules to not accept incoming
connections on the router from the public and ampr-gw interfaces which you
not need (usually you need none).
Marius, YO2LOJ
-----Original Message-----
From: R P
Sent: Tuesday, April 05, 2016 09:28
To: AMPRNet working group
Subject: [44net] strange login attempts to AMPR Hosts
(Please trim inclusions from previous messages)
_______________________________________________
Hi group
The mikrotik router log show me every half minute a telnet and SSH login
attempt it last for hours
the strange thing is that the IP it is using was not active in the AMR DNS
up to yesterday and right after i have add it to the DNS and connected
the router the login attempt tried
I have traced two off the breakers and one is in Poland and other is in
China
Is it common that someone try to brake our network hosts ? do you see such
things at your hosts too ?
how someone discover so quick about an active host in a Whole class A
network ?
What is your solution \ reaction for such a brake attempts ??
Thanks for every clarifications
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite<http://www.ronen.org/>
www.ronen.org
ronen.org (Ronen Pinchooks (4Z4ZQ) WebSite) is hosted by domainavenue.com
11:19 a.m.
Probes of IP addresses are VERY common. The purpose is to find active
hosts with open ports that can be exploited. If your router logged and
rejected the probe then you are all set, there is nothing you need to
do. As you said, it's a break-in attempt and only an attempt so there
is no need to worry. It's the ones that are not logged that are the
ones to worry about. You should check your access logs on your hosts
to be sure only those hosts you authorized are accessing the servers
and that the accesses are for legitimate purposes.
Good firewall management comes with the territory. Open only the ports
you need and only from the hosts you support. Secondary firewalls of
the hosts on the LAN side is also a good idea, (e.g., Linux iptables,
Windows Advanced Firewall), these should be configured and active to
block unnecessary ports and to log both successful and unsuccessful
attempts and you should check those logs at least once a week.
This is only a sketch of the general policy of firewall management but
I thought it needed to be said here. Log inspection will guide you and
your experience will teach you the posture you must take regarding
threats but know that the threat is always there and is part of the
noise level a public-facing router/firewall must deal with every
minute of every day.
--
Geoff Joy - ke6qh -
AmprNet IP Address Coordinator for San Bernardino & Riverside Counties.
(44.18/16)
3153
days inactive
3153
days old
2 comments
3 participants
participants (3)
-
Geoff Joy -KE6QH- -
Marius Petrescu -
R P