Source: HardwareZone forums, Internet Bandwidth & Networking Clinic (https://forums.hardwarezone.com.sg/internet-bandwidth-networking-clinic-4/random-ip-trying-access-internal-network-6343756.html)

chaddeus 25-07-2020 07:10 PM

Random IP trying to access internal network?

Should I be concerned that there are random IP addresses trying to access my internal network? Port 500 is used for the VPN server on my Synology. Port 16854 is used for my torrent app (the torrent app is not on).

I try to make an effort to block IP addresses that I see too often, but it's just too much. Plus, even when I change my external IP address, the same thing still comes in.

2020-07-25, 15:31:10 ALLOW UDP 185.142.239.16:500 -> 192.168.0.2:500 on eth1
2020-07-25, 16:14:23 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 16:14:25 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:45 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:47 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:49 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:51 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:59:59 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-25, 18:00:01 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1

gilcrest 25-07-2020 09:47 PM

At least it's not a Russian IP; does it slow down your internet, or give a scenario where you are unable to connect to the router admin page?

chaiscool 25-07-2020 10:12 PM

Maybe your IoT is part of a botnet network haha. What do you use to see and block the traffic? Sometimes the application itself can be causing it.

BradenHeat 25-07-2020 11:01 PM

Quote:

Originally Posted by chaddeus (Post 128696106)
Should I be concerned that there are random IP addresses trying to access my internal network? Port 500 is used for the VPN server on my Synology. Port 16854 is used for my torrent app (the torrent app is not on).

I try to make an effort to block IP addresses that I see too often, but it's just too much. Plus, even when I change my external IP address, the same thing still comes in.

2020-07-25, 15:31:10 ALLOW UDP 185.142.239.16:500 -> 192.168.0.2:500 on eth1
2020-07-25, 16:14:23 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 16:14:25 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:45 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:47 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:49 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:51 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:59:59 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-25, 18:00:01 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1


My UDM threw similar ones, but I've noticed that after I switched my DNS to others. Might it be that?

chaddeus 26-07-2020 12:19 AM

Quote:

Originally Posted by gilcrest (Post 128699001)
At least it's not a Russian IP; does it slow down your internet, or give a scenario where you are unable to connect to the router admin page?

No sign of a speed decrease, or at least not in a significant way :). The router admin page seems fine.

chaddeus 26-07-2020 12:23 AM

Quote:

Originally Posted by chaiscool (Post 128699455)
Maybe your IoT is part of a botnet network haha. What do you use to see and block the traffic? Sometimes the application itself can be causing it.

I just use my router to block certain IP addresses. At this moment, I don't really care so much, especially when it's scanning for my torrent ports (16854 and 6881), but I care more about my VPN ports (4500, 1701 and 500). I try to block them if I see them trying to access more than 3 times.

- Charles

chaddeus 26-07-2020 12:26 AM

Quote:

Originally Posted by BradenHeat (Post 128700461)
My UDM threw similar ones, but I've noticed that after I switched my DNS to others. Might it be that?

I run my own DNS. But the question is, should I be concerned? I think it's relatively common for people to scan my ports, but as long as they don't get into my network without authorization, that should be fine, right?

chaiscool 26-07-2020 06:14 PM

You will still be vulnerable to those brute force / amplification "pass after multiple deny" types of attacks. If really concerned, you can try a dedicated firewall to block blacklisted and foreign (Russia etc.) IPs.

The downside of hosting your own DNS is losing resiliency / redundancy / protection etc. Handling being attacked when you have your own DNS server is a common concern.

zoneguard 26-07-2020 06:24 PM

Bad stuff:
https://bgp.he.net/ip/45.236.31.62#_rbl
https://bgp.he.net/ip/186.108.82.18#_rbl

Try changing the VPN port and torrent port.

TanKianW 26-07-2020 07:05 PM

Are you using UPnP? If you do, disable it. You might be allowing devices inside your network to open ports at their own free will due to UPnP.

If you are concerned, which I think you should be if you have a NAS that can be accessed remotely or several IoTs, run a firewall like pfSense, OPNsense, etc. Every IP in and out will be logged. It will even link you to online resources and security databases to define the location and reputation level of the DNS/IP accessing to/from your network. And you get to decide whether to block/suppress it or kill states.

I recommend simply running pfBlockerNG on pfSense. Block all the unnecessary/notorious stuff through GeoIP and IP/DNS filters as a first line of defense. It saves you the initial trouble of filtering it one by one on your own.

An example of how much has been blocked by the firewall in just 2 days after the last reload:
https://i.imgur.com/5RpOHDd.png

xiaofan 26-07-2020 07:54 PM

Disabling UPnP also seems quite problematic for consumers.

Peer-to-peer applications, game servers and many VoIP programs seem to rely on UPnP.

How do you sort this out if you need to use various VoIP programs, say for work, now that it is common to work from home?

TanKianW 26-07-2020 08:53 PM

Quote:

Originally Posted by xiaofan (Post 128719197)
Disabling UPnP also seems quite problematic for consumers.

Peer-to-peer applications, game servers and many VoIP programs seem to rely on UPnP.

How do you sort this out if you need to use various VoIP programs, say for work, now that it is common to work from home?

Yes, I agree. UPnP is convenient for consumers out there. But there is no easy way out if you want security.

For my case, I still manually port forward the common ports at the firewall for the programs. Load pfBlockerNG's IP/DNS filter, draw up a whitelist, and download the blocklists from the different categories you wish to block. Then pre-load the IDS/IPS security list on Snort (by Cisco) based on the selected security level. Lastly, run the common programs and go through the firewall again. Unblock anything causing them not to work or detected as a false positive.

In recent years, the block lists in pfBlockerNG and Snort have been getting more and more refined; due to widespread community support, the percentage of false positives is also pretty low.

Snort list:
https://i.imgur.com/hwjCvBR.png

pfblockerNG feed lists:
https://i.imgur.com/QcPY2Z7.png

chaddeus 29-07-2020 05:29 PM

Quote:

Originally Posted by TanKianW (Post 128718120)
Are you using UPnP? If you do, disable it. You might be allowing devices inside your network to open ports at their own free will due to UPnP.

If you are concerned, which I think you should be if you have a NAS that can be accessed remotely or several IoTs, run a firewall like pfSense, OPNsense, etc. Every IP in and out will be logged. It will even link you to online resources and security databases to define the location and reputation level of the DNS/IP accessing to/from your network. And you get to decide whether to block/suppress it or kill states.

I recommend simply running pfBlockerNG on pfSense. Block all the unnecessary/notorious stuff through GeoIP and IP/DNS filters as a first line of defense. It saves you the initial trouble of filtering it one by one on your own.

An example of how much has been blocked by the firewall in just 2 days after the last reload:
https://i.imgur.com/5RpOHDd.png

I have UPnP disabled, so that limits the ports accessible from outside.

chaddeus 29-07-2020 05:38 PM

Just to give you guys an example.

2020-07-28, 14:40:24 ALLOW UDP 146.88.240.4:58856 -> 192.168.0.2:500 on eth1
2020-07-28, 14:40:24 BLOCK UDP 146.88.240.4:58856 -> 192.168.10.15:500 on eth1

This IP address 146.88.240.4 is scanning my ports on a daily basis and non-stop, although I block the access. Even when I change my external IP address, it will still come and hunt me. So I am not sure if there is anything within my network that is causing this. My outgoing table log shows nothing on this particular IP address.

A quick WHOIS search on this IP address reveals the following information:

NetHandle: NET-146-88-240-0-1
OrgID: ARBORN
Parent: NET-146-0-0-0-0
NetName: ARBORN
NetRange: 146.88.240.0 - 146.88.255.255
NetType: assignment
Comment: NETSCOUT | Arbor Networks Research Scanner
Comment: https://www.arbor-observatory.com/
RegDate: 2016-10-27
Updated: 2019-06-24
AbuseHandle: ASERT-ARIN
Source: ARIN

Going to https://www.arbor-observatory.com/, the main page says:

Quote:

Why am I receiving connection attempts from this machine?
The Threat Intelligence division at NETSCOUT|Arbor (prev. Arbor Networks) has an Internet safety initiative which identifies services that can potentially be abused by attackers. Internet scanning is often viewed as a malicious activity but can also be used by crawlers and other large-scale scanners to drive traffic, obtain useful statistics, and in our case gather knowledge that will go towards making the Internet a safer place.

Arbor has worked for almost 20 years to help secure the Internet. Scanning is one of the methods we utilize to gain a better understanding of the internet. The collected data is used for research that allows us to identify infected hosts, potentially abusable hosts, and other malicious actors. We ask that you would allow us to continue scanning your address space as our ability to gain insights is directly proportional to our visibility.
Some of our research can be found here:
https://asert.arbornetworks.com/
https://www.netscout.com/global-threat-intelligence
Not sure if it's legit... So what do you guys think?
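The two questions this thread keeps circling back to are "which sources have hit me more than 3 times" (the rule from the 26-07-2020 12:23 AM post) and "is this source a known research scanner" (the WHOIS lookup in this post). The block below is an added example, not code from the original poster, that answers both from the router log format shown in the thread: it parses the ALLOW/BLOCK lines, counts unblocked hits per source, tags the destination port as a VPN or torrent service using the port numbers the poster listed, and checks the source against the 146.88.240.0/20 netblock quoted from the WHOIS output. The sample log is constructed from the thread's own lines plus nothing else; the threshold, the port groups, the priority rule and the scanner table are all assumptions and are marked as such in the comments. Being in a published research-scanner range only explains the traffic, it is not an argument for leaving the port open.

```python
"""Triage of router firewall log lines in the format posted in this thread.

Added example, not code from the original post. Thresholds, port groups and
the research-scanner netblock are assumptions documented in the comments.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Line format as shown in the thread:
# "YYYY-MM-DD, HH:MM:SS ALLOW|BLOCK TCP|UDP src:port -> dst:port on iface"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}), (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)$"
)

# Port groups as the original poster described them (assumed to be complete).
VPN_PORTS = {500, 4500, 1701}      # IKE, NAT-T and L2TP on the Synology
TORRENT_PORTS = {16854, 6881}      # torrent client listening ports

# Netblock from the WHOIS output quoted in the thread:
# NetRange 146.88.240.0 - 146.88.255.255 == 146.88.240.0/20.
# The label repeats the WHOIS comment; it is context, not an allow decision.
KNOWN_RESEARCH_SCANNERS = {
    ipaddress.ip_network("146.88.240.0/20"): "NETSCOUT | Arbor Networks Research Scanner",
}

# Assumed rule, taken from the poster: block a source seen more than 3 times.
BLOCK_THRESHOLD = 3

# Constructed sample: the lines quoted in the thread, concatenated.
SAMPLE_LOG = """\
2020-07-25, 15:31:10 ALLOW UDP 185.142.239.16:500 -> 192.168.0.2:500 on eth1
2020-07-25, 16:14:23 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 16:14:25 ALLOW TCP 186.108.82.18:62807 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:45 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:54:47 ALLOW TCP 45.236.31.62:49612 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:49 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:56:51 ALLOW TCP 45.236.31.62:51285 -> 192.168.0.2:16854 on eth1
2020-07-25, 17:59:59 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-25, 18:00:01 ALLOW TCP 45.236.31.62:53354 -> 192.168.0.2:16854 on eth1
2020-07-28, 14:40:24 ALLOW UDP 146.88.240.4:58856 -> 192.168.0.2:500 on eth1
2020-07-28, 14:40:24 BLOCK UDP 146.88.240.4:58856 -> 192.168.10.15:500 on eth1
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"] = int(e["sport"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def classify_port(port):
    """Map a destination port to the service group the poster cares about."""
    if port in VPN_PORTS:
        return "vpn"
    if port in TORRENT_PORTS:
        return "torrent"
    return "other"


def research_scanner(ip):
    """Return the scanner label if ip falls in a known research-scanner netblock, else None."""
    addr = ipaddress.ip_address(ip)
    for net, name in KNOWN_RESEARCH_SCANNERS.items():
        if addr in net:
            return name
    return None


def triage(text, threshold=BLOCK_THRESHOLD):
    """Per source IP: allowed hit count, services touched, scanner label, block advice.

    Only ALLOW lines are counted: a BLOCK line means a rule already fired, so
    counting it would double-recommend what is already in place.
    """
    hits = Counter()
    services = defaultdict(set)
    for e in parse_log(text):
        if e["action"] != "ALLOW":
            continue
        hits[e["src"]] += 1
        services[e["src"]].add(classify_port(e["dport"]))
    report = {}
    for src, n in hits.items():
        report[src] = {
            "allowed_hits": n,
            "services": sorted(services[src]),
            "research_scanner": research_scanner(src),
            "recommend_block": n > threshold,          # the poster's ">3 times" rule
            "priority": "high" if "vpn" in services[src] else "low",  # assumed: VPN ports matter more
        }
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info)
```

Run it against a larger export of the router log and the sources worth a manual WHOIS are the ones with `recommend_block` set and no `research_scanner` label; the Arbor source in the thread shows up with one allowed hit per day and a label, which matches the poster's observation that it follows the address space rather than the host.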

Apparatus 29-07-2020 05:52 PM

RE
Quote:

Originally Posted by chaddeus (Post 128781460)
Just to give you guys an example.

2020-07-28, 14:40:24 ALLOW UDP 146.88.240.4:58856 -> 192.168.0.2:500 on eth1
2020-07-28, 14:40:24 BLOCK UDP 146.88.240.4:58856 -> 192.168.10.15:500 on eth1

This IP address 146.88.240.4 is scanning my ports on a daily basis and non-stop, although I block the access. Even when I change my external IP address, it will still come and hunt me. So I am not sure if there is anything within my network that is causing this. My outgoing table log shows nothing on this particular IP address.

A quick WHOIS search on this IP address reveals the following information:

NetHandle: NET-146-88-240-0-1
OrgID: ARBORN
Parent: NET-146-0-0-0-0
NetName: ARBORN
NetRange: 146.88.240.0 - 146.88.255.255
NetType: assignment
Comment: NETSCOUT | Arbor Networks Research Scanner
Comment: https://www.arbor-observatory.com/
RegDate: 2016-10-27
Updated: 2019-06-24
AbuseHandle: ASERT-ARIN
Source: ARIN

Going to https://www.arbor-observatory.com/, the main page says:



Not sure if it's legit... So what do you guys think?

Ha.....ha.....ha...... maybe the CIA, the Russians, the CCP or even our MIW IBs are after you leh

:D


All times are GMT +8.