Router Sec Log Help

Hey guys,

Is there anything i can do about this. It seems as if someone is definatly trying to get into my network at home. Please look at this log from just a few minutes ago. At the top you will see i just turned my router on. the xxxxx's are my modems address. Is there anything i can do to stop this bs. And does it look as if my router is doing its job. thanks. Aaron

Sun, 01/01/1900 00:00:00 - Netgear Activated.
Sun, 01/01/1900 00:00:00 - Successful administrator login -
Source:192.168xxxxx, LAN - Destination:192.168.xxxxx, LAN
Mon, 02/27/2006 17:24:37 - Get NTP Time: Mon, 02/27/2006 17:24:37

Mon, 02/27/2006 17:29:32 - UDP packet dropped - Source:222.174.34.149, 54829, WAN - Destination

xxxxxxxx, 1025, WAN - 'Suspicious UDP Data'

Mon, 02/27/2006 17:30:54 - UDP packet dropped - Source:98.239.86.41, 0, WAN - Destination

xxxxxxxxx, 1026, WAN - 'Suspicious UDP Data'

Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8438, WAN - Destination

xxxxxxxx, 21, WAN - 'FTP-ctrl'

Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8443, WAN - Destination

xxxxxxxxxx, 22, WAN - 'SSH'

Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8448, WAN - Destination

xxxxxxxx, 23, WAN - 'Telnet'

Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8453, WAN - Destination

xxxxxxxxxxx, 25,
WAN - 'Possible Port Scan'

Mon, 02/27/2006 17:31:32 - UDP packet dropped - Source:206.204.51.133, 1622, WAN - Destination

xxxxxxxxxxx, 137, WAN - 'Suspicious UDP Data'

Mon, 02/27/2006 17:31:52 - TCP connection dropped -
Source:206.204.51.133, 3761, WAN - Destination

xxxxxxxxxx, 9873, WAN - 'TCP:Syn Flooding'

Mon, 02/27/2006 17:32:16 - TCP connection dropped - Source:206.204.51.133, 4947, WAN - Destination

xxxxxxxxxxx, 9989, WAN - 'TCP:Syn Flooding'

Mon, 02/27/2006 17:32:30 - UDP packet dropped - Source:222.134.45.50, 60316, WAN - Destination

xxxxxxxxxxx, 1027, WAN - 'Suspicious UDP Data'

Mon, 02/27/2006 17:33:32 - UDP packet dropped - Source:221.208.208.4, 47462, WAN - Destination

xxxxxxxxxx, 1027, WAN - 'Suspicious UDP Data'

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

mikej412

Non-Profit Techie wrote:

Is there anything i can do about this.

Um, disconnect from the Internet.

Or hunt down every script kiddie in the world and beat them into a bloody pulp.

Or, the most likey answer -- no, unless it constantly and consistantly is one individual IP address, then maybe, just maybe, you could get your ISP to do something

Otherwise, make sure your firewall is working -- which it looks like it is, and keep an eye on the firmware updates incase there is a fix for a security probem.

determinedgerman

Just make sure that your firewall has those ports blocked. If you do not need them you should have all ports blocked that you don't use anyway.
If you don't need them.

Port 1025 for example is used for Microsofts Remote Procedure Call. If you don't need any of those services and you are just using the port 80 for http block all other traffic.

Otherwise as long as your firewall works you will be fine. This is a pretty much regular picture. Someone is running a script against a bunch of ip addresses and your is one of them.

Hope this helps...

JDMurray

The vast majority of port scans occurring on the Internet are from automated tools (NMap, netcat, Nessus, Metasploit, etc.) that are simply scanning a range of IP addresses for whatever open systems they can find. The reason you are using a firewall in the first place is to keep these types of scans from penetrating into your private network.

It's possible that someone is specifically targeting your IP to find a way into your network, but it's highly unlikely. You can't stop people from scanning hosts on the Internet, so don't take it personally.

Non-Profit Techie

thanks guys. Just seems to be alot of activity in the past few hours. Anyway, if this is normal and my firewall is working i guess your right, nothing to worry about. Man do i feel sorry for those people with no firewalls, lol.

rossonieri#1

hello,
i think JD was right - dont take it personally.
but in case you find a huge attack sequence from the same source, you might want to do a traceroute.

cheers.

JDMurray

rossonieri#1 wrote:

but in case you find a huge attack sequence from the same source, you might want to do a traceroute.

All the attacker needs to do to thawrt tracert is to disable their ICMP echo response. I'd start with a reverse DNS lookup of the attacker's IP, but their IP is probably spoofed, or originating from a zombie, so that'd be useless too.

Damn this IPv4 public network!