Router Sec Log Help

Hey guys,

Is there anything I can do about this? It seems as if someone is definitely trying to get into my network at home. Please look at this log from just a few minutes ago. At the top you will see I just turned my router on. The xxxxx's are my modem's address. Is there anything I can do to stop this bs? And does it look as if my router is doing its job? Thanks. Aaron

Sun, 01/01/1900 00:00:00 - Netgear Activated.
Sun, 01/01/1900 00:00:00 - Successful administrator login - Source:192.168xxxxx, LAN - Destination:192.168.xxxxx, LAN
Mon, 02/27/2006 17:24:37 - Get NTP Time: Mon, 02/27/2006 17:24:37

Mon, 02/27/2006 17:29:32 - UDP packet dropped - Source:222.174.34.149, 54829, WAN - Destination:xxxxxxxxx, 1025, WAN - 'Suspicious UDP Data'

Mon, 02/27/2006 17:30:54 - UDP packet dropped - Source:98.239.86.41, 0, WAN - Destination:xxxxxxxxxx, 1026, WAN - 'Suspicious UDP Data'

Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8438, WAN - Destination:xxxxxxxxx, 21, WAN - 'FTP-ctrl'

Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8443, WAN - Destination:xxxxxxxxxxx, 22, WAN - 'SSH'

Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8448, WAN - Destination:xxxxxxxxx, 23, WAN - 'Telnet'

Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8453, WAN - Destination:xxxxxxxxxxxx, 25, WAN - 'Possible Port Scan'

Mon, 02/27/2006 17:31:32 - UDP packet dropped - Source:206.204.51.133, 1622, WAN - Destination:xxxxxxxxxxxx, 137, WAN - 'Suspicious UDP Data'

Mon, 02/27/2006 17:31:52 - TCP connection dropped - Source:206.204.51.133, 3761, WAN - Destination:xxxxxxxxxxx, 9873, WAN - 'TCP:Syn Flooding'

Mon, 02/27/2006 17:32:16 - TCP connection dropped - Source:206.204.51.133, 4947, WAN - Destination:xxxxxxxxxxxx, 9989, WAN - 'TCP:Syn Flooding'

Mon, 02/27/2006 17:32:30 - UDP packet dropped - Source:222.134.45.50, 60316, WAN - Destination:xxxxxxxxxxxx, 1027, WAN - 'Suspicious UDP Data'

Mon, 02/27/2006 17:33:32 - UDP packet dropped - Source:221.208.208.4, 47462, WAN - Destination:xxxxxxxxxxx, 1027, WAN - 'Suspicious UDP Data'

Comments

  • mikej412 Member Posts: 10,086
    Is there anything i can do about this.
    Um, disconnect from the Internet.

    Or hunt down every script kiddie in the world and beat them into a bloody pulp.

    Or, the most likely answer -- no, unless it constantly and consistently is one individual IP address, then maybe, just maybe, you could get your ISP to do something.

    Otherwise, make sure your firewall is working -- which it looks like it is, and keep an eye on the firmware updates in case there is a fix for a security problem.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • determinedgerman Member Posts: 168
    Just make sure that your firewall has those ports blocked. If you do not need them you should have all ports blocked that you don't use anyway.
    If you don't need them.

    Port 1025, for example, is used for Microsoft's Remote Procedure Call. If you don't need any of those services and you are just using port 80 for HTTP, block all other traffic.

    Otherwise as long as your firewall works you will be fine. This is a pretty much regular picture. Someone is running a script against a bunch of IP addresses and yours is one of them.

    Hope this helps...
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,323 Admin
    The vast majority of port scans occurring on the Internet are from automated tools (NMap, netcat, Nessus, Metasploit, etc.) that are simply scanning a range of IP addresses for whatever open systems they can find. The reason you are using a firewall in the first place is to keep these types of scans from penetrating into your private network.

    It's possible that someone is specifically targeting your IP to find a way into your network, but it's highly unlikely. You can't stop people from scanning hosts on the Internet, so don't take it personally.
  • Non-Profit Techie Member Posts: 418
    Thanks guys. Just seems to be a lot of activity in the past few hours. Anyway, if this is normal and my firewall is working I guess you're right, nothing to worry about. Man do I feel sorry for those people with no firewalls, lol.
  • rossonieri#1 Member Posts: 799
    hello,
    I think JD was right - don't take it personally.
    but in case you find a huge attack sequence from the same source, you might want to do a traceroute.

    cheers.
    the More I know, that is more and More I dont know.
  • JDMurray MSIT InfoSec CISSP SSCP GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,323 Admin
    but in case you find a huge attack sequence from the same source, you might want to do a traceroute.
    All the attacker needs to do to thwart tracert is to disable their ICMP echo response. I'd start with a reverse DNS lookup of the attacker's IP, but their IP is probably spoofed, or originating from a zombie, so that'd be useless too.

    Damn this IPv4 public network!
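
The replies above hinge on whether the drops come from one persistent source or from many unrelated ones. As an added example (not part of the thread), this Python script parses entries in the format shown in the original post and groups the drops by source address; the function names and the `min_ports` threshold of 4 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entries copied from the original post's log (destination redacted there as x's).
SAMPLE_LOG = """\
Mon, 02/27/2006 17:24:37 - Get NTP Time: Mon, 02/27/2006 17:24:37
Mon, 02/27/2006 17:29:32 - UDP packet dropped - Source:222.174.34.149, 54829, WAN - Destination:xxxxxxxxx, 1025, WAN - 'Suspicious UDP Data'
Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8438, WAN - Destination:xxxxxxxxx, 21, WAN - 'FTP-ctrl'
Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8443, WAN - Destination:xxxxxxxxxxx, 22, WAN - 'SSH'
Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8448, WAN - Destination:xxxxxxxxx, 23, WAN - 'Telnet'
Mon, 02/27/2006 17:31:00 - TCP connection dropped - Source:206.204.51.133, 8453, WAN - Destination:xxxxxxxxxxxx, 25, WAN - 'Possible Port Scan'
Mon, 02/27/2006 17:31:32 - UDP packet dropped - Source:206.204.51.133, 1622, WAN - Destination:xxxxxxxxxxxx, 137, WAN - 'Suspicious UDP Data'
Mon, 02/27/2006 17:31:52 - TCP connection dropped - Source:206.204.51.133, 3761, WAN - Destination:xxxxxxxxxxx, 9873, WAN - 'TCP:Syn Flooding'
Mon, 02/27/2006 17:32:16 - TCP connection dropped - Source:206.204.51.133, 4947, WAN - Destination:xxxxxxxxxxxx, 9989, WAN - 'TCP:Syn Flooding'
"""

ENTRY = re.compile(
    r"^\w{3}, (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - "
    r"(?:TCP connection|UDP packet) dropped - "
    r"Source:(?P<src>[\d.]+), \d+, WAN - "
    r"Destination:[^,]+, (?P<dport>\d+), WAN - '(?P<label>[^']*)'$"
)

def parse(log_text):
    """Yield (timestamp, source, dest_port, label) for each dropped-traffic entry."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # other entry types (logins, NTP sync) are skipped
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
            yield ts, m["src"], int(m["dport"]), m["label"]

def summarize(log_text, min_ports=4):
    """Group drops by source. min_ports is an assumed threshold, not a router setting."""
    by_src = defaultdict(list)
    for ts, src, dport, _label in parse(log_text):
        by_src[src].append((ts, dport))
    report = {}
    for src, events in by_src.items():
        times = [ts for ts, _ in events]
        ports = sorted({port for _, port in events})
        report[src] = {"drops": len(events), "ports": ports,
                       "seconds": int((max(times) - min(times)).total_seconds()),
                       "repeat_scanner": len(ports) >= min_ports}
    return report

if __name__ == "__main__":
    for src, row in summarize(SAMPLE_LOG).items():
        print(src, row)
```

A source flagged as `repeat_scanner` over several days of logs is the "one individual IP address" case worth reporting to the ISP; single-port, single-hit sources are the background noise the replies describe.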