Netgate Discussion Forum
    Firewall not blocking hacker IP

    2.0-RC Snapshot Feedback and Problems - RETIRED
    10 Posts 7 Posters 5.2k Views
    • cjbujold

      Checking the pftop this morning, I noticed an IP that should not be connected. Originally we had no rule opening port 5060; we have since added rules to block port 5060 and another rule to specifically block the incoming IP in question, yet this hacker from Korea is still able to connect. I even rebooted after implementing the rules and he is still getting connected.

      How can I block him permanently?

      Attached is an image from pftop and the second image is the rules I set up.

      We are using:

      2.0-RC1 (i386)
      built on Sat Mar 12 01:18:33 EST 2011
      Attachments: hacker1.png, hacker2.png

      • stephenw10 (Netgate Administrator)

        This should be blocked by default.
        It is likely that something inside your network is opening this.
        Do you have upnp enabled?

        Steve

        Edit: port 5060 appears to be VoIP of some kind. Are you running something of that nature on that computer?

        • Alan87i

          I had some apps on my WHS server that would call home and open a connection no matter what I tried. A couple of different IP cams on the LAN would call home as well.

          • cjbujold

            The server 192.168.20.80 has been physically turned off and I am still getting this entry.

            • wallabybob

              I believe you will see that entry until it times out. I don't know what the timeout period is.

              What's WAN2R? Could the access be coming in over that interface?

              • tommyboy180

                I wanted to chime in and bring up the IP-Blocklist package. You can put that IP in the blacklist and not worry about it hitting you ever again.
                In fact, there are several actively maintained public lists that contain hacker IP ranges and malicious ranges.

                I would consider using this package if you need to blacklist IPs at the firewall level.

                -Tom Schaefer
                SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                Please support pfBlocker | File Browser | Strikeback

                • cmb

                  @wallabybob:

                  What's WAN2R? Could the access be coming in over that interface?

                  It's either coming in there, or it is outbound traffic. It's not coming in WAN with that ruleset.

                  • wallabybob

                    @cmb:

                    @wallabybob:

                    What's WAN2R? Could the access be coming in over that interface?

                    It's either coming in there, or it is outbound traffic. It's not coming in WAN with that ruleset.

                    This raises the question for me: "How can one tell from the pftop output which party initiated the connection?"
                    For example, the posted pftop output says (in part):

                    PR   D  SRC                   DEST                 STATE  AGE   EXP
                    udp  I  115.144.181.36:5087   192.168.20.80:5060   2:2    1201  60
                    udp  O  115.144.181.36:5087   192.168.20.80:5060   2:2    1201  60

                    Should I read this as the SRC column giving the IP address which initiated the connection?
                    If so, then the displayed firewall state was created for a party on the internet, not for a party on the LAN, so it must have snuck around the firewall rule on WAN, either by coming in on a second interface connected to the internet, OR it's a stale display taken before the reboot that followed the firewall rule modification.

                    • cjbujold
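The question above, worked through in code. This is an added example, not code from the thread or from pfSense: a small Python parser for the pftop rows quoted above that applies wallabybob's reading (SRC is the initiator, taken here as an assumption), tells you which side of the firewall each state was opened from, groups the I and O rows for the same flow, and builds the pfctl -k invocation you would run on the firewall to drop just that pair of hosts. The sample rows are constructed from the ones quoted in the post; treating AGE/EXP as plain seconds and using RFC 1918 membership as the "inside" test are this example's assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the pftop rows quoted in this thread.
PFTOP_SAMPLE = """\
PR   D   SRC                     DEST                 STATE   AGE    EXP
udp  I    115.144.181.36:5087      192.168.20.80:5060    2:2    1201   60
udp  O    115.144.181.36:5087      192.168.20.80:5060    2:2    1201   60
"""

# One pftop state row: protocol, direction flag (I/O), src, dest, state, age, expiry.
# Assumption: AGE and EXP are plain seconds, as in the rows above.
ROW_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<dir>[IO])\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<age>\d+)\s+(?P<exp>\d+)\s*$"
)

Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


def parse_pftop(text: str) -> List[Dict]:
    """Return one dict per state row; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        row = m.groupdict()
        for key in ("sport", "dport", "age", "exp"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def is_local(addr: str) -> bool:
    """Assumption: RFC 1918 (and other non-global) addresses are the inside of the firewall."""
    return ipaddress.ip_address(addr).is_private


def classify(row: Dict) -> Dict:
    """Assume SRC is the initiator and label the state by which side the initiator is on."""
    src_local, dst_local = is_local(row["src"]), is_local(row["dst"])
    if dst_local and not src_local:
        origin = "internet->lan"
    elif src_local and not dst_local:
        origin = "lan->internet"
    else:
        origin = "other"
    return {
        "flow": (row["proto"], row["src"], row["sport"], row["dst"], row["dport"]),
        "origin": origin,
        "direction": "in" if row["dir"] == "I" else "out",
        "external": row["dst"] if src_local else row["src"],
        "expires_in": row["exp"],
    }


def flows(rows: List[Dict]) -> Dict[Flow, Set[str]]:
    """Group rows by 5-tuple so one flow seen as both I and O shows up once, with both flags."""
    seen: Dict[Flow, Set[str]] = {}
    for row in rows:
        info = classify(row)
        seen.setdefault(info["flow"], set()).add(info["direction"])
    return seen


def suspicious(rows: List[Dict], port: int) -> List[Dict]:
    """States opened from outside toward an inside host on `port` (5060 in the thread)."""
    return [c for c in (classify(r) for r in rows)
            if c["origin"] == "internet->lan" and c["flow"][4] == port]


def kill_command(external_ip: str, local_ip: str) -> str:
    """pfctl invocation that kills states between exactly these two hosts (run on the firewall)."""
    ipaddress.ip_address(external_ip)  # raise early on garbage input
    ipaddress.ip_address(local_ip)
    return f"pfctl -k {external_ip} -k {local_ip}"


if __name__ == "__main__":
    rows = parse_pftop(PFTOP_SAMPLE)
    for flow, dirs in flows(rows).items():
        print(flow, sorted(dirs))
    for c in suspicious(rows, 5060):
        print(f"{c['origin']} from {c['external']}, expires in {c['expires_in']}s:",
              kill_command(c["external"], c["flow"][3]))
```

The point of the grouping is that the I and O rows are one flow observed on two interfaces, not two separate connections. With only a 60 second expiry on a 1201 second old UDP state, the entry disappears on its own once the remote host stops sending; a single `pfctl -k <src> -k <dst>` removes it immediately without touching the rest of the state table, which is the narrower version of the "reset all states" (`pfctl -F states`) advice given later in the thread.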

                      Thanks for all the help. I installed the IP-Block and it seems to be gone. Also, I think it did time out after a while. I will continue to monitor. The WAN2R is a second connection which also has the firewall rules applied to block him out.

                      • Guest

                        I would also temporarily disable the port forward, and reset all states.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.