Getting Hammered



  • Just got my pfSense switch up and running this morning and turned on pfBlockerNG. In two hours I have seen over a thousand hits trying to scan port 22 alone all from China. Many thanks for the great work.



  • Think about thanking these guys that connected from China.
    Every connection is a reminder that you should not (actually: never) open up ports so that they are accessible from the outside.
    If you need control over your pfSense from 'anywhere' else except LAN, use a VPN access.

    Before: the guys tried to log in to your device, and you didn't notice them.
    Now: the same thing happens, but you see them.

    Instead of putting a camera above your front door to see who is trying to open it, just remove the door.



  • The only ports I have open are 25 and 443 for my mailserver. I was using a Unifi USG3P before the pfSense and never saw all these attacks. Nothing seemed to get through the USG but now I am seeing just how many there are. Mostly from Ukraine and China. Thanking the pfBlocker guys for the awesome job the software does.



  • If you liked the port-knocking on "22", have a look at what happens on your ports "25" and "443", you'll be amazed.

    Normally, your mail server already has something like fail2ban and a rather huge setup to filter out fake connections, like attempts to relay, attempts to load your inbox with spam, etc.
    A (internal, on a LAN) web server (port 443): same thing, a real hail storm.
    Not filtering these servers can put a real load on your servers.

    Btw: all these connections are practically never real 'people' trying to get access to your systems. They are scripts that try every IP from 1.1.1.1 to 254.254.254.254 and when done, they start over again. Every IP that accepted a connection will be dumped in a list. This list is then used by a real human to see if he can enter with standard users like 'root', 'admin', etc. and a list of the most commonly used passwords. Even this last step is often fully automated.

    This is what is called the "background noise" on the Internet.

    And, I have to say this to make things clear: I use a VPN service that has POPs in every country on the planet. If I planned a massive, global attack on every IP on earth, I would use a 'Chinese POP' of course ☺


  • LAYER 8 Global Moderator

    Seeing the "noise" on your WAN has nothing to do with pfblocker.. Out of the box pfsense blocks all unsolicited traffic hitting your WAN IP.. Other than what you have port forwarded.

    Yeah lots of noise to 22.. 23, 21 as well.. 1433, 8080, etc. etc. list goes on.. And more than likely a lot of UDP crap as well... I don't log the UDP noise.. just the tcp stuff - only reason to log it really is curiosity.. When that modem shit hit in DE, there were lots of hits to that port for example.

    pfblocker makes it easy to block say china from hitting your port forward port.. But out of the box you would see all this noise anyway. USG just makes it more difficult to see the noise is all.

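The moderator's post above makes two points a practitioner can check against the firewall log: pf already blocks the unsolicited inbound traffic, and logging it only tells you what the noise looks like (which ports, which sources, how many of them walk a list of ports). The script below is an added example, not code from this thread or from pfSense/pfBlockerNG. It parses pfSense `filterlog` syslog lines (the CSV field layout after `filterlog[pid]:` is assumed here from the pfSense log format: rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the per-version header fields), counts blocked inbound TCP hits per destination port and per source, and flags sources that probed several distinct ports. The log lines in `SAMPLE_LOG` are constructed with documentation addresses, not captured from a real WAN.

```python
"""Triage of pfSense filterlog lines: blocked inbound hits per port/source, plus port scanners.

Added example, not code from the forum thread or from pfSense/pfBlockerNG.
The field layout is assumed from the pfSense filterlog CSV format; sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic). One source walks 22, 23, 1433 and 8080,
# one hits only 22, one UDP probe to 5060, and one passed connection to a forwarded 443.
SAMPLE_LOG = """\
Feb 20 13:00:01 pfSense filterlog[25599]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54321,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Feb 20 13:00:02 pfSense filterlog[25599]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54322,23,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Feb 20 13:00:03 pfSense filterlog[25599]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54323,1433,0,S,1234567892,,65535,,mss;sackOK;TS;nop;wscale
Feb 20 13:00:04 pfSense filterlog[25599]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54324,8080,0,S,1234567893,,65535,,mss;sackOK;TS;nop;wscale
Feb 20 13:00:05 pfSense filterlog[25599]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.77,198.51.100.2,40000,22,0,S,1234567894,,65535,,mss;sackOK;TS;nop;wscale
Feb 20 13:00:06 pfSense filterlog[25599]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,192.0.2.9,198.51.100.2,5060,5060,58
Feb 20 13:00:07 pfSense filterlog[25599]: 70,,,1592512321,igb0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.44,198.51.100.2,51000,443,0,S,1234567895,,65535,,mss;sackOK;TS;nop;wscale
"""

_PREFIX = re.compile(r"filterlog\[\d+\]:\s*")


def parse_filterlog_line(line):
    """Return the fields we care about as a dict, or None if the line is not a filterlog record."""
    m = _PREFIX.search(line)
    if not m:
        return None
    f = line[m.end():].strip().split(",")
    if len(f) < 9:
        return None
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    # Assumed header layouts: IPv4 = tos,ecn,ttl,id,offset,flags,proto_id,proto_text,length,src,dst,...
    #                         IPv6 = class,flowlabel,hoplimit,proto_text,proto_id,length,src,dst,...
    if rec["ipver"] == "4" and len(f) >= 20:
        rec["proto"], rec["src"], rec["dst"] = f[16], f[18], f[19]
        ports = f[20:22]
    elif rec["ipver"] == "6" and len(f) >= 17:
        rec["proto"], rec["src"], rec["dst"] = f[12], f[15], f[16]
        ports = f[17:19]
    else:
        return None
    if rec["proto"] in ("tcp", "udp") and len(ports) == 2 and ports[0] and ports[1]:
        rec["sport"], rec["dport"] = int(ports[0]), int(ports[1])
    else:
        rec["sport"] = rec["dport"] = None  # ICMP and friends carry no ports
    return rec


def blocked_inbound(lines, protos=("tcp",)):
    """Yield records for traffic pf blocked on the way in, restricted to the given protocols."""
    for line in lines:
        rec = parse_filterlog_line(line)
        if rec and rec["action"] == "block" and rec["dir"] == "in" and rec["proto"] in protos:
            yield rec


def hits_per_port(lines, protos=("tcp",)):
    """Blocked inbound hits keyed by destination port (what the noise is knocking on)."""
    return Counter(r["dport"] for r in blocked_inbound(lines, protos))


def hits_per_source(lines, protos=("tcp",)):
    """Blocked inbound hits keyed by source address (who is knocking)."""
    return Counter(r["src"] for r in blocked_inbound(lines, protos))


def find_scanners(lines, min_ports=3, protos=("tcp",)):
    """Sources whose blocked inbound hits touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in blocked_inbound(lines, protos):
        ports_by_src[r["src"]].add(r["dport"])
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("blocked TCP hits per port:", dict(hits_per_port(lines)))
    print("blocked TCP hits per source:", dict(hits_per_source(lines)))
    print("blocked TCP+UDP hits per port:", dict(hits_per_port(lines, protos=("tcp", "udp"))))
    print("sources walking several ports:", find_scanners(lines))
```

On a real box, feed it `clog /var/log/filter.log` output (or the remote syslog copy); the passed connection to 443 never shows up in the counts, which is the point of the post: the block rules were already doing their job before anything was logged or geo-blocked, and the counts only tell you which ports and sources make up the noise.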


  • @gertjan said in Getting Hammered:

    If you liked the port-knocking on "22", have a look at what happens on your ports "25" and "443", you'll be amazed.

    Seeing a few on 443 and a couple on 25.

    Normally, your mail server already has something like fail2ban and a rather huge setup to filter out fake connections, like attempts to relay, attempts to load your inbox with spam, etc.
    A (internal, on a LAN) web server (port 443) : same thing : a real hail storm.
    Not filtering these servers can put a real load on your servers.

    It is an Exchange server and not set up for routing mails, and any attempt to route through it just gets rejected. I also have a large set of rules to reject spam but wanted to use pfBlockerNG to block out spamming IPs. Yes, Exchange can do it but requires the Edge Server to do it. Don't want another VM running to do IP filtering.

    I realise they are scripts trying as well on the ports rather than real humans.