Firewall log, is this attack or?
-
Hello, I have a question about security and the settings that I'm using in pfSense.
I've only been using it for 2 weeks; for now I think that I understand most of what I'm doing, but I'm not sure.

When I look into my firewall log, I see like 100 different IPs trying to connect to my network in a few hours' time.
At some point I see that in one minute various different hosts are trying to connect to my IP using port 61504 UDP.
When I look up those hosts, I see they are from Asia, but those are blocked by pfBlocker.

Ports they are trying to connect to:
26782 UDP
445 TCP:S
1214 UDP <- also happens a lot
1214 TCP:S
23 TCP:S
1433 TCP:S
137 UDP
and some more

One IP also spammed the log +/- 50x from source port 37 to 169.254.255.255:137 UDP.
Since this night I got 400 logs like those above.
I also have a mail server in my network; all needed ports are open to that server (25, 143, 993, 465), and also port 80 for webmail.
I noticed that my mail server blocked 6 hosts in the last weeks trying to log in to the webmail.

I have no packages installed, only pfBlocker with active lists:
- top spammer
- whole Africa
- whole Asia
- I-blocklist spyware
- I-blocklist hijacked
- I-blocklist microsoft
Do I need to do something?
Sorry for my bad English and thanks in advance.
Stijn
-
Hi,
I cannot say much about the other ports, but 169.254.x.x looks like APIPA addresses for hosts which did not get an address by DHCP.
http://en.wikipedia.org/wiki/Link-local_address

And if you are running a server with open ports for mail and HTTP, I think it is very common that you get many tries from bots on the internet which check for available services.
-
It's normally at random. If I pasted my blocked log for just a couple of minutes I'd have to use pastebin, and even then their free limit might be reached. I normally do not monitor blocked traffic until I'm diagnosing an issue.
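
An added example, not part of any post in this thread: a small Python triage of blocked-log entries that separates the three kinds of noise discussed above (link-local/APIPA destinations, blocked hits on the forwarded mail and web ports, and scans of closed ports) and counts distinct sources per port. The one-line `src dst dport proto` format and all addresses are constructed for illustration; it is not pfSense's raw log format.

```python
import ipaddress
from collections import Counter, defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA / link-local range
# Ports the poster forwards to the mail server (taken from the thread).
PUBLISHED = {25, 80, 143, 465, 993}

# Constructed sample entries: "src dst dport proto" (assumed simplified format).
SAMPLE = """\
198.51.100.7 203.0.113.10 61504 udp
198.51.100.8 203.0.113.10 61504 udp
198.51.100.9 203.0.113.10 61504 udp
192.0.2.21 203.0.113.10 445 tcp
192.0.2.22 203.0.113.10 23 tcp
192.0.2.23 203.0.113.10 1433 tcp
192.0.2.24 203.0.113.10 1214 udp
192.0.2.24 203.0.113.10 1214 tcp
192.0.2.50 169.254.255.255 137 udp
192.0.2.50 169.254.255.255 137 udp
198.51.100.7 203.0.113.10 80 tcp
"""

def classify(dst, dport):
    """Bucket one blocked entry by what it was aimed at."""
    if ipaddress.ip_address(dst) in LINK_LOCAL:
        return "link-local"          # local NetBIOS/APIPA chatter, not routable
    if dport in PUBLISHED:
        return "published-service"   # compare with the mail server's own logs
    return "closed-port"             # background scanning of unopened ports

def triage(text):
    """Return (entries per bucket, distinct sources per (port, proto))."""
    counts = Counter()
    sources = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip malformed lines
        src, dst, dport, proto = parts[0], parts[1], int(parts[2]), parts[3].lower()
        try:
            kind = classify(dst, dport)
        except ValueError:
            continue  # destination is not a valid IP address
        counts[kind] += 1
        sources[(dport, proto)].add(src)
    return counts, {key: len(srcs) for key, srcs in sources.items()}

if __name__ == "__main__":
    counts, fanin = triage(SAMPLE)
    print(dict(counts))
    for (port, proto), n in sorted(fanin.items(), key=lambda kv: -kv[1]):
        print(f"{port}/{proto}: {n} distinct source(s)")
```

Many distinct sources hitting one closed port in a short window, as with 61504/udp in the sample, is the pattern the first post describes; a single source repeating to 169.254.255.255:137 falls in the link-local bucket instead.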