Firewall log, is this an attack or not?



  • Hello, I have a question about security and the settings that I'm using in pfSense.
    I've only been using it for 2 weeks; for now I think that I understand most of what I'm doing, but I'm not sure.

    When I look into my firewall log, I see like 100 different IPs trying to connect to my network in a few hours' time.
    At some point I see that within one minute various different hosts are trying to connect to my IP using port 61504 UDP.
    When I look up those hosts, I see they are from Asia, but those are blocked by pfBlocker.

    Ports they are trying to connect to:

    26782 UDP
    445 TCP:S
    1214 UDP <- also happens a lot
    1214 TCP:S
    23 TCP:S
    1433 TCP:S
    137 UDP
    and some more

    One IP also spammed the log +- 50x from source port 37 to 169.254.255.255:137 UDP

    Since this night I've got 400 logs like those above.

    I also have a mail server in my network; all needed ports are open to that server (25, 143, 993, 465), and also port 80 for webmail.
    I noticed that my mail server blocked 6 hosts in the last weeks trying to log in to the webmail.

    I have no packages installed, only pfBlocker with active lists:

    • top spammer
    • whole Africa
    • whole Asia
    • I-blocklist spyware
    • I-blocklist hijacked
    • I-blocklist Microsoft

    Do I need to do something?

    Sorry for bad English and thanks in advance.

    Stijn



  • Hi,

    I cannot say much about the other ports, but 169.254.x.x looks like APIPA addresses for hosts which did not get an address by DHCP.
    http://en.wikipedia.org/wiki/Link-local_address

    And if you are running a server with open ports for mail and HTTP, I think it is very common that you get many tries from bots on the internet which check for available services.



  • It's normally at random. If I pasted my blocked log for just a couple of minutes, I'd have to use pastebin, and even then their free limit might be reached. I normally do not monitor blocked traffic until I'm diagnosing an issue.
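
A triage pass over blocked-log entries like the ones discussed in this thread, added here as an example and not code from any poster or from pfSense. The tuple layout, the sample addresses (documentation ranges) and the `triage` helper are assumptions; real filter log lines have to be parsed into this shape first.

```python
import ipaddress
from collections import defaultdict

# Ports opened to the mail server, as listed in the first post.
PUBLISHED_PORTS = {25, 80, 143, 465, 993}
# IANA service names for some of the probed ports.
SERVICE_NAMES = {23: "telnet", 137: "netbios-ns", 445: "microsoft-ds",
                 1214: "kazaa", 1433: "ms-sql-s"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample: (source, destination, protocol, destination port).
# Addresses are documentation ranges; WAN_IP is a placeholder.
WAN_IP = "203.0.113.10"
SAMPLE_LOG = [
    ("198.51.100.7", WAN_IP, "udp", 61504),
    ("198.51.100.8", WAN_IP, "udp", 61504),
    ("198.51.100.9", WAN_IP, "udp", 61504),
    ("198.51.100.20", WAN_IP, "tcp", 445),
    ("198.51.100.21", WAN_IP, "tcp", 23),
    ("198.51.100.22", WAN_IP, "udp", 1214),
    ("192.0.2.50", "169.254.255.255", "udp", 137),
    ("192.0.2.50", "169.254.255.255", "udp", 137),
    ("198.51.100.30", WAN_IP, "tcp", 80),
]

def triage(entries):
    """Group blocked entries by (protocol, port) and label each group."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "local": False})
    for src, dst, proto, dport in entries:
        group = groups[(proto, dport)]
        group["hits"] += 1
        group["sources"].add(src)
        if ipaddress.ip_address(dst) in LINK_LOCAL:
            group["local"] = True
    report = {}
    for (proto, dport), group in groups.items():
        if group["local"]:
            label = "link-local destination, not routable"
        elif dport in PUBLISHED_PORTS:
            label = "published port, check the server's own logs"
        else:
            label = "unsolicited probe, dropped by the firewall"
        report[(proto, dport)] = (label, group["hits"], len(group["sources"]),
                                  SERVICE_NAMES.get(dport, "unknown"))
    return report

if __name__ == "__main__":
    for key, row in sorted(triage(SAMPLE_LOG).items()):
        print(key, row)
```

Each report row is (label, hit count, distinct sources, service name), which separates many-source background scanning from a single host repeating itself and from traffic aimed at ports that are actually open.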

