Netgate Discussion Forum

    Is this an attack?

    Firewalling
    12 Posts 5 Posters 2.7k Views
    • Jamerson

      Dear All,
      Lately I've seen a lot of logs on the firewall from this IP, 218.77.79.43:

      block	Jan 18 01:29:40	WAN	218.77.79.43:57651	10.10.10.1:80	TCP:S

      and

      block	Jan 18 01:45:56	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:46:20	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:46:49	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:47:54	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:47:58	WAN	192.168.2.254	224.0.0.1	IGMP
      block	Jan 18 01:48:23	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:48:23	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:48:26	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:48:33	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:48:45	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:49:10	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP
      block	Jan 18 01:49:39	WAN	76.187.41.69:30792	10.10.10.1:6045	UDP

      Any suggestions on whether this is a kind of attack or not?

      • BBcan177 (Moderator)

        https://www.google.ca/search?q=who+is+218.77.79.43&hl=en-US&gws_rd=cr,ssl&ei=Bgu7VJ6jOIWryATfg4KICA

        It's an IP from China.
        If you have any open WAN ports you should enter it in a firewall blocklist.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • johnpoz (LAYER 8 Global Moderator)

          Attack?? It's a few packets of UDP noise.. Why you're seeing it to an RFC1918 address seems a bit strange.. Are you behind a double NAT?

          That is your typical noise, sure as hell is not an attack.. It's already blocked - what are you worried about? Do you not want it logged? The internet is a wild wild west of packets, you will see all kinds of shit ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.11.1 | Lab VMs 2.8.1, 25.11.1

          • Jamerson

            @johnpoz:

            Attack?? It's a few packets of UDP noise.. Why you're seeing it to an RFC1918 address seems a bit strange.. Are you behind a double NAT?

            That is your typical noise, sure as hell is not an attack.. It's already blocked - what are you worried about? Do you not want it logged? The internet is a wild wild west of packets, you will see all kinds of shit ;)

            Thank you for your answer :) and about the kind of shit stuff ;)

            Yes, I am behind double NAT:
            ISP Modem >>> pfSense >>> Machines
            I was worried, but with your answer I am not anymore,
            because I've seen on the internet that the IP I mentioned was attacking a lot of sources on the internet.
            Because I am behind double NAT, is it normal behaviour that it logged on the RFC1918 address?

            • kejianshi

              Really, you don't need to worry too much about people banging at the doors as long as your pfSense is set up either plain default, which is secure, or otherwise configured properly.

              I'd not ever get worried unless I saw a lot of unexplained outbound bandwidth being used.

              I know people are just forever chewing on my VPN servers, presumably trying to get in.

              As long as they are not having any success, I don't worry over it. It's bound to happen that people try. They are bored apparently.

              • johnpoz (LAYER 8 Global Moderator)

                The UDP stuff is quite often just torrent noise, your IP was in a swarm maybe - etc.. I sometimes just set up a rule for UDP so it's not logged.

                Here are some hits to telnet.. So what, it's not open, the firewall dropped it as it should.. You're going to see that all day long, all the time.. Unless it's 1,000 or hundreds of thousands of packets a second, who cares ;)

                (attached image: tcpnoise.png)


                • Jamerson

                  @kejianshi:

                  Really, you don't need to worry too much about people banging at the doors as long as your pfSense is set up either plain default, which is secure, or otherwise configured properly.

                  I'd not ever get worried unless I saw a lot of unexplained outbound bandwidth being used.

                  I know people are just forever chewing on my VPN servers, presumably trying to get in.

                  As long as they are not having any success, I don't worry over it. It's bound to happen that people try. They are bored apparently.

                  Thank you so much for your answer, I am trying to understand when they have succeeded / if they have succeeded.
                  The only behaviour I am going to notice is a lot of outbound bandwidth being used.
                  I'll monitor that from time to time.

                  • Jamerson


                    @johnpoz:

                    The UDP stuff is quite often just torrent noise, your IP was in a swarm maybe - etc.. I sometimes just set up a rule for UDP so it's not logged.

                    Here are some hits to telnet.. So what, it's not open, the firewall dropped it as it should.. You're going to see that all day long, all the time.. Unless it's 1,000 or hundreds of thousands of packets a second, who cares ;)

                    Thank you for your explanation as always!
                    Appreciate you guys!

                    • johnpoz (LAYER 8 Global Moderator)

                      "I am trying to understand when they have succeeded / if they have succeeded."

                      Are you logging passed traffic? You're not going to see anything in the logs if they get in ;) But the default rule is BLOCK.. So unless you forwarded traffic - where are they going?


                      • Jamerson

                        @johnpoz:

                        "I am trying to understand when they have succeeded / if they have succeeded."

                        Are you logging passed traffic? You're not going to see anything in the logs if they get in ;) But the default rule is BLOCK.. So unless you forwarded traffic - where are they going?

                        Yes, I am logging the pass traffic.
                        I mean if the pfSense has been hacked, is there some behaviour I am supposed to notice?

                        • Harvy66

                          I receive about 19 packets per second 24/7 of blocked traffic on my residential line. You're getting one every few tens of seconds. You're very unlikely to get hacked if you block WAN traffic to your web interface. The administrative web server is the biggest liability by far.

                          The firewall itself is quite hardened. Anyone with the ability to "hack" the FreeBSD firewall will have much bigger targets to use their 0-day exploit on.

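The rate comparison above (a blocked hit every few tens of seconds versus a sustained flood) and johnpoz's earlier point that passed, not blocked, WAN traffic is what would actually matter can be made mechanical. The following is an added example, not code from the thread or from pfSense: it reads rows in the column layout of the GUI log quoted in the first post (icon text removed), groups hits by source host, computes each host's average packet rate, and flags any passed WAN hits. The flood threshold, the column order, and the 203.0.113.9 pass row are assumptions made for this example.

```python
"""Per-source summary of pfSense firewall log rows (added example, not
code from the thread or from pfSense). Rows follow the column order of
the GUI log quoted in the thread, icon text removed: action, time,
interface, source, destination, protocol. Threshold and rows are assumed."""
from collections import defaultdict
from datetime import datetime

FLOOD_PPS = 100.0             # assumption: sustained rate worth investigating
TIME_FMT = "%b %d %H:%M:%S"   # GUI timestamps carry no year

# Constructed sample rows (IPv4 only); public addresses are those in the post,
# 203.0.113.9 is a documentation address standing in for a passed VPN client.
SAMPLE_LOG = (
    "block\tJan 18 01:29:40\tWAN\t218.77.79.43:57651\t10.10.10.1:80\tTCP:S\n"
    "block\tJan 18 01:45:56\tWAN\t76.187.41.69:30792\t10.10.10.1:6045\tUDP\n"
    "block\tJan 18 01:46:20\tWAN\t76.187.41.69:30792\t10.10.10.1:6045\tUDP\n"
    "block\tJan 18 01:46:49\tWAN\t76.187.41.69:30792\t10.10.10.1:6045\tUDP\n"
    "block\tJan 18 01:47:54\tWAN\t76.187.41.69:30792\t10.10.10.1:6045\tUDP\n"
    "block\tJan 18 01:47:58\tWAN\t192.168.2.254\t224.0.0.1\tIGMP\n"
    "pass\tJan 18 01:48:10\tWAN\t203.0.113.9:41000\t10.10.10.1:1194\tUDP\n"
)

def parse_row(line):
    """Split one tab-separated row; drop the source port so hits group by host."""
    action, ts, iface, src, dst, proto = line.split("\t")
    host = src.rsplit(":", 1)[0] if ":" in src else src
    return {"action": action, "time": datetime.strptime(ts, TIME_FMT),
            "iface": iface, "src": host, "dst": dst, "proto": proto}

def summarize(log_text):
    """Per source host: hit count, protocols seen, passed hits, average rate."""
    per_src = defaultdict(lambda: {"hits": 0, "passed": 0, "protos": set(), "times": []})
    for line in filter(None, log_text.splitlines()):
        row = parse_row(line)
        e = per_src[row["src"]]
        e["hits"] += 1
        e["protos"].add(row["proto"])
        e["passed"] += int(row["action"] == "pass")
        e["times"].append(row["time"])
    for e in per_src.values():
        span = (max(e["times"]) - min(e["times"])).total_seconds()
        e["pps"] = e["hits"] / span if span > 0 else float(e["hits"])  # lone hit: 1/s
    return dict(per_src)

def classify(entry):
    """Passed WAN traffic always merits review; otherwise the rate decides."""
    if entry["passed"]:
        return "review-passed"
    return "flood" if entry["pps"] >= FLOOD_PPS else "noise"
```

Calling summarize(SAMPLE_LOG) and classify() on each entry labels the posted sources as noise (about 0.03 packets per second for 76.187.41.69) and singles out only the constructed passed row for a closer look.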
                          • Jamerson

                            @Harvy66:

                            I receive about 19 packets per second 24/7 of blocked traffic on my residential line. You're getting one every few tens of seconds. You're very unlikely to get hacked if you block WAN traffic to your web interface. The administrative web server is the biggest liability by far.

                            The firewall itself is quite hardened. Anyone with the ability to "hack" the FreeBSD firewall will have much bigger targets to use their 0-day exploit on.

                            My pfSense is not accessible over the WAN at all;
                            the only port facing the WAN is the OpenVPN port, others are drop/reject.

                            Thank you

                            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.