Sonicwall "possible port scan" Help!

Hi all,

Our office has a SonicWall TZ 170 firewall that is set up to send attempted attacks and regular event logs to my email address.

I routinely receive a dozen or so notices a day that seem relatively benign (unhandled packets and such). About 5 days ago, I began receiving emails by the hundreds a day! They are all as follows:

05/21/2007 08:35:28.464 - Probable port scan dropped - 67.185.175.xxx, 58610, WAN - 70.147.xxx.xxx, 32793, WAN - TCP scanned port list, 1275, 20329, 16091, 14817, 12963, 1233, 55485, 36531, 53375, 13247

The second IP address listed is our IP address. I don't recognize the first IP address, but it is always one of two different IP addresses. The port numbers change every time. Any idea what is causing this and why it just started recently?

It is entirely possible that some of the employees have installed new software on their machines, but I am positive that no one has recently altered the firewall settings (I have the only access, but have not used it in months).

I'm new to firewalls and servers, so please bear with me. Thanks in advance for the help!

Nate

Reply to
kastnna

Fine-tune what is being mailed to you (e.g. user logins, system errors...); also, I seem to remember that you can set it to "once a day" as opposed to every incident.

it's the address of the scanner

it's a port scan and you shouldn't worry about it.

I doubt your employees have anything to do with it

if this is your designated job, you should start to get into all these issues - and get your users under control.

M
Reply to
mak

IMO, if you are a network admin, you might want to do some research, reading and some classes to get enough under your belt so that you're answering questions here instead of asking them... no offense meant.... everyone had to start somewhere, right?

At any given time, there are multiple 'scans' going on over the net... some southeast asia pacific areas are heavily snooping the world, scanning every IP that they can, and even worse...

I would agree with mak, tailor your logs a bit and you'll probably not get as much 'noise' as you're getting... btw, you can't do much about external scans unless they impede your ability to surf or conduct business....

RedForeman

Reply to
RedForeman

Sigh...

The "firewall" worked. Now, why are you wasting time pursuing the matter? Do you think there is an Internet Police that will go to the house where the packets came from, and kick the owner into the slammer?

67.185.175.xxx is Comcast - ARIN says "SPOKANE-7", but an address in that range looks more like Northeastern Oregon. 70.147.xxx.xxx (your headers say 70.147.172.151) is a BellSouth address in the Montgomery, Alabama area. Looks quite normal for a windoze zombie box looking for a playmate. You _could_ complain to snipped-for-privacy@comcast.net, but my experience is that an auto-ignore-bot will return an acknowledgement of your mail, and toss it into the bit-bucket. Is there any particular reason you need to allow connections from a residential host 2000 miles away?

1118 Hitchhikers guide to the Internet. E. Krol. September 1989. (Format: TXT=62757 bytes) (Status: INFORMATIONAL)
1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991. (Format: TXT=65494 bytes) (Status: INFORMATIONAL)

Two RFCs - the search engine you are posting from should find copies in a few seconds if you look for 'RFC1118' and 'RFC1180'.

Hard to say on such limited information - may well just be your turn in the barrel. Most of us don't even bother logging such Internet noise. It got dropped/blocked - ignore it.

And the reason you allow your employees to install unknown software on company owned computers is what exactly?

Someone may have installed some malware, or a VOIP service, or be surfing pr0n sites (especially if you've given them administrative rights because it's too hard to configure the computers in a sane manner otherwise), but the fact that it's a single _remote_ port at any given scan coming to multiple (seemingly random) local ports suggests the scans were initiated from the remote site.

If you allow your users to install anything on company systems, and don't know what a port scan is and why it may occur, you are going to be having a horrible time playing catch-up. You may wish to check with your local educational establishments and see if any are offering continuing education classes in computer networks. Ignore the official Microsoft classes, as much of the material in them is (at the very least) mis-interpreted, and often flat-out wrong. In spite of the fairy tales in the Microsoft advertisements, they could not care less if you go out of business because of security lapses on their part, because you waived _all_ legal rights when you installed their software.

Old guy

Reply to
Moe Trin
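As an added example (not code from the thread, and not a SonicWall feature), here is a small Python script that turns the log line format in the original post into the kind of once-a-day digest mak suggests, and applies Moe Trin's rule of thumb that one fixed remote port hitting many different local ports points to a scan started at the remote end. The first sample line is the one from the post; the other lines, the field names, the "some other event" placeholder and the thresholds in looks_remote_initiated are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Line 1 is the line quoted in the question (addresses masked
# as posted); the remaining lines are made up here to exercise the parser.
SAMPLE_LOG = """\
05/21/2007 08:35:28.464 - Probable port scan dropped - 67.185.175.xxx, 58610, WAN - 70.147.xxx.xxx, 32793, WAN - TCP scanned port list, 1275, 20329, 16091, 14817, 12963, 1233, 55485, 36531, 53375, 13247
05/21/2007 08:36:02.101 - Probable port scan dropped - 67.185.175.xxx, 58610, WAN - 70.147.xxx.xxx, 41002, WAN - TCP scanned port list, 2201, 33019, 8800, 61044, 1090, 20202, 7007, 51515, 4040, 9090
05/21/2007 09:12:44.910 - Probable port scan dropped - 24.20.31.xxx, 6881, WAN - 70.147.xxx.xxx, 50112, WAN - TCP scanned port list, 135, 139, 445, 1025, 3389
05/21/2007 09:13:01.000 - some other event - placeholder for a line this parser should skip
"""

# Field layout taken from the line in the post:
# <timestamp> - <message> - <src ip>, <src port>, <src if> - <dst ip>, <dst port>, <dst if> - <proto> scanned port list, p1, p2, ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - Probable port scan dropped - "
    r"(?P<src_ip>\S+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"(?P<dst_ip>\S+), (?P<dst_port>\d+), (?P<dst_if>\w+) - "
    r"(?P<proto>TCP|UDP) scanned port list, (?P<ports>[\d, ]+)$"
)


def parse_line(line):
    """Return a dict for a 'Probable port scan dropped' line, or None for any other event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "src_ip": d["src_ip"], "src_port": int(d["src_port"]), "src_if": d["src_if"],
        "dst_ip": d["dst_ip"], "dst_port": int(d["dst_port"]), "dst_if": d["dst_if"],
        "proto": d["proto"],
        "ports": [int(p) for p in d["ports"].split(",") if p.strip()],
    }


def summarize(log_text):
    """Group scan events by remote source IP: event count, source ports seen, local ports probed."""
    per_src = defaultdict(lambda: {"events": 0, "src_ports": set(), "dst_ports": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unhandled packets and other events are not part of this digest
        s = per_src[ev["src_ip"]]
        s["events"] += 1
        s["src_ports"].add(ev["src_port"])
        s["dst_ports"].update(ev["ports"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return dict(per_src)


def looks_remote_initiated(entry, max_src_ports=2, min_dst_ports=8):
    """Moe Trin's heuristic: a single fixed remote port sweeping many local ports means the
    remote host drove the scan. Thresholds are assumed values, not SonicWall settings."""
    return len(entry["src_ports"]) <= max_src_ports and len(entry["dst_ports"]) >= min_dst_ports


def digest(log_text):
    """One summary line per source, busiest first, suitable for a single daily mail."""
    lines = []
    for src, s in sorted(summarize(log_text).items(), key=lambda kv: -kv[1]["events"]):
        verdict = "remote-initiated scan" if looks_remote_initiated(s) else "inconclusive"
        lines.append(f"{src}: {s['events']} events, {len(s['src_ports'])} source port(s), "
                     f"{len(s['dst_ports'])} distinct local ports, "
                     f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}, {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(digest(SAMPLE_LOG)))
```

Pointing this at a day's worth of the mailed log lines collapses hundreds of per-event mails into one line per remote address, which is also what you would paste into an abuse report if you decided to send one.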

thanks for the help.

Reply to
kastnna

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.