CHINANET

ESET firewall has been reporting daily port scans from 58.218.199.147, 58.218.199.250 and at least two other IPs, all related to CHINANET, Beijing, for a month or so.

What is going on here? Is this happening to anyone else in comp.security.firewalls, and is this an exploit I should be concerned about?

Thanks,

riserman

Reply to
riserman

"riserman" wrote in the news message:4ff1e8bc$0$11512$ snipped-for-privacy@cv.net...

If you search in Google you'll find many posts in forums complaining about intrusion attempts from that IP, from 2010 until now.

Regards,

-- Sr Peabody

Reply to
Sr Peabody

Thanks Sr Peabody, but I'm aware of all the complaints. What I really want to know is who is conducting the port scanning and what is their *ultimate* purpose? What do they do after finding an open port?

riserman

Reply to
riserman

Why port scanning? uh... one of the most popular reconnaissance techniques attackers use to discover services they can break into, and all that hacker stuff.

Who is conducting it? who knows, possibly a script kiddie, or even the PLA (People's Liberation Army) cyberwarfare division :)

You're not alone, i.e. take a look at the posts on this page:

formatting link
Just be sure you have your shields up with a good and updated firewall and, if possible, use the firewall's blocking options to block traffic coming from those IPs.

Regards,

Reply to
Sr Peabody

If you have an out-dated O/S, or have crap open to the world - perhaps. Otherwise, why care. They aren't getting in to your computer, so why are you wasting time worrying about it?

If you search in Google, you'll find millions of posts about port scans since the 1990s. What's new?

Depends - some are looking for open proxy servers, while some are looking for systems to convert into zombies that they can use to conduct port scans or run spam or virus/trojan servers.

or the schools where they are training them. So? What are you going to do if you find out who they are - call the police? Wag your finger at them and say "BAD Boy" or "BAD Girl"? Oh, that will make them stop.

Fix your toy computer so that it's not running unneeded services. For a home user, that usually means NO network services. Your computer has a tool to show what services are open/running. Use it, and find out what is running. If nothing is open, no one is getting in - a firewall isn't needed when there is no door to open.

If you're worried about blocking systems in China, you've got your work cut out for you. As of two weeks ago, China had 3879 networks containing 330342508 IPv4 addresses, ranging from 1.0.1.1 to 223.255.253.254 - and that's ignoring Taiwan, Hong Kong, and Macau. But then, there are 3114348564 _other_ IP addresses in 113381 _other_ networks in 230 _other_ countries in the world - shouldn't you be blocking them as well? Hmmm, maybe a better idea is to allow those you want to, and ignore/block those not allowed.

Old guy

Reply to
Moe Trin

Where did these numbers come from?

riserman

Reply to
riserman

Which? Numbers of Chinese networks and hosts? APNIC, ARIN and RIPE statistics files, published nightly. I only bother grabbing a copy monthly on the 15th. Other countries? There is AfriNIC and LACNIC as well as the first three. If you need them, you'd be looking for "RIR Statistics" files where RIR means Regional Internet Registry. I haven't seen the data offered by the RIRs as a web page, but they're on the five RIR FTP servers. Examples of the source filenames would be

delegated-afrinic-20120615
delegated-apnic-20120615
delegated-arin-20120615
delegated-lacnic-20120615
delegated-ripencc-20120615

but they're rather boring and useless if you're not in the trade.

apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|AU|ipv4|1.0.4.0|1024|20110412|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated

First field is the name of the RIR, second field is country (know your ISO3166 country codes?), third field is data type (here, IPv4), fourth is the network address, fifth is size, sixth is date assigned/allocated, and last field is whether the block is assigned to a "final user" or allocated for further sub-assignment or sub-allocation, often by a national or local internet registry. The IPv6 data is even more useless because the smallest data block refers to a /64 which is 2^64 or 18446744073709551616 addresses. IPv6 lines look like

apnic|JP|ipv6|2001:200::|35|19990813|allocated
apnic|JP|ipv6|2001:200:2000::|35|20030423|allocated

fields as above except the size field is the mask width - the "35" means a mask of ffff:ffff:e000:0000:0000:0000:0000:0000 and that means a total of 9903520314283042199192993792 addresses in the block. Takes a little data manipulation to get these files into something usable, as there's around 182000 lines of text to parse in the five files. Oh, and the big bugaboo - the country code is where the netblock is _registered_ in, not where the individual hosts are physically located. Company I work for has corporate offices in New York state, but I'm in Arizona, and the company being multi-national has facilities in 40+ countries on seven continents. So, are we all to be considered New Yorkers? The RIRs would seem to say yes.

Old guy

Reply to
Moe Trin

# China IP blocks:
# List of ip blocks allocated and assigned directly by RIRs to ISPs
# and other large companies in the country of China
# This file is based on data collected on Thu Jan 31 07:03:40 PST 2008

other countries:

formatting link

58.14.0.0/15 58.16.0.0/13 58.24.0.0/15 58.30.0.0/15 58.32.0.0/11 58.66.0.0/15 58.68.128.0/17 58.82.0.0/15 58.87.64.0/18 58.99.128.0/17 58.100.0.0/15 58.116.0.0/14 58.128.0.0/13 58.144.0.0/16 58.154.0.0/15 58.192.0.0/11 58.240.0.0/12 59.32.0.0/11 59.64.0.0/12 59.80.0.0/14 59.107.0.0/16 59.108.0.0/14 59.151.0.0/17 59.155.0.0/16 59.172.0.0/14 59.191.0.0/17 59.191.240.0/20 59.192.0.0/10 60.0.0.0/11 60.55.0.0/16 60.63.0.0/16 60.160.0.0/11 60.194.0.0/15 60.200.0.0/13 60.208.0.0/12 60.232.0.0/15 60.235.0.0/16 60.245.128.0/17 60.247.0.0/16 60.252.0.0/16 60.253.128.0/17 60.255.0.0/16 61.4.80.0/20 61.4.176.0/20 61.8.160.0/20 61.28.0.0/17 61.29.128.0/17 61.45.128.0/18 61.47.128.0/18 61.48.0.0/13 61.87.192.0/18 61.128.0.0/10 61.232.0.0/14 61.236.0.0/15 61.240.0.0/14 110.232.32.0/20 116.1.0.0/16 116.2.0.0/15 116.4.0.0/14 116.8.0.0/14 116.13.0.0/16 116.16.0.0/12 116.52.0.0/14 116.56.0.0/15 116.58.128.0/20 116.58.208.0/20 116.60.0.0/14 116.66.0.0/17 116.69.0.0/16 116.70.0.0/17 116.76.0.0/14 116.89.144.0/20 116.90.184.0/21 116.95.0.0/16 116.112.0.0/14 116.116.0.0/15 116.128.0.0/10 116.192.0.0/16 116.193.16.0/20 116.193.32.0/19 116.194.0.0/15 116.196.0.0/16 116.198.0.0/16 116.199.0.0/17 116.199.128.0/19 116.204.0.0/15 116.207.0.0/16 116.208.0.0/14 116.212.160.0/20 116.213.64.0/18 116.213.128.0/17 116.214.32.0/19 116.214.64.0/20 116.214.128.0/17 116.215.0.0/16 116.216.0.0/14 116.224.0.0/12 116.242.0.0/15 116.244.0.0/14 116.248.0.0/15 116.252.0.0/15 116.254.128.0/17 116.255.128.0/17 117.8.0.0/13 117.21.0.0/16 117.22.0.0/15 117.24.0.0/13 117.32.0.0/13 117.40.0.0/14 117.44.0.0/15 117.48.0.0/14 117.53.48.0/20 117.53.176.0/20 117.57.0.0/16 117.58.0.0/17 117.59.0.0/16 117.60.0.0/14 117.64.0.0/13 117.72.0.0/15 117.74.64.0/20 117.74.128.0/17 117.75.0.0/16 117.76.0.0/14 117.80.0.0/12 117.100.0.0/15 117.103.16.0/20 117.103.128.0/20 117.106.0.0/15 117.112.0.0/13 117.120.64.0/18 117.120.128.0/17 117.121.0.0/17 117.121.128.0/18 117.121.192.0/21 117.122.128.0/17 117.124.0.0/14 117.128.0.0/10 
118.24.0.0/13 118.64.0.0/15 118.66.0.0/16 118.67.112.0/20 118.72.0.0/13 118.80.0.0/15 118.84.0.0/15 118.88.32.0/19 118.88.64.0/18 118.88.128.0/17 118.89.0.0/16 118.91.240.0/20 118.102.16.0/20 118.112.0.0/13 118.120.0.0/14 118.124.0.0/15 118.126.0.0/16 118.132.0.0/14 118.144.0.0/14 118.178.0.0/16 118.180.0.0/14 118.184.0.0/13 118.192.0.0/12 118.212.0.0/15 118.224.0.0/14 118.228.0.0/15 118.230.0.0/16 118.239.0.0/16 118.242.0.0/16 118.244.0.0/14 118.248.0.0/13 119.0.0.0/15 119.2.0.0/19 119.2.128.0/17 119.3.0.0/16 119.4.0.0/14 119.8.0.0/15 119.10.0.0/17 119.15.136.0/21 119.16.0.0/16 119.18.192.0/20 119.18.208.0/21 119.18.224.0/19 119.19.0.0/16 119.20.0.0/14 119.27.64.0/18 119.27.160.0/19 119.27.192.0/18 119.28.0.0/15 119.30.48.0/20 119.31.192.0/19 119.32.0.0/13 119.40.0.0/18 119.40.64.0/20 119.40.128.0/17 119.41.0.0/16 119.42.0.0/19 119.42.136.0/21 119.42.224.0/19 119.44.0.0/15 119.48.0.0/13 119.57.0.0/16 119.58.0.0/16 119.59.128.0/17 119.60.0.0/15 119.62.0.0/16 119.63.32.0/19 119.75.208.0/20 119.78.0.0/15 119.80.0.0/15 119.84.0.0/14 119.88.0.0/14 121.0.16.0/20 121.4.0.0/15 121.8.0.0/13 121.16.0.0/12 121.32.0.0/13 121.40.0.0/14 121.46.0.0/15 121.48.0.0/15 121.51.0.0/16 121.52.160.0/19 121.52.208.0/20 121.52.224.0/19 121.55.0.0/18 121.56.0.0/15 121.58.0.0/17 121.58.144.0/20 121.59.0.0/16 121.60.0.0/14 121.68.0.0/14 121.76.0.0/15 121.79.128.0/18 121.89.0.0/16 121.100.128.0/17 121.101.208.0/20 121.192.0.0/13 121.201.0.0/16 121.204.0.0/14 121.224.0.0/12 121.248.0.0/14 121.255.0.0/16 122.0.64.0/18 122.0.128.0/17 122.4.0.0/14 122.8.0.0/13 122.48.0.0/16 122.49.0.0/18 122.51.0.0/16 122.64.0.0/11 122.96.0.0/15 122.102.0.0/20 122.102.64.0/19 122.112.0.0/14 122.119.0.0/16 122.136.0.0/13 122.144.128.0/17 122.152.192.0/18 122.156.0.0/14 122.192.0.0/14 122.198.0.0/16 122.200.64.0/18 122.204.0.0/14 122.224.0.0/12 122.240.0.0/13 122.248.48.0/20 123.0.128.0/18 123.4.0.0/14 123.8.0.0/13 123.49.128.0/17 123.52.0.0/14 123.56.0.0/13 123.64.0.0/11 123.96.0.0/15 123.98.0.0/17 123.99.128.0/17 
123.100.0.0/19 123.101.0.0/16 123.103.0.0/17 123.108.128.0/20 123.108.208.0/20 123.112.0.0/12 123.128.0.0/13 123.136.80.0/20 123.137.0.0/16 123.138.0.0/15 123.144.0.0/12 123.160.0.0/12 123.176.80.0/20 123.177.0.0/16 123.178.0.0/15 123.180.0.0/14 123.184.0.0/13 123.196.0.0/15 123.199.128.0/17 123.206.0.0/15 123.232.0.0/14 123.242.0.0/17 123.244.0.0/14 123.249.0.0/16 123.253.0.0/16 124.6.64.0/18 124.14.0.0/15 124.16.0.0/15 124.20.0.0/14 124.28.192.0/18 124.29.0.0/17 124.31.0.0/16 124.40.112.0/20 124.40.128.0/18 124.42.0.0/16 124.47.0.0/18 124.64.0.0/15 124.66.0.0/17 124.67.0.0/16 124.68.0.0/14 124.72.0.0/13 124.88.0.0/13 124.108.8.0/21 124.108.40.0/21 124.112.0.0/13 124.126.0.0/15 124.128.0.0/13 124.147.128.0/17 124.156.0.0/16 124.160.0.0/13 124.172.0.0/14 124.192.0.0/15 124.196.0.0/16 124.200.0.0/13 124.220.0.0/14 124.224.0.0/12 124.240.0.0/17 124.240.128.0/18 124.242.0.0/16 124.243.192.0/18 124.248.0.0/17 124.249.0.0/16 124.250.0.0/15 124.254.0.0/18 125.31.192.0/18 125.32.0.0/12 125.58.128.0/17 125.61.128.0/17 125.62.0.0/18 125.64.0.0/11 125.96.0.0/15 125.98.0.0/16 125.104.0.0/13 125.112.0.0/12 125.169.0.0/16 125.171.0.0/16 125.208.0.0/18 125.210.0.0/15 125.213.0.0/17 125.214.96.0/19 125.215.0.0/18 125.216.0.0/13 125.254.128.0/17 134.196.0.0/16 159.226.0.0/16 161.207.0.0/16 162.105.0.0/16 166.111.0.0/16 167.139.0.0/16 168.160.0.0/16 192.83.122.0/24 192.83.169.0/24 192.124.154.0/24 192.188.170.0/24 198.17.7.0/24 202.0.110.0/24 202.0.176.0/22 202.4.128.0/19 202.4.252.0/22 202.8.128.0/19 202.10.64.0/20 202.14.88.0/24 202.14.235.0/24 202.14.236.0/23 202.14.238.0/24 202.20.120.0/24 202.22.248.0/21 202.38.0.0/20 202.38.64.0/18 202.38.128.0/21 202.38.136.0/23 202.38.138.0/24 202.38.140.0/22 202.38.146.0/23 202.38.149.0/24 202.38.150.0/23 202.38.152.0/22 202.38.156.0/24 202.38.158.0/23 202.38.160.0/23 202.38.164.0/22 202.38.168.0/21 202.38.176.0/23 202.38.184.0/21 202.38.192.0/18 202.41.152.0/21 202.41.240.0/20 202.43.144.0/20 202.46.32.0/19 202.46.224.0/20 202.60.112.0/20 
202.63.248.0/22 202.69.4.0/22 202.69.16.0/20 202.70.0.0/19 202.74.8.0/21 202.75.208.0/20 202.85.208.0/20 202.90.0.0/22 202.90.224.0/20 202.90.252.0/22 202.91.0.0/22 202.91.128.0/22 202.91.176.0/20 202.91.224.0/19 202.92.0.0/22 202.92.252.0/22 202.93.0.0/22 202.93.252.0/22 202.95.0.0/19 202.95.252.0/22 202.96.0.0/12 202.112.0.0/13 202.120.0.0/15 202.122.0.0/21 202.122.32.0/21 202.122.64.0/19 202.122.112.0/21 202.122.128.0/24 202.123.96.0/20 202.124.24.0/22 202.125.176.0/20 202.127.0.0/21 202.127.12.0/22 202.127.16.0/20 202.127.40.0/21 202.127.48.0/20 202.127.112.0/20 202.127.128.0/19 202.127.160.0/21 202.127.192.0/20 202.127.208.0/23 202.127.212.0/22 202.127.216.0/21 202.127.224.0/19 202.130.0.0/19 202.130.224.0/19 202.131.16.0/21 202.131.48.0/20 202.131.208.0/20 202.136.48.0/20 202.136.208.0/20 202.136.224.0/20 202.141.160.0/19 202.142.16.0/20 202.143.16.0/20 202.148.96.0/19 202.149.160.0/19 202.149.224.0/19 202.150.16.0/20 202.152.176.0/20 202.153.48.0/20 202.158.160.0/19 202.160.176.0/20 202.164.0.0/20 202.164.25.0/24 202.165.96.0/20 202.165.176.0/20 202.165.208.0/20 202.168.160.0/19 202.170.128.0/19 202.170.216.0/21 202.173.8.0/21 202.173.224.0/19 202.179.240.0/20 202.180.128.0/19 202.181.112.0/20 202.189.80.0/20 202.192.0.0/12 203.18.50.0/24 203.79.0.0/20 203.80.144.0/20 203.81.16.0/20 203.83.56.0/21 203.86.0.0/18 203.86.64.0/19 203.88.32.0/19 203.88.192.0/19 203.89.0.0/22 203.90.0.0/22 203.90.128.0/18 203.90.192.0/19 203.91.32.0/19 203.91.96.0/20 203.91.120.0/21 203.92.0.0/22 203.92.160.0/19 203.93.0.0/16 203.94.0.0/19 203.95.0.0/21 203.95.96.0/19 203.99.16.0/20 203.99.80.0/20 203.100.32.0/20 203.100.80.0/20 203.100.96.0/19 203.100.192.0/20 203.110.160.0/19 203.118.192.0/19 203.119.24.0/21 203.119.32.0/22 203.128.32.0/19 203.128.96.0/19 203.130.32.0/19 203.132.32.0/19 203.134.240.0/21 203.135.96.0/19 203.135.160.0/20 203.148.0.0/18 203.152.64.0/19 203.156.192.0/18 203.158.16.0/21 203.161.192.0/19 203.166.160.0/19 203.171.224.0/20 203.174.7.0/24 203.174.96.0/19 
203.175.128.0/19 203.175.192.0/18 203.176.168.0/21 203.184.80.0/20 203.187.160.0/19 203.190.96.0/20 203.191.16.0/20 203.191.64.0/18 203.191.144.0/20 203.192.0.0/19 203.196.0.0/21 203.207.64.0/18 203.207.128.0/17 203.208.0.0/20 203.208.16.0/22 203.208.32.0/19 203.209.224.0/19 203.212.0.0/20 203.212.80.0/20 203.222.192.0/20 203.223.0.0/20 210.2.0.0/19 210.5.0.0/19 210.5.144.0/20 210.12.0.0/15 210.14.64.0/19 210.14.112.0/20 210.14.128.0/17 210.15.0.0/17 210.15.128.0/18 210.16.128.0/18 210.21.0.0/16 210.22.0.0/16 210.23.32.0/19 210.25.0.0/16 210.26.0.0/15 210.28.0.0/14 210.32.0.0/12 210.51.0.0/16 210.52.0.0/15 210.56.192.0/19 210.72.0.0/14 210.76.0.0/15 210.78.0.0/16 210.79.64.0/18 210.79.224.0/19 210.82.0.0/15 210.87.128.0/18 210.185.192.0/18 210.192.96.0/19 211.64.0.0/13 211.80.0.0/12 211.96.0.0/13 211.136.0.0/13 211.144.0.0/12 211.160.0.0/13 218.0.0.0/11 218.56.0.0/13 218.64.0.0/11 218.96.0.0/14 218.104.0.0/14 218.108.0.0/15 218.185.192.0/19 218.192.0.0/12 218.240.0.0/13 218.249.0.0/16 219.72.0.0/16 219.82.0.0/16 219.128.0.0/11 219.216.0.0/13 219.224.0.0/12 219.242.0.0/15 219.244.0.0/14 220.101.192.0/18 220.112.0.0/14 220.152.128.0/17 220.154.0.0/15 220.160.0.0/11 220.192.0.0/12 220.231.0.0/18 220.231.128.0/17 220.232.64.0/18 220.234.0.0/16 220.242.0.0/15 220.248.0.0/14 220.252.0.0/16 221.0.0.0/13 221.8.0.0/14 221.12.0.0/17 221.12.128.0/18 221.13.0.0/16 221.14.0.0/15 221.122.0.0/15 221.129.0.0/16 221.130.0.0/15 221.133.224.0/19 221.136.0.0/15 221.172.0.0/14 221.176.0.0/13 221.192.0.0/14 221.196.0.0/15 221.198.0.0/16 221.199.0.0/17 221.199.128.0/18 221.199.192.0/20 221.199.224.0/19 221.200.0.0/13 221.208.0.0/12 221.224.0.0/12 222.16.0.0/12 222.32.0.0/11 222.64.0.0/11 222.125.0.0/16 222.126.128.0/17 222.128.0.0/12 222.160.0.0/14 222.168.0.0/13 222.176.0.0/12 222.192.0.0/11 222.240.0.0/13 222.248.0.0/15
Reply to
Davis

Please _RE-READ_ what I posted:

]] As of two weeks ago,

which was from 03 July, 2012 (meaning data from 15 June, 2012)

]] China had 3879 networks containing 330342508
]] IPv4 addresses, ranging from 1.0.1.1 to 223.255.253.254 - and
]] that's ignoring Taiwan, Hong Kong, and Macau.

That's over FOUR YEARS NINE MONTHS OUT OF DATE. On January 31, 2008, there were 84451 allocations and assignments world-wide, totaling 2575807388 (2.58e9) IPv4 addresses. On December 31, 2011, those numbers had increased to 113278 allocations/assignments and 3402331040 (3.40e9) IPv4 addresses. On October 15, 2012 it was up to 120276 and 3471537408 (3.47e9). Things can change rather significantly in time, and data nearly five years old is not very useful.

You list 650 address ranges out of 3527 ranges they had allocated or assigned on October 15, 2012. Notice that's a different number from what they had 15 June.

[fermi ~]$ zgrep CN RIPE.gz
CN 91.196.232.0 255.255.252.0 assigned 20070704 ri
CN 91.234.36.0 255.255.255.0 assigned 20111222 ri
[fermi ~]$ zgrep CN ARIN.gz
CN 199.59.240.0 255.255.252.0 allocated 20101209 ar
[fermi ~]$ zgrep CN APNIC.gz | cut -d' ' -f2 | cut -d'.' -f1 | sort -n | uniq -c | column
     59 1      152 103     29 120      7 157     17 183
     17 14      23 106     49 121      1 159      2 192
     32 27      42 110     37 122      1 161    556 202
     25 36      34 111     50 123      1 162    968 203
     10 39      21 112     72 124      6 163     78 210
     90 42      44 113     40 125      1 166     45 211
     17 49      30 114      1 134      1 167     73 218
     45 58      28 115     16 139      1 168     42 219
     34 59      56 116     13 140     12 171     17 220
     38 60      38 117      6 144     20 175     64 221
     89 61      47 118      7 150     36 180     64 222
     75 101     77 119      7 153     29 182     32 223
[fermi ~]$

That shows the number of blocks in each /8 from APNIC - 59 in 1.x.x.x, 17 in 14.x.x.x and so on. Note, 45 in 58.x.x.x (you list 17), 34 in 59.x.x.x (you list 11), and 968 in 203.x.x.x (you list 69).

Old guy

Reply to
Moe Trin

Could you summarize this into a shorter list? In other words what ranges exactly should one block?

Reply to
meagain

Same range you were told to block back in early 2007 when you asked.

Block 0.0.0.0/0
Allow 127.0.0.1

If you've got IPv6 (most home users don't), you also want to

Block 0::/0
Allow 0::1

Quite simple, actually. Just two rules to block all 3530 IPv4 nets in China, and the 220 IPv6 ones too (never mind the 1030 nets in Hong Kong, 27 in Macau and 575 in Taiwan)! You might want to "Allow" a few other addresses, but that can be risky.

Old guy

Reply to
Moe Trin

Moe Trin wrote: ...

I guess it is nice to be remembered, even by another old guy.

mmmm, that feels like it would block everything - I'm not THAT curmudgeony.

Reply to
meagain

the computer rarely forgets

So you've removed the locks on your house to allow anyone in at any time? Do you also tape your car keys to the driver's window so anyone can use the car at any time you're not using it?

Most people don't intentionally offer services to everyone in the world. I limit access to my systems to a /22 and two /24s "outside" (a total of 1530 addresses) because I can't see any reason to allow connections from you or anyone else that I haven't approved in advance, and I really don't expect authorized users to be connecting from Kazakhstan, Kenya, Kiribati, Korea, Kuwait or Kyrgyzstan and a lot of other places either. Lest someone from those countries object, I also don't allow access from nearly all ISPs in the rest of the world. Not expected == not allowed.

Blocking access FROM the world does not mean blocking your access TO the world - subtle difference, no?

Most people ignore the existence of the Linux Documentation Project, much less the 453 "HOWTO" documents and 46 guides, because they have words in them, and you have to _read_ those words to gain knowledge. Consequently, the documents aren't being updated as they once were. But see if you can find a copy of

 85507 Aug 20  2001 Firewall-HOWTO
 42743 Nov 24  2001 Firewall-Piercing
203891 Sep 29  2004 NET3-4-HOWTO
155096 Jan 23  2004 Security-HOWTO
278012 Jul 23  2002 Security-Quickstart-HOWTO

The last one is particularly useful. The commands have changed in 7-10 years, but not the concepts.

Old guy

Reply to
Moe Trin

And I asked for "short". I manage a SonicWall firewall with 5 static IPs hiding two video servers, two video mixers, and a half dozen video editing and scheduling computers. Only the servers are Linux. Yet we have remote access so I can control the servers from anywhere. So I don't want to block the world.

Reply to
meagain

The short answer is "you can't do so". There are a couple of problems with IP filtering to _block_ access by country.

  1. ARIN, and thereafter the four other Regional Internet Registrars, did not assign blocks in a "convenient" manner. Address ranges were assigned from a range such as 202.x.x.x in an arbitrary manner - more or less "first come, first assigned". There was no en masse assignment of a large block to this country or that. While blocks are being divided to better administer them,

[fermi ~]$ zgrep CN APNIC.gz | cut -d' ' -f3 | sort | uniq -c | column
     10 255.192.0.0      163 255.255.192.0
     19 255.224.0.0      258 255.255.224.0
     51 255.240.0.0      253 255.255.240.0
    106 255.248.0.0      234 255.255.248.0
    226 255.252.0.0      326 255.255.252.0
    317 255.254.0.0      256 255.255.254.0
    382 255.255.0.0      737 255.255.255.0
    194 255.255.128.0
[fermi ~]$

the adjacent block is assigned to one of 36 other countries. That output shows how many networks of each size exist in China - ten /10s (36.128.0.0 - 36.191.255.255, 39.128.0.0 - 39.191.255.255, 59.192.0.0, 111.0.0.0, 112.0.0.0, 116.128.0.0, 117.128.0.0, 120.192.0.0, 183.0.0.0 and 183.192.0.0), nineteen /11s, fifty-one /12s, and so on down to 737 /24s, and as initially mentioned, they are scattered over the IPv4 address space from 1.0.1.0 to 223.255.253.255. Got a shotgun?
  2. The country reported in the registration data is that of the main office of the registrant, and has no guarantee that the computers are located in that country. The company I work for is registered in New York but if you traceroute to our address range, the last IP you see before hitting the firewall is near San Francisco - yet I'm in the Phoenix metro area (about 360 miles/600 KM East of Los Angeles), and systems in our address range are located in 27 other countries around the world. So are we in New York, the USA, North America or what?
  3. You can not count on the DNS name to show country information. In the first place, there are a lot of network administrators who haven't figured out how to run a DNS server or think the data to be secret, and looking up an address will often return a "NXDOMAIN" reply - meaning "no answer could be found". And contrary to common wisdom, not all domains in China (or any other country) have a .cn (or similar ISO-3166) country code as the top level domain - many in fact fit the common misconception that Internet hostnames all end with ".com".

So, if you want to block China ALONE, you have about 2500 address ranges to block. If you don't want to use that many, you can use wider blocks, such as a /8 - China is only in 60 of those 222 blocks. You're going to have collateral damage, by blocking others at the same time, such as 1.x.x.x/8 which blocks AU, CN, HK, IN, JP, KR, MY, PH, TH, TW and VN. Some other /8s have more countries, some less.

If customers have to access things, get a separate firewall. If access is limited to employees only, use better access controls. Are you trying to combat skript kiddiez who attempt to log in to your servers by trying "root" and a hundred thousand different passwords one after another? Use one of the "shoot yourself in the a$$" anti-intrusion programs, like 'BlockHosts', 'DenyHosts', 'fail2ban', 'sshguard' or similar but set the block times to ten minutes or less - that's enough to deter the skript kiddiez, and only blocks legitimate users for that long if they repeatedly screw up. A much better solution is strong encryption and authentication. Creating "outside" accounts that are isolated from internal (email) account names is desirable. Teaching your users to create/use "good" passwords (non-dictionary, mixed characters/case) helps, and you can use a brute-force password cracker like 'John-the-ripper' to detect lapses. If worried about one IP address, or a small range of addresses, use a 'whois' client/tool

[fermi ~]$ whatis whois
whois (1) - client for the whois service
[fermi ~]$

to identify the assigned network, and block that, BUT be aware of possible collateral damage, and performance degradation.

Do you travel the world WITHOUT advance notice? I normally have at least two days to prepare - more than that if I need to get a visa. Your best bet would be dynamic usernames and passwords - they are used just once then become invalid to prevent the bad guys from gaining access through packet sniffing or shoulder surfing. At one time, it was thought good practice to move the server port to a non-standard value, but many systems have _OUTBOUND_ filters to block access to all but a few well-known (standard) ports to avoid nasty things, and that can block your access from those sites. Best to depend on one-time authentication, and strong encryption.

Then you have to live with it.

Old guy

Reply to
Moe Trin
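The delegated-file layout described earlier (registry|cc|type|start|value|date|status), the per-/8 block count from the `cut -f2 | cut -d'.' -f1 | sort -n | uniq -c` pipeline, and the per-netmask count from the `cut -f3 | sort | uniq -c` pipeline above can all be reproduced from the raw RIR files with a few lines of Python. The block below is an added example written for this page, not code posted in the thread. Its sample input reuses the six IPv4 and two IPv6 lines quoted earlier and adds a constructed version header, summary line and three CN records (dates and sizes made up; one of them is 768 addresses, which is not a single CIDR block, to show how the host-count field has to be handled). As the thread stresses, the country column is where the block is registered, not where the hosts sit.

```python
"""Parse RIR delegated-* statistics files and summarise them per country.

Example code added for this page (not from the thread). Real files have
the same pipe-separated layout but ~180k lines across the five RIRs.
"""
from collections import Counter
import ipaddress

# Constructed sample: the lines quoted in the thread plus a version
# header, a summary line and three made-up CN records (dates invented).
SAMPLE = """\
2|apnic|20120615|45628|19830101|20120614|+1000
apnic|*|ipv4|*|1234|summary
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|AU|ipv4|1.0.4.0|1024|20110412|allocated
apnic|CN|ipv4|1.0.8.0|2048|20110412|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|JP|ipv6|2001:200::|35|19990813|allocated
apnic|JP|ipv6|2001:200:2000::|35|20030423|allocated
apnic|CN|ipv4|58.14.0.0|131072|20050701|allocated
apnic|CN|ipv4|203.93.0.0|65536|19980601|allocated
apnic|CN|ipv4|202.96.0.0|768|20000101|allocated
# comment lines are ignored
"""


def parse_delegated(text):
    """Return one dict per ipv4/ipv6 record. The version header, the
    '*|summary' lines, asn records and comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue
        registry, cc, kind, start, value, date, status = fields[:7]
        records.append({"registry": registry, "cc": cc, "type": kind,
                        "start": start, "value": int(value),
                        "date": date, "status": status})
    return records


def networks(rec):
    """CIDR blocks covered by one record. For IPv4 the value field is a
    host count that need not be a power of two, so a record may span
    several CIDRs; for IPv6 the value field is already a prefix length."""
    if rec["type"] == "ipv6":
        return [ipaddress.IPv6Network(f"{rec['start']}/{rec['value']}")]
    first = ipaddress.IPv4Address(rec["start"])
    last = first + (rec["value"] - 1)
    return list(ipaddress.summarize_address_range(first, last))


def address_count(rec):
    """Number of addresses in the record (2^(128-width) for IPv6)."""
    if rec["type"] == "ipv6":
        return 2 ** (128 - rec["value"])
    return rec["value"]


def country_summary(records, cc, kind="ipv4"):
    """Records, resulting CIDR blocks and total addresses registered
    (not necessarily located) in country cc."""
    recs = [r for r in records if r["cc"] == cc and r["type"] == kind]
    return {"records": len(recs),
            "cidrs": sum(len(networks(r)) for r in recs),
            "addresses": sum(address_count(r) for r in recs)}


def blocks_per_first_octet(records, cc):
    """Same result as the cut -f2 | cut -d'.' -f1 | uniq -c pipeline."""
    return Counter(int(r["start"].split(".")[0]) for r in records
                   if r["cc"] == cc and r["type"] == "ipv4")


def blocks_per_prefixlen(records, cc):
    """Same information as the netmask | uniq -c pipeline, keyed by
    prefix length instead of dotted mask."""
    counts = Counter()
    for r in records:
        if r["cc"] == cc and r["type"] == "ipv4":
            for net in networks(r):
                counts[net.prefixlen] += 1
    return counts


if __name__ == "__main__":
    recs = parse_delegated(SAMPLE)
    print("CN ipv4:", country_summary(recs, "CN"))
    print("JP ipv6:", country_summary(recs, "JP", "ipv6"))
    print("CN blocks per /8:", dict(blocks_per_first_octet(recs, "CN")))
    print("CN blocks per prefix length:",
          dict(blocks_per_prefixlen(recs, "CN")))
```

Pointed at a real `delegated-apnic-*` file instead of `SAMPLE`, `blocks_per_first_octet` gives the same figures as the `uniq -c | column` listing above, and `networks()` on the /35 lines yields the `ffff:ffff:e000::` mask and 2^93 address count quoted earlier.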

"meagain" wrote in the news message:k9m2i0$ug5$ snipped-for-privacy@dont-email.me... [snip]

Errr, SonicWall has a Geo-IP filtering service in firmware release 5.8.1.0 and newer. Maybe it can help.

formatting link

Regards,

-- Sr Peabody

Reply to
Sr Peabody
