Router Firewall Effectiveness

Discussion in 'other firewalls' started by Sam Smith, Dec 20, 2016.

  1. Sam Smith

    Sam Smith Registered Member

    Joined:
    Dec 20, 2016
    Posts:
    4
    Location:
    London
    I am new to this forum. A big hello to all members.

    I set up and implement networks in residential properties as part of home control systems. I usually use Draytek routers (2830, 2850, 2860) and I also activate the inbuilt firewall features with email notifications for any attempt to attack the firewall.
    However, I am not sure how effective it is and what to look for. I am aware that some attacks are random but there are two properties that I monitor that have been receiving prolonged and regular attacks.
    I need to know:
    1. How effective is the firewall protection?
    2. Are the attackers actually getting through in some way?
    3. Should I be concerned?

    The attacks come from various IP addresses and seem to be looking for a vulnerable port. The ports that are attacked are constantly changed.
    Here are samples of the type of thing that I have been receiving by email.

    2016/10/31 17:27:51 -- [DOS][Block][trace_route][74.125.105.168:443->217.155.32.77:59528][UDP][HLen=20, TLen=30]

    2016/10/24 14:46:55 -- [DOS][Block][trace_route][74.125.175.112:443->217.155.32.77:58617][UDP][HLen=20, TLen=30]

    2016/10/24 13:56:07 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.1.21:52926->31.13.90.2:443][TCP][HLen=20, TLen=40, Flag=F, Seq=3375866459, Ack=0, Win=65535]

    If you want, I can find all the ports that they have tried and post them on here for reference.

    Thank you in advance.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    All Internet-facing devices are scanned, probed, etc. constantly. Just make sure that they're secured. For routers, it's best not to open any ports on WAN. But you probably need port 22. If you can secure access with a key, and/or by IP address, that would be prudent.
     
  3. Boblvf

    Boblvf Registered Member

    Joined:
    Aug 10, 2014
    Posts:
    141

    Hi,

    Connections from Google (inbound), and to Facebook (outbound) denied.
    Traceroute is weird, but normal noise.

    An attack? 100 times UDP or TCP on the same port, or 1000 times ICMP to public IP.
     
    Last edited: Dec 21, 2016
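Added example (not part of any post in this thread): a small parser for the DrayTek notification lines quoted in the first post, which separates inbound from outbound blocks and applies the "100 times on the same port" figure from the reply above. The field layout is inferred from those three lines only, and counting over the whole input rather than over a time window is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Field layout inferred from the three lines quoted in the thread (an assumption,
# not taken from DrayTek documentation).
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) -- \[DOS\]\[(?P<action>\w+)\]"
    r"\[(?P<rule>[^\]]+)\]"
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"\[(?P<proto>\w+)\]"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The three notification lines from the first post.
SAMPLE = """\
2016/10/31 17:27:51 -- [DOS][Block][trace_route][74.125.105.168:443->217.155.32.77:59528][UDP][HLen=20, TLen=30]
2016/10/24 14:46:55 -- [DOS][Block][trace_route][74.125.175.112:443->217.155.32.77:58617][UDP][HLen=20, TLen=30]
2016/10/24 13:56:07 -- [DOS][Block][tcp_flag, scanner=fin_wo_ack][192.168.1.21:52926->31.13.90.2:443][TCP][HLen=20, TLen=40, Flag=F, Seq=3375866459, Ack=0, Win=65535]
"""

def parse(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    # A private source address means the packet originated on the LAN side.
    src = ipaddress.ip_address(ev["src"])
    ev["direction"] = "outbound" if any(src in n for n in RFC1918) else "inbound"
    return ev

def summarize(lines, threshold=100):
    """Count blocks by direction; flag inbound (proto, port) pairs hit >= threshold times."""
    events = [e for e in map(parse, lines) if e]
    per_port = Counter((e["proto"], e["dport"]) for e in events if e["direction"] == "inbound")
    return {
        "blocked": sum(e["action"] == "Block" for e in events),
        "inbound": sum(e["direction"] == "inbound" for e in events),
        "outbound": sum(e["direction"] == "outbound" for e in events),
        "repeated": {k: n for k, n in per_port.items() if n >= threshold},
    }

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Run over a full export of the notification emails, the `repeated` entry shows whether any single port is being hit often enough to meet that figure, and the `outbound` count shows how many alerts were triggered by LAN hosts rather than by the Internet side.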
  4. Sam Smith

    Thank you,
    The timing of the email notifications is slightly suspicious. This client is currently in the middle of a critical court case and he is worried that he is being 'hacked'. We have compared notes of the times and places that he is online and there seems to be a crossover with these firewall notifications.

    Is it possible that there is information getting through?
    Or is it that the messages are just saying that things are being blocked?

    It would make sense that he is the target for hacking.

    I am aware that the majority of the risk is on his computer but for the sake of helping my client, I need to be sure that I have done everything in my power with the firewall.
     
  5. Sam Smith

    Thank you.
    There is only one port open on the router for a PBX system.
    These ports that are being probed are on the WAN side and from my understanding, the firewall will only allow the packet through if there was a traceroute from the LAN side (i.e. it's requested)? [I wasn't trained in networking, it's something I am picking up because of the crossover with my work]

    I would like to understand how that probing can be used to get through firewalls.
     
  6. Boblvf




    Traffic has been blocked.

    Traceroute does not pass through the router.


    Port 22, 53, 80, warning! And no click on Facebook, Twitter, or a mailer...
     
    Last edited: Dec 21, 2016
  7. Sam Smith

    I have just checked everything again. The only access is via LAN.
    The only ports open on WAN (5080-81) go directly to the PBX.
    All other access from the WAN is blocked.

    I think I have done what I can.
    Thanks for your help. Merci
     