OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: zimmo on April 25, 2018, 10:26:01 am

Title: Security breach? Netscan *:222 via OPNsense
Post by: zimmo on April 25, 2018, 10:26:01 am
Hi Guys,

I have an OPNsense firewall installed on Hyper-V on a server at Hetzner. Hetzner monitors network activity from the servers.

This morning I got this message regarding the OPNsense unit:

#################

Dear Mr XXX,

We have indications that there was an attack from your server.
Please take all necessary measures to avoid this in the future and to solve the issue.

We also request that you send a short response to us. This response should contain information about how this could have happened and what you intend to do about it........

##################
The log with my IP changed:

##########################################################################
#               Netscan detected from host  138.111.111.111               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Tue Apr 24 23:59:23 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222 
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222 
Tue Apr 24 23:59:26 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222 
Tue Apr 24 23:59:30 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222 
Tue Apr 24 23:58:36 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222 
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222 
Tue Apr 24 23:58:39 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222 
Tue Apr 24 23:58:43 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222 
Tue Apr 24 23:59:27 2018 TCP  138.111.111.111 6487  =>    45.125.4.157 222 
Tue Apr 24 23:59:28 2018 TCP  138.111.111.111 6487  =>    45.125.4.157 222 
Tue Apr 24 23:59:30 2018 TCP  138.111.111.111 6487  =>    45.125.4.157 222 
Tue Apr 24 23:59:35 2018 TCP  138.111.111.111 6487  =>    45.125.4.157 222 
Tue Apr 24 23:59:17 2018 TCP  138.111.111.111 54008 =>    45.125.5.128 222 
Tue Apr 24 23:59:18 2018 TCP  138.111.111.111 54008 =>    45.125.5.128 222 
Tue Apr 24 23:59:20 2018 TCP  138.111.111.111 54008 =>    45.125.5.128 222 
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 54008 =>    45.125.5.128 222 
Tue Apr 24 23:58:31 2018 TCP  138.111.111.111 46869 =>     45.125.7.49 222 
Tue Apr 24 23:58:32 2018 TCP  138.111.111.111 46869 =>     45.125.7.49 222 
Tue Apr 24 23:58:34 2018 TCP  138.111.111.111 46869 =>     45.125.7.49 222 
Tue Apr 24 23:58:39 2018 TCP  138.111.111.111 46869 =>     45.125.7.49 222 
Tue Apr 24 23:58:42 2018 TCP  138.111.111.111 52066 =>    45.125.7.206 222 
Tue Apr 24 23:58:43 2018 TCP  138.111.111.111 52066 =>    45.125.7.206 222 
Tue Apr 24 23:58:45 2018 TCP  138.111.111.111 52066 =>    45.125.7.206 222 
Tue Apr 24 23:58:49 2018 TCP  138.111.111.111 52066 =>    45.125.7.206 222 
Tue Apr 24 23:59:47 2018 TCP  138.111.111.111 39996 =>    45.125.7.232 222 
Tue Apr 24 23:59:48 2018 TCP  138.111.111.111 39996 =>    45.125.7.232 222 
Tue Apr 24 23:59:50 2018 TCP  138.111.111.111 39996 =>    45.125.7.232 222 
Tue Apr 24 23:59:54 2018 TCP  138.111.111.111 39996 =>    45.125.7.232 222 
Tue Apr 24 23:58:28 2018 TCP  138.111.111.111 23450 =>   67.230.184.63 222 
Tue Apr 24 23:58:29 2018 TCP  138.111.111.111 23450 =>   67.230.184.63 222 
Tue Apr 24 23:58:31 2018 TCP  138.111.111.111 23450 =>   67.230.184.63 222 
Tue Apr 24 23:58:36 2018 TCP  138.111.111.111 23450 =>   67.230.184.63 222 
Tue Apr 24 23:59:23 2018 TCP  138.111.111.111 43116 =>    69.49.176.86 222 
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 43116 =>    69.49.176.86 222 
Tue Apr 24 23:59:26 2018 TCP  138.111.111.111 43116 =>    69.49.176.86 222 
Tue Apr 24 23:59:30 2018 TCP  138.111.111.111 43116 =>    69.49.176.86 222 
Wed Apr 25 00:00:01 2018 TCP  138.111.111.111 19270 =>    69.49.177.61 222 
Wed Apr 25 00:00:02 2018 TCP  138.111.111.111 19270 =>    69.49.177.61 222 
Wed Apr 25 00:00:04 2018 TCP  138.111.111.111 19270 =>    69.49.177.61 222 
Tue Apr 24 23:58:16 2018 TCP  138.111.111.111 55761 =>    69.49.178.83 222 
Tue Apr 24 23:58:17 2018 TCP  138.111.111.111 55761 =>    69.49.178.83 222 
Tue Apr 24 23:58:19 2018 TCP  138.111.111.111 55761 =>    69.49.178.83 222 
Tue Apr 24 23:58:23 2018 TCP  138.111.111.111 55761 =>    69.49.178.83 222 
Tue Apr 24 23:59:55 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222 
Tue Apr 24 23:59:56 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222 
Tue Apr 24 23:59:58 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222 
Wed Apr 25 00:00:02 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222 
Tue Apr 24 23:59:38 2018 TCP  138.111.111.111 26090 =>   69.49.182.195 222 
Tue Apr 24 23:59:39 2018 TCP  138.111.111.111 26090 =>   69.49.182.195 222 
Tue Apr 24 23:59:41 2018 TCP  138.111.111.111 26090 =>   69.49.182.195 222 
Tue Apr 24 23:59:45 2018 TCP  138.111.111.111 26090 =>   69.49.182.195 222 
Tue Apr 24 23:58:41 2018 TCP  138.111.111.111 65145 =>   69.49.182.220 222 
Tue Apr 24 23:58:42 2018 TCP  138.111.111.111 65145 =>   69.49.182.220 222 
Tue Apr 24 23:58:44 2018 TCP  138.111.111.111 65145 =>   69.49.182.220 222 
Tue Apr 24 23:58:48 2018 TCP  138.111.111.111 65145 =>   69.49.182.220 222 
Tue Apr 24 23:58:54 2018 TCP  138.111.111.111 41932 =>   69.49.183.236 222 
Tue Apr 24 23:58:56 2018 TCP  138.111.111.111 41932 =>   69.49.183.236 222 
Tue Apr 24 23:59:00 2018 TCP  138.111.111.111 41932 =>   69.49.183.236 222 
Tue Apr 24 23:58:46 2018 TCP  138.111.111.111 25570 =>   70.37.224.179 222 
Tue Apr 24 23:58:47 2018 TCP  138.111.111.111 25570 =>   70.37.224.179 222 
Tue Apr 24 23:58:49 2018 TCP  138.111.111.111 25570 =>   70.37.224.179 222 
Tue Apr 24 23:58:53 2018 TCP  138.111.111.111 25570 =>   70.37.224.179 222 
Tue Apr 24 23:59:01 2018 TCP  138.111.111.111 27554 =>    70.37.226.11 222 
Tue Apr 24 23:59:02 2018 TCP  138.111.111.111 27554 =>    70.37.226.11 222 
Tue Apr 24 23:59:04 2018 TCP  138.111.111.111 27554 =>    70.37.226.11 222 
Tue Apr 24 23:59:08 2018 TCP  138.111.111.111 27554 =>    70.37.226.11 222 
Tue Apr 24 23:58:34 2018 TCP  138.111.111.111 10035 =>    70.37.231.70 222 
Tue Apr 24 23:58:35 2018 TCP  138.111.111.111 10035 =>    70.37.231.70 222 
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 10035 =>    70.37.231.70 222 
Tue Apr 24 23:58:41 2018 TCP  138.111.111.111 10035 =>    70.37.231.70 222 
Tue Apr 24 23:59:21 2018 TCP  138.111.111.111 38398 =>   70.37.231.156 222 
Tue Apr 24 23:59:22 2018 TCP  138.111.111.111 38398 =>   70.37.231.156 222 
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 38398 =>   70.37.231.156 222 
Tue Apr 24 23:59:28 2018 TCP  138.111.111.111 38398 =>   70.37.231.156 222 
Tue Apr 24 23:58:30 2018 TCP  138.111.111.111 7300  =>    70.37.233.47 222 
Tue Apr 24 23:58:31 2018 TCP  138.111.111.111 7300  =>    70.37.233.47 222 
Tue Apr 24 23:58:33 2018 TCP  138.111.111.111 7300  =>    70.37.233.47 222 
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 7300  =>    70.37.233.47 222 
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 2946  =>    70.37.233.69 222 
Tue Apr 24 23:58:38 2018 TCP  138.111.111.111 2946  =>    70.37.233.69 222 
Tue Apr 24 23:58:44 2018 TCP  138.111.111.111 2946  =>    70.37.233.69 222 
Tue Apr 24 23:58:11 2018 TCP  138.111.111.111 9153  =>   70.37.233.140 222 
Tue Apr 24 23:58:45 2018 TCP  138.111.111.111 39610 =>   70.37.234.191 222 
Tue Apr 24 23:58:46 2018 TCP  138.111.111.111 39610 =>   70.37.234.191 222 
Tue Apr 24 23:58:48 2018 TCP  138.111.111.111 39610 =>   70.37.234.191 222 
Tue Apr 24 23:58:52 2018 TCP  138.111.111.111 39610 =>   70.37.234.191 222 
Wed Apr 25 00:00:06 2018 TCP  138.111.111.111 52263 =>   70.37.235.195 222 
Tue Apr 24 23:59:53 2018 TCP  138.111.111.111 60292 =>   70.37.235.225 222 

Full log attached.


############################
OPNsense Version:
OPNsense 17.7-amd64
FreeBSD 11.0-RELEASE-p11
OpenSSL 1.0.2l 25 May 2017
############################

I have no idea what it could be.
Behind OPNsense I have:
2 test Windows 2016 Servers, with very limited ports open for RDP and Navision 2009 and 2016
1 fairly new Ubuntu running a web test environment.

###########################

The following NAT rules were set, not much:
Interface  Proto  Src addr  Src ports  Dest addr    Dest ports      NAT IP       NAT ports       Description
LAN        TCP    *         *          LAN address
WAN        TCP    *         *          WAN address  8080            10.10.10.2   8080            NAV 8080
WAN        TCP    *         *          WAN address  49000           10.10.10.2   49000           NAV 49000
WAN        TCP    *         *          WAN address  7046            10.10.10.2   7046            NAV WAN 7046
WAN        TCP    *         *          WAN address  444             127.0.0.1    443 (HTTPS)     444
WAN        TCP    *         *          WAN address  80 (HTTP)       10.10.10.10  80 (HTTP)       XXX http
WAN        TCP    *         *          WAN address  22 (SSH)        10.10.10.10  22 (SSH)        XXX ssh
WAN        TCP    *         *          WAN address  443 (HTTPS)     10.10.10.10  443 (HTTPS)     XXX https
WAN        TCP    *         *          WAN address  3389 (MS RDP)   10.10.10.12  3389 (MS RDP)   XXX - RDP
WAN        TCP    *         *          WAN address  3390            10.10.10.2   3389 (MS RDP)

##############################

I am not sure what to make of it.

Note that the state table was full when I logged in the first time and the firewall was not very responsive. From OPNsense I could not ping the Google DNS and I could not check for updates.

I have done the following:
Made a floating firewall block rule:
    IPv4 TCP/UDP    *    *    *    222    *       XXX-SECURITY
Did a reboot (after this I could ping Google DNS again).
Updated to OPNsense 18.1.6

############################

Should I do more?
Does anybody recognize the netscan, the destination IPs or anything?
Could it be the OPNsense system trying to do some faulty callback via an alternative SSH port (or the Ubuntu server behind it)?

I will be thankful for any constructive feedback. :)

Sorry if I am missing something obvious.

Best regards, Zimmo.
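An added example (not part of the post above, and not OPNsense code): before answering Hetzner it helps to read the report for its shape rather than its IPs. Each line carries a source port and a timestamp, so grouping by (source port, destination) shows how many times one connection was retried and at what spacing. Retries at 1, 2, 4 second gaps on the same source port are the backoff of an unanswered TCP SYN, which distinguishes a normal TCP stack doing connect() calls from a raw-socket scanner that fires one packet per target; the range of source ports is worth comparing against the ephemeral range of each candidate host (on FreeBSD `sysctl net.inet.ip.portrange.first net.inet.ip.portrange.last`). The sample below is a handful of lines copied from the report in the thread; the parsing and grouping logic is the added part.

```python
"""Summarise a Hetzner-style netscan report (added example, not from the thread).

Report lines look like
    Tue Apr 24 23:59:23 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222
"""
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the report quoted in the thread (subset only).
SAMPLE = """\
Tue Apr 24 23:59:23 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222
Tue Apr 24 23:59:24 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222
Tue Apr 24 23:59:26 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222
Tue Apr 24 23:59:30 2018 TCP  138.111.111.111 3233  =>      45.125.4.9 222
Tue Apr 24 23:58:36 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222
Tue Apr 24 23:58:37 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222
Tue Apr 24 23:58:39 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222
Tue Apr 24 23:58:43 2018 TCP  138.111.111.111 48708 =>    45.125.4.118 222
Tue Apr 24 23:59:55 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222
Tue Apr 24 23:59:56 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222
Tue Apr 24 23:59:58 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222
Wed Apr 25 00:00:02 2018 TCP  138.111.111.111 46428 =>   69.49.179.246 222
Tue Apr 24 23:58:11 2018 TCP  138.111.111.111 9153  =>   70.37.233.140 222
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) +"
    r"(?P<proto>\w+) +(?P<src>[\d.]+) +(?P<sport>\d+) +=> +"
    r"(?P<dst>[\d.]+) +(?P<dport>\d+)\s*$"
)


def parse(text):
    """Yield one dict per well-formed report line; headers and rulers are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {
            "ts": datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y"),
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
        }


def summarise(records):
    """Group lines by (src_port, dst, dport): one group per connection attempt.
    Returns the list of gaps in seconds between successive packets of a group."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["sport"], r["dst"], r["dport"])].append(r["ts"])
    gaps = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps[key] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return gaps


def looks_like_syn_retransmit(gaps):
    """True when the gaps never shrink (e.g. 1, 2, 4): exponential backoff of an
    unanswered SYN retried by a TCP stack. A one-packet group returns False."""
    return len(gaps) >= 2 and all(b >= a for a, b in zip(gaps, gaps[1:]))


def report(text):
    """Headline numbers a responder would want for the abuse reply."""
    recs = list(parse(text))
    if not recs:
        return {"lines": 0}
    per_conn = summarise(recs)
    sports = sorted({k[0] for k in per_conn})
    return {
        "lines": len(recs),
        "targets": len({k[1] for k in per_conn}),
        "dest_ports": sorted({r["dport"] for r in recs}),
        "connections": len(per_conn),
        "with_backoff": sum(1 for g in per_conn.values() if looks_like_syn_retransmit(g)),
        "src_port_min": sports[0],
        "src_port_max": sports[-1],
    }


if __name__ == "__main__":
    for k, v in report(SAMPLE).items():
        print(f"{k}: {v}")
```

Run it against the full attached log instead of SAMPLE to see whether every target got the same retry pattern; a uniform 1, 2, 4 spacing with no replies means nothing on the far side answered, and a source port range that falls outside the firewall's own ephemeral range points at a NATed host or a tool choosing its own ports.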
Title: Re: Security breach? Netscan *:222 via OPNsense
Post by: franco on April 26, 2018, 01:48:09 pm
You need to find out what tries to open port 222 via the box and / or where this request comes from if it's not local (could be via your configured VPN if you have one).

Blocking the port will only buy you a little bit of time and trouble with Hetzner.


Cheers,
Franco
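One way to do what Franco describes on the firewall itself, as an added example (not from the thread and not OPNsense's own tooling): the pf state table records the pre-NAT source of every outbound connection, so listing the states towards port 222 tells you whether a host behind the box or the firewall itself opened them. `pfctl -ss` prints outbound NATed states as `<orig src>:<port> (<nat src>:<port>) -> <dst>:<port>` and untranslated states without the bracketed part; the parser assumes that FreeBSD pf format. The state lines in SAMPLE_STATES are constructed for the example (10.10.10.x and the WAN address follow the thread, 203.0.113.0/24 is documentation space).

```python
"""Find the pre-NAT origin of states to a given destination port on OPNsense.
Added example; assumes FreeBSD `pfctl -ss` output format."""
import re
import subprocess
from collections import Counter

# Constructed sample of `pfctl -ss` output (not captured from the thread's box).
SAMPLE_STATES = """\
all tcp 10.10.10.10:41932 (138.111.111.111:41932) -> 45.125.4.9:222       SYN_SENT:CLOSED
all tcp 10.10.10.10:46428 (138.111.111.111:46428) -> 69.49.179.246:222    SYN_SENT:CLOSED
all tcp 138.111.111.111:54008 -> 70.37.233.140:222       SYN_SENT:CLOSED
all tcp 138.111.111.111:443 <- 203.0.113.7:50112       ESTABLISHED:ESTABLISHED
all udp 10.10.10.2:56001 (138.111.111.111:56001) -> 8.8.8.8:53       MULTIPLE:SINGLE
"""

STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<orig>[\d.]+):(?P<oport>\d+)"
    r"(?:\s+\((?P<nat>[\d.]+):(?P<nport>\d+)\))?"   # present only when NAT applied
    r"\s+(?P<dir>->|<-)\s+"
    r"(?P<peer>[\d.]+):(?P<pport>\d+)"
)


def origins_to_port(states_text, port=222):
    """Count outbound states per pre-NAT source address whose destination port
    is `port`. A key equal to the WAN address itself means the firewall, not a
    host behind it, opened the connection; inbound (<-) states are ignored."""
    origins = Counter()
    for line in states_text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m["dir"] != "->" or int(m["pport"]) != port:
            continue
        origins[m["orig"]] += 1
    return origins


def live_states():
    """Read the live state table (needs root on the OPNsense/FreeBSD box)."""
    return subprocess.run(["pfctl", "-ss"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    try:
        text = live_states()
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_STATES  # not on a pf host: fall back to the constructed sample
    for src, n in origins_to_port(text).most_common():
        print(f"{src:>16}  {n} state(s) to port 222")
```

If the origins are 10.10.10.x addresses, the next step is on that guest (for example `ss -tnp` or `sockstat -4c` to tie the socket to a process); if the origin is the WAN address with no bracketed part, look at the firewall's own processes with `sockstat -4c`. A capture on the LAN interface (`tcpdump -ni <lan_if> 'tcp[tcpflags] & tcp-syn != 0 and dst port 222'`) shows the same pre-NAT addresses live, and `pfctl -si` shows how close the state table is to its limit, which matters here because the box was unresponsive with a full table.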
Title: Re: Security breach? Netscan *:222 via OPNsense
Post by: zimmo on April 26, 2018, 02:47:35 pm
Hi Franco,

Thanks for your reply.

I have made a block rule that writes to the log. I have not gotten anything in the log, so I can't track it yet.

I don't think it is from one of the machines on the "LAN" network. There are only 3, as described in my first post. I have no VPN to the router.

What I thought is that the firewall went into an unwanted state where it does a callback of some sort. It looks like it is doing SSH to a fixed list of servers. But I really don't know.

But now the router is updated, so it will probably not happen again.

Best Regards
Title: Re: Security breach? Netscan *:222 via OPNsense
Post by: Julien on April 26, 2018, 03:23:43 pm
I also see that you are using RDP over the WAN, which is really risky lately.
I would check whether the internal servers are patched and check the logs of the RDP servers.
Port 222 can be used for trojans and rsh-spx.

Configure a VPN for the external users in order to log in to the RDP server, which is safer.