Please advise: do I have to worry about this?

Started by Julien, November 22, 2021, 10:53:33 PM

Hi guys,

I have configured the IDS, and I haven't seen any alert for a long time.
Today I was looking and found these two.

Is this something I have to worry about? Change the alert to Drop?

Alert

ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body

Thank you
DEC4240 – OPNsense Owner

Might be worth being somewhat concerned about.  Especially since it originated externally.  Looking up that IP doesn't show a lot of info, but it does look like it's hitting other IDSs as well.
See OTX evaluation here - https://otx.alienvault.com/indicator/ip/180.188.248.230

If you are exposing port 80/443 to the internet I'd definitely be in IPS mode to block traffic.  You can always back it down if you block legit traffic.  Harder to remove a bad actor if they make it in.  My gut feeling is it's just someone's script knocking on your web server's door to see if it's open.  But I can't say for sure with only an IDS entry.
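As an added example (not from the thread or from OPNsense), here is a small Python triage of Suricata EVE JSON alert lines, the log format the OPNsense IDS writes: it groups hits on the webshell rule by source address, checks whether the source is outside the LAN, and reads the `alert.action` field to tell whether the request was dropped or allowed through. The sample records and IPs are constructed, and the rule is matched on its signature text because the thread does not give its SID.

```python
import ipaddress
import json

# Constructed Suricata EVE JSON records (made-up IPs and timestamps); the
# signature text is the ET rule quoted in the thread.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-11-22T21:40:11+0000","event_type":"alert","src_ip":"203.0.113.45",'
    '"dest_ip":"192.168.1.10","dest_port":443,"alert":{"action":"allowed",'
    '"signature":"ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body"}}',
    '{"timestamp":"2021-11-23T19:02:53+0000","event_type":"alert","src_ip":"203.0.113.45",'
    '"dest_ip":"192.168.1.10","dest_port":443,"alert":{"action":"blocked",'
    '"signature":"ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body"}}',
    '{"timestamp":"2021-11-23T19:05:00+0000","event_type":"alert","src_ip":"192.168.1.55",'
    '"dest_ip":"192.168.1.10","dest_port":443,"alert":{"action":"allowed",'
    '"signature":"EXAMPLE Internal probe (constructed signature)"}}',
    '{"timestamp":"2021-11-23T19:06:00+0000","event_type":"flow","src_ip":"10.0.0.3",'
    '"dest_ip":"192.168.1.10","dest_port":443}',
]
# RFC 1918 plus loopback and link-local; anything else counts as "from the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage_alerts(lines, keyword="Webshell"):
    """Group alert events whose signature mentions keyword by source IP."""
    summary = {}
    for line in lines:
        ev = json.loads(line)
        sig = ev.get("alert", {}).get("signature", "")
        if ev.get("event_type") != "alert" or keyword.lower() not in sig.lower():
            continue  # flow/http/dns records, or an unrelated rule
        src = ev["src_ip"]
        entry = summary.setdefault(src, {"hits": 0, "unblocked": 0, "external": is_external(src),
                                         "first": ev["timestamp"], "last": ev["timestamp"]})
        entry["hits"] += 1
        # In IPS mode a rule set to Drop logs action "blocked"; "allowed" means the
        # request reached the web server even though the sensor flagged it.
        if ev["alert"].get("action") != "blocked":
            entry["unblocked"] += 1
        entry["first"] = min(entry["first"], ev["timestamp"])
        entry["last"] = max(entry["last"], ev["timestamp"])
    return summary

def needs_attention(summary):
    """External sources with at least one flagged request that was not dropped."""
    return sorted(ip for ip, e in summary.items() if e["external"] and e["unblocked"])
```

Run `needs_attention(triage_alerts(lines))` over the lines of `/var/log/suricata/eve.json` to get the external sources whose matching requests were only alerted on; on the constructed sample that is the one address whose first hit was logged as "allowed" before the rule was switched to Drop.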

November 23, 2021, 09:23:04 PM #2 Last Edit: November 23, 2021, 09:38:28 PM by Julien
Thank you for your answer.
We don't have port 80 exposed to the net; I believe only one port is open, which redirects to 443.
We are using IPS mode and promiscuous mode.

This internal server is an Ubuntu machine doing some web server duties and has the fail2ban options enabled.

Today I checked the alerts again and there is something similar.
DEC4240 – OPNsense Owner