Modem logs showing many attacks.

BigPete
Posts: 32
Joined: Wed Jan 05, 2011 2:49 pm
Location: Hunter Valley - N.S.W.

Modem logs showing many attacks.

Post by BigPete » Sat Dec 24, 2011 10:12 am

Hi.

After setting up the new modem I turned on the logging and I'm seeing many attacks from different IP addresses; I've traced some from China & Turkey so far.

Question is should I worry & how to stop them? I have the firewall on the modem & on all rigs running.

See below one of many; I've taken out my IP.

Any advice / help.

Dec 24 09:42:06 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=186.121.50.125 DST=***.**.**.*** LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=26645 DF PROTO=TCP SPT=2270 DPT=23 WINDOW=5840 RES=0x00 SYN

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Modem logs showing many attacks.

Post by Dazzled » Sat Dec 24, 2011 11:04 am

Pete, that is the typically terse format used for logging by the Linux built-in firewall, iptables. If you change the log level, the messages become more frequent - Linux likes to log everything. Your modem is actually an embedded Linux computer.

That report quoted concerned a 60 byte packet sent from someone in Colombia attempting to get a TCP protocol response from port 23, which is used by the telnet modem interface. Iptables has ignored the packet completely and logged the attempt for your later inspection. If the port had been active, the next packets would be an attempt to take external control of the modem for some malicious purpose, such as stealing your VoIP password. The modem has file transfer utilities so that firmware and configs can be saved or loaded.

I get one of these probes about every 15 minutes. Most are looking to exploit the several weaknesses of MS Windows, e.g. port 445 or port 1433. Telnet attack isn't as common, but it is increasing, so keep external access disabled except when necessary, and in that case use a strong password. From time to time you may experience a detailed port scan, but if you keep the modem properly configured you are safe - it won't reply at all.

Geek alert:
Iptables is somewhat cryptic, not easy to learn, but extremely powerful. It also runs NAT in your router. There is a chapter about it at http://www.linuxhomenetworking.com/wiki ... ewall_Logs. If you enter the modem from the internal telnet interface, you can display all the iptables rules with the typed command iptables -L. Typically inward packets will be ignored unless replying to registered and tracked requests from within your LAN. The rules are exercised one after the other - if a packet is not accepted, the next rule is applied. The main rule found is:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
followed by the logging rule for packets that failed to be accepted:
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 6/hour burst 5 LOG level
followed by the byte bucket:
DROP all -- anywhere anywhere
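
A small summariser for the iptables LOG line format discussed above, added here as an example; it is not part of the original posts or of the modem's firmware. The function names and the port-to-service table are assumptions made for illustration, and every sample line except the first (the one quoted in the thread) is constructed.

```python
import re
from collections import Counter

# Services named in the thread; any other port is reported as "unknown".
SERVICES = {23: "telnet", 445: "Windows file sharing", 1433: "MS SQL Server"}

# Sample input: line 1 is the line quoted in the thread; lines 2-5 are
# constructed in the same format, using documentation-range addresses.
SAMPLE_LOG = """\
Dec 24 09:42:06 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=186.121.50.125 DST=***.**.**.*** LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=26645 DF PROTO=TCP SPT=2270 DPT=23 WINDOW=5840 RES=0x00 SYN
Dec 24 09:57:31 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=203.0.113.7 DST=***.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4021 DF PROTO=TCP SPT=4455 DPT=445 WINDOW=65535 RES=0x00 SYN
Dec 24 10:11:02 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=198.51.100.22 DST=***.**.**.*** LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7310 DF PROTO=TCP SPT=3391 DPT=23 WINDOW=5840 RES=0x00 SYN
Dec 24 10:11:05 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=198.51.100.22 DST=***.**.**.*** LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=7311 DF PROTO=TCP SPT=3391 DPT=23 WINDOW=5840 RES=0x00 SYN
Dec 24 10:26:44 user alert kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= SRC=192.0.2.90 DST=***.**.**.*** LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=912 DF PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=value; the value may be empty (OUT=, MAC=)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Split one firewall log line into its KEY=value fields plus the bare TCP flags."""
    if "kernel:" not in line or "SRC=" not in line:
        return None                   # not a firewall entry
    body = line.split("kernel:", 1)[1]
    rec = dict(FIELD.findall(body))
    rec["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return rec

def summarise(log_text):
    """Count inbound connection attempts (SYN without ACK) per destination port."""
    probes, sources = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "TCP" or not rec.get("DPT", "").isdigit():
            continue
        if "SYN" in rec["FLAGS"] and "ACK" not in rec["FLAGS"]:
            port = int(rec["DPT"])
            probes[port] += 1
            sources.setdefault(port, set()).add(rec["SRC"])
    return probes, sources

def report(log_text):
    """One summary line per probed port, most-probed port first."""
    probes, sources = summarise(log_text)
    return [f"{n} probe(s) on port {p} ({SERVICES.get(p, 'unknown')}) "
            f"from {len(sources[p])} source(s)" for p, n in probes.most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Because the logging rule shown above is rate-limited (avg 6/hour, burst 5), the counts are a lower bound on the probes actually received.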

BigPete
Posts: 32
Joined: Wed Jan 05, 2011 2:49 pm
Location: Hunter Valley - N.S.W.

Re: Modem logs showing many attacks.

Post by BigPete » Sat Dec 24, 2011 12:51 pm

Hi Dazzled.

Thanks for the info, I wasn't sure if they had got in or not. It's good that the firewall is working; this bit had me worried ( alert kernel: Intrusion ), which is why I asked.

I don't use winblows, haven't for years; Linux is much cheaper :D & does what I need without the viruses. I've disabled the telnet services in the modem since I don't use VoIP anyway. Only used Skype in the past sometimes; it's not installed a.t.m. since I did an O.S. upgrade on this rig.

These are the only services running now: ICMP / HTTP / SNMP. I did a search on them & they seem to be needed so I left them be.

thanks again.

pete.

Dazzled
Volunteer Site Admin
Posts: 6003
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Modem logs showing many attacks.

Post by Dazzled » Sat Dec 24, 2011 1:43 pm

It's just the modem doing its job. The Colombian who bothered you is probably an infected Windows box doing the will of its master.

BigPete
Posts: 32
Joined: Wed Jan 05, 2011 2:49 pm
Location: Hunter Valley - N.S.W.

Re: Modem logs showing many attacks.

Post by BigPete » Sat Dec 24, 2011 2:25 pm

Dazzled wrote: It's just the modem doing its job. The Colombian who bothered you is probably an infected Windows box doing the will of its master.

Hi.

Those pesky little hack attempts have all stopped now, me so happy. :mrgreen:

ps : that i know about :oops:

edit / well I just looked & they're still trying the telnet ports even though I've disabled it, go figure. :roll:

pete.
