Kerio Control forum: PortScan from IP:218.61.17.231

jslh

Hi,

Today, when I checked my email, I was shocked to see I have a bunch (more than 80) of Security Alerts from KWF stating that someone from IP 218.61.17.231 has been steadily performing an elevator port scan on it since yesterday evening!

I checked the IP's origin and it is from Milton, Queensland, Australia.

I immediately created a rule called "BlackList" which contained this particular IP.

Name: BlackList (As defined in IP Address Group)
Source: BlackList
Destination: any
Service: any
Action: drop (initially it was set to deny)
Log: matching
Map: None

However, after this, I still see messages generated from "Alert" for a PortScan from the same source IP. OK, I rebooted the KWF.

After a while, still the same "Alert" coming in.

Fine, since it is Sunday, I decided to shut down the KWF and wait until tomorrow to see what is going to happen.

To seek advice: am I doing the right thing by configuring it as above?

Secondly, how do I configure the KWF to automatically respond to such persistent "PortScan" activity?

I have encountered such activities before, but no incident was like this one; the PortScan is so consistent and persistent.

BTW, we are using a fixed public IP address.

Oh yeah, what are the consequences if the rule says "deny" instead of "drop"?

Thank you and regards.
jslh

Hi, last update.

A quick check with MaxMind GeoIP.

Hostname: 218.61.17.231
Country Code: CN
Country: China
Region: 19
Region Name:Liaoning
City: Shenyang
Latitude: 41.7922
Longitude: 123.4328
IPS: CNCGROUP Liaoning province network
Organization: CNCGROUP Liaoning province network

Wow, this information is far from what the ARIN WHOIS Database Search gave me a few hours ago!

Now... China or Australia????
winkelman

jslh wrote on Sun, 17 August 2008 07:14:

<snap>

However, after this, I still see messages generated from "Alert" for a PortScan from the same source IP.

<snap>

Oh yeah, what are the consequences if the rule says "deny" instead of "drop"?

Deny will report back to the sender with a 'deny message'; drop will just silently drop the packets without informing the sender. Drop is the option to use in most circumstances.

Denying or dropping, the firewall is still receiving the packets and thus informing you of the portscan. Nothing you can do about that (besides turning off portscan detection entirely).
jslh

Hi,

Thanks for the information on why Kerio is still reporting in the "Alert".

Interestingly, I read an article yesterday at http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject; it says "DROP should not normally be used".

However, I reckon there is nothing further I can do to avoid this. Just cross my fingers and pray that KWF is strong enough to withstand any attack!

Regards.
winkelman

jslh wrote on Mon, 18 August 2008 13:52:

Interestingly, I read an article yesterday at http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject; it says "DROP should not normally be used".

Nice little article. While true, its conclusion, quote:

"DROP offers no effective barrier to hostile forces but can dramatically slow down applications run by legitimate users."

is based on the premise that you may adversely affect legitimate users. If that's not the case (because you're limiting the drop rule only to the specific IP of the attacker, or to services not used at all anyway), then possibly affecting legitimate users is not relevant any more.

So you're left with deny not affecting an attacker and drop possibly slowing down the attacker a bit. Changes the conclusion, I'd say.

In the end: true, it does not make a big difference, so whatever you use, there is no obvious wrong one.
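To illustrate the point made in both replies above, that the firewall inspects (and alerts on) every incoming probe before the rule's action decides whether the sender hears anything back, here is an added toy model in Python. It is not Kerio's code; the alert threshold, reply timings, published ports and source address are all constructed for the example.

```python
from dataclasses import dataclass, field

# All values below are constructed for illustration; they are not Kerio's.
OPEN_PORTS = {80, 443}    # services the firewall actually publishes
REPLY_MS = 50             # round trip for an explicit reply (RST / "deny message")
TIMEOUT_MS = 3000         # how long a scanner waits when a probe is silently dropped
SCAN_THRESHOLD = 10       # distinct ports from one source before a PortScan alert fires


@dataclass
class Firewall:
    action: str = "drop"                 # what a blacklist match does: "drop" or "deny"
    blacklist: set = field(default_factory=set)
    ports_seen: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def receive(self, src: str, dport: int):
        """Process one TCP SYN probe and return what the sender gets back (None = silence)."""
        # Detection happens on receipt, before the rule action is applied, so the
        # same alerts fire whether the matching rule says drop or deny.
        seen = self.ports_seen.setdefault(src, set())
        seen.add(dport)
        if len(seen) >= SCAN_THRESHOLD:
            self.alerts.append(f"PortScan from {src}: {sorted(seen)}")
            seen.clear()                 # a persistent scanner keeps re-triggering
        if src in self.blacklist:
            return "RST" if self.action == "deny" else None
        return "SYN-ACK" if dport in OPEN_PORTS else "RST"


def run_scan(fw: Firewall, src: str, ports):
    """Scan `ports` from `src`; return (scanner wall-clock in ms, number of alerts raised)."""
    elapsed_ms = 0
    for dport in ports:
        reply = fw.receive(src, dport)
        elapsed_ms += REPLY_MS if reply is not None else TIMEOUT_MS
    return elapsed_ms, len(fw.alerts)


def compare_actions(src="203.0.113.7", ports=range(1, 21)):
    """Run the same 20-port scan against a drop rule and a deny rule for a blacklisted source."""
    results = {}
    for action in ("drop", "deny"):
        fw = Firewall(action=action, blacklist={src})
        results[action] = run_scan(fw, src, ports)
    return results


if __name__ == "__main__":
    for action, (ms, alerts) in compare_actions().items():
        print(f"{action}: scanner spent {ms} ms, firewall raised {alerts} alert(s)")
```

Both actions raise the same number of alerts; only the scanner's wait time differs, which is the whole of the drop-versus-deny trade-off discussed in the thread.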