Incoming traffic filter

Discussion in 'Network Routers' started by Harley, Mar 31, 2010.

  1. Harley

    Harley Guest

    I have a Dlink DIR-655 that is installed ahead of a video router for a cable
    TV channel. I need to be able to telnet to it from only two outside IP
    addresses, but I keep getting video router logs full of jackasses from
    Russia, Turkey and many other places trying to hack into the video router
    thinking it's a computer. It makes it very hard to pick out the log's
    operational messages for the TV channel, and it makes the logs over a mb in
    size every month.

    I've tried to filter incoming IPs by denying whole class A ranges, but it's
    like motorboating in a strainer - they pop up faster than I can bail. I
    tried adding the two IPs I need as 'allowed' but that still leaves the whole
    world as not 'denied'. Does anyone know a solution to denying all IP
    addresses and only allowing the two needed ones for access through the Dlink
    router?
     
    Harley, Mar 31, 2010
    #1

  2.

    atec7 7 Guest

    So can you do a block all then add two exceptions ?
     
    atec7 7, Apr 1, 2010
    #2

  3. Harley

    Harley Guest

    I don't think so. I've been toying with the idea of deleting all the 'deny'
    IP ranges and just putting a few 'allow' numbers in the inbound filter list
    to see what would happen, but I think it would just open the floodgates to
    all the jackasses in the world to keep hammering all night long on my log
    files in a useless attempt to gain access to a device that isn't even a
    computer.

    Dlink hasn't been any help at all. I keep emailing back and forth to some
    camel jockey that to this day hasn't even hit on what my problem is, let
    alone how to fix it. Last email I had from them they changed the reply
    address so the email bounced.

    A friend of mine who is the IT Director for a major manufacturing company
    tells me he's got a closet full of Cisco routers that were changed out with
    the latest and greatest. They have the capability to 'deny all' and then
    'allow' only certain IP numbers through the firewall. He says I can have one
    for free. I'll probably go with that and give up on Dlink - permanently.
     
    Harley, Apr 17, 2010
    #3
  4.

    Char Jackson Guest

    Who cares about the jackasses who hammer all night long? If it weren't
    for the log file, would you even notice? Just ignore it and move on
    with your life.
    Where do I sign up for a free Cisco router? :)
     
    Char Jackson, Apr 17, 2010
    #4
  5. Harley

    Harley Guest

    It gets to be a physical storage problem when the log files grow by about
    4mb per night. The video router where these files are generated is limited
    in the size of the hard drive it uses to playback mpeg files. When the log
    files take up too much space the video switcher/router freezes up and stops
    working. So does the cable channel it operates.

    As for the 'free router' you have to know someone in the IS dept. at an
    international manufacturing company where they upgrade their equipment
    periodically to keep jackasses from filling up their security log files with
    bot-driven attempts to access servers that don't belong to them, and are none
    of their business to access.

    I've been researching the James Bond documentary, "Goldeneye" in order to
    find out what mechanism Boris used to 'spike dem.'
     
    Harley, Apr 18, 2010
    #5
  6.

    Bob K Guest

    I've been scratching my head over this one, since you should be able to
    control this!

    I finally took a look at the manual for the DIR-655. Unfortunately, I
    don't know what the video router is, so I don't know how much
    configuration you might be able to do with that.

    But, here are some thoughts -- that may, or may not help.

    First, if you were able to modify the telnet port the video router
    listens on, that would be a big plus!

    You have port forwarding available to you in the DIR-655. I assume you
    are using that to forward just the telnet port (port 23 I think) to the
    video router. Most of the hacking I see here usually is on port 80 --
    but there is some on telnet ports, also.

    If you could get the video router to listen for telnet connects on some
    other port, and just forward that port to it -- then you would have
    things under control. Most telnet clients let you specify any port you
    want. I use PuTTY, and I know it does.

    With port forwarding in the DIR-655, you can specify an inbound filter
    rule. Wouldn't this do exactly what you are looking for? I am seeing
    "Each rule can either ALLOW or DENY access from the WAN.", followed by
    "Up to eight ranges of WAN IP addresses can be controlled by each rule."

    It would seem that setting up port forwarding for telnet, with a rule
    for just your WAN IP addresses would do what you want.

    As a side note, I run a seldom used web server here. The number of
    hackers going after the port 80 was absurd. And my port 80 was being
    used in DoS attacks on other machines, in a way it would never show in
    logs. I changed the server to listen on a different port, and set up a
    port translation in my DYNDNS account. People can still connect to my
    with a standard URL, but any attempt to my IP address fails.

    When you get things so you think they are working right, go to
    http://grc.com and do a port scan on your system. That will tell you
    what ports you might still have open that are visible to the hackers --
    you want none. You want no visibility that you have a computer there!
    No response to pings, or any normally used ports.

    One router I had insisted on responding to one particular port --
    something to do with identification. I ended up port forwarding that
    port to a non-existent IP on my LAN. End of problem there!

    By all means, keep us all posted on how you make out, and how you
    finally solve the problem.

    ....Bob
     
    Bob K, Apr 18, 2010
    #6
  7.

    Bob K Guest

    To add to my previous message. . .

    The DIR-655 also will do port translation. That is covered under the
    Virtual Server section of the manual.

    That would allow you to telnet in to your DIR-655 on some port known only
    to you (like 6000) and let the DIR-655 translate that to the port
    (probably 23) that the video router is listening on.

    Hackers attempting to use your port 23 could be sent to the never-never
    land, and all they would ever get is deafening silence.

    ....Bob
     
    Bob K, Apr 18, 2010
    #7
  8.

    Char Jackson Guest

    There are so many options here, I barely know where to start. Generate
    the logs somewhere else, rather than on the same hard drive with your
    mpeg files. If they can't be generated elsewhere, (hard to believe),
    periodically move them elsewhere with a script. Tail the logs. Scrub
    the logs. The point I'm trying to make is if the logs are a problem,
    deal with the logs. Don't attack the problem by upgrading the
    hardware.
    Frankly, I can't believe there are IS departments incompetent enough
    to upgrade hardware to get around a logging issue. Congrats if you've
    found one. I don't blame you for not sharing their name.
     
    Char Jackson, Apr 18, 2010
    #8
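    Char Jackson's point above is to treat the logs as the problem: keep the
    operational (video switching) messages and reduce the access-attempt noise
    to a summary before it eats the MVP-2000's disk. The script below is an
    added example for this thread, not anything from the MVP-2000 or D-Link;
    the MVP-2000's real log format is not given in the thread, so the sample
    lines and the "VIDEO" / "TELNET" / "FTP" tags are constructed assumptions.
    It splits a log into the operational events worth keeping and a per-source
    count of the telnet/ftp attempts, which is what a nightly scrub script would
    write out in place of the raw file.

```python
"""Scrub a device log: keep operational events, summarise access attempts.
Added example for the thread above; log format and sample lines are constructed,
not the MVP-2000's actual output."""
import re
from collections import Counter

# Constructed sample log, roughly what a mixed operational/attack log might hold
SAMPLE_LOG = """\
2010-04-18 02:13:07 VIDEO crosspoint input 3 -> output 1
2010-04-18 02:13:09 TELNET login attempt from 192.0.2.55 failed
2010-04-18 02:13:09 FTP connection from 192.0.2.56 refused
2010-04-18 02:13:11 TELNET login attempt from 192.0.2.55 failed
2010-04-18 02:14:00 VIDEO playback started clip promo_0418.mpg
2010-04-18 02:14:02 FTP connection from 198.51.100.200 refused
2010-04-18 02:15:30 VIDEO crosspoint input 1 -> output 1
"""

# Services the outside world keeps poking at (ports 21 and 23 in the thread)
ACCESS_TAGS = ("TELNET", "FTP")
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def scrub_log(text):
    """Return (operational_lines, attempts_by_source).

    operational_lines: every line that is not a telnet/ftp access attempt,
                       kept verbatim so switching events are still readable.
    attempts_by_source: Counter of source IP -> number of attempts, the only
                        thing worth retaining about the noise.
    """
    operational = []
    attempts = Counter()
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        tag = fields[2] if len(fields) > 2 else ""
        if tag in ACCESS_TAGS:
            m = SRC_RE.search(line)
            attempts[m.group(1) if m else "unknown"] += 1
        else:
            operational.append(line)
    return operational, attempts


def summary_lines(attempts):
    """Render the per-source counts as log lines, busiest source first."""
    return ["ACCESS-SUMMARY %s attempts=%d" % (ip, n)
            for ip, n in attempts.most_common()]


if __name__ == "__main__":
    ops, noise = scrub_log(SAMPLE_LOG)
    for line in ops + summary_lines(noise):
        print(line)
```

    Run nightly (for example from a cron job on whatever box can read the log
    share), this keeps the scrubbed output at a handful of lines per night
    instead of the 4 MB Harley describes, while the summary still shows which
    sources are hammering the telnet and ftp ports.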
  9. Harley

    Harley Guest

    The port forwarding and/or translation is something I've been thinking about
    trying. One restriction I face is that the video router (an MVP-2000) is not
    configurable with its log file locations, port assignments, etc. It has one
    hard drive and everything goes in the same place. Trying to pick out video
    switching events from tons of access attempts makes the logs
    useless. Unfortunately the replacement technology for this device runs
    somewhere over $8,000.

    Another commenter had some negative comments about a large company that
    upgrades its routers to the latest and greatest technology. I suggest if
    that person knew what kind of business they do, and how much of it, you
    would reserve your unhelpful comments. Even the cast-off older tech routers
    from this company will be massively more versatile than the consumer grade
    stuff you get at Best Buy. I'm hoping I can get my mitts on one.

    One of the limitations of the Dlink is that the inbound filter list fills up
    quickly, only allowing 24 entries. The gross limitation of the DIR-655 is
    that you can't 'deny all' and then 'allow' only the IP addresses you need. I
    don't get why they don't have a checkbox for 'deny all' and then allow
    according to inbound filtering rules. After all, that's what a firewall is
    supposed to do!

    Since the MVP-2000 only responds to the manufacturer's remote client
    software, which only looks on port 21 for ftp and port 23 for telnet, I'm
    unable to really do much with that. I can, however, manually change the
    MVP's internal IP address and subnet. I have reduced the log file abuse by
    filling up the inbound filter table, but even that doesn't work right. I've
    got a tech support issue that Dlink is currently dealing with, where some of
    the Class A IP ranges that are banned are still getting through the
    firewall. I'd say that's a flaw in their product!

    I'll be sure to post the results of both the tech support issue and if I'm
    able to devise a workaround to the port 21/23 issue.
     
    Harley, Apr 19, 2010
    #9
  10.

    Bob K Guest

    OK, Harley. . .

    Let me do some guessing on how I would try. This may not work out --
    the documentation I am looking at may not be accurate for the hardware
    you have (boy, that happens a lot!), but on the other side of the coin,
    you have the hardware so you can experiment with it!

    Page 34 covers the port forwarding setup. You can specify either a
    port, or range of ports (or apparently a list). I would try 21, 23 and
    see if that gets accepted. If not, either 21-23, or make two entries --
    one for 21 and one for 23.

    I am guessing that the remote addresses you need to allow are for the
    manufacturer's remote client (not your application), so the port
    translation isn't going to help. You can't get them to play those games
    just for you!

    With the port forwarding, you can name a filter to use. I think (again,
    maybe wrong!) that if you set up a filter listing the two IP addresses
    that are OK, and specify ALLOW for those (I'm looking at page 42), that
    only traffic from those IP addresses should port forward to the MVP-2000.

    I don't know if you have any other things running that would require you
    to additionally do any other port forwarding. I'm going to assume not.

    One question I have, how is the inbound traffic (mostly from hackers)
    finding its way to the MVP-2000 now? You must have something set up to
    direct inbound traffic to the video router. Normally connect requests
    coming in to a router get dropped unless it is told what to do with them.

    If the MVP-2000 is the end that originates the traffic, then maybe you
    don't need to do any inbound port forwarding. That is another ball
    game! Just like when your computer connects to web site, the replies
    come back to your computer.

    From what I have seen, your Dlink router has plenty of capability --
    assuming things work like the book says. Unfortunately, that isn't
    always the case :-(

    ....Bob
     
    Bob K, Apr 19, 2010
    #10
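    The rule Bob K lays out above (a port-forward entry for 21 and 23 bound to
    a named inbound filter that ALLOWs the two WAN addresses, with everything
    else dropped because no forward matches) is worth seeing side by side with
    the deny-list approach Harley started from. The code below is an added
    example for this thread, not D-Link firmware or the DIR-655's actual
    implementation; it models the semantics the manual quotes (ALLOW/DENY per
    rule, up to eight WAN ranges per rule) and the addresses and sample
    connection attempts are constructed from documentation ranges.

```python
"""Model of the DIR-655 inbound-filter behaviour discussed in the thread.
Added example, not D-Link code; addresses and attempts are constructed."""
import ipaddress
from collections import Counter

MAX_RANGES_PER_RULE = 8          # "Up to eight ranges of WAN IP addresses"
FORWARDED_PORTS = {21, 23}       # ftp and telnet, the only ports forwarded


def parse_ranges(cidrs):
    """Build an inbound-filter rule from CIDR strings, enforcing the 8-range cap."""
    if len(cidrs) > MAX_RANGES_PER_RULE:
        raise ValueError("a DIR-655 inbound filter rule holds at most 8 ranges")
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed: the two outside addresses Harley needs, as one ALLOW rule
ALLOW_RULE = parse_ranges(["203.0.113.10/32", "198.51.100.0/28"])


def allow_list_filter(src, dport, allowed=ALLOW_RULE, ports=FORWARDED_PORTS):
    """Bob K's suggestion: forward 21/23 only from the ALLOW ranges.

    Returns 'forward' or 'drop'. A port with no forward entry is dropped by the
    router regardless of source; a forwarded port is only passed when the
    source matches one of the rule's ranges."""
    if dport not in ports:
        return "drop"
    ip = ipaddress.ip_address(src)
    return "forward" if any(ip in net for net in allowed) else "drop"


def deny_list_filter(src, dport, denied, ports=FORWARDED_PORTS):
    """Harley's first attempt: DENY the ranges seen so far, forward the rest.
    Anything outside the listed ranges still reaches the video router."""
    if dport not in ports:
        return "drop"
    ip = ipaddress.ip_address(src)
    return "drop" if any(ip in net for net in denied) else "forward"


# Constructed inbound attempts: (source address, destination port)
ATTEMPTS = [
    ("203.0.113.10", 23),   # Harley's own management address
    ("198.51.100.7", 21),   # second allowed address, inside the /28
    ("192.0.2.55", 23),     # unknown source probing telnet
    ("192.0.2.56", 21),     # unknown source probing ftp
    ("192.0.2.57", 80),     # no forward entry for port 80 at all
    ("203.0.113.99", 23),   # neighbour of an allowed host, not in the /32
    ("192.0.2.200", 23),    # a source Harley never got around to denying
]


def tally(attempts, filter_fn, **kw):
    """Count forward/drop decisions for a list of attempts under one filter."""
    return Counter(filter_fn(src, port, **kw) for src, port in attempts)


if __name__ == "__main__":
    # The deny list only covers the ranges Harley had already noticed
    denied = parse_ranges(["192.0.2.0/25"])
    print("allow-list rule:", dict(tally(ATTEMPTS, allow_list_filter)))
    print("deny-list rule :", dict(tally(ATTEMPTS, deny_list_filter, denied=denied)))
```

    With the allow-list rule only the two management sources are forwarded;
    with the deny list, every source not yet on the list (and there are always
    more) still lands on the video router, which is the "motorboating in a
    strainer" effect from the first post.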
  11.

    Char Jackson Guest

    That was probably me. I work for a Fortune 50 company which spends
    nearly a billion dollars a year on technology, mostly to serve a
    growing customer base. In my time with this company we have never, and
    I feel confident in saying we will never, upgrade a piece of hardware
    because we can't manage its log files. That's just silly.

    So while $8000 is a trivial amount for a business to spend on itself,
    it's still a waste of money if there are free ways to accomplish the
    same thing. That's all I'm saying. I meant that to be helpful, not
    unhelpful. Good luck, whatever you decide to do.
     
    Char Jackson, Apr 19, 2010
    #11
  12. Harley

    Harley Guest

    Sorry, sometimes when you put something in writing it comes out snotty. This
    company (not mine) is a big Fortune 50 company, with worldwide sales and
    manufacturing locations. They have a service contract of some kind with
    Cisco that they get the newest toys available as soon as they become
    available, before they even hit the street. But they aren't the ones with
    the log file problems.

    I operate a small town community access cable channel that has mostly no
    budget. (I would give you the web address I use to monitor the site, but
    that might just create more problems with people I don't even know, living
    in China, Turkey, Russia, etc.) The importance of keeping the hackers out of
    the log files is that the video switching events become useless when lost in
    thousands of entries by these idiots trying to telnet or ftp into the
    switching equipment. I'll certainly be trying some of these ideas in the
    next few days in the hope that it both solves the problem, and gives me some
    hands-on experience doing something that doesn't get done everyday.
     
    Harley, Apr 19, 2010
    #12
  13. Harley

    Harley Guest

    SUCCESS - by following the two-step procedure you suggested I've been able
    to limit port forwarding to the IP addresses (or range of addresses)
    specified in an inbound rule. I was trying to deny all IP addresses, and
    then only allow the approved ones through the firewall. That wasn't working.
    The correct approach to limiting access to telnet and ftp was to make up a
    named rule and subject the ports (21 and 23) that are used by the internal
    network device to that rule by setting those ports to 'allow.' By default
    all packets from other IP addresses get sent to the bit bucket. We haven't
    had even one unallowed access on those two ports since yesterday noon.

    Amazing how I'm still waiting for a response from the Dlink tech support
    people and the information I needed came from a person who doesn't even use
    the same equipment. To honor your help I've named the ftp/telnet access
    rule, "BobK." Thanks for your help!
     
    Harley, Apr 23, 2010
    #13
  14.

    Bob K Guest

    Harley, thanks for the feedback!

    All too many times we offer possible suggestions, and never hear any
    more on how a situation was resolved.

    As I mentioned awhile back, when you get a chance, go to http://grc.com
    and run a scan for open ports on your system. Steve Gibson (author of
    Spinrite) has done a lot of work on computer security, and has a wealth
    of information available on securing systems. His 'Shields Up' scan (or
    whatever it's called) will let you know just how invisible your computer
    system is to hackers. You want the system to sit there, work 100% for
    what you want, and still not be available to people looking for a tool
    to do bad things.

    Somehow I think there is a failure in the documentation for things, like
    for your router, to put into some simple terms how to handle problems.
    Yes, the information is there -- but unless you can guess as to where to
    look, you might not find it! Companies all too often have people
    writing the documentation that have not used the product. Or, maybe
    written by the designer, that only sees it from one viewpoint.

    But, enough of a rant! Thanks again for letting us know how you made out.

    ....Bob
     
    Bob K, Apr 23, 2010
    #14