router security log

Discussion in 'Computer Security' started by p escobar, Jun 24, 2009.

  1. p escobar

    p escobar Guest

    hi

    i'm not particularly versed on the subject of network security, so
    forgive me if this is a naive question.

    my router's security log is constantly logging access attempts from
    other ip's. for example:

    2009/06/24 16:27:23 : Blocked access attempt from 80.101.213.247
    2009/06/24 16:27:12 : Blocked access attempt from 80.101.213.247
    2009/06/24 16:26:49 : Blocked access attempt from 86.136.178.26
    2009/06/24 16:26:04 : Blocked access attempt from 80.101.213.247
    2009/06/24 16:26:03 : Blocked access attempt from 86.136.178.26
    2009/06/24 16:25:57 : Blocked access attempt from 80.101.213.247
    2009/06/24 16:25:57 : Blocked access attempt from 86.136.178.26
    2009/06/24 16:25:54 : Blocked access attempt from 80.101.213.247
    2009/06/24 16:25:54 : Blocked access attempt from 86.136.178.26
    2009/06/24 16:25:53 : Blocked access attempt from 80.101.213.247
    2009/06/24 16:25:08 : Blocked access attempt from 86.136.178.26
    2009/06/24 16:25:04 : Blocked access attempt from 70.91.84.41
    2009/06/24 16:25:02 : Blocked access attempt from 86.136.178.26

    i've checked some of these out with nmap, and most appear to be regular
    users, not web servers. i assume this because a web server would have
    some typical ports available like ftp, ssh, http etc. example:

    sudo nmap -v -PN -O 80.101.213.247

    Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-06-24 17:31 CEST
    NSE: Loaded 0 scripts for scanning.
    Initiating Parallel DNS resolution of 1 host. at 17:31
    Completed Parallel DNS resolution of 1 host. at 17:31, 0.03s elapsed
    Initiating SYN Stealth Scan at 17:31
    Scanning a80-101-213-247.adsl.xs4all.nl (80.101.213.247) [1000 ports]
    Discovered open port 5060/tcp on 80.101.213.247
    Completed SYN Stealth Scan at 17:32, 27.02s elapsed (1000 total ports)
    Initiating OS detection (try #1) against a80-101-213-247.adsl.xs4all.nl
    (80.101.213.247)
    Retrying OS detection (try #2) against a80-101-213-247.adsl.xs4all.nl
    (80.101.213.247)
    WARNING: OS didn't match until try #2
    Host a80-101-213-247.adsl.xs4all.nl (80.101.213.247) is up (0.030s latency).
    Interesting ports on a80-101-213-247.adsl.xs4all.nl (80.101.213.247):
    Not shown: 998 filtered ports
    PORT STATE SERVICE
    5060/tcp open sip
    8089/tcp closed unknown
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.5 - 2.6.19

    Read data files from: /usr/local/share/nmap
    OS detection performed. Please report any incorrect results at
    http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 31.07 seconds
    Raw packets sent: 2051 (94.096KB) | Rcvd: 36 (1984B)


    is this something i should worry about?

    thanks

    pablo
     
    p escobar, Jun 24, 2009
    #1

  2. p escobar

    Todd H. Guest

    FYI: Scanning IP's you don't own can be legally tenuous.
    http or https, yes are normal for what would be web servers, but, not
    necessarily others though.

    And if you have adsl lines that you're looking at (as suggested by the
    hostnames of what you were looking at), it's likely that the traffic
    hitting you is because these poor folk are infected with bots or other
    nastyware. I agree with your conclusion that the sample you provided
    was most likely a regular end user.
    By virtue of being on the internet, you will get scanned and scanned a
    LOT. That your router is blocking these should be considered
    reassuring and exceedingly normal.
     
    Todd H., Jun 24, 2009
    #2
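
One way to triage a router log like the one in the first post, added here as an example and not part of any participant's post: it groups the blocked attempts by source address and reports how many each source made and how closely spaced they were. The sample lines are copied from that post; the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the first post of this thread.
SAMPLE_LOG = """\
2009/06/24 16:27:23 : Blocked access attempt from 80.101.213.247
2009/06/24 16:27:12 : Blocked access attempt from 80.101.213.247
2009/06/24 16:26:49 : Blocked access attempt from 86.136.178.26
2009/06/24 16:26:04 : Blocked access attempt from 80.101.213.247
2009/06/24 16:26:03 : Blocked access attempt from 86.136.178.26
2009/06/24 16:25:57 : Blocked access attempt from 80.101.213.247
2009/06/24 16:25:57 : Blocked access attempt from 86.136.178.26
2009/06/24 16:25:54 : Blocked access attempt from 80.101.213.247
2009/06/24 16:25:54 : Blocked access attempt from 86.136.178.26
2009/06/24 16:25:53 : Blocked access attempt from 80.101.213.247
2009/06/24 16:25:08 : Blocked access attempt from 86.136.178.26
2009/06/24 16:25:04 : Blocked access attempt from 70.91.84.41
2009/06/24 16:25:02 : Blocked access attempt from 86.136.178.26
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) : Blocked access attempt from (\S+)$")

def parse(log_text):
    """Return sorted (timestamp, source) pairs; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return sorted(events)

def summarize(events):
    """Per source: attempt count, first-to-last span and shortest gap, in seconds."""
    times = defaultdict(list)
    for ts, src in events:
        times[src].append(ts)
    out = {}
    for src, seen in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        out[src] = {"count": len(seen), "span_s": (seen[-1] - seen[0]).total_seconds(),
                    "min_gap_s": min(gaps) if gaps else None}
    return out

if __name__ == "__main__":
    for src, stats in summarize(parse(SAMPLE_LOG)).items():
        print(src, stats)
```

On the sample, two sources account for 12 of the 13 entries within a window of about two minutes, and one source appears only once.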

  3. p escobar

    p escobar Guest

    none that are immediately detectable, afaik.
    sadly, my router's firewall doesn't give me any more information.
    apparently they are not succeeding.

    would you say these connection attempts are intentional or are they
    possibly random and insignificant?

    pablo
     
    p escobar, Jun 24, 2009
    #3
  4. p escobar

    p escobar Guest

    i'm aware of that. given that my intentions aren't malicious or harmful
    i'm not worried about that. and to be fair: they started it! hehe.
    thanks for the info, todd

    pablo
     
    p escobar, Jun 24, 2009
    #4
  5. p escobar

    p escobar Guest

    and there i thought nowadays hackers rely on nifty buffer overflow
    exploits and social engineering scams instead of trying to force their
    way in through the front door with an axe. that is not very ladylike.

    if one of the wankers does get in and somehow manages to compromise my
    web banking account i'd love to see the look of disappointment on his
    face when he sees my balance.

    pablo
     
    p escobar, Jun 25, 2009
    #5