• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

PF Intrusion attempt ?

dlegrand

Active Member

Thanks: 42
Messages: 151

#1
Dear FreeBSD users,

My home network is behind an old Zyxel router doing NAT to access the Internet.
I recently saw in my PF log the following lines :
Code:
16:20:58.878937 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
16:20:58.878947 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
16:20:58.879914 rule 0/0(match): block in on rl0: 125.64.94.208.57033 > 192.168.1.10.13215: UDP, length 0
The Internet NAT router is redirecting only tcp ports 7547,80,443 to my FreeBSD desktop machine (192.168.1.10), so I am surprised to see an attempt to connect to port 13215 which is normally not redirected. Also I don't remember having initiated a connection to this Web site.
This public IP 125.64.94.208 is from China. Do you think my router has been hacked ?
 

Eric A. Borisch

Well-Known Member

Thanks: 202
Messages: 312

#2
Have you been hacked? Signs point to no. (It was blocked, after all.) Is someone trying to hack you? If you are connected to the internet, yes.

Attackers scan for open ports constantly. Looks like there was a recent uptick in this port: https://isc.sans.edu/port.html?port=13215 , and the same IP has poked at me:

Code:
2018-01-23 03:12:08.899260 rule 13/0(match): block in on cable: (tos 0x0, ttl 231, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.58377 > x.x.x.x.1001: Flags , cksum 0x02b1 (correct), seq 1275943910, win 65535, length 0
2018-01-24 04:17:16.838505 rule 10/0(match): block in on cable: (tos 0x0, ttl 231, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.36893 > X.X.X.X.5007: Flags , cksum 0xd328 (correct), seq 1286000411, win 65535, length 0
2018-01-25 20:21:26.135456 rule 13/0(match): block in on cable: (tos 0x0, ttl 230, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.43228 > x.x.x.x.8000: Flags , cksum 0x241e (correct), seq 913076208, win 65535, length 0
2018-01-26 01:57:17.846080 rule 10/0(match): block in on cable: (tos 0x0, ttl 230, id 54321, offset 0, flags [none], proto TCP (6), length 40)
    125.64.94.208.57525 > X.X.X.X.2222: Flags , cksum 0x9238 (correct), seq 2584378608, win 65535, length 0

I put unexpected connection attempts into a ~24-hour (rule 10) block-drop list. Sure looks like a slow-and-steady scanner.
 

Datapanic

Active Member

Thanks: 112
Messages: 209

#3
That IP hit me too:

Code:
Jan 25 06:58:19 gateway03 pf[768]: rule 29/0(match): pass in on em0: 125.64.94.208.55514 > xx.xx.xx.xx.1001: Flags , seq 2302889774, win 29200, options [mss 1460,sackOK,TS val 955675733 ecr 0,nop,wscale 7], length 0
Jan 25 07:02:06 gateway03 pf[768]: rule 19/0(match): block in on em0: 125.64.94.208.55514 > xx.xx.xx.xx.1001: Flags [.], ack 549391745, win 29200, length 0
I have some special antiscan pf rules that pick up on SYN connects and then add them to a table which blocks them to ANY port for 10 days. You can see the first line passes in their SYN request, and then pf picks it up and adds them to my dynamic "scanners" table and they are subsequently blocked on any port.
 

dlegrand

Active Member

Thanks: 42
Messages: 151

#4
Have you been hacked? Signs point to no. (It was blocked, after all.) Is someone trying to hack you? If you are connected to the internet, yes.
What I don't understand is how my FreeBSD machine can receive connection attempt from my NAPT router which should not redirect this port number ?
So that's why I am asking if there is a possibility that this NAPT router has been hacked.

Sorry if I didn't choose the right section on this forum. My problem is not about PF which is doing a good job, but my NAPT router which has neither FreeBSD nor PF. It's a ZyXEL AMG1001-T10A.
PF on my FreeBSD machine allowed me to see this unwanted connection attempt.
 

Eric A. Borisch

Well-Known Member

Thanks: 202
Messages: 312

#6
What I don't understand is how my FreeBSD machine can receive connection attempt from my NAPT router which should not redirect this port number ?
So that's why I am asking if there is a possibility that this NAPT router has been hacked.

Sorry if I didn't choose the right section on this forum. My problem is not about PF which is doing a good job, but my NAPT router which has neither FreeBSD nor PF. It's a ZyXEL AMG1001-T10A.
PF on my FreeBSD machine allowed me to see this unwanted connection attempt.
Ah, sorry, I didn't quite parse your layout initially. This might be better served on a ZyXEL forum? The fact that PF blocked it (implies there had not been a recent outbound connection & wasn't in the state table of your PF machine) yet your upstream supposed-to-be-a-firewall box passed it would make me double-check the upstream settings, and consider replacing it if everything seems in order.

With the extremely short packet delay, the sender certainly didn't know the prior packets had been blocked before sending the subsequent one. In addition, the IP has been reported for scanning: https://www.abuseipdb.com/check/125.64.94.208 ... I'd say the likelihood that this was not desirable traffic is high; why it got through the ZyXEL is a good question for them.
 

tman904

New Member

Thanks: 2
Messages: 8

#7
Hello,

Is this your topology?
(INTERNET)
|
(ZyXEL)
|
(FreeBSD Server)

My other question would be if the rl0 interface is assigned 192.168.1.10?

If both of those are true I would seriously consider checking the ZyXEL device.

Since your only forwarding ports 7547,80,443, I wouldn't expect to see packets destined to port 13215 coming into rl0 on the FreeBSD server behind the ZyXEL device.
.
That most likely means that UDP packets were translated by the ZyXEL to the ip 192.168.1.10 and destination port 13215.

I would check to make sure a UPNP Server isn't enabled on the ZyXEL.
If a host on the inside was compromised it could of easily sent a UPNP request to the ZyXEL to open that port from the Internet to the inside.

Even if the FreeBSD Server at 192.168.1.10 didn't request it directly another host could have in order to open a small foothold.

Have a nice day.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,895
Best answers: 7
Messages: 26,520

#8
Judging by the seemingly random high ports, I'm guessing this is traffic caused by P2P (bittorrents). A lot of bittorrent clients use UPnP (IGD) to dynamically open and forward ports. Even if you run a bittorrent client less than 5 minutes you're going to see P2P traffic knocking at your door for the next couple of weeks. It's going to take a really long time for your IP address to die out.
 

tman904

New Member

Thanks: 2
Messages: 8

#9
SirDice. Would that mean that the FreeBSD Server at 192.168.1.10 is running a bittorrent client? I didn't think that was the case from the above posts.

It seems like unless the FreeBSD box opened the ports, the packets wouldn't be getting translated to the servers ip address. Am I mistaken in my thinking?
 

Crivens

Moderator
Staff member
Moderator

Thanks: 437
Messages: 1,309

#10
If you are on a dynamic IP, then it suffices for anyone who had that IP in the last weeks to run a torrent client.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,895
Best answers: 7
Messages: 26,520

#11

dlegrand

Active Member

Thanks: 42
Messages: 151

#12
Hello,

Is this your topology?
(INTERNET)
|
(ZyXEL)
|
(FreeBSD Server)

My other question would be if the rl0 interface is assigned 192.168.1.10?

If both of those are true I would seriously consider checking the ZyXEL device.

Since your only forwarding ports 7547,80,443, I wouldn't expect to see packets destined to port 13215 coming into rl0 on the FreeBSD server behind the ZyXEL device.
.
That most likely means that UDP packets were translated by the ZyXEL to the ip 192.168.1.10 and destination port 13215.

I would check to make sure a UPNP Server isn't enabled on the ZyXEL.
If a host on the inside was compromised it could of easily sent a UPNP request to the ZyXEL to open that port from the Internet to the inside.

Even if the FreeBSD Server at 192.168.1.10 didn't request it directly another host could have in order to open a small foothold.

Have a nice day.
Hi,

I always disable UPnP on my Internet Gateways and there is no Bittorrent client running on this IP (192.168.1.10) and my public IP is static.
It seems that this kind of router had some security flaws in the past, so I decided to not using it anymore because it lacks of firmware updates from ZyXEL.

Thank you all.
 

Trihexagonal

Aspiring Daemon

Thanks: 422
Messages: 908

#13
I have cable and when I know I'm going to be offline a day or so will unplug my modem so when I go back online it's with a new IP#.

My Netgear router does SPI and I just updated the firmware recently. I did have a pfSense tower I liked a lot, but it was an energy hog and I never replaced it when I switched to cable.

TBH I rarely ever bother looking at my pflog beyond the stats in my daily security mailing. I don't allow remote access for myself, can see any /var/log/pflog activity with sysutils/gkrellm2 such as when I scan my own machines from the LAN, and unlike my firewall log monitor it closely.
 

_martin

Aspiring Daemon

Thanks: 125
Messages: 674

#14
NAT is not firewall though it does create fake feeling of security. "NAT is not firewall" in google pops out plenty of explanation why.
I'd be careful using old non-updated routers on public networks.
 

gkontos

Daemon

Thanks: 454
Messages: 2,094

#15
NAT is not firewall though it does create fake feeling of security. "NAT is not firewall" in google pops out plenty of explanation why.
I'd be careful using old non-updated routers on public networks.
In IPv4 routers, when internal clients use NAT to a public IP address, there is no way that a host outside that router can initiate a connection to a host behind the NAT.
Of course this is not a firewall because firewalls use access lists and also perform stateful inspection among other things.
 

ShelLuser

Daemon

Thanks: 1,097
Best answers: 2
Messages: 2,424

#17
Not very useful info though, at least not for me. I'm not going to sit through 48 minutes of jabbering only to hope that I'll eventually understand what point you're trying to make here. Not to mention my immediate prejudice because these kind of demonstrations more than often do not represent the actual situations you get to see in the real world. Though I can't say for sure if that's the case here as well, that's because of my first issue ;)

(edit) Actually now I can. Around 25:00 did I stumble on something which immediately set the tone for me: "So now I'm going to enable remote telnet" :rolleyes:

Nothing to see or learn here.
 

_martin

Aspiring Daemon

Thanks: 125
Messages: 674

#19
(edit) Actually now I can. Around 25:00 did I stumble on something which immediately set the tone for me: "So now I'm going to enable remote telnet" :rolleyes:

Nothing to see or learn here.
Ehm .. he enabled it as an attacker when he already gained the access to the router.
 

_martin

Aspiring Daemon

Thanks: 125
Messages: 674

#21
IP spoofing can do some magic. In the old routers you had NAT enabled this way (pseudo code):
Code:
pass in
pass out
nat on egress0
It creates illusion of security where people thought: "I'm behind the NAT, I'm safe.". It's not NAT that keeps you secure.

Newer routers have NAT and some filtering enabled by default to prevent these attacks.
 

PacketMan

Aspiring Daemon

Thanks: 129
Messages: 848

#22
Not to sidetrack the discussion, but I meant to do something previous and of course it slipped the mind. I am not running Pf, but am running 11.1-RELEASE-p4. (Yeah I know, security update is available.) There was another discussion one time where FreeBSD could be configured to automatically stop responding to 'request' for a period of time. Anyone remember the port or utility that was referred to?

Thanks guys.
 

max21

Well-Known Member

Thanks: 17
Messages: 392

#23
Hi,

I always disable UPnP on my Internet Gateways and there is no Bittorrent client running on this IP (192.168.1.10) and my public IP is static.
It seems that this kind of router had some security flaws in the past, so I decided to not using it anymore because it lacks of firmware updates from ZyXEL.

Thank you all.
....
....
https://www.tenforums.com/antivirus-firewalls-system-security/84068-best-firewall-windows-10-a.html
IN THERE:: most routers have a fire wall built in but i have never seen nor heard of it and the windows 10 firewall having conflicts.
It not all about Windows. I guest it is never over until the fat lady sing... routers security plus/ -> then FreeBSD pf. I never thought the router had that much impact other then to open up the door to let em in so that FreeBSD pf is left to do all the work. This is no new news for you dlegrand but this thread certainly clue me up. I been blindly kind-of on the right track, and now I know.

PS: I do not think your router have been hacked, and if so it 's pure hardware (i thin) that should beable to reset (unplug all for a min or two). China are very powerful INTERNET or TECH people beyond most. They do not destroy or wish to destroy IMO because nothing for nothing leaves nothing and they are too smart for that!
 

Trihexagonal

Aspiring Daemon

Thanks: 422
Messages: 908

#24
I never thought the router had that much impact other then to open up the door to let em in so that FreeBSD pf is left to do all the work.
My router does Stateful Packet Inspection so I expect it watch the door for who comes and goes, and who can come in accordingly.

I depend on pf to be there if something gets by it.
 
Top