PF Weird connections to my webserver

Hello,

I have a computer and I configured it as a video surveillance system in our company. It uses software for broadcasting the streams of the network cameras, and this software acts similar to a webserver. In order to be able to connect to the system from outside of the local network I had to punch a hole in our firewall - port 80. Then by connecting with my username and password I can connect to the cameras.

I have a router which is a pfSense box with the pf firewall. I noticed a couple of days ago that some foreign IPs were connected on port 80 on my server. Here is what I did:

Code:
#pftop -a | grep 192.168.1.205 //my server internal IP address
tcp   I  xx.xx.xx.xx:52719     192.168.1.205:80      4:4  78467  7934     5   259
tcp   O  xx.xx.xx.xx:52719     192.168.1.205:80      4:4  78467  7934     5   259
Sometimes there are a lot of similar connections like this, and they stay alive for some hours, too. Do I have to worry?
 
It's pretty much a given that any service you put on the Internet will get probed constantly.

If possible you're better off looking in the web server logs to see what they are actually trying to access. Usually it's search bots or people trying to look for holes.
 
Thanks for the reply!
I checked many times if I can find log files in the software's folder structure but I couldn't find anything. It's a commercial application made by TRENDnet. All I can do is to make sure my passwords are strong and change them periodically, and that the software is up to date. I also tried tcpdump a couple of times but it didn't return much info.
 
Folder structure? Are you saying this is a Windows application?

As usdmatt said, port 80 is where almost all internet browsing takes place so someone may get to your IP address by accident. Other people actively search out live cameras to watch for fun. My servers are always getting hit by strange requests.
 
Yes, drhowarddrfine! It's an application which runs on Windows. The question is if I should worry or not? I check the active connections every day and they are short-lived connections, I mean every day a different IP is connected to the server for a couple of hours...
 
The question is if I should worry or not? I check the active connections every day and they are short-lived connections, I mean every day a different IP is connected to the server for a couple of hours...
No way to be sure without looking at the actual logs. Just because someone has a connection doesn't mean they're doing something bad. You really, really have to take a look at the logs.

Or have a look with tcpdump(1). If possible just let it create a capture file of the traffic. The resulting *.pcap file can be read in Wireshark (even the Windows version will read it). That should probably make it a little easier for you to analyze. There's even a trick that can "pipe" the capture data of tcpdump(1) over SSH into Wireshark, so you can monitor remotely in real-time.
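An added example, not code from anyone in this thread: a small Python script that parses pftop state lines in the format quoted above and summarises them per foreign address, so the states can be triaged by age, packet count and byte volume before reaching for tcpdump. It assumes pftop's default column order (PR DIR SRC DEST STATE AGE EXP PKTS BYTES, ages in seconds), that the matching O line is the same state seen on the LAN-side interface, and uses constructed sample lines with documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pftop output quoted in the thread;
# the remote addresses are made up. Columns: PR DIR SRC DEST STATE AGE EXP PKTS BYTES
SAMPLE = """\
tcp   I  203.0.113.7:52719     192.168.1.205:80      4:4  78467  7934     5   259
tcp   O  203.0.113.7:52719     192.168.1.205:80      4:4  78467  7934     5   259
tcp   I  198.51.100.23:41002   192.168.1.205:80      4:4     42  86400  812  61440
tcp   I  198.51.100.23:41003   192.168.1.205:80      4:4     40  86400  790  60211
tcp   I  203.0.113.7:52730     192.168.1.205:80      9:9      3     10     6   320
"""

LINE = re.compile(
    r"^(?P<pr>\w+)\s+(?P<dir>[IO])\s+(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<state>\S+)\s+(?P<age>\d+)\s+"
    r"(?P<exp>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s*$"
)

def parse_states(text):
    """One dict per pftop state line; lines that do not match are skipped."""
    rows = []
    for m in filter(None, (LINE.match(l.strip()) for l in text.splitlines())):
        d = m.groupdict()
        for k in ("sport", "dport", "age", "exp", "pkts", "bytes"):
            d[k] = int(d[k])
        rows.append(d)
    return rows

def summarize(rows, server="192.168.1.205", port=80):
    """Per remote address: flow count, longest age, bytes, and how many flows
    sit in ESTABLISHED:ESTABLISHED (4:4) for over an hour with under 20 packets."""
    out = defaultdict(lambda: {"flows": set(), "max_age": 0, "bytes": 0, "idle_long": 0})
    for r in rows:
        if r["dst"] != server or r["dport"] != port:
            continue
        s = out[r["src"]]
        if r["sport"] in s["flows"]:
            continue  # the O line is the same flow seen on the LAN-side interface
        s["flows"].add(r["sport"])
        s["max_age"] = max(s["max_age"], r["age"])
        s["bytes"] += r["bytes"]
        # an old established state that moved almost nothing is a kept-open idle
        # connection, not a data transfer; worth checking in the capture first
        if r["state"] == "4:4" and r["age"] > 3600 and r["pkts"] < 20:
            s["idle_long"] += 1
    return {ip: {**v, "flows": len(v["flows"])} for ip, v in out.items()}

if __name__ == "__main__":
    for ip, s in summarize(parse_states(SAMPLE)).items():
        print(ip, s)
```

Feed it the saved output of pftop (or grep'd lines as in the post) on stdin instead of SAMPLE to get the per-address view for the real box.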
 