Hi everyone,
I could use some help with an issue I had today.
Looks like some script kiddies ran a script against my Alta Route10
Info below:
The Intrusion Detection System on Alta-Access XXXXXXX has detected potentially malicious traffic.
Severity: High
Alert: ET INFO HTTP POST contains pass= in cleartext
Protocol: TCP
Source: 157.90.140.164:80
Destination: 192.168.1.11:56668
So I used the RIPE abuse page and found:
Reverse DNS Hostname (RIPEstat):
static.164.140.90.157.clients.your-server.de
157.90.140.164
So I guess we’ll see how long it takes for the abuse email to get back with me.
In the meantime, someone in Germany can see I have a box plugged in on one of the LAN ports and it was assigned 192.168.1.11? That alone seems somewhat concerning. So I have some questions:
- What logs or verbosity can I turn on to get more information on events like this?
- The IDS/IPS is on, so how can I check if that kicked in and started blocking this attempt?
- iptables logging, from what I can see, isn't dropping any information for me to do forensics after the fact. Can it be set up so I can see 1 day of block logs for instance … or longer if I plug in a USB drive?
```
root@Alta-Access:/tmp/log# iptables -L -v -n | grep -i drop
Chain INPUT (policy DROP 0 packets, 0 bytes)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 3496  381K DROP       all  --  *      eth3    0.0.0.0/0    0.0.0.0/0    ctstate INVALID /* !fw3: Prevent NAT leakage */
    0     0 DROP       all  --  *      eth4    0.0.0.0/0    0.0.0.0/0    ctstate INVALID /* !fw3: Prevent NAT leakage */
Chain zone_wan_dest_DROP (1 references)
    0     0 DROP       all  --  *      eth3    0.0.0.0/0    0.0.0.0/0    /* !fw3 */
    0     0 DROP       all  --  *      eth4    0.0.0.0/0    0.0.0.0/0    /* !fw3 */
    0     0 zone_wan_dest_DROP  all  --  *  *  0.0.0.0/0    0.0.0.0/0    /* !fw3 */
 1585  639K zone_wan_src_DROP   all  --  *  *  0.0.0.0/0    0.0.0.0/0    /* !fw3 */
Chain zone_wan_src_DROP (1 references)
 1585  639K DROP       all  --  eth3   *       0.0.0.0/0    0.0.0.0/0    /* !fw3 */
    0     0 DROP       all  --  eth4   *       0.0.0.0/0    0.0.0.0/0    /* !fw3 */
```
- Can a controller be set to pull logs from a Route10? I believe I saw a syslog server setting… which would push the logs to a destination. Can you also do the reverse and pull logs? Say I have a syslog server and I want it to poll the Route10 every 5 minutes for new information.
- I do like the fact that I received emails. I may keep my cloud account for that reason, as I received information offline that I could get from my phone.
Anyway, if there is any other information I can check for things like this, that would be helpful.
Thanks for your support.
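Added example, not from the post above or from Alta's firmware: assuming a `-j LOG --log-prefix "fw3 drop: "` rule is placed ahead of the DROP rules (the post does not show one), this Python script parses the kernel lines such a rule produces (constructed sample, using the IP and ports from the IDS alert) to answer the forensic questions in the post: how many packets were dropped per source, whether the alert's IP shows up, and, from the port pair, which side of a logged flow likely opened the connection.

```python
import re
from collections import Counter
# Constructed sample (not from the router on the page) of the kernel lines an
# iptables `-j LOG --log-prefix "fw3 drop: "` rule emits, as shown by `logread`.
# Two entries reuse the alert's IP/ports; the third is an unrelated constructed probe.
SAMPLE_LOG = """\
Tue May 14 10:02:11 2024 kern.warn kernel: [1234.5] fw3 drop: IN=eth3 OUT= MAC=00:11:22:33:44:55 SRC=157.90.140.164 DST=192.168.1.11 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=56668 WINDOW=0 RES=0x00 RST URGP=0
Tue May 14 10:02:12 2024 kern.warn kernel: [1235.1] fw3 drop: IN=eth3 OUT= MAC=00:11:22:33:44:55 SRC=157.90.140.164 DST=192.168.1.11 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=56668 WINDOW=0 RES=0x00 RST URGP=0
Tue May 14 10:03:40 2024 kern.warn kernel: [1323.7] fw3 drop: IN=eth3 OUT= MAC=00:11:22:33:44:55 SRC=203.0.113.9 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Tue May 14 10:03:41 2024 kern.info kernel: [1324.0] some unrelated kernel message
"""

# key=value pairs netfilter prints; OUT= is legitimately empty for inbound drops
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
PREFIX_RE = re.compile(r"kernel: \[[^\]]*\] (.*?): IN=")

def parse_log_line(line):
    """Return the netfilter fields of one LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    m = PREFIX_RE.search(line)
    fields["prefix"] = m.group(1) if m else ""
    return fields

def summarize_drops(text, prefix="fw3 drop"):
    """Count logged drops per (SRC, DST, PROTO, DPT) for the given log prefix."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f and f["prefix"] == prefix:
            counts[(f["SRC"], f["DST"], f.get("PROTO", "?"), f.get("DPT", "?"))] += 1
    return counts

def hits_for(text, ip):
    """How many logged drops involve ip as source or destination."""
    return sum(n for (src, dst, _, _), n in summarize_drops(text).items()
               if ip in (src, dst))

def likely_initiator(spt, dpt):
    """Heuristic: the side on the ephemeral (>=1024) port usually opened the flow,
    so SPT=80 DPT=56668 reads as a server replying to a client that connected out."""
    spt, dpt = int(spt), int(dpt)
    if spt < 1024 <= dpt:
        return "destination"
    if dpt < 1024 <= spt:
        return "source"
    return "unknown"
```

Run `summarize_drops(open("/tmp/log/messages").read())` against a real `logread` capture once the LOG rule is in place; the prefix argument must match whatever `--log-prefix` you chose.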