Router log - is there anything to be afraid of?

0

I administer a small company network. I go into the router logs and see something like this:

Tue, 2021-02-09 1805 - TCP packet - Source: 192.241.222.236 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 59380 Dst 7000 from WAN]
Tue, 2021-02-09 1807 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 13605 from WAN]
Tue, 2021-02-09 1812 - TCP packet - Source: 66.240.192.138 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 20041 Dst 2222 from WAN]
Tue, 2021-02-09 1819 - TCP packet - Source: 162.142.125.85 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 2951 Dst 10101 from WAN]
Tue, 2021-02-09 1850 - TCP packet - Source: 218.93.208.150 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 9090 Dst 22 from WAN]
Tue, 2021-02-09 1853 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 58334 from WAN]
Tue, 2021-02-09 1856 - TCP packet - Source: 190.96.118.131 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 55864 Dst 445 from WAN]
Tue, 2021-02-09 1859 - TCP packet - Source: 190.96.118.131 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 55864 Dst 445 from WAN]
Tue, 2021-02-09 1801 - TCP packet - Source: 94.102.49.191 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 46505 Dst 21352 from WAN]
Tue, 2021-02-09 1805 - TCP packet - Source: 94.102.49.191 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 46505 Dst 18842 from WAN]
Tue, 2021-02-09 1834 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 6950 from WAN]
Tue, 2021-02-09 1855 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 4932 from WAN]
Tue, 2021-02-09 1804 - TCP packet - Source: 95.82.169.109 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 43714 Dst 8000 from WAN]
Tue, 2021-02-09 1821 - TCP packet - Source: 60.173.87.91 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 3692 Dst 1433 from WAN]
Tue, 2021-02-09 1822 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 8377 from WAN]
Tue, 2021-02-09 1842 - TCP packet - Source: 94.102.49.191 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 46505 Dst 22565 from WAN]
Tue, 2021-02-09 1846 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 39187 from WAN]
Tue, 2021-02-09 1810 - TCP packet - Source: 75.114.100.165 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 50022 Dst 1433 from WAN]
Tue, 2021-02-09 1813 - TCP packet - Source: 75.114.100.165 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 50022 Dst 1433 from WAN]
Tue, 2021-02-09 1816 - TCP packet - Source: 94.102.51.95 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 51789 Dst 62427 from WAN]
Tue, 2021-02-09 1800 - TCP packet - Source: 23.148.145.26 - Destination: 10.70.5.50 - [Zero bytes transferred for connection Src 51723 Dst 443 from WAN]
Tue, 2021-02-09 1808 - TCP packet - Source: 94.102.51.95 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 51789 Dst 40550 from WAN]
Tue, 2021-02-09 1821 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 3334 from WAN]
Tue, 2021-02-09 1831 - TCP packet - Source: 209.141.53.77 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 36258 Dst 11211 from WAN]
Tue, 2021-02-09 1833 - TCP packet - Source: 5.188.158.212 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 29070 Dst 3389 from WAN]

...And that's only from 4 minutes, as you can see. I assume these are some automated bots constantly scanning the network looking for vulnerabilities, am I right? Is this normal? Is there anything to be afraid of? Should I put some blocks on those addresses, or does that make no sense?

2

@mazurro:

What do you have on the private address 10.70.5.50, and doesn't it by chance request/generate something that you then receive in response?

4

Let's assume you have a netlog like the one you pasted.

Everyone who knocked:

cut -d " " -f 9 netlog | sort | uniq

Who was knocking persistently?

cut -d " " -f 9 netlog | sort | uniq -c | sort -rn

To take a closer look at the rascals, e.g. the top 50:

cut -d " " -f 9 netlog | sort | uniq -c | sort -rn | head -50

or

cat netlog | grep -v "^$" | cut -d " " -f 9 | sort | uniq -c | sort -rn | head -50

See whether anything stands out from the crowd flying around the network:

~ $ cut -d " " -f 9 netlog | sort | uniq -c | sort -rn | head -5
      7 79.124.62.74
      3 94.102.49.191
      2 94.102.51.95
      2 75.114.100.165
      2 190.96.118.131

This one champion

7 79.124.62.74

tried his luck as many as 7 times in your sample.
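The pipelines above wrapped into reusable functions, as an added example that is not part of the thread: the sample log lines are constructed to match the format pasted in the question, and the function names (top_sources, top_dst_ports, hits_from, dropped_only) are my own. It also counts which destination ports were probed, which the answer does not do.

```shell
#!/bin/sh
# Added example: summarise a router drop log of the format shown in the question.
# The sample lines below are constructed; the real file would be the exported netlog.
NETLOG=$(mktemp)
cat > "$NETLOG" <<'EOF'
Tue, 2021-02-09 1805 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 13605 from WAN]
Tue, 2021-02-09 1807 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 58334 from WAN]
Tue, 2021-02-09 1821 - TCP packet - Source: 79.124.62.74 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 8080 Dst 3334 from WAN]
Tue, 2021-02-09 1810 - TCP packet - Source: 75.114.100.165 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 50022 Dst 1433 from WAN]
Tue, 2021-02-09 1813 - TCP packet - Source: 75.114.100.165 - Destination: 10.70.5.50 - [Access Policy not found, dropping packet Src 50022 Dst 1433 from WAN]
Tue, 2021-02-09 1800 - TCP packet - Source: 23.148.145.26 - Destination: 10.70.5.50 - [Zero bytes transferred for connection Src 51723 Dst 443 from WAN]

EOF

# Top talkers: the source IP is the 9th space-separated field. Blank lines are
# skipped and the count is sorted numerically, so 10 hits sort above 9.
top_sources() {
    grep -v '^$' "$1" | cut -d ' ' -f 9 | sort | uniq -c | sort -rn
}

# Which destination ports were probed. The port follows "Dst" inside the bracketed
# message, so it is extracted with sed instead of a fixed field number.
top_dst_ports() {
    grep -v '^$' "$1" | sed -n 's/.* Dst \([0-9]*\) from WAN.*/\1/p' | sort | uniq -c | sort -rn
}

# Hit count for a single source address (fixed-string match, so dots are literal).
hits_from() {
    grep -cF "Source: $1 " "$2"
}

# How many lines the firewall actually dropped, ignoring e.g. zero-byte connections.
dropped_only() {
    grep -c 'dropping packet' "$1"
}

top_sources "$NETLOG" | head -5
top_dst_ports "$NETLOG" | head -5
```

Run it against the real export by replacing the heredoc with the path to the saved log; the output has the same shape as the "~ $" listing in the answer.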
