I got a complaint from our ISP that there were unauthorized access attempts from IP 184.108.40.206 (firewall IP). The ISP is saying they got a complaint about address 220.127.116.11 conducting scanning/hacking NT known exploits, port scanning and/or spidering of another network. They also say there was a TCP sweep of port 80 from the IP 18.104.22.168. The report says:
Well, you can not make them stop, not with firewall rules at least,
since that would terminate all the traffic from you.
But you can make sure that the offender stops.
First, you now "know" that you have an offender in your network.
Stop using telnet and start using SSH instead.
Change passwords on the firewall and other equipment that is essential to you (not using telnet).
Set up NTP.
Start logging (to a secure log host so that an attacker can not change the logs).
You do not have a clue who did what, when, or with whom, since there is no logging of the traffic.
That is a, if not to say THE, big problem, not just because of offending others, but to know what happens in your own network.
What you should have been able to do when the ISP called is to ask the question: what time, and what is the offended IP address/es?
Then you go back to your logs and check them out to see who was connected to the ISP-supplied offended IP address at that time.
This way you can find out a couple of things.
First off, you will find the offending computer, and with that either be able to tell if the person in front of the keyboard is the offender, or if your company has been attacked and a host compromised. You might have a whole infestation of a botnet going on and you will never know it, since you don't have any logs.
If it is the person in front of the keyboard, then at least you will have someone to fire or to show so that others do not do the same.
Or it might show that someone on your WLAN has done it who is not even with your company. Then you know you have a breached WLAN.
If you can add the server log files to syslog, that helps a lot to see who was logged on at what time and so on.
The more you log, the easier the task when you have a lead to what the problem is.
If you are a Windows head, I would recommend Kiwi Syslog Server; a lot of nice features if you buy the software, some nice ones if you just use the free version.
Then I would sift through the gigabytes of syslog data with GNU grep for Windows.
Sift through the data with the offended IP address and copy all those rows to a new file that will be a lot smaller, and keep digging with grep until you know what's going on.
If you are a Linux head, then you know what to do with syslog and how to use it.
All of this, and how it should be handled, should be covered in your IT policy.
If you do not have one, get one!
I wish you good luck, and a final small advice: they can be quite crafty.
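The log-correlation step described above (take the time window and offended address from the ISP, pull the matching firewall syslog rows, and see which inside host was talking to it), as an added example that is not part of the original post. The syslog rows and their iptables-style `SRC=`/`DST=`/`DPT=` field layout are constructed for this example; the field matching is an assumption to adapt to your own firewall's log format.

```shell
#!/bin/sh
# Added example (not from the original post): correlate the ISP's complaint
# (time window + offended address) against firewall syslog to find the
# inside host behind the firewall's public IP.
# Log format below is constructed, iptables-style; adapt the SRC=/DST= matching
# to your own firewall's syslog output.

LOGFILE="${TMPDIR:-/tmp}/fw-syslog-sample.log"

# Constructed sample rows: one inside host sweeping port 80 across the
# complained-about network, plus ordinary traffic as noise.
cat > "$LOGFILE" <<'EOF'
Mar  3 14:02:58 fw kernel: FW-OUT SRC=10.1.1.50 DST=198.51.100.20 PROTO=TCP DPT=443
Mar  3 14:03:01 fw kernel: FW-OUT SRC=10.1.1.23 DST=203.0.113.5 PROTO=TCP DPT=80
Mar  3 14:03:01 fw kernel: FW-OUT SRC=10.1.1.23 DST=203.0.113.6 PROTO=TCP DPT=80
Mar  3 14:03:02 fw kernel: FW-OUT SRC=10.1.1.23 DST=203.0.113.7 PROTO=TCP DPT=80
Mar  3 14:03:02 fw kernel: FW-OUT SRC=10.1.1.77 DST=203.0.113.5 PROTO=TCP DPT=80
Mar  3 14:03:03 fw kernel: FW-OUT SRC=10.1.1.23 DST=203.0.113.8 PROTO=TCP DPT=80
Mar  3 14:09:40 fw kernel: FW-OUT SRC=10.1.1.23 DST=203.0.113.9 PROTO=TCP DPT=80
EOF

# find_inside_hosts LOG OFFENDED START END
#   Keeps rows whose time ($3, HH:MM:SS) lies in [START,END] and whose DST
#   starts with OFFENDED (a full IP, or a prefix like "203.0.113." for a
#   network), then counts connections per inside SRC, busiest first.
find_inside_hosts() {
  awk -v net="$2" -v start="$3" -v end="$4" '
    $3 >= start && $3 <= end {
      src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DST=/) dst = substr($i, 5)
      }
      if (src != "" && index(dst, net) == 1) count[src]++
    }
    END { for (s in count) print count[s], s }
  ' "$1" | sort -rn
}

# top_offender: the inside address with the most hits in the window,
# i.e. the machine to pull off the network and examine first.
top_offender() {
  find_inside_hosts "$@" | head -n 1 | awk '{ print $2 }'
}

find_inside_hosts "$LOGFILE" "203.0.113." "14:03:00" "14:03:59"
```

The same filter run over a real syslog archive is the "copy matching rows to a smaller file and keep digging" step, with the time window doing most of the narrowing.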