Incoming Log

Discussion in 'Networking Issues' started by Scott0628, Sep 26, 2007.

  1. Scott0628

    Scott0628 LI Guru Member

    Please help a noob..
    We are a small 5 user office running SBS2003 with a BEFSR41.
    My incoming log is inundated with odd entries. Port 15936 seems to be a favorite target. I check the IP addresses and they are from places halfway across the world.
    Is there a resource available that explains:
    1. What these port numbers are?
    2. Which entries (if any) are problems that need to be addressed?
    3. What is actually occurring with these port hits? Does an entry in the incoming log mean they are actually "in" our system, or is it just a scan attempt?
    Also, do I need a beefier router/firewall?

    Here's a recent example:
    Incoming Log Table
    Source IP Destination Port Number 25 1026 25 1433 1434 25 15936 15936 25 1434 15936 2967 25 445 135 1433 135 25 139 25 2967 32666 1162 135 139 5168 25 15936 15936 1026 5900 25 15936 1026 25 23160 25 32666 135 25 1166 3687 3692 3690 3695 3684 3694 3688 135 25 1433 15936 4899 25 33438 33437 33438 33437 33438
  2. frenchy2k1

    frenchy2k1 LI Guru Member

    It just looks like a portscan to me.
    To avoid raising too much suspicion, they just do it in disorder instead of in order.
    The reason they may try the same port several times could be timeouts.
  3. ifican

    ifican Network Guru Member

    The most important thing is to make sure your server and host machines are patched and they have local firewalls running. Next to that, no matter what device you have connected to the internet, it is going to get hammered; it is just the way it is. If you want to find out about what ports are what, you can do a Google search for the port number, something like "tcp port 25" without the quotes (that happens to be email, but you will get a return for any port you search for).

    As for your beefier firewall question, unfortunately in today's world a firewall in and of itself is not really enough. You can argue this on both sides, but basically a single firewall by itself has flaws and can be gotten around. We as users, and even more so as networking professionals, need to remember the phrase "defense in depth". Basically, don't trust your network to one single point of failure or protection.

    But on a side note, as long as you feel comfortable, that's all that really matters. For me, depending on which direction you take coming into my network, you go through 2 firewalls and/or router ACLs with at least 2 layers of NAT, and in some cases up to 4. Overkill? I don't know, but since I am a security professional I tend to be a little more paranoid than most.
  4. Scott0628

    Scott0628 LI Guru Member

    Thank you both !
    From what I'm reading, our existing "firewall" is simply having the router block anonymous internet requests. From what you're telling me, this is not enough. Even though we haven't experienced problems...yet.
    Any recommendations on a reasonable firewall? We have certain ports available for remote access, but we aren't running our own web site.
  5. ifican

    ifican Network Guru Member

    As a whole it is better than nothing, that is for sure. The best way for you to see what is happening inside the network is to set up a firewall on your machine and then look at the logs. You will be surprised at how much you find on your local machine that is not "blocked" by your router.
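
A way to triage the incoming log posted at the top of the thread, as an added example that is not part of any post: it tallies the destination ports exactly as posted, labels the ones with a well-known service, and separates hits on forwarded ports from the rest. The service labels are an editor's summary, the function names are hypothetical, and `FORWARDED = {25}` is an assumption, since the thread never says which ports the office forwards.

```python
from collections import Counter

# Destination ports exactly as posted in the thread (source IPs did not survive).
POSTED_ROW = (
    "25 1026 25 1433 1434 25 15936 15936 25 1434 15936 2967 25 445 135 1433 135 25 "
    "139 25 2967 32666 1162 135 139 5168 25 15936 15936 1026 5900 25 15936 1026 25 "
    "23160 25 32666 135 25 1166 3687 3692 3690 3695 3684 3694 3688 135 25 1433 15936 "
    "4899 25 33438 33437 33438 33437 33438"
)

# Services commonly associated with these ports (editor's summary, not from the thread).
KNOWN = {
    25: "SMTP mail", 135: "Windows RPC endpoint mapper", 139: "NetBIOS session",
    445: "SMB file sharing", 1433: "Microsoft SQL Server", 1434: "SQL Server Browser",
    4899: "Radmin remote admin", 5900: "VNC remote desktop",
}

# Assumption: the ports this office forwards inward; the thread never lists them.
FORWARDED = {25}


def parse_ports(row):
    """Pull the numeric destination ports out of the flattened log row."""
    return [int(tok) for tok in row.split() if tok.isdigit() and int(tok) <= 65535]


def summarize(ports):
    """Return (port, hits, label) tuples, most-hit port first."""
    ranked = sorted(Counter(ports).items(), key=lambda kv: (-kv[1], kv[0]))
    return [(port, hits, KNOWN.get(port, "unidentified")) for port, hits in ranked]


def needs_lookup(ports, min_hits=3):
    """Unlabelled ports hit repeatedly: the ones worth researching first."""
    return [p for p, hits, label in summarize(ports)
            if label == "unidentified" and hits >= min_hits]


def reaches_host(ports, forwarded=FORWARDED):
    """Hits on forwarded ports, which NAT passes to an internal machine;
    unsolicited hits on other ports stop at the router (no DMZ host assumed)."""
    return dict(Counter(p for p in ports if p in forwarded))


if __name__ == "__main__":
    ports = parse_ports(POSTED_ROW)
    for port, hits, label in summarize(ports):
        print(f"{port:>5}  x{hits:<2}  {label}")
    print("research first:", needs_lookup(ports))
    print("reaches an internal host:", reaches_host(ports))
```

The hits that `reaches_host` returns are the ones where the patching and local firewall of the receiving machine matter, which is the point made in the replies above.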