
Incoming Log

Discussion in 'Networking Issues' started by Scott0628, Sep 26, 2007.

  1. Scott0628

    Scott0628 LI Guru Member

    Please help a noob..
    We are a small 5 user office running SBS2003 with a BEFSR41.
    My incoming log is inundated with odd entries. Port 15936 seems to be a favorite target. I check the IP addresses and they are from places halfway across the world.
    Is there a resource available that explains:
    1. What these port numbers are?
    2. Which entries (if any) are problems that need to be addressed?
    3. What is actually occurring with these port hits? Does an entry in the incoming log mean they are actually "in" our system, or is it just a scan attempt?
    Also, do I need a beefier router/firewall?

    Here's a recent example:
     
  2. frenchy2k1

    frenchy2k1 LI Guru Member

    It just looks like a portscan to me.
    To avoid raising too much suspicion, they just do it in disorder instead of in order.
    The reason they may try the same port several times could be time outs.
     
  3. ifican

    ifican Network Guru Member

    The most important thing is to make sure your server and host machines are patched and they have local firewalls running. Next to that, no matter what device you have connected to the internet, it is going to get hammered; it is just the way it is. If you want to find out about what ports are what, you can do a Google search for the port number, something like "tcp port 25" without the quotes (that happens to be email, but you will get a return for any port you search for).

    As for your beefier firewall question, unfortunately in today's world a firewall in and of itself is not really enough. You can argue this on both sides, but basically a single firewall by itself has flaws and can be gotten around. We as users, and even more so as networking professionals, need to remember the phrase "defense in depth". Basically, don't trust your network to one single point of failure or protection.

    But on a side note, as long as you feel comfortable, that's all that really matters. For me, depending on which direction you take coming into my network, you go through 2 firewalls and/or router ACLs with at least 2 layers of NAT and in some cases up to 4. Overkill? I don't know, but since I am a security professional I tend to be a little more paranoid than most.
     
  4. Scott0628

    Scott0628 LI Guru Member

    Thank you both !
    From what I'm reading, our existing "firewall" is simply having the router block anonymous internet requests. From what you're telling me, this is not enough. Even though we haven't experienced problems...yet.
    Any recommendations on a reasonable firewall? We have certain ports available for remote access, but we aren't running our own web site.
     
  5. ifican

    ifican Network Guru Member

    As a whole it is better than nothing, that is for sure. The best way for you to see what is happening inside the network is to set up a firewall on your machine and then look at the logs. You will be surprised at how much you find on your local machine that is not "blocked" by your router.
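
The port lookup and log review discussed in this thread, as an added example that is not part of the original posts: it parses a log in the router's two-column "source IP, destination port" layout, counts hits per port, and separates sources that sweep several ports from sources that repeat one port. The sample log (documentation-range addresses), the partial service map and the threshold of 3 are constructed assumptions.

```python
from collections import Counter, defaultdict

# Partial, hand-written service map (assumption; not exhaustive).
KNOWN_PORTS = {
    25: "SMTP (mail)", 135: "Microsoft RPC endpoint mapper",
    139: "NetBIOS session service", 445: "SMB file sharing",
    1433: "Microsoft SQL Server", 1434: "Microsoft SQL Server browser",
    5900: "VNC remote desktop",
}

# Constructed sample in the two-column layout; addresses come from the
# documentation ranges, not from the original post.
SAMPLE_LOG = """\
Source IP Destination Port Number
192.0.2.10 25
198.51.100.7 1433
192.0.2.10 25
203.0.113.5 3687
203.0.113.5 3692
203.0.113.5 3690
198.51.100.9 135
192.0.2.10 25
198.51.100.7 139
203.0.113.40 15936
203.0.113.41 15936
"""

def parse_log(text):
    """Yield (source_ip, port) pairs; header and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit() and 0 < int(parts[1]) < 65536:
            yield parts[0], int(parts[1])

def summarize(text, threshold=3):
    """Return per-port hit counts, multi-port sweepers and single-port repeaters."""
    port_hits, src_hits, src_ports = Counter(), Counter(), defaultdict(set)
    for src, port in parse_log(text):
        port_hits[port] += 1
        src_hits[src] += 1
        src_ports[src].add(port)
    per_port = [(p, n, KNOWN_PORTS.get(p, "unlisted"))
                for p, n in port_hits.most_common()]
    # Sweeper: one source touching several distinct ports (scan-like pattern).
    sweepers = sorted(s for s, ports in src_ports.items() if len(ports) >= threshold)
    # Repeater: one source returning to a single port (e.g. retries to port 25).
    repeaters = sorted(s for s, n in src_hits.items()
                       if n >= threshold and len(src_ports[s]) == 1)
    return per_port, sweepers, repeaters
```
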
     
