ET INAPPROPRIATE Likely Porn

In our corporate IPFire fast.log file we’re getting messages that say this:

04/19/2020-00:04:06.579825 [Drop] [] [1:2001608:9] ET INAPPROPRIATE Likely Porn [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> :47988
04/19/2020-00:04:40.806486 [Drop] [] [1:2001608:9] ET INAPPROPRIATE Likely Porn [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> :48000
04/19/2020-00:05:49.706359 [Drop] [] [1:2001608:9] ET INAPPROPRIATE Likely Porn [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.229.210.142:80 -> :48014

Many entries of this have been coming through every 15 minutes or more since 4/13/20 at 08:03:03. I’ve put a rule into iptables dropping all traffic to that IP, but messages are still flowing through. I want to confirm whether this is someone looking at porn inside the building, or if this is an outside attack from an IP known to be associated with a porn site, or if this is simply a false positive, or if someone’s machine has been compromised. Connections coming from 192.229.21.142 appear to be coming in on different ports, starting with 47982 and going up to 53958.

Besides confirming whether it is inbound or outbound, I also want to know how to set up IPFire to email me / text me when something like this starts to happen again, so I can respond quickly. If you were the IS Administrator and this was showing up in your logs, what steps would you take to resolve this?

Chris

I believe it is this.

Personally, I would ignore it. If it really bothers you, you can set a firewall rule to drop all traffic from that IP, but NAT will do that anyway if it’s unsolicited inbound. Once you get used to seeing this type of rule, it’s easy to mentally dismiss it. What I’d really do is disable the whole porn IPS ruleset as there are better ways of blocking porn (URL Filter) if that’s important in your environment.

I don’t think the ipfire email system is sophisticated enough yet to send email alerts for this type of thing.

Thanks for the fast response. Are there any add-ons that have this emailing ability, or are there any add-ons that can at least bundle up logs for the day and email them to me, so that I know what logs to look at in the system? I’m always paranoid about “I don’t know what I don’t know”, so there may be more security issues out there that I’m just not looking for, or I’m not looking at the right log files to find out what they are. On other distributions this kind of thing is found in logwatch for getting logs, fail2ban for attempted break-ins, among other tools. What add-ons exist for these kinds of uses?

With core143 we have added the missing input ports for the proxy and transparent proxy, so you can determine which client in green or blue has sent these requests if IPS is enabled on green and blue.

I just installed 143 but I have to reboot after hours for it to take effect. One of the challenges that I have with the web interface is, when looking at the proxy logs, there are always many, many entries, like looking for a needle in a stack of needles. Are there options so that you can filter out everything except for security level 1 issues / level 2 issues, so that you can see the security level 1 issue and the IP on the LAN that’s associated with it, so you know who needs the scolding or what machine is compromised?

If there is a way to add that functionality, that would definitely help me do my job.

Zoho CRM has a great web-based drag and drop interface for building forms and output reports, where you can set up structure to find the exact information that you need without having to manually write a sophisticated SQL query, or cat / sed through log files. Can this kind of a UI be added to the IPFire logging area so that you can easily build your own output reports or pre-saved filters?

You could use the swatch addon to look for specific entries in /var/log/suricata/fast.log and have them sent to email: swatch - Simple Log Analyzer
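The thread asks two related things: how to pick out only the Priority 1 alerts together with the LAN client behind them, and how to watch fast.log for specific entries. Here is an added Python example (not IPFire's, Suricata's or swatch's own code) that parses the fast.log layout quoted above, keeps alerts at or above a chosen priority, and tags each with a direction and the internal host; the sample lines, sid 9999991 and the 198.51.100.7/203.0.113.9 addresses are constructed, and the internal network list is an assumption to adjust to your green/blue ranges.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in fast.log layout (not real traffic); the forum shows "[**]" as "[]" and omits the client IP, so both forms appear.
SAMPLE_FAST_LOG = """\
04/19/2020-00:04:06.579825 [Drop] [] [1:2001608:9] ET INAPPROPRIATE Likely Porn [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.168.1.23:47988
04/19/2020-00:04:40.806486 [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> :48000
04/19/2020-00:05:49.706359 [Drop] [**] [1:2001608:9] ET INAPPROPRIATE Likely Porn [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.168.1.23:48014
04/19/2020-00:06:10.000000 [**] [1:9999991:1] CONSTRUCTED SCAN test alert [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44444 -> 192.168.1.1:22
"""
# Assumed LAN ranges; adjust to your green/blue networks. IPv4 only (IPv6 addresses contain colons).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>[A-Za-z]+)\]\s+)?\[[^\]]*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[[^\]]*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]*):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]*):(?P<dport>\d+)\s*$")

def parse_fast_log(text):
    for m in filter(None, map(FAST_LOG_RE.match, text.splitlines())):  # lines not in the layout are skipped
        rec = m.groupdict()
        rec.update(prio=int(rec["prio"]), sport=int(rec["sport"]), dport=int(rec["dport"]))
        yield rec

def is_internal(ip):
    """True for an address in INTERNAL_NETS, False for any other address, None if it was not logged."""
    try:
        return any(ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return None

def direction(rec):
    si, di = is_internal(rec["src"]), is_internal(rec["dst"])
    if si and di is False:
        return "outbound"
    if si is False and di is not False:
        # From outside towards the LAN (or an unlogged client). A well-known source port answering an
        # ephemeral port is the server's reply leg, i.e. a session most likely opened from inside. Heuristic only.
        return "inbound-reply" if rec["sport"] < 1024 <= rec["dport"] else "inbound"
    return "unknown"

def summarize(text, max_priority=1):
    """Count alerts with Priority <= max_priority, keyed by (sid, message, direction, internal host)."""
    hits = Counter()
    for rec in parse_fast_log(text):
        if rec["prio"] <= max_priority:
            host = rec["dst"] if is_internal(rec["dst"]) else (rec["src"] if is_internal(rec["src"]) else "(not logged)")
            hits[(rec["sid"], rec["msg"], direction(rec), host)] += 1
    return hits
```

Run `summarize(open("/var/log/suricata/fast.log").read())` on the box to get the per-host counts; the "(not logged)" bucket is exactly the case the core143 change addresses.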