After I deactivated a few false positive messages in the IPS log, only a few messages with priority 3 still appear in the log, but what I have noticed in the last few days gives me food for thought and I wonder how I should deal with it.
It now appears up to 5-10 times a day, always the same IP trying to gain user rights on the same port using injected UDP commands. This message has priority 1; how big is the danger really, and what else can I do to make it as difficult as possible? Snort - Rule Docs
If this is not a clear sign, please enlighten me.
That attack is not dangerous, if you are not forwarding the UDP port in question to a vulnerable device (meaning a device running a specific Realtek chipset, running software made with the Realtek SDK).
Can’t you just block the offending IP? Or an entire country, FWIW, depending on what operation you run.
I think the targets are IoT devices; these devices are mainly in my blue network. I don’t know if they are affected.
I wrote the IP address and some more in the Guardian configuration to block these hosts. I hope this helps, but can’t he just keep sending his UDP packets?
Would it be possible that he infiltrates my Vodafone box that runs in bridge mode as a modem? Would I notice this in this way? Because it has just rebooted with a disco light, which means that a new firmware has been installed; it can of course also be a random event, but you never know?
I have only opened some ports (not 9034) from green to DMZ but not for WAN. On the DMZ device no server is configured for the internet; only the ports for OpenVPN, IPSec and the Tor relay that are set in the IPFire settings are reachable from the internet, and SSH is deactivated.
The SRV Records in the DNS are not for Port 9034.
Change the Source from Location to the IP you want to block and give it a try. Enable “log rule” and keep a close eye on the firewall rules logs to make sure you are blocking everything and have not accidentally allowed everything.
Hopefully someone more knowledgeable will come along and look over (grade) my suggestion!
If no ports are forwarded through the firewall, you are safe. Basically an IPS/IDS is not even needed, if not wanting to catch internal compromised hosts “calling out” (this requires listening on GREEN), or wanting to see attacks for your own curiosity – although one could argue that running an IPS/IDS is opening an attack vector in itself if Suricata should be vulnerable in some way, and it takes a good amount of RAM and CPU.
Jon’s rule looks correct, although for a country you could use “Location block” instead. Of course blocking in this way stops both the attack and the actual logging of the attack.
For sites with forwarded ports I’d generally advise looking at IP blocklists, too, which will take care of many hostile hosts and networks automatically. There is a separate page for this under “Firewall” but you can also add several IP blocklists (in some cases, the same ones) in the IPS. These connections will still be logged, though. Your offending IP is in the Netherlands, a huge source for attacks as there are a lot of hosting companies there.
I have all selected, and Guardian, and IPS. Pretty much from day 1.
Are you guys saying more should be done? Not wishing to derail this from @mumpitz original question, but I do have a number of Aqara Sensors that are in my Blue Access list, for firmware upgrades and phone app connectivity.
Since day one I’ve been using this IDS/IPS system but this is the first time I could see anything in the logs and just today a second IP is also on port 9034 with the same attack, this IP is from an anonymous proxy.
I think it’s related to the Tor relay, the relay attracts scum like a turd attracts flies, but I’m going to write down all these little bastards in my own network firewall list, create groups for these little weirdos and create firewall rules for these groups anyway.
I don’t believe in blocking whole countries, I’ll also make a note of the ASIN number in case certain networks qualify there especially with me.
My IPFire has more than enough memory and computing power to handle this easily.
I created a network 188.8.131.52/24 and added this network to a group which is used in a firewall rule, but the firewall log still shows DROP_INPUT from an IP address in this network. So how do I make these entries go away?
I always try to look clever, but somehow my mind isn’t good enough, I’m not able to translate that into rules.
FORWARDFW green0 UDP [192.168.1.6] 42305 [184.108.40.206] 123
This I had disabled with source 192.168.1.6, destination standard network red, block all, no log.
But for the above networks it doesn’t work…
How did you get the MAC addresses of these external IPs? They are not shown in the IPinfo of IPFire.
But, mister, this MAC address is always the same and I suspect it comes from the red interface… I don’t think that’s the source, it’s the interface that has my external IP address.
How can I create a rule so that these entries are not displayed?
I’m sorry, I don’t understand what is source or direction here? I am not assuming that I am the source…could you explain this for the very stupid?
In my example the crossed out part is my red IP.
The MAC address on the right is not my red MAC.
The Source is the IP or MAC address that is trying to get in.
Destination: “Your network”.
Add the MAC or IP to a “Network Group”.
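As an added example (not from this thread and not IPFire’s own code), here is a small parser for firewall log entries in the layout quoted above (chain, interface, protocol, [source] port, [destination] port) that checks which entries a group-based rule would catch when the group is used as Source, and which ones are actually our own outbound traffic where the group would have to be the Destination instead. The log lines, the local network and the 192.0.2.x/203.0.113.x addresses are constructed sample data.

```python
import ipaddress
import re

# Constructed sample log entries in the layout the thread quotes.
# 188.8.131.x and 184.108.40.206 are the networks discussed above; the
# other addresses come from documentation ranges and are invented.
SAMPLE_LOG = """\
DROP_INPUT red0 UDP [188.8.131.52] 51234 [192.0.2.1] 9034
DROP_INPUT red0 UDP [188.8.131.77] 40001 [192.0.2.1] 9034
FORWARDFW green0 UDP [192.168.1.6] 42305 [184.108.40.206] 123
DROP_INPUT red0 TCP [203.0.113.9] 33000 [192.0.2.1] 22
"""

LINE_RE = re.compile(
    r"^(?P<chain>\S+)\s+(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"\[(?P<src>[^\]]+)\]\s+(?P<sport>\d+)\s+\[(?P<dst>[^\]]+)\]\s+(?P<dport>\d+)$"
)


def parse_entries(text):
    """Parse log lines into dicts with ip_address objects and int ports."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything not in the expected layout
        d = m.groupdict()
        d["src"] = ipaddress.ip_address(d["src"])
        d["dst"] = ipaddress.ip_address(d["dst"])
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        entries.append(d)
    return entries


def build_group(cidrs):
    # strict=False lets "188.8.131.52/24" be read as 188.8.131.0/24,
    # the way the thread's network object was entered.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_group(addr, group):
    return any(addr in net for net in group)


def classify(entries, block_group, local_nets):
    """Split entries into: caught (source is a blocked host, so a rule with
    the group as Source matches), outbound (our own host talking TO a blocked
    host, so the group must be the Destination), and unmatched."""
    caught, outbound, unmatched = [], [], []
    for e in entries:
        if in_group(e["src"], block_group):
            caught.append(e)
        elif in_group(e["src"], local_nets) and in_group(e["dst"], block_group):
            outbound.append(e)
        else:
            unmatched.append(e)
    return caught, outbound, unmatched
```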