IPS log question

Hi,

We have some nat rules in our UTM SG310.

Today when I was watching the IPS logs came accross this:

 

2019:06:07-06:57:09 securitysrv1-2 snort[18296]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" group="110" srcip="185.156.177.242" dstip="10.0.10.221" proto="6" srcport="54007" dstport="18111" sid="49040" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

What I dont understand is Port 18111 is not being used for the Windows TS, but this port is beeing used to view some xml files on 10.0.10.221

I thought maybe someone from the source IP try to open the RDP by using port 18111 and that is why it get logged, but it was not the case.

So port 18111 is opened, there is application on 10.0.10.221 that us this port. Why IPS think this connection is for Windows TS and drop it?

Any suggestion?

 

Thanks

  • Is this a DMZ Server or something?  I am trying to figure out how a public IP accessed your internal IP?  

     

    If it is a public IP and you do have a rule to allow WAN to DMZ with that specific port 18111 open than an attacker might have scanned your network and simply attempts a Windows TS thinking you changed the default port number to that.

  • In reply to Badrobot:

    No this is not a DMZ.

    we have a server in our LAN that has a port 18111 open and also we have a DNAT rule that point to the LAN and allow access to port 18111 from WAN.

    Why in god names IPS says attacker try to access the LAN server from RDP on this port!?

  • In reply to AreshAreshi:

    Well they might have simply scanned your external IP and found the port is open, but when you say DNAT do you mean the rule allows any device on the internet to connect to that port or only specific IP's are allowed through to connect to that port?  It might help to show the rule.  

     

    As for the attacker, if they find the port open through a scan or fire walking they more than likely have a script or some automation that they have created to attempt known attacks, for example. In plain terms, they are fishing.  

     

    You really should not have a DNAT to your internal LAN, this should be to the DMZ instead.  If you are going to DNAT to an internal LAN you should also only allow specific IP's.  (Even that is stretching it.)  I would look into DMZ's and either move the server, or setup a server in the DMZ with whatever reason you have that port open for.

     

    https://www.spamlaws.com/how-dmz-works.html

     

  • In reply to Badrobot:

    Regarding the safety you are right, but we are hosting lots of websites with a 3rd party application that needs access to some ports on the web servers in LAN, that is why we use the DNAT for these ports from anywhere.

    I recently found a solution for the above and that is, instead of using the DNAT and port number use a sub domain and then allow the UTM to redirect the incomming 443 to the custom port of webserver in LAN.

    What I dont understand is why when I try to access the port with mstsc, IPS dont log my IP as it does with the attacker IP!

  • In reply to AreshAreshi:

    Did you attempt a user privilege gain when you accessed the port?

  • In reply to bad robot:

    Can you explain what you mean with " Did you attempt a user privilege gain when you accessed the port? "

    I did try to access the lan server with port 18111 from mstsc but connection wouldn't even made becuase this port is not beeing used for RDP. This port is beeing used by other application. My action did not get logged by IPS.

    I think this means that the attacker use other metod then using the mstsc directly!

  • In reply to AreshAreshi:

    Could be either direct or indirect through just using RDP or through some vulnerability aspect, remember the IPS will detect the attempt & prevent it whether or not it would work on server, it does not mean the attempt would be successful even if you did not have an IPS as long as you known your system and patched/hardened/updated.  This is why you have to update and patch vulnerabilities and harden your OS.  There are many vulnerabilities for RDP over the years, many of these have been patched by Microsoft unless they are new or exist on a EOL OS.  Hackers thrive on picking the weakest link in the bunch so they will constantly scan for open ports on public IP's, depending on how much information they can get from those scans you may see attacks closely related to you systems.  Or you they can just get lucky, i.e. most companies have some Microsoft products.  They then attempt various known attacks against those ports hoping they will catch a company that has not invested a lot in IT or has a lazy admin.  I posted a few links below to help also inform.

     

    Port Scanning with Nmap- https://www.networkworld.com/article/3296740/what-is-nmap-why-you-need-this-network-mapper.html

    RDP vulnerabilities search in CVE- https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=RDP

    Firewalking - https://www.techopedia.com/definition/26261/fire-walking

  • In reply to Badrobot:

    Thanks, I am agree on this with you.