
IPS log question

Hi,

We have some NAT rules in our UTM SG310.

Today when I was watching the IPS logs I came across this:

 

2019:06:07-06:57:09 securitysrv1-2 snort[18296]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" group="110" srcip="185.156.177.242" dstip="10.0.10.221" proto="6" srcport="54007" dstport="18111" sid="49040" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

What I don't understand is that port 18111 is not being used for the Windows TS; this port is being used to view some XML files on 10.0.10.221.

I thought maybe someone from the source IP tried to open RDP by using port 18111 and that is why it got logged, but that was not the case.

So port 18111 is open, and there is an application on 10.0.10.221 that uses this port. Why does the IPS think this connection is for Windows TS and drop it?

Any suggestion?

 

Thanks
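
A signature named "RDP over non-standard port attempt" can only fire on what is inside the TCP payload, since the destination port alone (18111 here) says nothing about RDP. The following is an added example, not code from the original thread or from Sophos/Snort: it parses the UTM IPS log line quoted above into its key="value" fields, and then shows a simplified payload check of the kind such a signature performs, so you can see why an RDP-looking connection request to 18111 is flagged while an HTTP request for an XML file on the same port is not. The exact content of Snort rule SID 49040 is not reproduced; the detector below is an approximation that looks for an RDP X.224 Connection Request (TPKT version 3, X.224 code 0xE0) on any port other than 3389. The two sample payloads are constructed for this example.

```python
"""Added example: parse a Sophos UTM IPS (snort) log line and approximate a
payload-based 'RDP over non-standard port' check. Not the real SID 49040 rule."""
import re

# Log line quoted in the thread above.
LOG_LINE = (
    '2019:06:07-06:57:09 securitysrv1-2 snort[18296]: id="2101" severity="warn" '
    'sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" '
    'reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" '
    'group="110" srcip="185.156.177.242" dstip="10.0.10.221" proto="6" srcport="54007" '
    'dstport="18111" sid="49040" class="Attempted User Privilege Gain" priority="1" '
    'generator="1" msgid="0"'
)

PREFIX_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) snort\[(?P<pid>\d+)\]: ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_utm_ips_line(line: str) -> dict:
    """Return the syslog prefix (ts, host, pid) plus every key="value" field."""
    m = PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a UTM snort log line")
    fields = dict(KV_RE.findall(line[m.end():]))
    fields.update(m.groupdict())
    return fields


def looks_like_rdp_connection_request(payload: bytes) -> bool:
    """Approximation (assumption, not the vendor rule): an RDP session opens with
    a TPKT header (version 3, reserved 0, 16-bit length) wrapping an X.224
    Connection Request TPDU whose code byte has high nibble 0xE (CR)."""
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    if tpkt_len != len(payload):
        return False
    li, code = payload[4], payload[5]
    if (code & 0xF0) != 0xE0 or li != tpkt_len - 5:
        return False
    return True


def classify(dst_port: int, payload: bytes):
    """Return None for non-RDP payloads, otherwise which kind of port it hit.
    Note the port is only consulted *after* the payload has matched."""
    if not looks_like_rdp_connection_request(payload):
        return None
    return "rdp-standard-port" if dst_port == 3389 else "rdp-non-standard-port"


def build_rdp_connection_request(username: str = "admin") -> bytes:
    """Constructed sample: X.224 CR with the mstshash cookie mstsc sends and an
    RDP Negotiation Request (type 1, length 8, requestedProtocols=0x3)."""
    cookie = f"Cookie: mstshash={username}\r\n".encode()
    neg_req = b"\x01\x00\x08\x00" + (0x3).to_bytes(4, "little")
    x224 = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req
    body = bytes([len(x224)]) + x224          # LI counts everything after itself
    return b"\x03\x00" + (4 + len(body)).to_bytes(2, "big") + body


# Constructed sample of the legitimate traffic the thread describes on 18111.
HTTP_XML_GET = b"GET /feeds/sitemap.xml HTTP/1.1\r\nHost: 10.0.10.221:18111\r\n\r\n"


def explain(line: str) -> str:
    """Short human summary of what the log line claims."""
    f = parse_utm_ips_line(line)
    return (f"{f['srcip']}:{f['srcport']} -> {f['dstip']}:{f['dstport']} "
            f"sid={f['sid']} action={f['action']}")


if __name__ == "__main__":
    print(explain(LOG_LINE))
    print(classify(18111, build_rdp_connection_request()))   # flagged
    print(classify(18111, HTTP_XML_GET))                     # not RDP, ignored
```

The check above only decides whether a payload looks like an RDP connection request; it never asks whether the destination actually runs RDP. An action="drop" on such an alert therefore means the UTM discarded that client's first RDP packet, not that an RDP service was reachable on 18111.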



  • Is this a DMZ server or something? I am trying to figure out how a public IP accessed your internal IP.

    If it is a public IP and you do have a rule to allow WAN to DMZ with that specific port 18111 open, then an attacker might have scanned your network and simply attempted Windows TS, thinking you changed the default port number to that.

    Respectfully, 

     

    Badrobot

     

  • No, this is not a DMZ.

    We have a server in our LAN that has port 18111 open, and we also have a DNAT rule that points to the LAN and allows access to port 18111 from the WAN.

    Why in God's name does the IPS say an attacker tried to access the LAN server via RDP on this port!?

  • Well, they might have simply scanned your external IP and found the port is open, but when you say DNAT, do you mean the rule allows any device on the internet to connect to that port, or only specific IPs are allowed through to connect to that port? It might help to show the rule.

    As for the attacker, if they find the port open through a scan or firewalking, they more than likely have a script or some automation that they have created to attempt known attacks. In plain terms, they are fishing.

    You really should not have a DNAT to your internal LAN; this should be to the DMZ instead. If you are going to DNAT to an internal LAN you should also only allow specific IPs. (Even that is stretching it.) I would look into DMZs and either move the server, or set up a server in the DMZ for whatever reason you have that port open.

     

    https://www.spamlaws.com/how-dmz-works.html

     

    Respectfully, 

     

    Badrobot

     

  • Regarding the safety you are right, but we are hosting lots of websites with a third-party application that needs access to some ports on the web servers in the LAN; that is why we use the DNAT for these ports from anywhere.

    I recently found a solution for the above: instead of using the DNAT and port number, use a subdomain and then allow the UTM to redirect the incoming 443 to the custom port of the web server in the LAN.

    What I don't understand is why, when I try to access the port with mstsc, the IPS doesn't log my IP as it does with the attacker's IP!
