Page 1 of 2 12 LastLast
Results 1 to 10 of 11
  1. #1
    Master Untangler carboncow's Avatar
    Join Date
    Aug 2011
    Location
    Central Ohio
    Posts
    295

    Default Help me understand this firewall notification.

    So I block all incoming traffic from outside the US that is not requested.
    I have a few RDP connections on which I don't impose a source IP address at this time, and every now and then I get a notice about too many session attempts as the Eastern Europeans make their rounds.

    Today I had a single connection from Bulgaria.

    1. How does this happen if I'm blocking all non-USA IPs?
    2. The code is XL which I know is generic for external, correct?

    Please look at this notification and explain some of the local, remote, client and server aspects of it. Some of it seems to contradict what is the source and what is the target. Very confusing.

    Suspicious Activity: Client created many RDP sessions:
    Session [TCP] 5.188.206.54:34399 -> 10.0.0.170:3389

    Causal Event: SessionEvent
    {
    "entitled": true,
    "clientLongitude": -97.822,
    "protocol": 6,
    "hostname": "clc",
    "CServerPort": 3377,
    "protocolName": "TCP",
    "localAddr": "/10.0.0.170",
    "SServerAddr": "/10.0.0.170",
    "remoteAddr": "/5.188.206.54",
    "serverIntf": 2,
    "CClientAddr": "/5.188.206.54",
    "serverCountry": "XL",
    "sessionId": 103578093344592,
    "SClientAddr": "/5.188.206.54",
    "clientLatitude": 37.751,
    "clientCountry": "US",
    "CClientPort": 34399,
    "policyRuleId": 0,
    "timeStamp": "2020-02-13 14:32:33.0",
    "clientIntf": 1,
    "policyId": 1,
    "SClientPort": 34399,
    "bypassed": false,
    "SServerPort": 3389,
    "CServerAddr": "/xx.xx.xx.xx",
    "tagsString": ""
    }]

    PS. Why the heck are the requirements for attachments so damn low! 620x280...seriously!!?

  2. #2
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,737

    Default

    Quote Originally Posted by carboncow View Post
    The code is XL which I know is generic for external, correct?
    No, "XL" is local. "XU" is unknown. Anything is what it says it is, but it's based on IP Geolocation, which is known to be wildly inaccurate for many IPs.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.2.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,712

    Default

    Yes and you have VPNs that further hide stuff.

  4. #4
    Master Untangler carboncow's Avatar
    Join Date
    Aug 2011
    Location
    Central Ohio
    Posts
    295

    Default

    Thx guys...even if the geo from the IP is wildly inaccurate, it comes up as Bulgaria, so shouldn't it automatically be tagged as BG then? Who is wrong, the lookup I'm using or UT's ability to identify the location? Does all one have to do is spoof the country code and they are in, regardless of what third party agrees is the IP's location?

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,712

    Default

    The country code is a generalization. VPN is one way to 'spoof' a location or region, and people use that to get around content restrictions.
    What is the lookup you are using?

    Here is the SessionEvent Event Definition Attribute Names: https://wiki.untangle.com/index.php/Event_Definitions#SessionEvent
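    Decoding the pasted event with those definitions, as an added example that is not from this thread or from Untangle: the script below splits the SessionEvent into its C-side and S-side address pairs (assumed here to be the pre-NAT and post-NAT views of the same session, which is how the C/S prefixes are described in the event definitions linked above), labels XL/XU as explained in post #2, and flags when the firewall's clientCountry disagrees with a manual lookup. The sample event is reconstructed from post #1 with the WAN address left as its placeholder.

```python
import ipaddress
import json

# Constructed sample built from the SessionEvent pasted in post #1 (WAN address kept as its placeholder).
SAMPLE_EVENT = json.dumps({
    "CClientAddr": "/5.188.206.54", "CClientPort": 34399,
    "CServerAddr": "/xx.xx.xx.xx", "CServerPort": 3377,
    "SClientAddr": "/5.188.206.54", "SClientPort": 34399,
    "SServerAddr": "/10.0.0.170", "SServerPort": 3389,
    "clientCountry": "US", "serverCountry": "XL",
    "clientLatitude": 37.751, "clientLongitude": -97.822,
    "protocolName": "TCP", "timeStamp": "2020-02-13 14:32:33.0",
})

# Country codes that are not geolocation results (from post #2: XL = local, XU = unknown).
SPECIAL_CODES = {"XL": "local (not geolocated)", "XU": "unknown"}


def addr(value):
    """Untangle prints InetAddress values with a leading '/'; strip it."""
    return value.lstrip("/")


def describe_session(event_json):
    """Split the event into the C-side (as the client saw it) and S-side (as the server saw it) views.
    Assumption: the C/S prefixes are the pre-NAT and post-NAT views of the same session."""
    e = json.loads(event_json)
    c_view = f"{addr(e['CClientAddr'])}:{e['CClientPort']} -> {addr(e['CServerAddr'])}:{e['CServerPort']}"
    s_view = f"{addr(e['SClientAddr'])}:{e['SClientPort']} -> {addr(e['SServerAddr'])}:{e['SServerPort']}"
    server_ip = ipaddress.ip_address(addr(e["SServerAddr"]))
    return {
        "client_side": c_view,
        "server_side": s_view,
        # A different destination address or port on the S side means the firewall rewrote it (port forward).
        "port_forwarded": (e["CServerAddr"], e["CServerPort"]) != (e["SServerAddr"], e["SServerPort"]),
        "remote_peer": addr(e["CClientAddr"]),
        # XL on a private server address is consistent; XL on a public address would be worth a look.
        "server_country": SPECIAL_CODES.get(e["serverCountry"], e["serverCountry"]),
        "server_is_private": server_ip.is_private,
    }


def geolocation_disagrees(event_json, manual_country):
    """True when the firewall's geolocated clientCountry and a manual lookup name different countries.
    XL/XU are not geolocation results, so they never count as a disagreement."""
    code = json.loads(event_json)["clientCountry"]
    return code not in SPECIAL_CODES and code != manual_country.upper()
```

For the pasted event this reports the remote peer reaching the WAN placeholder on 3377, forwarded to 10.0.0.170:3389, and a disagreement between the event's "US" and a manual lookup of "BG", which is why a country-based block rule on BG never matched this session.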

  6. #6
    Master Untangler carboncow's Avatar
    Join Date
    Aug 2011
    Location
    Central Ohio
    Posts
    295

    Default

    Yes, but why would they spoof me from something claiming Bulgaria when I'm blocking that country, yet it still gets in? Does the VPN generate some confusion? You'd think they would VPN into the USA or such if that is where they are poking around.

    I use infosniper.net for manual lookups.

  7. #7
    Master Untangler Sam Graf's Avatar
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    927

    Default

    I've been following this and I'm a little confused. As near as I can tell, Untangle didn't identify the IP as coming from Bulgaria, but from the US. (AbuseIPDB assigns it to London, UK.) Geolocation appears to be a little hard to nail down for the client IP indicated in the notification, but it seems to me that the firewall app worked as expected, unless I'm misunderstanding something.

    But more importantly, in my opinion, judging from the comments at AbuseIPDB, Intrusion Prevention almost certainly could have blocked the attempt as coming from a known bad actor or compromised server. Just for what it's worth.

  8. #8
    Master Untangler carboncow's Avatar
    Join Date
    Aug 2011
    Location
    Central Ohio
    Posts
    295

    Default

    Quote Originally Posted by Sam Graf View Post
    I've been following this and I'm a little confused. As near as I can tell, Untangle didn't identify the IP as coming from Bulgaria, but from the US. (AbuseIPDB assigns it to London, UK.) Geolocation appears to be a little hard to nail down for the client IP indicated in the notification, but it seems to me that the firewall app worked as expected, unless I'm misunderstanding something.

    But more importantly, in my opinion, judging from the comments at AbuseIPDB, Intrusion Prevention almost certainly could have blocked the attempt as coming from a known bad actor or compromised server. Just for what it's worth.
    The long and lat put it in Kansas. Where do the long/lat values come from?
    The IP address lookup is Bulgaria.

    I'm wondering how the longitude and latitude are generated if the client IP says 5.188.206.54, which is in Bulgaria.

  9. #9
    Master Untangler Sam Graf's Avatar
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    927

    Default

    Quote Originally Posted by carboncow View Post
    The long and lat put it in Kansas. Where do the long/lat values come from?
    The IP address lookup is Bulgaria.

    I'm wondering how the longitude and latitude are generated if the client IP says 5.188.206.54, which is in Bulgaria.
    The latitude and longitude come from Untangle's identification of the client country as US, I'm sure. Your manual lookup may be right, but that's not what Untangle thought at the time.

    "clientCountry": "US"

  10. #10
    Master Untangler carboncow's Avatar
    Join Date
    Aug 2011
    Location
    Central Ohio
    Posts
    295

    Default

    Quote Originally Posted by Sam Graf View Post
    The latitude and longitude come from Untangle's identification of the client country as US, I'm sure. Your manual lookup may be right, but that's not what Untangle thought at the time.
    So now that you guys helped me work through this a bit the question begged now is how does UT come up with the country and/or Lat/Long that gives us KS & US? Why would they not go off Client IP even if it's spoofed? What magic does UT know that I don't on determining location?

