#11 dmorris (Untangle Junkie; San Carlos, CA; joined Nov 2006; 17,747 posts)

I'll give him a heads-up.

It was already blocking those hosts. The logging of shield blocks is not enabled by default, but you can enable it in config > network > advanced > log blocked sessions. It isn't enabled by default because it logs a lot of stuff, but I enabled it on your server. After doing so you can indeed see that the shield is blocking tons of traffic from very aggressive hosts in reports > shield > top blocked clients.

The problem is that there are many of them, and it's just a little J1900, so it's working hard just to block those.

So I added a trigger rule in config > events > trigger to tag hosts as "infected" if they create more than 1000 shield block events in 60 seconds. The tag lasts for 24 hours. (Feel free to change or remove this entirely.)
I then added a rule to block infected hosts entirely in config > network > filter rules.
If you wanted, you could block everything except ports 80 and 443 and send those to a special policy with a captive portal that says "Hey, your crap is infected, please get off my network." But for now I just put a block rule in place.

The nice thing about this approach is that you can now easily just click on "Hosts" to see which hosts on your network are infected with whatever botnet/malware is doing this. Just look at the ones marked "infected".

The new trigger rule appears to have already kicked in for 192.168.2.61, which is now blocked because it's going crazy flooding port 445.
It will be blocked until the tag expires (~24 hours), at which point it will probably still be flooding and will just get blocked again for another 24 hours.

Hopefully that will work. There are a few other approaches we could also use to accomplish the same thing if you don't like that.

If you didn't want me to make changes, I apologize. It's 3am there now, so I know you're not around.
    Last edited by dmorris; 06-27-2018 at 05:37 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#12 sanketgroup (Untangler; joined Jan 2016; 60 posts)

Hi dmorris,
Thanks for your great support with in-depth details.
This will surely help me further.

I saw you have disabled the filter rule which was made to block the session if the destination port is 445 (under filter rules).
Is that ok?

Also, there are still some devices sending traffic on port 445; maybe they are under 500 sessions per 60 seconds and so are not being tagged.
So I am thinking of enabling the rule which blocks the session if the destination port is 445.
Would it be good?

Thanks

#13 dmorris (Untangle Junkie; San Carlos, CA; joined Nov 2006; 17,747 posts)

Quote, originally posted by sanketgroup:
    Hi dmorris,
    Thanks for your great support with in-depth details.
    This will surely help me further.

    I saw you have disabled the filter rule which was made to block the session if the destination port is 445 (under filter rules).
    Is that ok?

    Also, there are still some devices sending traffic on port 445; maybe they are under 500 sessions per 60 seconds and so are not being tagged.
    So I am thinking of enabling the rule which blocks the session if the destination port is 445.
    Would it be good?

    Thanks

Yes, it would be fine to re-enable that rule.
Just keep in mind that the filter rule blocks before the shield rule, so the shield will see much less if you outright block it.
I just disabled it so the shield would kick in and we could see the trigger rule in action.

If you learn which botnet/malware is on that machine, please update us.
We have seen many cases of scanning the internet for open port 445 (a commonly attacked msft directory port). It's likely some botnet operator is looking for more vulnerable hosts.
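The trigger rule from #11 (more than 1000 shield-block events in 60 seconds tags the source "infected" for 24 hours, after which the tag expires and a still-flooding host is tagged again) and the ordering point from #13 (a filter rule that blocks port 445 outright fires before the shield, so the shield never sees those sessions), as an added example that is not part of this thread and not Untangle's own code. It replays constructed session-attempt log lines through a simplified two-stage pipeline: filter rules first, then a shield stage in which every session that reaches it from these hosts is treated as a shield-block event. The log-line shape, the host 192.168.2.20, the traffic rates and the verdict names are assumptions made for the example; only 192.168.2.61, port 445 and the thresholds come from the thread.

```python
import re
from collections import Counter, defaultdict, deque

# Trigger-rule parameters from post #11: more than 1000 shield-block events
# from one source inside 60 seconds tags it "infected" for 24 hours.
THRESHOLD = 1000
WINDOW_SEC = 60
TAG_TTL_SEC = 24 * 3600

# Constructed line shape for this example (not Untangle's real event format):
#   "<epoch seconds> src=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) src=(?P<src>[\d.]+) dport=(?P<dport>\d+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return float(m["ts"]), m["src"], int(m["dport"])


class HostTagger:
    """Replays session attempts through a simplified two-stage pipeline.

    1. Filter rules run first: a host tagged "infected" is blocked outright,
       and (optionally) any session to dport 445 is blocked outright. Those
       sessions never reach the shield, so they never count toward the trigger.
    2. Shield: in this model every session that reaches it from a flooding
       host is a shield-block event, counted in a 60 s sliding window.
    """

    def __init__(self, filter_block_445=False):
        self.filter_block_445 = filter_block_445
        self._hits = defaultdict(deque)  # src -> timestamps of shield-block events
        self._tags = {}                  # src -> tag expiry (epoch seconds)

    def is_tagged(self, src, now):
        expiry = self._tags.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self._tags[src]          # tag expired; the host may be re-tagged
            return False
        return True

    def tagged_hosts(self, now):
        """Hosts currently marked infected (what the Hosts view would list)."""
        return {src for src in list(self._tags) if self.is_tagged(src, now)}

    def handle(self, now, src, dport):
        if self.is_tagged(src, now):
            return "filter-block-infected"
        if self.filter_block_445 and dport == 445:
            return "filter-block-445"    # blocked before the shield sees it
        hits = self._hits[src]
        hits.append(now)
        while hits and hits[0] <= now - WINDOW_SEC:
            hits.popleft()               # drop events outside the window
        if len(hits) > THRESHOLD:
            self._tags[src] = now + TAG_TTL_SEC
            return "shield-block-tagged"
        return "shield-block"

    def replay(self, lines):
        """Feed log lines in order; return verdict counts for this batch."""
        return Counter(self.handle(*parse_line(line)) for line in lines)


def make_sessions(src, start, count, duration_sec, dport=445):
    """Constructed input: `count` attempts from src spread over duration_sec."""
    return [f"{start + i * duration_sec / count:.3f} src={src} dport={dport}"
            for i in range(count)]


def demo():
    # A slow port-445 scanner (below the trigger) and a host flooding port 445.
    quiet = make_sessions("192.168.2.20", 0, 300, 60)
    flood = make_sessions("192.168.2.61", 0, 1500, 30)
    lines = sorted(quiet + flood, key=lambda l: float(l.split()[0]))

    # Trigger rule only (the setup while the port-445 filter rule was disabled).
    tagger = HostTagger(filter_block_445=False)
    first = tagger.replay(lines)
    infected_now = tagger.tagged_hosts(now=60)

    # Same flood 24 h later: the tag has expired, so the host is tagged again.
    later = tagger.replay(make_sessions("192.168.2.61", TAG_TTL_SEC + 100, 1500, 30))

    # With the dport-445 filter rule re-enabled (post #13): the filter blocks
    # everything before the shield, so the trigger never fires.
    strict = HostTagger(filter_block_445=True)
    strict_counts = strict.replay(lines)
    return first, infected_now, later, strict_counts, strict.tagged_hosts(now=60)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The slow scanner never trips the trigger (300 events per minute stays under 1000), which is the gap the port-445 filter rule closes; the cost, as #13 notes, is that once the filter rule is on, the shield and the trigger see none of that traffic, so the "infected" tag stops being populated by it.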

#14 Master Untangler (Texas, USA; joined May 2010; 712 posts)

Also, be careful with the logging settings for whichever rule/subsystem you let do the 445 blocking. If logging is enabled and the session count gets high enough, it can impact performance simply by logging all of the block events.

#15 dmorris (Untangle Junkie; San Carlos, CA; joined Nov 2006; 17,747 posts)

    True, you could always disable config > network > advanced > log blocked sessions again.
    I just turned it on for better visibility while troubleshooting.

#16 Master Untangler (Texas, USA; joined May 2010; 712 posts)

    In my case I intentionally do port 445 blocking in a firewall rule, as I *do* want the sessions logged, but I don't want all of the other filter blocks logged.

    Lots of options here for the end user.

#17 Untangler (joined Jan 2016; 60 posts)

Two files in the C:\Windows directory:
mssecsvc.exe
mssecsvr.exe

These two are malicious, and they say it is WannaCry ransomware.
If I delete those two files on the client PC, then there are no more sessions from that client.

#18 dmorris (Untangle Junkie; San Carlos, CA; joined Nov 2006; 17,747 posts)

    Thanks.

That makes sense. WannaCry originally spread via port 445, so it's probably just an old variant looking for vulnerable hosts and not a botnet.

#19 Master Untangler (Texas, USA; joined May 2010; 712 posts)

Well, remember that there was a report earlier this week from Ukraine that they believe (have proof) Russia is actively polluting their systems again to mount a coordinated attack sometime in the near future.

    Could be the original WannaCry, or could be some new variant...
