  1. #61
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134


    In Web Filter, online-metrix.net categorizes as Computer and Internet Info. That's a pretty big net. I'm hoping Untangle users can think creatively to address this technology, a technology that's benign and protective, and yet one that's arguably intrusive from a local network security point of view.

  2. #62
    Untangle Ninja f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  3. #63
    Master Untangler
    Join Date
    Apr 2020
    Location
    United Kingdom
    Posts
    101


    So just thought I'd post this here as an aside... I recently enabled more of the Intrusion Prevention rules now that I'm learning more about NGFW and how it works.

    One of the rules that started blocking stuff was signature ID 2016149 - ET INFO Session Traversal Utilities for NAT (STUN Binding Request). I did a lookup on the destination IP (192.225.158.2) and it resolved back to ThreatMetrix. I know that IPs can be spoofed, etc., but thought it was interesting since the first time I came across that name was in this thread in relation to the whole eBay script.js thing.

    I'll admit that I don't know too much about what STUN is meant for - perhaps it's legit activity that's been blocked or nothing of great note.
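    The message that signature keys on, as an added example (Python written for this page; not code from the post, from Untangle, or from the Emerging Threats rule text): an RFC 5389 STUN Binding Request is a 20-byte header holding the message type 0x0001, a length, the fixed magic cookie 0x2112A442 and a 12-byte transaction ID, followed by TLV attributes. The script builds one, classifies a UDP payload by those header fields (the exact content matches in ET 2016149 are not reproduced here), and decodes the server's XOR-MAPPED-ADDRESS reply to show what the exchange gives a client: its own IP and port as seen from outside the NAT. The public address, port and SOFTWARE string are made up for the example, and the pre-RFC 5389 "classic" request without the cookie is included to show the check does not fire on it.

```python
"""STUN Binding Request/Response (RFC 5389) encoder, classifier and decoder.

Added example for this page; not the Untangle IPS code and not the ET rule text.
"""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442       # fixed value at bytes 4..7 of every RFC 5389 message
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
ATTR_SOFTWARE = 0x8022
HEADER = struct.Struct("!HHI12s")  # type, length, cookie, transaction id


def encode_attr(atype, value):
    """TLV attribute; the value is padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_binding_request(transaction_id=None, software=b"example-client"):
    """What a client sends to learn its public address (the SOFTWARE string is made up)."""
    tid = transaction_id if transaction_id is not None else os.urandom(12)
    attrs = encode_attr(ATTR_SOFTWARE, software)
    return HEADER.pack(BINDING_REQUEST, len(attrs), MAGIC_COOKIE, tid) + attrs


def is_stun_binding_request(payload):
    """Header fields a detection signature keys on: type 0x0001 at offset 0,
    the magic cookie at offset 4, and a declared length consistent with the datagram."""
    if len(payload) < HEADER.size:
        return False
    mtype, mlen, cookie, _ = HEADER.unpack(payload[:HEADER.size])
    return mtype == BINDING_REQUEST and cookie == MAGIC_COOKIE and len(payload) == HEADER.size + mlen


def build_binding_response(request, public_ip, public_port):
    """Server side: echo the transaction id and report the observed source address XORed with the cookie."""
    tid = request[8:20]
    xport = public_port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(public_ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # reserved, family=IPv4, x-port, x-address
    attrs = encode_attr(ATTR_XOR_MAPPED_ADDRESS, value)
    return HEADER.pack(BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, tid) + attrs


def parse_message(payload):
    """Split a STUN message into (type, transaction id, {attribute type: raw value})."""
    mtype, mlen, cookie, tid = HEADER.unpack(payload[:HEADER.size])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    body = payload[HEADER.size:HEADER.size + mlen]
    attrs, off = {}, 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        attrs[atype] = body[off + 4:off + 4 + alen]
        off += 4 + alen + ((-alen) % 4)
    return mtype, tid, attrs


def decode_xor_mapped_address(value):
    """Undo the XOR to recover the address the server saw (IPv4 only in this example)."""
    _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 is handled in this example")
    return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)


def reflexive_address(request, response):
    """What the client ends up knowing: its IP:port as seen beyond the NAT."""
    mtype, tid, attrs = parse_message(response)
    if mtype != BINDING_SUCCESS or tid != request[8:20]:
        raise ValueError("response does not belong to this request")
    return decode_xor_mapped_address(attrs[ATTR_XOR_MAPPED_ADDRESS])


# RFC 3489 ("classic") request: same type, no cookie, so the check above must not fire.
CLASSIC_REQUEST = struct.pack("!HH16s", BINDING_REQUEST, 0, b"\x00" * 16)

if __name__ == "__main__":
    req = build_binding_request()
    print("request  ", req.hex())
    print("matches  ", is_stun_binding_request(req), is_stun_binding_request(CLASSIC_REQUEST))
    # Constructed public endpoint the server would have observed for this client.
    resp = build_binding_response(req, "203.0.113.7", 40000)
    print("reflexive", reflexive_address(req, resp))
```

    Whether the request in the IPS event came from a WebRTC session, a fingerprinting script or something else cannot be settled from the alert alone; capturing the UDP payload and checking for the cookie at offset 4 confirms it is STUN, and decoding XOR-MAPPED-ADDRESS from any reply shows exactly what the remote server told the client about itself.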

  4. #64
    Untangle Ninja f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495

  5. #65
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    dnsmasq detects browser scans

    While digging through the various places that dnsmasq deposits log entries, I found this and various other ones:
    /var/log/daemon.log:Aug 11 06:18:44 untangle-u25xw dnsmasq[63181]: possible DNS-rebind attack detected: 9p00aymw-7dc3adc94a4a2869ebd49717cc50a01ff6e8b148-mob.d.aa.online-metrix.net

    /var/log/daemon.log.1:Aug 8 04:17:27 untangle-u25xw dnsmasq[39126]: possible DNS-rebind attack detected: sinkhole.netmng.com
    /var/log/daemon.log:Aug 10 18:16:11 untangle-u25xw dnsmasq[124101]: possible DNS-rebind attack detected: rapidshare.com
    /var/log/daemon.log.1:Aug 8 04:17:28 untangle-u25xw dnsmasq[39126]: possible DNS-rebind attack detected: rbmeuulvihtwm2eltjhwimi2.httpschecker.net
    This is the NGFW advanced option that enables that protection:
    Code:
    # Reject (and log) addresses from upstream nameservers which are in the private ranges. 
    # This blocks an attack where a browser behind a firewall is used to probe machines on the local network. 
    stop-dns-rebind
    Additional, related options from http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html are:
    • rebind-domain-ok
    • rebind-localhost-ok

    There are links to great whitepapers on the subject at the bottom of the DNS rebinding Wikipedia page.

    OpenDNS has a security option to help protect from these attacks.
    pfSense, OpenWRT, DD-WRT, & LEDE seem to have this stop-dns-rebind option enabled by default. NGFW does not. YMMV
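    To make the stop-dns-rebind check concrete, an added example (Python written for this page; not dnsmasq's code): a model of the rule the option enforces, the two exemptions rebind-domain-ok and rebind-localhost-ok, and a parser for the "possible DNS-rebind attack detected" lines quoted above. The private ranges listed approximate dnsmasq's private_net() test, with the IPv6 cases taken from the man page's description; the exact list, and what dnsmasq returns to the client when it refuses a reply, should be checked in the dnsmasq source. The DNS replies passed to check_answer are constructed; the log lines are the four from the post.

```python
"""Model of dnsmasq's stop-dns-rebind check and a parser for the log lines it writes.

Added example for this page, not dnsmasq's code. The address ranges approximate
dnsmasq's private_net() test; check the dnsmasq source for the exact list.
"""
import ipaddress
import re

# Upstream answers in these ranges are treated as a rebinding attempt
# (approximation of dnsmasq's private_net(); IPv6 entries follow the man page text).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "255.255.255.255/32",
    "fe80::/10",      # IPv6 link-local
    "fc00::/7",       # IPv6 unique local addresses
    "::ffff:0:0/96",  # IPv4-mapped IPv6
)]
# Rejected too, unless rebind-localhost-ok is set (RBL servers answer from 127/8).
LOCALHOST_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def is_rebind_address(addr, localhost_ok=False):
    """True if an answer address falls in a range stop-dns-rebind rejects."""
    ip = ipaddress.ip_address(addr)
    if not localhost_ok and any(ip in net for net in LOCALHOST_NETS):
        return True
    return any(ip in net for net in PRIVATE_NETS)


def name_in_domains(name, domains):
    """rebind-domain-ok semantics: the listed domain itself or any name under it."""
    name = name.rstrip(".").lower()
    for d in domains:
        d = d.strip(".").lower()
        if name == d or name.endswith("." + d):
            return True
    return False


def check_answer(name, addresses, domain_ok=(), localhost_ok=False):
    """Apply the check to one upstream reply.

    Returns (addresses passed to the client, log message or None). A reply with
    any private address is dropped whole; the log line names only the query.
    """
    if name_in_domains(name, domain_ok):
        return list(addresses), None
    if any(is_rebind_address(a, localhost_ok) for a in addresses):
        return [], f"possible DNS-rebind attack detected: {name}"
    return list(addresses), None


# Lines as dnsmasq writes them to daemon.log; the leading "<file>:" is what grep -r adds.
LOG_RE = re.compile(
    r"^(?:(?P<file>[^:\s]+):)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) dnsmasq\[(?P<pid>\d+)\]: "
    r"possible DNS-rebind attack detected: (?P<name>\S+)\s*$"
)


def parse_rebind_log(lines):
    """Return one dict per rebind event; unrelated lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            hits.append({"file": m.group("file"), "ts": m.group("ts"),
                         "pid": int(m.group("pid")), "name": m.group("name")})
    return hits


# The four lines quoted in the post above.
SAMPLE_LOG = [
    "/var/log/daemon.log:Aug 11 06:18:44 untangle-u25xw dnsmasq[63181]: possible DNS-rebind attack detected: 9p00aymw-7dc3adc94a4a2869ebd49717cc50a01ff6e8b148-mob.d.aa.online-metrix.net",
    "/var/log/daemon.log.1:Aug 8 04:17:27 untangle-u25xw dnsmasq[39126]: possible DNS-rebind attack detected: sinkhole.netmng.com",
    "/var/log/daemon.log:Aug 10 18:16:11 untangle-u25xw dnsmasq[124101]: possible DNS-rebind attack detected: rapidshare.com",
    "/var/log/daemon.log.1:Aug 8 04:17:28 untangle-u25xw dnsmasq[39126]: possible DNS-rebind attack detected: rbmeuulvihtwm2eltjhwimi2.httpschecker.net",
]

if __name__ == "__main__":
    for hit in parse_rebind_log(SAMPLE_LOG):
        print(hit["ts"], hit["name"])
    # Constructed replies: a normal one, one carrying a LAN address, and the same name whitelisted.
    print(check_answer("www.example.com", ["203.0.113.10"]))
    print(check_answer("probe.attacker.example", ["203.0.113.10", "192.168.1.1"]))
    print(check_answer("probe.attacker.example", ["192.168.1.1"], domain_ok=["attacker.example"]))
```

    The first log line is the point of the post: a reply for an online-metrix.net name carried an address in a private range. That is the pattern a rebinding probe of the LAN produces, but it is also what a sinkhole or a CDN answering with 127.0.0.1 or a 10.x address produces, so before adding a name to rebind-domain-ok it is worth resolving it from outside the network and looking at which answer actually came back.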

