Need help with troubleshooting

Printable View

08-19-2020, 09:45 AM
mikel

Need help with troubleshooting

A few days ago I started to notice a consistent number of FTP events in my daily report. They are being caused by a program I wrote that communicates with the 4 wireless access points I have in my home to query which wireless devices are currently attached to them on the 2.4GHz and 5 GHz bands. The program just sits there and every minute contacts each of the AP's for the information it needs to update my display. It works!
Two of the access points are NetGear PLW1000v2 powerline devices. I had to reverse engineer the http interchange that goes on between the device and someone logging into its web interface since those devices don't support a Telnet interface. It is the logon process to the PLW1000 that is generating the FTP event. It happens even if I log in from a browser, so its nothing in my program that causes it.

So I'm trying to figure out what the FTP event is and who is communicating with whom.

Am I right in understanding that the FTP event that Untangle logs would have to be with an external entity? When I look in reports I cannot find any information about the events. Can someone point me in the right direction there.

I did try looking in the sessions data to see what was being captured there when I login to the PLW1000. I consistently only see 2 entries both UDP Packets being sent to the IP address of Untangle.

1. A UDP Packet being sent to port 53 which I assume is some kind of DNS request but the session details don't provide any useful data.

2. A UDP packet being sent from port 68 to port 67 which I assume is DHCP related.

I can see no other session data related to that device. So would the 2 session events above cause an FTP event to be logged and if so why?

Thanks in advance
Mike
08-20-2020, 07:04 AM
mikel

Well a little more digging did uncover some more data. In the Firewall All Events Report I was able to see that the Powerline Adapter was indeed starting a TCP session to a server on port 21 followed by another session where small amounts of data are exchanged ~1KB in each direction.

The sessions are always to one of 3 destination IP's which when I look them up belong to amazon.com and are for servers in Dublin, Ireland.

I have no idea what kind of data is being sent, as I said yesterday it always, and only, coincides with a login event to the web server in the adapter.

I added a Firewall rule to block them with the only adverse affect being hundreds of flagged events on the dashboard. Unfortunately, I cannot disable a "flag" on a blocked event in the Firewall.

Mike
08-20-2020, 08:51 AM
Jim.Alles

Well, good detective work!

You have discovered IoT devices that want to phone home, without your permission or knowledge, and without disclosing the purpose.
Welcome to the surveillance world that we live in!

That is the type of device that I would prevent from having any contact with the outside world.
That goes beyond "Don't allow it to do DNS, DHCP, or FTP"

There are two methods to ID the things, I think I would give the devices the same tag in {Devices}, and then put a [Filter Rule] in place to block all traffic to AnyWAN interface.

This is what I term 'jailing'.

Feel free to ask questions liberally. I am going to get coffee.
08-20-2020, 10:19 AM
mikel

Thanks for the feedback Jim. When you say create a filter rule to block all WAN traffic did you mean a web filter rule or a Firewall rule?
I set up a Firewall rule based on the IP address of the adapter, which is fixed, and to block everything to the external interface. That works except for all the flagged messages in the dashboard.

I then tried the tag approach and created a webfilter rule to block based on the tag and again chose to block everything the external interface. That rule doesn't seem to work.

Mike
08-20-2020, 11:18 AM
LaurentR

You can use a filter rule or a firewall rule. These definitely have overlapping functionality, but with clear differences that may make you choose one vs. the other. Look at the bottom of this wiki page for more information:
https://wiki.untangle.com/index.php/Filter_Rules

I don't need the policy manager for those, so decided to use the Filter Rules for "jailing". It keeps it tidy and collocated with related VLAN rules and you can also block things like ICMP, which you can't in the firewall.
08-20-2020, 11:22 AM
Jim.Alles

1 Attachment(s)

Filter rules generally won't have any logging.

Attachment 10512

Also, the Firewall App is limited to only being able to block TCP/UDP sessions.
08-20-2020, 11:26 AM
mikel

Quote:

Originally Posted by Jim.Alles

Filter rules generally won't have any logging.

Attachment 10512

Also, the Firewall App is limited to only being able to block TCP/UDP sessions.

Thanks Guys. My mind was fixated on WEB filter rules and not the network filter rules.
Maybe I need more coffee 😄