  #1 Untanglit (Join Date: Jul 2021, Posts: 27)

    Question: A few questions about interpreting events in TP logs

    1) Looking in the 'Non-Web Blocked Events' report, I saw this IP listed as 'High Risk': 162.248.241.94.

    a. First off, stuff that shows up in this report is inbound, unsolicited, right?

    b. The hostname on my LAN this was associated with was my VoIP box. Safe to ignore? Should I follow the advice I read on another post and just use the bypass for devices like this?

    c. Since the IP might change (being DHCP, you never know, I guess), is there a way to bypass based on MAC address?

    2) I saw some (port scanning?) hits from a few international IPs. Looks like they're all on port 32400, one of the very few ports I have open (for Plex). Looks like the TP module blocked them (I think), but...

    a. Is there a way to ratchet up the response, like a Fail2Ban thing, where if so many hits come in, Untangle will automatically block that IP from ever talking to me again?

    b. Or do I play whack-a-mole and start manually creating firewall rules for repeat abusers?

    [Attachment: untangle threats.png]

    [Attachment: untangle threats details.png]

  #2 Untangler (Join Date: May 2008, Posts: 592)

    1 c. Since the IP might change (being DHCP, you never know, I guess), is there a way to bypass based on MAC address?
    Set up a DHCP reservation.

    2 a. Is there a way to ratchet up the response, like a Fail2Ban thing, where if so many hits come in, Untangle will automatically block that IP from ever talking to me again?
    Put Fail2Ban on your Plex server and/or use a VPN.

  #3 That Which Lurks Below (Join Date: Jul 2018, Posts: 134)

    Originally Posted by road hazard:
    1) Looking in the 'Non-Web Blocked Events' report, I saw this IP listed as 'High Risk': 162.248.241.94.

    a. First off, stuff that shows up in this report is inbound, unsolicited, right?
    Stuff that shows up in that report is non-web traffic (i.e., not HTTP[S]) which has been blocked. The report itself has no inherent directionality; it shows both inbound and outbound traffic. The 'client' IP address is the one that initiated the connection, so if that's a public IP, then yes: that particular session originated outside your network.

    Originally Posted by road hazard:
    b. The hostname on my LAN this was associated with was my VoIP box. Safe to ignore? Should I follow the advice I read on another post and just use the bypass for devices like this?
    Probably safe to ignore. The 'hostname' attribute is sometimes a little…fluid. That just shows you a hostname involved with the session, so if it's something you recognize from inside your network and the 'server' IP coincides with that hostname, then it's just another ID for that same device. In this case, the hostname doesn't give us information we didn't already have.

    As for bypassing the device, that depends whether you want it processed by the things in the Apps page. If not, then bypass away!

    Originally Posted by road hazard:
    c. Since the IP might change (being DHCP, you never know, I guess), is there a way to bypass based on MAC address?
    Sadly, no. In this case it may not matter anyway: MAC address is used for local routing, but it doesn't get passed beyond a router in most cases. This means we typically won't get MAC addresses for external devices anyway.

    Originally Posted by road hazard:
    2) I saw some (port scanning?) hits from a few international IPs. Looks like they're all on port 32400, one of the very few ports I have open (for Plex). Looks like the TP module blocked them (I think), but...
    Do you have a Port Forward Rule for that port? That opens the port to the internet, which will make it visible to port scans.

    Originally Posted by road hazard:
    a. Is there a way to ratchet up the response, like a Fail2Ban thing, where if so many hits come in, Untangle will automatically block that IP from ever talking to me again?
    Unfortunately not. NGFW isn't that smart yet.

    Originally Posted by road hazard:
    b. Or do I play whack-a-mole and start manually creating firewall rules for repeat abusers?
    If you want to block it at the firewall/gateway level, yes. You'll have to keep a close eye on reports and create rules to block offenders. If you've got IP addresses, I recommend doing so in Config > Network > Filter Rules instead; those operate at layer 3 and happen before the Firewall app ever sees that traffic.

    You can also use the Firewall app to set up geoip blocking rules, if you see repeat offenders from particular countries: How to block traffic to or from a specific country

    Finally, as donhwyo suggests upthread, you could install/modify blocking settings on your Plex server itself.
    Græme Ravenscroft • Technical Marketing Engineer
    ('gram', like the unit of measurement)
    he/him
    Please don't reboot your NGFW.
    How can we make Arista ETM products better?
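The "whack-a-mole" answer above still leaves the reader doing the counting by hand. The script below is an added example, not code from the thread or from Arista/Untangle, showing the Fail2Ban-style logic (a hit count over a sliding time window) applied to rows shaped like the Non-Web Blocked Events report, together with the directionality check from the answer to 1a (the 'client' is whoever opened the session). The LAN prefix, the column layout and every event row are constructed for the example; the RFC 5737 documentation ranges stand in for public addresses, and the last row models the VoIP box calling out, which is correctly not counted as inbound. The output is simply a list of addresses to put into Filter Rules (Config > Network > Filter Rules); the script does not talk to the NGFW.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# The firewall's own LAN. Anything outside this prefix is "outside".
# Assumption for the example; substitute your real internal prefix.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample rows in the shape of the Non-Web Blocked Events
# columns discussed in the thread: timestamp, client (initiator) address,
# server address, server port. Invented for this example, not real report
# output. The RFC 5737 documentation ranges stand in for public addresses.
SAMPLE_EVENTS = """\
2021-07-10 02:14:05,203.0.113.7,192.168.1.20,32400
2021-07-10 02:14:06,203.0.113.7,192.168.1.20,32400
2021-07-10 02:14:07,203.0.113.7,192.168.1.20,32400
2021-07-10 02:14:09,203.0.113.7,192.168.1.20,32400
2021-07-10 02:14:10,203.0.113.7,192.168.1.20,32400
2021-07-10 03:01:22,192.0.2.44,192.168.1.20,32400
2021-07-10 03:40:00,192.0.2.44,192.168.1.20,32400
2021-07-10 03:40:01,198.51.100.9,192.168.1.20,32400
2021-07-10 04:00:00,192.168.1.50,203.0.113.7,5060
"""

WINDOW = timedelta(minutes=10)   # Fail2Ban's 'findtime'
MAXRETRY = 5                     # Fail2Ban's 'maxretry'


def parse_events(text):
    """Parse the CSV-style rows into (timestamp, client, server, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, port = (f.strip() for f in line.split(","))
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       ipaddress.ip_address(client),
                       ipaddress.ip_address(server),
                       int(port)))
    return events


def is_inbound(client, server, lan=LAN):
    """The 'client' is the side that opened the session, so an outside
    client reaching an inside server is unsolicited inbound traffic. An
    inside client (e.g. the VoIP box) calling out is not, even when the
    far end is listed as High Risk."""
    return client not in lan and server in lan


def repeat_offenders(events, port, window=WINDOW, maxretry=MAXRETRY):
    """Fail2Ban-style sliding window: flag a client once it has `maxretry`
    blocked inbound hits on `port` within any `window`-long span."""
    recent = defaultdict(list)   # client -> timestamps still inside the window
    flagged = set()
    for ts, client, server, dport in sorted(events, key=lambda e: e[0]):
        if dport != port or not is_inbound(client, server):
            continue
        recent[client] = [t for t in recent[client] if ts - t <= window] + [ts]
        if len(recent[client]) >= maxretry:
            flagged.add(str(client))
    return flagged


if __name__ == "__main__":
    for ip in sorted(repeat_offenders(parse_events(SAMPLE_EVENTS), 32400)):
        print(f"{ip}: add a Filter Rule (Config > Network > Filter Rules) "
              f"with Source Address = {ip}, Action = Block")
```

With the sample rows, only 203.0.113.7 (five hits in five seconds) is flagged; 192.0.2.44 hit twice but 39 minutes apart, so it never reaches the threshold inside a 10-minute window, and the VoIP row is outbound and ignored. Tune WINDOW and MAXRETRY to taste; a single scanner probe per day is noise, a burst against 32400 is worth a rule.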
