A few questions about interpreting events in TP logs

  • #1
    1) Looking in the 'Non-Web Blocked Events' report, I saw this IP listed as 'High Risk': 162.248.241.94.

    a. First off, stuff that shows up in this report is inbound, unsolicited, right?

    b. The hostname on my LAN this was associated with was my VoIP box. Safe to ignore? Should I follow the advice I read on another post and just use the bypass for devices like this?

    c. Since the IP -might- change.....being DHCP, you never know I guess?.... is there a way to bypass based on MAC address?

    2) I saw some (port scanning?) hits from a few international IPs. Looks like they're all on port 32400....one of the very few ports I have open (for Plex). Looks like the TP module blocked them....(I think).... but...

    a. Is there a way to ratchet up the response, like a Fail2Ban thing, where if so many hits come in, Untangle will automatically block that IP from ever talking to me again?

    b. Or do I play whack-a-mole and start manually creating firewall rules for repeat abusers?

    [Attached images: untangle threats.png, untangle threats details.png]

  • #2
    1 c. Since the IP -might- change.....being DHCP, you never know I guess?.... is there a way to bypass based on MAC address?
    Set up a DHCP reservation.

    2 a. Is there a way to ratchet up the response, like a Fail2Ban thing, where if so many hits come in, Untangle will automatically block that IP from ever talking to me again?
    Put Fail2Ban on your Plex server and/or use a VPN.


    • #3
      Originally posted by road hazard View Post
      1) Looking in the 'Non-Web Blocked Events' report, I saw this IP listed as 'High Risk': 162.248.241.94.

      a. First off, stuff that shows up in this report is inbound, unsolicited, right?
      Stuff that shows up in that report is non-web traffic (i.e., not HTTP[S]) which has been blocked. The report itself has no inherent directionality; it shows both inbound and outbound traffic. The 'client' IP address is the one that initiated the connection, so if that's a public IP, then yes: that particular session originated outside your network.

      Originally posted by road hazard View Post
      b. The hostname on my LAN this was associated with was my VoIP box. Safe to ignore? Should I follow the advice I read on another post and just use the bypass for devices like this?
      Probably safe to ignore. The 'hostname' attribute is sometimes a little…fluid. That just shows you a hostname involved with the session, so if it's something you recognize from inside your network and the 'server' IP coincides with that hostname, then it's just another ID for that same device. In this case, the hostname doesn't give us information we didn't already have.

      As for bypassing the device, that depends whether you want it processed by the things in the Apps page. If not, then bypass away!

      Originally posted by road hazard View Post
      c. Since the IP -might- change.....being DHCP, you never know I guess?.... is there a way to bypass based on MAC address?
      Sadly, no. In this case it may not matter anyway: MAC address is used for local routing, but it doesn't get passed beyond a router in most cases. This means we typically won't get MAC addresses for external devices anyway.

      Originally posted by road hazard View Post
      2) I saw some (port scanning?) hits from a few international IPs. Looks like they're all on port 32400....one of the very few ports I have open (for Plex). Looks like the TP module blocked them....(I think).... but...
      Do you have a Port Forward Rule for that port? That opens the port to the internet, which will make it visible to port scans.

      Originally posted by road hazard View Post
      a. Is there a way to ratchet up the response, like a Fail2Ban thing, where if so many hits come in, Untangle will automatically block that IP from ever talking to me again?
      Unfortunately not. NGFW isn't that smart yet.

      Originally posted by road hazard View Post
      b. Or do I play whack-a-mole and start manually creating firewall rules for repeat abusers?
      If you want to block it at the firewall/gateway level, yes. You'll have to keep a close eye on reports and create rules to block offenders. If you've got IP addresses, I recommend doing so in Config > Network > Filter Rules instead; those operate at layer 3 and happen before the Firewall app ever sees that traffic.

      You can also use the Firewall app to set up geoip blocking rules, if you see repeat offenders from particular countries: How to block traffic to or from a specific country

      Finally, as donhwyo suggests upthread, you could install/modify blocking settings on your Plex server itself.
      Græme Ravenscroft • Technical Marketing Engineer
      ('gram', like the unit of measurement)
      he/him
      How can we make Arista ETM products better?
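Both the Fail2Ban suggestion in #2 and the "keep a close eye on reports and create rules to block offenders" answer in #3 come down to the same check: count blocked hits per source address on the exposed port inside a time window, and ignore sessions that were initiated from the LAN side (the report has no direction of its own, as #3 notes; the client IP is what tells you). The script below is an added example, not Untangle/NGFW code and not the product's export format. It assumes a CSV export with timestamp, client_ip, server_ip, server_port and action columns, and the log lines in it are constructed sample data; 162.248.241.94 is the address from the thread, reached outbound by the VoIP box, and the 198.51.100.x / 203.0.113.x addresses are documentation ranges standing in for internet scanners.

```python
"""Fail2Ban-style repeat-offender check over blocked-event records.

Added example, not Untangle/NGFW code. The record format is an assumption:
a CSV with timestamp, client_ip, server_ip, server_port, action columns,
roughly what the 'Non-Web Blocked Events' report displays.
"""
import csv
import io
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample data. 192.168.1.20 is the (assumed) Plex host behind the
# port forward, 192.168.1.50 the VoIP box talking outbound to 162.248.241.94.
SAMPLE_LOG = """timestamp,client_ip,server_ip,server_port,action
2024-05-01T10:00:01,198.51.100.7,192.168.1.20,32400,blocked
2024-05-01T10:00:05,198.51.100.7,192.168.1.20,32400,blocked
2024-05-01T10:00:09,198.51.100.7,192.168.1.20,32400,blocked
2024-05-01T10:01:00,203.0.113.44,192.168.1.20,32400,blocked
2024-05-01T10:02:00,192.168.1.50,162.248.241.94,5060,blocked
2024-05-01T10:02:10,192.168.1.50,162.248.241.94,5060,blocked
2024-05-01T10:02:20,192.168.1.50,162.248.241.94,5060,blocked
2024-05-01T10:03:00,198.51.100.9,192.168.1.20,22,blocked
2024-05-01T10:30:00,203.0.113.44,192.168.1.20,32400,blocked
2024-05-01T10:31:00,203.0.113.44,192.168.1.20,32400,blocked
"""

# RFC 1918, loopback and link-local. Listed explicitly instead of relying on
# ipaddress.is_global, which also classes the documentation ranges used in
# the sample as non-global.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_lan(ip: str) -> bool:
    """True if the address is inside the LAN, i.e. the session was initiated
    from our side. A LAN client IP means outbound, not an unsolicited scan."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def repeat_offenders(log_text: str, port: int = 32400,
                     maxretry: int = 3, findtime: int = 600) -> dict:
    """Return {client_ip: hits} for external clients with at least `maxretry`
    blocked hits on `port` inside any sliding window of `findtime` seconds.
    Same meaning as Fail2Ban's maxretry/findtime; the 'bantime' is whatever
    Filter Rule you then create by hand."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    rows.sort(key=lambda r: r["timestamp"])  # ISO-8601 sorts lexically
    recent = defaultdict(deque)               # per-source timestamps in window
    offenders = {}
    for row in rows:
        if row["action"] != "blocked" or int(row["server_port"]) != port:
            continue
        src = row["client_ip"]
        if is_lan(src):
            continue  # initiated inside the LAN: not a scan of our port
        ts = datetime.fromisoformat(row["timestamp"])
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits older than findtime
        if len(window) >= maxretry:
            offenders[src] = max(offenders.get(src, 0), len(window))
    return offenders


def block_list(log_text: str, **kwargs) -> list:
    """Sorted candidate addresses to put into Config > Network > Filter Rules."""
    return sorted(repeat_offenders(log_text, **kwargs))


if __name__ == "__main__":
    for ip, hits in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {hits} blocked hits on 32400 within 10 min -> block")
```

With the defaults only 198.51.100.7 (three hits in eight seconds) qualifies; 203.0.113.44 only reaches three hits if findtime is widened to an hour, and the VoIP box's sessions to 162.248.241.94 never count because their client IP is on the LAN. The output is still a list for you to act on by hand, which is the whack-a-mole #3 describes, just with the counting done for you.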
