Read your firewall logs!
All firewalls log information either locally or to a centralized logging server. You should review your logs daily, preferably first thing in the morning, to see if any suspicious activity occurred overnight. Here's a basic list of things to watch for:
- Look for probes to ports that have no application services running on them. Before hackers try to install backdoor Trojan horse programs, they usually try to determine whether you're already using the ports these programs use. When you see a lot of probes to some oddball port number, you can compare the number against well-known hacker programs and see if it has a hacker Trojan associated with it. For example, a lot of probes to port 31337 might mean that someone is getting ready to try to install BackOrifice on your network.
- Look at the IP addresses that are being rejected and dropped. Where are they coming from? To find out, try to resolve the IP address with a name using ping -a IP address. If it's real, you can resolve the domain with the "Who Is" database, call up the owner, and find out why someone at his site is probing your ports. Often the owner will be an ISP, who can pinpoint the perpetrator of the probe if the perpetrator is one of the ISP's customers.
- Look for unsuccessful logins to your firewall or to other mission-critical servers that it protects. If you see a lot of unsuccessful logins from the same domain, you may want to write a rule to drop all connections from that domain or IP address. Before doing so, make sure that the IP address is not being spoofed.
- Look for suspicious outbound connections. For example, outbound connections coming from your public Web server could be an indication that an intruder is launching an attack against someone else from your Web server.
- Look for source-routed packets. Packets with a source address internal to your network that originate from outside your network could indicate that someone is trying to spoof one of your internal addresses in order to gain access to your internal network.
If you read the log files every day, you'll get a feel for what is normal and abnormal connection behavior. Sometimes you'll notice abnormal behavior, and initially may not know what action to take. When that happens, research the abnormal behavior to determine whether you should take further action. A good place to seek assistance is your firewall vendor. Call the vendor up and ask for recommendations. Most should be glad to help.Installing a firewall, configuring its rule-set, and letting it pass or deny traffic is not good enough. You also need to continuously monitor your firewall's log files. By reviewing your firewall logs, you can determine whether new IP addresses are trying to probe your network, and whether you want to write new and stronger firewall rules to block them, or trace the probes and take some sort of management action.
All firewalls log information either locally or to a centralized logging server. You should review your logs daily, preferably first thing in the morning, to see if any suspicious activity occurred overnight. Here's a basic list of things to watch for:
- Look for probes to ports that have no application services running on them. Often, before hackers try to install backdoor Trojan horse programs, they try to determine whether you're already using the ports these programs use. When you see a lot of probes to some oddball port number, you can compare the number against well-known hacker programs and see if it has a hacker Trojan associated with it. For example, a lot of probes to port 31337 might mean that someone is getting ready to try to install BackOrifice on your network.
- Look at the IP addresses that are being rejected and dropped. Where are they coming from? To find out, try to resolve the IP address with a name using
ping -a <IP address>
. If the IP address is spoofed (a fake), you won't be able to find the owner. If it's real, you can resolve the domain with the "Who Is" database, call up the owner, and find out why someone at his site is probing your ports. Often the owner will be an ISP, who can pinpoint the perpetrator of the probe if the perpetrator is one of the ISP's customers. - Look for unsuccessful logins to your firewall or to other mission-critical servers that it protects. If you see a lot of unsuccessful logins from the same domain, you may want to write a rule to drop all connections from that domain or IP address. Before doing so, make sure that the IP address is not being spoofed.
- Look for suspicious outbound connections. For example, outbound connections coming from your public Web server could be an indication that an intruder is launching an attack against someone else from your Web server.
- Look for source-routed packets. Packets with a source address internal to your network that originate from outside your network could indicate that someone is trying to spoof one of your internal addresses in order to gain access to your internal network.
If you read the log files every day, you'll get a feel for what is normal and abnormal connection behavior. Sometimes you'll notice abnormal behavior, and initially may not know what action to take. When that happens, research the abnormal behavior to determine whether you should take further action. A good place to seek assistance is your firewall vendor. Call the vendor up and ask for recommendations. Most should be glad to help.
Laura Taylor is the Chief Technology Officer and founder of Relevant Technologies. Ms. Taylor has 17 years of experience in IT operations with a focus in information security.