Intrusion detection on Netcom modem log

Jjpeet
Conductor
1 Reply 3809 Views

Hi all,

I’m getting many of these log entries every day:

Intrusion -> IN=ppp0.1 OUT= MAC= src=162.142.125.238 DST=112.213.199.2 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=49995 PROTO=TCP SPT=36157 DPT=3015 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
I’d like to work out what is going on, but there doesn’t seem to be any intrusion detection functions in the modem’s user interface. The destination IP is my IP, and the source is always different.
Can anyone tell me whether this is an actual intrusion attempt, and whether it was successful or not? 
Thx

JJP
Tara_AGL
AGL Moderator
1 Reply 3776 Views

Hi JJP,

Thank you for reaching out. I would like to investigate this for you; may I please confirm where you are seeing the intrusion logs? Is this through your virus security software?

Thank you,

Jjpeet
Conductor
1 Reply 3774 Views

It is the system log of my AGL supplied Netcom NNF20MESH modem.
I have configured the modem to send all system logs to a Synology logging server on my home network which is capturing all logs. I'm doing this because the modem's built-in log viewer only shows a few log entries whereas my Synology captures them all, and sends me alerts for critical log entries like these.
I'm getting many of these per day, and have no idea what the modem is doing about these intrusion attempts (if anything). Intrusion attempts are common, and there are also common ways to foil them - I'd like to know at least what the modem is doing, and (better) why the modem does not seem to be giving me any interface that allows me to configure its response.
Thx

JP

Here are a few more:

Date       Time     Level  Host Name       Category  Program  Messages

2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=81.68.205.215 DST=112.213.197.177 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=19567 PROTO=TCP SPT=57230 DPT=2376 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=124.197.4.192 DST=112.213.197.177 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=21683 DF PROTO=TCP SPT=60220 DPT=60000 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=124.197.4.192 DST=112.213.197.177 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=21682 DF PROTO=TCP SPT=60220 DPT=60000 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=162.142.125.92 DST=112.213.197.177 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=14188 PROTO=TCP SPT=64087 DPT=14406 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=124.197.4.192 DST=112.213.197.177 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=21681 DF PROTO=TCP SPT=60220 DPT=60000 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=124.197.4.192 DST=112.213.197.177 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=21680 DF PROTO=TCP SPT=60220 DPT=60000 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=124.197.4.192 DST=112.213.197.177 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=21679 DF PROTO=TCP SPT=60220 DPT=60000 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=79.124.62.82 DST=112.213.197.177 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=1614 PROTO=TCP SPT=56414 DPT=38211 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=79.124.62.130 DST=112.213.197.177 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=36497 PROTO=TCP SPT=56418 DPT=61439 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=79.124.62.130 DST=112.213.197.177 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=45883 PROTO=TCP SPT=56418 DPT=48367 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
2022-04-30 19:04:40 Alert  cloudmesh.home  user      kernel   Intrusion -> IN=ppp0.1 OUT= MAC= src=45.143.203.59 DST=112.213.197.177 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=19736 PROTO=TCP SPT=53194 DPT=13360 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Tara_AGL
AGL Moderator
1 Reply 3752 Views

Hi JP,
Just checking in to let you know this one is being reviewed by my IT team so that I can get a bit more understanding myself. Will get back to you with some more information soon.
Thanks!

Tara_AGL
AGL Moderator
0 Replies 3750 Views

Hi @Jjpeet 
I have heard back with a bit more of a technical answer.
These logs are indicating that your modem has a basic firewall inbuilt into it and it's turned on, with no port forwards activated on the specific ports these requests are coming to. This means you have no open permissions active that allow access to your modem. These logs are someone requesting access, and it is automatically being blocked as no permissions are turned on for external access.

In your specific examples above, your firewall is repeatedly blocking a request from IP address 162.142.125.238 that is trying to access Destination Port 3015 using Protocol TCP at your IP address.
Essentially, this is what we would typically expect your modem to be doing and means the firewall in the modem is doing its job and blocking the requests. These don't flag as Intrusions in the modem as this is the standard format of a log, and would display the same as if you were to permit someone to access your modem but it was unsuccessful. 
I hope that provides some clarity, and I appreciate your patience while I myself got a quick education on modem security!

Thanks,
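One way to make the forwarded entries useful on the logging server, as an added example that is not from the thread, the modem vendor or AGL: a small Python parser that turns the netfilter-style key=value line into fields and then counts attempts per source, distinct destination ports per source, and unsolicited TCP SYNs (SYN set, ACK clear), which is the shape of the blocked inbound connection attempt the moderator describes. The embedded log lines are constructed in the modem's format using RFC 5737 documentation addresses rather than the addresses quoted above; the function names are the example's own.

```python
from collections import Counter, defaultdict

# Constructed sample in the modem's own line format (documentation addresses,
# not the ones quoted in the thread): one source retries port 60000 four times,
# another touches three different ports with a single SYN each.
SAMPLE_LOG = """\
Intrusion -> IN=ppp0.1 OUT= MAC= src=192.0.2.10 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=49995 PROTO=TCP SPT=36157 DPT=3015 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Intrusion -> IN=ppp0.1 OUT= MAC= src=198.51.100.7 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=21683 DF PROTO=TCP SPT=60220 DPT=60000 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x8000000
Intrusion -> IN=ppp0.1 OUT= MAC= src=198.51.100.7 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=21682 DF PROTO=TCP SPT=60220 DPT=60000 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x8000000
Intrusion -> IN=ppp0.1 OUT= MAC= src=192.0.2.10 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=14188 PROTO=TCP SPT=64087 DPT=14406 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Intrusion -> IN=ppp0.1 OUT= MAC= src=192.0.2.10 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=36 ID=14189 PROTO=TCP SPT=64088 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
"""

def parse_line(line):
    """Parse one 'Intrusion ->' line into a dict of its key=value fields.
    Empty values (OUT=, MAC=) are kept as ''. Bare tokens such as SYN or DF
    go under 'flags'. Keys are upper-cased because the modem writes 'src'
    in lower case but 'DST' in upper case."""
    if "Intrusion ->" not in line:
        return None
    rec = {"flags": set()}
    for tok in line.split("Intrusion ->", 1)[1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key.upper()] = value
        else:
            rec["flags"].add(tok)
    return rec

def summarise(log_text):
    """Attempts per source, distinct destination ports per source, and the
    number of unsolicited TCP SYNs (SYN set, ACK clear): an inbound connection
    attempt that hit a port with no forward and was dropped."""
    per_src, ports_by_src, syn_probes = Counter(), defaultdict(set), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_src[rec["SRC"]] += 1
        ports_by_src[rec["SRC"]].add(int(rec["DPT"]))
        if rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            syn_probes += 1
    return {"per_src": dict(per_src), "ports_by_src": dict(ports_by_src),
            "syn_probes": syn_probes}

def port_scanners(summary, min_ports=3):
    """Sources that touched at least min_ports distinct destination ports;
    a single-port retry (like the 60000 repeats) is not flagged."""
    return sorted(src for src, ports in summary["ports_by_src"].items()
                  if len(ports) >= min_ports)

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(s["per_src"], s["syn_probes"], port_scanners(s))
```

Pointing it at the syslog file the Synology writes gives a per-source view that the modem's own log viewer does not, without changing anything on the modem.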