I was looking at my firewall logs the other day and not really seeing anything to write home about. Then, I thought about sorting the monitoring traffic scan by country, and there it was—China.
China was doing port scans on my public IP address. I was able to grab some screenshots of the detections. I am going to briefly describe the anatomy of the chart to help with understanding the log information. See Figure 1.
Source: Text Box 1
Source is what it sounds like: the source. In our case the source IP is 60.217.75.69, source port 51902, coming in over the WAN (wide area network) interface from the Internet, and China is the source country.
Destination: Text Box 2
The scan from China is going to the United States, to IP address 173.9.0.0, my public IP address; I deleted the last two octets to obscure it. The scan is aimed at port 443 (HTTPS) on my firewall's WAN interface. A probe of 443 on the firewall itself is worth a second look: make sure the firewall's own admin GUI and SSL-VPN portal are not reachable from the WAN, because that is exactly what such a probe is hoping to find.
Action: Text Box 3
This is the action the firewall took against the scan according to its programmed rules: the scan was denied and blocked.
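The same three pieces of information (source, destination, action) are what you would pull out of the raw logs to find this kind of scan. The script below is an added example, not part of the original post and not a Fortinet tool. It parses constructed log lines in the key=value style FortiGate traffic logs use (the field names srcip, srcport, srcintf, srccountry, dstip, dstport and action are the real FortiGate ones; the values, the `wan1` interface name and the sample addresses are made up for illustration), keeps only denied connections that arrived on a WAN interface, counts them by source country, and flags any source that touched several different ports as a likely port scan.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the key=value style of FortiGate traffic logs.
# Not captured data: the 173.9.0.0 destination is the post's own redacted
# address, the other addresses are documentation ranges, and "wan1" /
# "internal" are assumed interface names.
SAMPLE_LOG = """\
date=2022-02-10 time=08:14:22 type="traffic" subtype="forward" srcip=60.217.75.69 srcport=51902 srcintf="wan1" srccountry="China" dstip=173.9.0.0 dstport=443 dstintf="root" dstcountry="United States" proto=6 action="deny" policyid=0
date=2022-02-10 time=08:14:23 type="traffic" subtype="forward" srcip=60.217.75.69 srcport=51903 srcintf="wan1" srccountry="China" dstip=173.9.0.0 dstport=3389 dstintf="root" dstcountry="United States" proto=6 action="deny" policyid=0
date=2022-02-10 time=08:14:25 type="traffic" subtype="forward" srcip=60.217.75.69 srcport=51904 srcintf="wan1" srccountry="China" dstip=173.9.0.0 dstport=22 dstintf="root" dstcountry="United States" proto=6 action="deny" policyid=0
date=2022-02-10 time=08:15:01 type="traffic" subtype="forward" srcip=198.51.100.7 srcport=40211 srcintf="wan1" srccountry="Netherlands" dstip=173.9.0.0 dstport=3389 dstintf="root" dstcountry="United States" proto=6 action="deny" policyid=0
date=2022-02-10 time=08:15:40 type="traffic" subtype="forward" srcip=192.168.1.20 srcport=52000 srcintf="internal" srccountry="Reserved" dstip=203.0.113.9 dstport=443 dstintf="wan1" dstcountry="China" proto=6 action="accept" policyid=1
date=2022-02-10 time=08:16:02 type="traffic" subtype="forward" srcip=198.51.100.7 srcport=40212 srcintf="wan1" srccountry="Netherlands" dstip=173.9.0.0 dstport=445 dstintf="root" dstcountry="United States" proto=6 action="deny" policyid=0
"""

# key=value pairs; values are either "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values are unquoted."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def parse_log(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def inbound_denied(records, wan_interfaces=("wan1", "wan2")):
    """Only unsolicited traffic that arrived on a WAN interface and was denied.
    Sessions our own hosts opened outbound (srcintf=internal, including the
    browse to a Chinese site) are deliberately not counted, which is the
    post's point that blocking a country only affects inbound attempts."""
    return [r for r in records
            if r.get("srcintf") in wan_interfaces and r.get("action") == "deny"]


def denies_by_country(records):
    """Sort the noise by source country, as the post did in the firewall UI."""
    return Counter(r.get("srccountry", "?") for r in inbound_denied(records))


def scanners(records, min_ports=3):
    """Sources that probed at least min_ports distinct destination ports.
    A single source walking across ports is the cheap signature of a scan;
    one hit on one port may just be a stray connection."""
    ports = defaultdict(set)
    for r in inbound_denied(records):
        ports[(r["srcip"], r.get("srccountry", "?"))].add(int(r["dstport"]))
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for country, n in denies_by_country(recs).most_common():
        print(f"{country:15} {n} denied inbound connections")
    for (ip, country), touched in scanners(recs).items():
        print(f"possible scan from {ip} ({country}): ports {touched}")
```

On the sample data the script reports three denied inbound connections from China and two from the Netherlands, and flags 60.217.75.69 as a scanner because it walked ports 22, 443 and 3389; the lone Netherlands source is not flagged at the default threshold. The policyid=0 on the denied lines is what you see when a FortiGate's implicit bottom deny policy, rather than an explicit rule, dropped the connection.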
Why is China doing this? I don’t have national secrets, I am not a government agency, and I’m just not that interesting.
I had people in other countries also doing scans, so I blocked them, and China, on the firewall. That means any attempt to connect to my IP address from China, or from any other country I have blocked, will be immediately dropped. However, if I choose to connect to a website in China because of some literature on motherboards, the firewall will not block the outgoing attempt, just the unsolicited attempt from China.
The Why?
So, let's get back to why they are doing this. It's not just China that is doing the scanning; other countries are involved as well, and they are not just targeting my IP address but whole blocks of IP addresses. People are very busy looking for vulnerabilities and open ports. A quick search through the web shows this is a widespread issue.
There are several reasons for this behavior:
- Information to pilfer on a network
- Planting ransomware / spyware on the network
- A beachhead in the US
The first two are pretty self-explanatory: they want information, and they want to encrypt your system, pictures and all, and hold it for ransom. The third one, however, is a bit insidious and needs more explanation.
They are looking for a beachhead:
This is the same reason some people use VPNs to stream content from providers: the person's home country is not allowed the content for some reason. To get around this, users buy a VPN to obscure their country of origin and stream the content.
This is the same reason the bad guys want your system: as a beachhead. They know some people and companies have firewalls that drop connections from the countries the scans come from. To get around that, they actively look for computers in the United States that they can compromise and install remote-control software on, and then use those computers to run port scans from inside the United States while the operator sits in China.
They don't want to disable your system in any way. They want you to have full use of it so you don't suspect anything is wrong and go looking for a problem. Or, worse for them, you suspect something is in there, can't find it, and do a whole system wipe and reload, which usually gets rid of the beachhead.
Another use of beachhead systems is in a denial-of-service (DoS) attack. A system compromised during a port scan, or through an unfortunate click of the mouse, is infected and used to send bogus requests to a target IP address. It's not just one computer but thousands of computers, refrigerators, TVs, cars, anything electronic that will take an IP address and is not properly secured, sending millions of requests a second. This distributed form (DDoS) renders any service the target IP address was offering useless, and legitimate users are denied service.
What do you do? Buy a good firewall!
Five or six years ago I would have been very hesitant to suggest that a small business purchase an enterprise-grade firewall. With cyber attacks increasing, and cyber gangs buying ad space on legitimate websites to spread cryptoware, my opinion has vastly changed. We here at Arnold Consulting have standardized on Fortinet as our firewall vendor of choice.
What does a firewall do for you?
A FortiGate will secure your Internet connection in many different ways, but I will go over a few that I commonly use.
- Geo-Blocking: With geo-blocking you can block traffic from bad-actor countries that scan your IP address looking for open ports, for services you have exposed to the Internet, and for exploitable vulnerabilities in those services (including zero-days, flaws for which no patch exists yet). If a country is blocked, the firewall drops the connection attempt without processing it further. However, if there is a website in a blocked country you need to see because it has value, the firewall will not block your outbound attempt to access it; the block applies only to unsolicited inbound connections. One caveat: as the beachhead section explains, a determined attacker can simply scan from a compromised host in a country you allow, so geo-blocking cuts down the noise rather than guaranteeing anything.
- Bad-Actor Country: How do you know which countries? The firewall has logs you can look at. They tell you where an inbound connection came from and what port it was trying to reach. If it is not something you initiated yourself, then why is that IP address trying to access your system? Block the country.
- Intrusion Prevention System: Definition taken from Fortinet site. “An Intrusion Prevention system (IPS) helps organizations in identifying malicious traffic and proactively blocks such traffic from entering their network. Products using IPS technology can be deployed in-line to monitor incoming traffic and inspect that traffic for vulnerabilities and exploits, and if detected then take appropriate action as defined in the security policy such as blocking access, quarantining hosts or block access to external websites that might result in a potential breach.” https://www.fortinet.com/resources/cyberglossary/what-is-an-ips
Remember the Log4j vulnerability discovered not long ago; you can read more about it here. If you had IPS activated with an up-to-date signature set, the FortiGate could have blocked the exploit attempts at the perimeter before they reached a vulnerable server or PC, keeping the network safe. Note that IPS can only match what it can see: exploit attempts carried inside TLS-encrypted connections are invisible to it unless SSL inspection is also enabled.
- Antivirus Scanning: Like other next-generation firewalls, the FortiGate can scan traffic for malware, which gives you a second chance to stop a virus before it enters your network. All Internet traffic has to come through the FortiGate, so if you turn antivirus scanning on, the FortiGate checks for malware before it gets to the desktop, in addition to the antivirus you already have installed on your computer. As with IPS, encrypted downloads can only be inspected if SSL inspection is enabled.
- Securing Remote Connections: I have a vendor who needs to connect to my network to work on a PC of mine with marketing information, and she does it remotely from a Mac. I had set up Remote Desktop for her, but I soon realized by looking at the logs that the Remote Desktop port I had opened for her was being actively probed, and it was only a matter of time before a bad guy got in and compromised the network.
So, I figured out how to get a dynamic DNS name for her business that always resolves to her current IP address. I created a rule in my FortiGate firewall that lets that name, and only that name, connect to Remote Desktop. If you come from any other, unknown IP address, the connection attempt is dropped.
- Shut the Internet off on your pre-teen / teen devices: We have a preteen child, and when this child does not do what we want, I flip off the Internet on his computer, iPod, and Nintendo. When he is more compliant, the Internet comes back on his devices. Notice I mentioned his devices, not mine nor my wife's connectivity. We regularly shut off the Internet at night on his devices, as well as on the Smart TV and Apple TVs connected to the network, so he is not tempted to get on them.
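The two rules from the Geo-Blocking and Securing Remote Connections bullets, written out as FortiOS CLI configuration. This is an added example, not the post's own configuration and not taken from Fortinet documentation; the interface names `wan1` and `internal`, the dynamic DNS name `vendor.example.dyndns.net`, the internal address 192.168.1.50, the WAN address 203.0.113.10, the policy numbers and the object names are all assumptions. The `#` lines are annotations, not CLI commands; strip them before pasting into a console.

```text
# Added example, not the original post's configuration.
# Assumed: WAN interface "wan1", LAN interface "internal",
# vendor's dynamic DNS name vendor.example.dyndns.net,
# marketing PC at 192.168.1.50, firewall WAN address 203.0.113.10.
config firewall address
    edit "geo-CN"
        set type geography
        set country "CN"
    next
    edit "vendor-dyndns"
        set type fqdn
        set fqdn "vendor.example.dyndns.net"
    next
end

# Port forward for Remote Desktop (TCP 3389) to the marketing PC.
config firewall vip
    edit "rdp-marketing-pc"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.50"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end

config firewall policy
    # Inbound from China: drop and log. Matches wan1 -> internal only,
    # so outbound browsing to sites in China is unaffected.
    edit 10
        set name "deny-inbound-CN"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "geo-CN"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Remote Desktop accepted only from the vendor's dynamic DNS name.
    # Everything else inbound falls through to the implicit deny.
    edit 11
        set name "allow-vendor-rdp"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "vendor-dyndns"
        set dstaddr "rdp-marketing-pc"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end
```

The FortiGate evaluates policies top to bottom in the order they appear, not by ID, and anything no policy matches hits the implicit deny at the bottom, which is what shows up in the logs as `action="deny"` with `policyid=0`; no explicit "deny everyone else" rule is needed for the RDP port. Two caveats a practitioner should keep in mind. The FQDN object is only as current as the firewall's DNS cache, so when the vendor's address changes there can be a short window, bounded by the record's TTL, in which her new address is not yet allowed or the old one still is. And geo-blocking by source country does nothing against a scan launched from a compromised host inside the United States, which is the beachhead scenario described earlier, so an exposed RDP port should stay behind the allowlist (or, better, behind a VPN) regardless of which countries are blocked.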
The list of what a Fortinet firewall does goes on, and its uses are limited only by your imagination. A few years ago I would never have suggested this to a small business, thinking it was really overkill and that their modem, with NAT, should be enough to protect the network.
I can remember a time in the very late 1980s when I did not run antivirus on a computer, and computer viruses were, well, "what is that, computers can catch a cold?" That was my first thought when I heard the word combination "computer virus".
However, that is not the case in 2022: computer viruses are a common notion, as are information breaches. A firewall is now a really necessary layer of defense, what I thought was overkill just five or six years ago.
The Expense of the thing:
As the reader you may be thinking, "oh the expense, the humanity of it all." Well yes, there is a cost, but when you break it down on a daily-use basis, it's pretty reasonable.
These devices are hardware plus software as a service: there is the initial cost of the device and a yearly support fee, and if you break the price down per day, it works out to about $2.00 for a really powerful security appliance.
So, it’s like a visit to Starbucks ordering a Caramel Macchiato every Monday, Wednesday, and Friday.
Still want China to be your Valentine?
Arnold Consulting is a partner with Fortinet. We can very easily configure this for your small company. Is this going to stop everything from coming into the network? No. If a hacker is bound and determined to get into your network, they will. However, by installing a Fortinet firewall in your network, your company just made it exponentially more difficult, and perhaps the hacker will move on and find better employment elsewhere.
Call Arnold Consulting and let’s talk about your network security.