Multiple connection attempts to my network

First post. Be gentle :slight_smile:

I’ve got a pfSense setup as of about 2 months ago. Before that, I was running an Asus Router with Advanced Tomato firmware. I’ve been digging into the firewall logs on my pfSense box, and I am receiving a lot of connection attempts from dubious IP’s. China, Eastern Europe, Russia etc, on a random range of ports. All have been blocked by the firewall, so no damage done yet.

I’ve got a few ports open for services I need outside my network. I run an Unraid server with a reverse proxy to selected Docker containers. OpenVPN, web access to a few containers via HTTPS, and my Plex server. I use a dynamic DNS which in turn is accessed via various CNAME entries to my own domain. All other ports are closed and I only have what I need open.

My question is two fold:

  1. Is the kind of traffic and these kinds of intrusion attempts “normal”? I assume it’s different botnets scouring the net and making connection attempts to random IP’s until it gets a hit, but I’d like an opinion regardless.
  2. Is there anything I can do in order to reduce my potential footprint and reduce the attempts?

I’d appreciate any input. Thanks.

Most likely normal. Yours might be higher if they are picking up your open ports, it might peak their interest to look more deeply at you.

I feel like before I got pfsense, these scans were happening against my ASUS router and I just didn’t know. I think I average about 5000 blocked attempts per hour during peak times.

That’s kind of what I was thinking as well. Since my Asus router just didn’t let me access logs in the same manner, I was just oblivious due to lack of information. Funnily enough, there have been no acccess attempts to my open ports as far as I can tell.

There most likely has especially if your using standard ports as pfSense doesn’t log firewall rules by default unless you tell it to by checking the Log packets that are handled by this rule under extra options tab for the specific firewall rule.

all rules that have logging enabled should show this icon below the rule action

Screenshot from 2020-04-24_14:17:27

1 Like

Yeah they’re normal. Every time I got a dedicated server or VPS, the number of IPs scanning ports and trying to connect to them (SSH, FTP were the most targeted, obviously) was ridiculous, in the thousands per day, mostly from China.

I guess known IP ranges from hosting providers are more desirable targets, but nothing stops them from scanning all of the IP ranges in existence if they have the time heh.

You can move services (SSH, HTTP, VPN, etc, if any) to more obscure ports to reduce login attempts, and close all unused ports. That should make at least some of the bots remove your IP from the list. But new ones pop up all the time.

Examining firewall logs is a good way to make yourself paranoid. Port scans of your firewall are extremely common out on the internet, you just weren’t previously aware of them.

The thing is, what gets logged is getting blocked (that’s a good thing). What doesn’t get logged are successful transmissions which is where an attack you should be worried about is going to happen.

Be concerned for the ports you leave open, and any services and their logs are what you should be more concerned with. Keep any such services up to date and be aware of any announcements of vulnerabilities. Be aware of a spike in bad password attempts, etc.

You can geoblock China and Russia and any other areas that are hitting you especially often.

I’m always super surprised at how sloppy and inefficient most of this software is. Like they’ll go down the dictionary of ssh usernames one username every 3-4 seconds. And from same IP every attempt. Next day they’ll start again at aardvark.

TL;DR nothing to worry about. But make sure those failed login attempt logs don’t fill up your disk or burn through your SD card in case that’s what you’re using - forward logs externally or just rotate them if you don’t care about older logs being preserved for long.

I stopped this from happening by setting up 7 loadbalanced VPN connections on all sessions from my LAN. With split routing set up so I can host services. Only ports i have open are 80/443 and one for SSH past port 10000.

If I want to connect to my postgres server from outside, I use SSH to map the remote port.

ssh -L <remote if ip>:<remote port>:<local if IP>:<local port> -p <SSH port> <your domain/wan IP>

# so this could be
ssh -L -p 13575

Now you can use your service as if it was local. And your wan side can be quite closed. I also use it to vnc to workstation at work.