我最近获得了一个新帐户并接管了他们的空间的管理,包括 SonicWall。
首先,我们更新了固件,因为之前的管理员没有跟上……太好了:)
因此,在重新配置 SonicWall 以使其成为真正的安全设备的浪潮中,我打开了 IDS 和事件警报。
我的邮箱里满是扫描警报。以下是其中一些。
奇怪的是,这些警报似乎有以下特征:通常源自 Web 端口 80 和 443,针对面向公众的 IP,这是我的一个美国客户,客户遍布全球,但我正在查看 IP 地址,并看到从冰岛到中国的信息。
有人能解释一下 IDS 误认为的合法服务吗?最初,IDS 阻断了所有 SIP 流量,直到我排除了异地 PBX,因此如果 IDS 阻断了更多流量而用户没有注意到或报告,我也不会感到惊讶。
04/18/2019 19:25:05 - 82 - Security Services - Alert - 77.247.109.151, 7659, X2 - XXX.178, 19090, X2 - udp - UDP scanned port list, 8080, 9060, 9070, 9080, 17070 - Possible port scan detected
This email was generated by: SonicOS Enhanced 6.5.3.1-48n (18B1-6993-2800)
04/18/2019 17:54:06 - 82 - Security Services - Alert - 198.61.165.71, 443, X2 - XXX.180, 64982, X2 - tcp - TCP scanned port list, 41016, 18069, 26794, 56346, 14356 - Possible port scan detected
This email was generated by: SonicOS Enhanced 6.5.3.1-48n (18B1-6993-2800)
04/18/2019 17:13:58 - 83 - Security Services - Alert - 5.8.18.90, 65532, X2 - XXX.180, 3364, X2 - tcp - TCP scanned port list, 3363, 3362, 3357, 3365, 3358, 3359, 3360, 3355, 3361, 3364 - Probable port scan detected
This email was generated by: SonicOS Enhanced 6.5.3.1-48n (18B1-6993-2800)
04/18/2019 17:13:58 - 82 - Security Services - Alert - 5.8.18.90, 65532, X2 - XXX.180, 3359, X2 - tcp - TCP scanned port list, 3363, 3362, 3357, 3365, 3358 - Possible port scan detected
This email was generated by: SonicOS Enhanced 6.5.3.1-48n (18B1-6993-2800)
04/18/2019 15:55:46 - 82 - Security Services - Alert - 205.180.85.169, 443, X2 - XXX.180, 52468, X2 - tcp - TCP scanned port list, 19366, 65141, 17474, 5725, 57646 - Possible port scan detected
This email was generated by: SonicOS Enhanced 6.5.3.1-48n (18B1-6993-2800)
04/18/2019 14:52:53 - 82 - Security Services - Alert - 151.101.5.140, 443, X2 - XXX.180, 36862, X2 - tcp - TCP scanned port list, 18568, 29110, 40462, 10585, 26896 - Possible port scan detected
This email was generated by: SonicOS Enhanced 6.5.3.1-48n (18B1-6993-2800)
答案1
我管理多个 SonicWall,这些警报在互联网上的任何 SonicWall 中都很常见。
通常,IDS 不会触发这些警报。
它们通常来自主动扫描任何活跃主机的僵尸网络。请记住,SonicWall 会向您报告此情况,但这只是警告,不会阻止任何内容。