How to treat Huawei firewall logs?
A firewall log is something of a hodgepodge: it records the time and type of every suspicious event the system sees. By analysing these logs you can find intrusions that have already happened or are happening right now.

Firewall logs are not complicated, but reading them requires a few basic concepts (ports, protocols and so on). Every firewall formats its log differently, but the content is much the same: the time, whether the packet was accepted or blocked, the protocol, the source IP address and port, and the destination IP address and port. This article uses the log of the Skynet personal firewall as an example to show how to analyse a firewall log and, from it, spot exposed services and attacks in progress.

Skynet blocks every packet that violates its rules and records it in the log. If you also choose to monitor all TCP and UDP packets, every packet sent or received will be recorded.

1. Port 139 attacks

The log entry shown in Figure 1 indicates that a computer on the local area network tried to connect to port 139 on your computer and was blocked.

Port 139 is used by NetBIOS over TCP/IP (the NetBIOS session service). When the TCP/IP protocol is installed on Windows, NetBIOS over TCP/IP is installed and enabled with it by default. An open port 139 means file and printer sharing may be reachable from the network, and an attacker on the Internet can use it to enumerate shares, user names and other system information, and to read or write files on any weakly protected share.

Tip: NetBIOS is the Network Basic Input/Output System, a programming interface for LAN communication. Although TCP/IP has become the dominant transport protocol, NetBIOS services are still widely used on LANs, carried either over the NetBEUI protocol or over TCP/IP.

With Skynet watching, this weakness was not exploited here, but it should not be ignored; the hole needs closing. On a machine that connects to the Internet and does not share files or printers, NetBIOS over TCP/IP serves no purpose and can be disabled, or port 139 can simply be blocked at the firewall.

How do you tell what is behind the source address? If it is a remote (Internet) address, it is probably a scanning tool or a worm. The addresses 192.168.30.15x in Figure 1, however, are on the same LAN as this computer, and their users were not running any attack software. On inspection, those computers turned out to be infected with the Nimda worm, which spreads through open network shares.

2. Port 80 attacks

Suppose the Skynet log shows the following entry: at 18:29 a host with IP address 61.128.89.××× tried to connect to your computer to check whether port 80 (the port used by a Web server) was open.

If you frequently receive TCP connection requests to port 80 from external addresses using high source ports (above 1024), consider that the other machine may be infected with the Code Red worm and is trying to spread to you (it could also be a person running a scanner). Since Code Red only infects systems running the IIS web service, ordinary home users need not worry; anyone running IIS should make sure it is patched.
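The two patterns above (LAN neighbours hammering port 139, and Internet hosts probing port 80 from high source ports) are easy to pick out of a log automatically. The following is an added example, not code from the article or from the Skynet firewall: it parses a simplified log whose line layout is an assumption carrying the fields the article lists (time, accept/block, protocol, source address and port, destination address and port), classifies each blocked TCP entry, and reports sources that repeat a probe. The LAN prefix 192.168.30.0/24 is taken from the article's Figure 1; the log lines and the external addresses are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed line layout (a stand-in for Skynet's real format, which the article does not print):
#   YYYY-MM-DD HH:MM:SS  ACCEPT|BLOCK  TCP|UDP|ICMP  src_ip:src_port -> dst_ip:dst_port
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>ACCEPT|BLOCK)\s+(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# The LAN this machine sits on (assumed from the 192.168.30.15x addresses in Figure 1).
# Configure this explicitly rather than relying on "is it a private address", so that
# a misconfigured or spoofed private source from outside is not mistaken for a neighbour.
LAN_NETWORKS = [ipaddress.ip_network("192.168.30.0/24")]


@dataclass(frozen=True)
class Entry:
    time: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str):
    """Return an Entry for a well-formed line, or None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["time"], m["action"], m["proto"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))


def parse_log(text: str):
    """Parse every line, silently dropping unparseable ones (a real log has plenty)."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def classify(e: Entry) -> str:
    """Map one blocked TCP entry onto the categories the article discusses."""
    if e.proto != "TCP" or e.action != "BLOCK":
        return "other"
    if e.dport == 139:
        # Section 1: a LAN host probing port 139 is a worm suspect; from the Internet it is NetBIOS enumeration.
        return "lan_netbios_probe" if is_lan(e.src) else "internet_netbios_probe"
    if e.dport == 80 and not is_lan(e.src) and e.sport > 1024:
        # Section 2: external host, high source port, looking for a web server (Code Red style).
        return "internet_web_probe"
    return "other"


NOTES = {
    "lan_netbios_probe": "LAN host repeatedly probing port 139: inspect it for a worm such as Nimda",
    "internet_netbios_probe": "external host probing port 139: NetBIOS enumeration attempt",
    "internet_web_probe": "external host probing port 80 from high ports: Code Red style scan",
}


def find_suspects(entries, threshold: int = 3):
    """Count probes per (source, category) and report sources at or above the threshold."""
    counts = Counter()
    for e in entries:
        cat = classify(e)
        if cat != "other":
            counts[(e.src, cat)] += 1
    return [
        {"src": src, "category": cat, "count": n, "note": NOTES[cat]}
        for (src, cat), n in sorted(counts.items())
        if n >= threshold
    ]


# Constructed sample log: three LAN probes of port 139, three external probes of port 80,
# one accepted DNS reply, one lone external port-139 probe, and one garbage line.
SAMPLE_LOG = """\
2002-03-10 18:29:01 BLOCK TCP 192.168.30.151:1035 -> 192.168.30.7:139
2002-03-10 18:29:02 BLOCK TCP 192.168.30.151:1036 -> 192.168.30.7:139
2002-03-10 18:29:04 BLOCK TCP 192.168.30.151:1037 -> 192.168.30.7:139
2002-03-10 18:29:10 BLOCK TCP 203.0.113.9:3421 -> 192.168.30.7:80
2002-03-10 18:29:11 BLOCK TCP 203.0.113.9:3422 -> 192.168.30.7:80
2002-03-10 18:29:12 BLOCK TCP 203.0.113.9:3423 -> 192.168.30.7:80
2002-03-10 18:29:30 ACCEPT UDP 192.168.30.1:53 -> 192.168.30.7:1100
2002-03-10 18:30:00 BLOCK TCP 198.51.100.4:4444 -> 192.168.30.7:139
this line is not a log entry and is skipped
"""

if __name__ == "__main__":
    for alert in find_suspects(parse_log(SAMPLE_LOG)):
        print(f"{alert['src']:16} {alert['count']:3}x {alert['note']}")
```

The threshold is what keeps a single stray packet from raising an alert; the lone external port-139 probe in the sample only shows up if you lower it to 1. The one thing a parser like this cannot do is tell a worm from a person running a scanner, which is why the article still has you walk over to the LAN machine and inspect it.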