
Firewall Activity

FIXED
Jimbowe
Dabbler
Posts: 14
Thanks: 2
Registered: ‎30-04-2019

Firewall Activity

Is someone trying to hack me here, or is this PlusNet Maintenance Login attempts? If the latter, wouldn't it be a TR069 connection? Am waiting to fit my Draytek back in, but the PN1 is in while my line speed is sorted; the DT hardly had any firewall activity in the logs? Used to see a lot of Spoofing Protection as well, 2 every minute. Has anyone else experienced this?

Thanks.


IN: BLOCK [16] Remote administration (TCP [49.77.0.198]:38576->[146.200.141.101]:22 on ppp3)
20:57:46, 22 May.
IN: BLOCK [16] Remote administration (TCP [52.67.148.139]:38200->[146.200.141.101]:8080 on ppp3)
20:56:51, 22 May.
IN: BLOCK [16] Remote administration (TCP [81.22.45.106]:49122->[146.200.141.101]:8080 on ppp3)
20:49:05, 22 May.
IN: BLOCK [16] Remote administration (TCP [194.55.187.2]:49744->[146.200.141.101]:80 on ppp3)
20:47:29, 22 May.
IN: BLOCK [16] Remote administration (TCP [212.170.162.32]:34765->[146.200.141.101]:8080 on ppp3)
20:20:10, 22 May.
IN: BLOCK [16] Remote administration (UDP [196.52.43.58]:50674->[146.200.141.101]:161 on ppp3)
20:16:57, 22 May.
IN: BLOCK [16] Remote administration (TCP [92.118.37.91]:36806->[146.200.141.101]:443 on ppp3)

Strat
Community Veteran
Posts: 31,320
Thanks: 1,609
Fixes: 565
Registered: ‎14-04-2007

Re: Firewall Activity

Moderators Note
This topic has been moved from Fibre Broadband to My Router.

Windows 10 Firefox 109.0 (64-bit)
To argue with someone who has renounced the use of reason is like administering medicine to the dead - Thomas Paine
Optimatts
Plusnet Alumni (retired)
Posts: 442
Fixes: 19
Registered: ‎25-09-2018

Re: Firewall Activity

Hi there @Jimbowe

These types of logs are nothing to worry about. In fact it's actually a reassurance.

These logs are essentially your network firewall doing its job and rejecting anything it doesn't like.

It is often called 'Internet background radiation'. The term reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations).

Basically there are always things bumping into your network. If it's unwanted, your firewall will reject it. This is then collected in logs like the ones you've shown.

I hope this information helps.

DS
Seasoned Champion
Posts: 2,307
Thanks: 504
Fixes: 22
Registered: ‎06-01-2017

Re: Firewall Activity

Fix

Just to mirror what Matt has written...

Those events are the router's firewall doing its job.

For example, the

IN: BLOCK [16] Remote administration (TCP [49.77.0.198]:38576->[146.200.141.101]:22 on ppp3)

is an IP, in this case 49.77.0.198 on port 38576, that tried to access your router's IP 146.22.xxx.xxx on port 22, but the router blocked it.

If you want to know, it is located in China and the coordinates for that device are 32°03'43.2"N 118°46'40.8"E

From the testing I did, the Spoofing Protection occurs when the router sees a wired device that then moves to wifi. This can happen when you jump from another wireless AP on your network to the router's wifi too (I run a secondary router and as this connects to my primary via ethernet, the primary thinks devices on that other router are wired when they are indeed wifi only).
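
To see the pattern the replies above describe (many unrelated sources probing a handful of management ports), the hub's event log can be tallied by destination port. This is an added example, not part of the original thread: the sample lines are constructed with documentation-range addresses, and the service labels are the conventional uses of those port numbers, assumed here.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in this thread.
# One line carries a zero-width space, as text copied from a web page often does.
SAMPLE_LOG = """\
IN: BLOCK [16] Remote administration (TCP [198.51.100.7]:38576->[203.0.113.10]:22 on ppp3)
20:57:46, 22 May.
IN: BLOCK [16] Remote administration (TCP [198.51.100.8]:38200-\u200b>[203.0.113.10]:8080 on ppp3)
20:56:51, 22 May.
IN: BLOCK [16] Remote administration (UDP [192.0.2.44]:50674->[203.0.113.10]:161 on ppp3)
20:49:05, 22 May.
IN: BLOCK [16] Remote administration (TCP [192.0.2.45]:49122->[203.0.113.10]:8080 on ppp3)
some unrelated line
"""

ENTRY = re.compile(
    r"IN: BLOCK \[(?P<rule>\d+)\] (?P<reason>.+?) "
    r"\((?P<proto>TCP|UDP) \[(?P<src>[\d.]+)\]:(?P<sport>\d+)->"
    r"\[(?P<dst>[\d.]+)\]:(?P<dport>\d+) on (?P<iface>\w+)\)"
)

# Assumed labels: conventional services on these ports.
SERVICES = {22: "SSH", 80: "HTTP", 161: "SNMP", 443: "HTTPS", 8080: "HTTP-alt"}

def parse_blocks(text):
    """Return one dict per blocked inbound connection found in text."""
    text = text.replace("\u200b", "")  # drop zero-width spaces from copy/paste
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries

def summarize(entries):
    """Count blocks per (protocol, destination port) and collect distinct sources."""
    by_service = Counter((e["proto"], e["dport"]) for e in entries)
    sources = {e["src"] for e in entries}
    return by_service, sources

if __name__ == "__main__":
    entries = parse_blocks(SAMPLE_LOG)
    by_service, sources = summarize(entries)
    for (proto, port), n in by_service.most_common():
        print(f"{proto}/{port:<5} {SERVICES.get(port, 'unknown'):<9} blocked {n}x")
    print(f"{len(sources)} distinct sources, {len(entries)} blocked attempts")
```

Many distinct sources each touching one management port once is the signature of indiscriminate scanning; repeated attempts from a single source against one port would stand out in the same tally.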

Jimbowe
Dabbler
Posts: 14
Thanks: 2
Registered: ‎30-04-2019

Re: Firewall Activity

Thanks Matt / DS
Learning all the time!
DS
Seasoned Champion
Posts: 2,307
Thanks: 504
Fixes: 22
Registered: ‎06-01-2017

Re: Firewall Activity

No problem Jimbowe

Whilst you continue to use a PNH1 (or a BT router for that matter), believe me, the learning never actually stops!!

(Pointless info, but the PNH1 is actually a BT Home Hub 5; it just wears a different coloured coat, running the PN variant of software.)

I did notice that the latest software (ending 263), which, having looked at your other thread, your router is running, does show more events in the event log, which actually isn't a bad thing once you get used to what they all mean.