Network security advice,please?

[biob]

Hi guys and girls

im getting increasingly worried about the web facing side of my network😔 I’ve recently seen getting port scanned by a device which shouldn’t that shouldn’t be there( only one device should be there). I’m double NAT’d with ISP router and my own.

Ive recently bought a edgerouter, but worried about configuring the firewall wrong. Can someone please advise? I want to keep my family safe.

[digininja]

Give us more information. What do you mean by a device that shouldn't be there? Where is it and how do you know it is scanning you?

When you say web facing, do you mean internet facing?

[biob]

Hi digininja,

sorry yes I meant internet facing.

The first router(ISP device, WiFi is disabled)in the chain only has one client connected(my router, WiFi enabled and internal devices connect to this). Example let say my router was 10.4.4.2 and the isp router is the gateway(10.4.4.1). My router was being port scanned on 10.4.4.77, this showed up in my routers logs(IP scheme is for demonstration purposes)

I’ve also seen a couple of port scans on my router from external IP’s and when I investigated my isp router had been reset to factory default(This concerned me).

 

[biob]

I should mention when I saw it in the logs I pinged it and done a basic port scan on my phone. It was still there and port 53 was open on it. Started up my laptop and the used nmap and  device stopped responding. Tried on my phone again and it wasn’t there anymore.

[biob]

I think the scan on my phone is giving a false positive.... can scan other IP’s in that range and I’m getting same results 🤔

[biob]

One example of log

DoS attack:FIN Scan (1) attack packets from 216.58.204.34

internal one was:

DoS attack:ACK Scan (1) attack packets from 10.4.4.77

[digininja]

Don't worry about the external stuff, any box on the internet is getting hit like that all the time.

For the internal, I assume the ISP modem is plugged directly into your firewall box with a cable and that there is nothing else connected between them, all the rest of the boxes are on the other side of your internal box.

Are you using a different subnet for the internal network? i.e. not 10.4.4.0/24? Where are you seeing the alerts? Is it on your router or on another box? What is the router? Is it something you can trust to give good information or a cheap box that may just have bugs and be mis-representing the information?

[biob]

Have ISP box in router mode(first layer of NAT) connected to second router(internal network, different subnet). RJ45 connection between both router with nothing in between.

My router is a Netgear nighthawk and not a lot of control options. SPI is turned on ,on both router and I’ve also setup to block ports that have no reason to leave my network.

im seeing the alerts on the nighthawk logs.

                           Internet

ISP router/modem(NAT)(first subnet)

My router(NAT)(2nd subnet, nighthawk)

                          My network

[digininja]

To hit that IP address, have you tried plugging in on the modem to nighthawk connection?

[Bigbiz]

Maybe you have a 5gz isp router/modem but your devices arent picking it up because they dont support 5gz network?

[digininja]

He said he had turned WiFi off on the ISP device. Anything on his device should be getting an IP from the client side which wouldn't be on that subnet.

[biob]

I’ve stuck a Packet squirrel in between isp router and mine. Turned all my clients off, so I can see what was going through last night. But have nothing in router logs for last night 🤔