Forums

Lee Nowell
Resolved
0 votes
Hi All

I have used ClearOS for some time but have not dug into it too much in some time so sorry if this is a daft question but couldn't find the answer - maybe asked wrong question :)

I have just moved to a new ISP and the new router logs attempts to access it externally that the firewall has rejected. Surprisingly there are quite a number of hacking attempts.

It got me thinking.... I have the ISP's router on one subnet and then ClearOS on a dual NIC PC acting as a router between that subnet and the internal subnet where all the devices are. I think this is called bridge mode in ClearOS?

Anyway. I wanted to check the ClearOS logs to see if anything has got through either of the old or new ISP routers and hit the ClearOS box. Also whether they were blocked (hopefully) or let through :(. I have not opened any ports externally (that I am aware of at least).

Any idea how I find this out?

Thanks in advance for your help

Lee.
Monday, October 04 2021, 10:39 AM
Responses (2)
  • Accepted Answer

    Lee Nowell
    Wednesday, October 06 2021, 07:16 PM - #Permalink
    Resolved
    0 votes
    Thanks @Nick for your reply. I guess my logic was that there may be a vulnerability or some dodgy config in the router whereby a hacker could bypass the router's firewall. This would give them access to my outward facing subnet (which only has the ISP router and ClearOS NIC 1 on it). Assuming they got that far, the next step would be to try and get through the ClearOS firewall. So.... if I could see any hacking attempts on the ClearOS firewall, I could deduce that the ISP router had an issue but was thankfully caught by ClearOS which "saved the day" :)

    Also, I have Antiphishing and Antivirus turned on so was keen to see if they have ever caught anything.

    I guess in general seeing the firewall logs on my ISP router blocking hacking attempts gave me a "warm" feeling that it is actually working so wanted to see if ClearOS is actually catching anything or maybe I should remove ClearOS and just use the ISP Router. I only really use it for DHCP, DNS and then as an extra safety layer (hence my questions to validate it is necessary)

    thanks again

    Lee.
  • Accepted Answer

    Monday, October 04 2021, 11:30 AM - #Permalink
    Resolved
    0 votes
    I am afraid it is not particularly surprising. There are bots continually probing ssh, httpd/apache and smtp and others (I think SIP really suffers as well). It is situation normal.

    If ClearOS is set up with a different internal and external IP on different subnets then it is in routed mode and not bridge mode. The bridge mode is not common in ClearOS and is not available through the webconfig.

    If you want to look at logins, have a look in /var/log/secure. If you have not opened any external ports, you may still have port 81 open as it is opened by default. Look at the incoming firewall. If you just access ClearOS through its LAN port, you can remove this rule.

    If you have not forwarded any ports from your router, then nothing from the outside will be attacking ClearOS.
    Like
    1
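One way to do the check Nick describes, added here as an example that is not from the thread or from ClearOS itself: parse the sshd lines in /var/log/secure, count failed and accepted logins per source address, and flag any source that is not on the internal subnet, which is exactly the case the original question is about. The log lines and the 192.168.1.0/24 LAN subnet are constructed for the example; on a real box, read the file instead of the sample string.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure.
# They are made up for this example, not taken from the poster's system.
SAMPLE_SECURE_LOG = """\
Oct  4 10:12:01 clearos sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Oct  4 10:12:05 clearos sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Oct  4 10:13:10 clearos sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
Oct  4 10:15:33 clearos sshd[2222]: Accepted password for lee from 192.168.1.20 port 50111 ssh2
Oct  4 10:16:02 clearos sshd[2230]: Failed password for lee from 192.168.1.20 port 50115 ssh2
Oct  4 10:20:44 clearos sshd[2240]: Accepted publickey for root from 203.0.113.45 port 51300 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def summarize_ssh(log_text, lan_networks):
    """Per-source-IP counts of failed/accepted sshd logins, with an 'external'
    flag for sources that fall outside the given LAN network(s)."""
    lan = [ipaddress.ip_network(n) for n in lan_networks]
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set(), "external": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd login line (sudo, cron, etc.)
        ip = m.group("ip")
        entry = stats[ip]
        entry["failed" if m.group("result") == "Failed" else "accepted"] += 1
        entry["users"].add(m.group("user"))
        entry["external"] = not any(ipaddress.ip_address(ip) in n for n in lan)
    return dict(stats)

def external_accepted(stats):
    """Sources outside the LAN that actually logged in: the ones worth investigating."""
    return sorted(ip for ip, e in stats.items() if e["external"] and e["accepted"] > 0)

if __name__ == "__main__":
    # Replace SAMPLE_SECURE_LOG with open("/var/log/secure").read() on a real system.
    s = summarize_ssh(SAMPLE_SECURE_LOG, ["192.168.1.0/24"])
    for ip, e in sorted(s.items()):
        print(f"{ip:>15}  failed={e['failed']} accepted={e['accepted']} "
              f"external={e['external']} users={sorted(e['users'])}")
    print("external sources with a successful login:", external_accepted(s))
```

A failed attempt from an address outside the LAN means the router did pass the traffic through to ClearOS; an accepted login from such an address is the case to act on.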