BlueBear (Posted November 5)

Hi,

We have 5 devices that are sitting on a mobile network using an integrated SIM card. The APN these devices use is provided by the network provider, so it is public. Ever since connecting these 5 devices to the internet, we have been receiving A LOT of scanning attempts. Within the last 7 days there have been 17,801 ESET Firewall alerts for 'Security vulnerability exploitation attempt' and 'TCP Port Scanning attack'. ESET is blocking the 1,386 unique IP connections via 'EsetIpBlacklist.A'.

Although ESET is doing its job well and appears to be blocking all these attempts, I just wanted some guidance on the best way of managing this using ESET. At the moment all these alerts are being sent to the ESET Protect console, which of course, over a year, will increase the ESET DB size more than we want.

We have run a test on a different provider's private APN and these bad IPs no longer scan the devices. I am waiting for a private APN to be provided by the current provider.

Is there anything to be concerned about with all this traffic? Will it have any negative impact on modules, reporting, or the console after a year or so?

Thanks
Marcos, Administrator (Posted November 5)

It is not clear whether those devices must have all TCP/UDP ports open and accessible from the Internet. If not, you could create an IDS rule that will block the attack attempts but won't log them in the network protection log.
BlueBear, Author (Posted December 4)

Sorry for the delay.

There are no explicitly open inbound ports to the devices, but we do have some local trusted groups for local IPs of attached peripherals. All connections are outbound and allowed back in. The 'target port' of these scans varies; the IPs are just scanning every single TCP port (mainly the commonly known ones: 80, 443, 445, 21, 22, 23, 3389, etc.).

Thanks for the suggestion. Is it possible to block the attempts, log them for 1 week, and export the alerts to a CSV or similar (using a scheduled report)? Whilst I can do the scheduled export, I do not know how to maintain 1 week of particular firewall alerts and delete older ones. Is it possible at all? I do not want the noise in the console but also want to know what is happening, even if it's exported out of the console. The ERA DB is growing quite quickly.

Thanks
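The rolling one-week retention the poster asks about can be done outside the console once the alerts are exported. The script below is an added example written for this thread; it is not ESET code and nothing here is an ESET feature. It assumes the scheduled report produces a CSV with the columns time, event, source, target_port and protocol (that column layout is an assumption, adapt the header names to whatever your export actually contains), and it uses a small constructed export and a fixed reference time, NOW, so that it runs offline. It merges a new export into the retained file, drops duplicates and anything older than 7 days, and summarises the remaining alerts by source IP, target port and event type, which is the view of "what is happening" the poster wants without keeping the noise in the console.

```python
"""Rolling 7-day retention and summary for exported firewall alert CSVs.

Added example for this thread; not ESET code. The column layout below is an
assumption about the scheduled-report export, not ESET's actual format.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

FIELDS = ["time", "event", "source", "target_port", "protocol"]
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed reference time so the example is deterministic; in a scheduled
# job you would use datetime.now() instead.
NOW = datetime(2024, 11, 5, 12, 0, 0)

# Constructed sample of a fresh export (not real alert data).
SAMPLE_EXPORT = """\
time,event,source,target_port,protocol
2024-11-04 08:12:01,TCP Port Scanning attack,203.0.113.5,445,TCP
2024-11-04 08:12:03,TCP Port Scanning attack,203.0.113.5,3389,TCP
2024-11-04 09:40:10,Security vulnerability exploitation attempt,198.51.100.7,445,TCP
2024-11-01 22:05:44,TCP Port Scanning attack,192.0.2.99,22,TCP
2024-10-20 03:00:00,TCP Port Scanning attack,192.0.2.42,23,TCP
"""

# Constructed sample of the file retained from the previous run: one stale row
# and one row that also appears in the fresh export (exercises dedup + prune).
RETAINED_EXPORT = """\
time,event,source,target_port,protocol
2024-10-20 03:00:00,TCP Port Scanning attack,192.0.2.42,23,TCP
2024-11-04 08:12:01,TCP Port Scanning attack,203.0.113.5,445,TCP
"""


def parse_alerts(csv_text):
    """Parse an export into dicts with typed time and port fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["time"] = datetime.strptime(row["time"], TIME_FMT)
        row["target_port"] = int(row["target_port"])
        rows.append(row)
    return rows


def prune(rows, now, keep_days=7):
    """Keep only alerts newer than the retention window."""
    cutoff = now - timedelta(days=keep_days)
    return [r for r in rows if r["time"] >= cutoff]


def merge_exports(retained_text, new_text, now, keep_days=7):
    """Combine the retained file with a new export, dedupe, and prune.

    Dedup key is the full row, so re-exporting an overlapping window does not
    double-count alerts.
    """
    seen = {}
    for r in parse_alerts(retained_text) + parse_alerts(new_text):
        key = (r["time"], r["event"], r["source"], r["target_port"], r["protocol"])
        seen.setdefault(key, r)
    return prune(list(seen.values()), now, keep_days)


def to_csv(rows):
    """Serialise rows back to the same CSV layout, oldest first."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(FIELDS)
    for r in sorted(rows, key=lambda r: r["time"]):
        writer.writerow([r["time"].strftime(TIME_FMT), r["event"],
                         r["source"], r["target_port"], r["protocol"]])
    return out.getvalue()


def summarize(rows):
    """Aggregate what the retained window shows: who, which ports, what kind."""
    sources = Counter(r["source"] for r in rows)
    ports = Counter(r["target_port"] for r in rows)
    events = Counter(r["event"] for r in rows)
    return {
        "alerts": len(rows),
        "unique_sources": len(sources),
        "top_sources": sources.most_common(5),
        "top_ports": ports.most_common(5),
        "events": dict(events),
    }


if __name__ == "__main__":
    # In a scheduled job: read the retained file and the new export from disk,
    # write to_csv(merged) back over the retained file, and keep the summary.
    merged = merge_exports(RETAINED_EXPORT, SAMPLE_EXPORT, NOW)
    print(to_csv(merged))
    for k, v in summarize(merged).items():
        print(f"{k}: {v}")
```

Run it from the scheduled task after each export: the retained file never grows past one week of rows, the console still only needs to keep the blocking rule Marcos described, and the summary (unique sources, most-hit ports such as 445 and 3389) is what you would actually look at when deciding whether the traffic pattern has changed.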