port probing

Posted on
Wed Dec 30, 2020 8:21 pm
kw123 offline
Posts: 8335
Joined: May 12, 2013
Location: Dallas, TX

port probing

I got this in my indigo log:

Dec 30, 2020 at 19:01:15
   Error                           XML Parse Error: not well-formed (invalid token)
   Error                           On character 0 of line number 1.
   Client authentication failed - bad XML received (185.156.72.7)
   Client disconnected (185.156.72.7)
   Error                           XML Parse Error: not well-formed (invalid token)
   Error                           On character 0 of line number 1.
   Error                           XML Parse Error: syntax error
   Error                           On character 0 of line number 1.
   Error                           XML Parse Error: not well-formed (invalid token)
   Error                           On character 0 of line number 1.
   Error                           XML Parse Error: not well-formed (invalid token)
   Error                           On character 0 of line number 1.
   Error                           XML Parse Error: not well-formed (invalid token)
   Error                           On character 0 of line number 1.


You can stop a lot of probing on your router: the UniFi controllers have this nice feature:
[Screenshot: Screen Shot 2020-12-30 at 20.07.50.png]


You can block any IP from certain countries (up to 15 countries): under routing&firewall / geo ip filtering, one country after the other, or in threat management click on the countries in the map
-- besides blocking individual IP#s or ranges in routing-firewall/firewall/rules and groups

Karl

and thanks to Matt for pointing me in the right direction.

Posted on
Wed Dec 30, 2020 9:12 pm
Korey offline
Posts: 811
Joined: Jun 04, 2008
Location: Henderson, NV

Re: port probing

Now all you need to do is have your plugin sense that and blacklist / block the IP! :wink:

--
Korey
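
Added example, not part of the original thread and not Indigo or plugin code: a Python sketch of the "sense that and block the IP" idea, which counts the `bad XML received (IP)` lines shown in the first post's log and lists sources that repeat. The function names, the threshold, the `NEVER_BLOCK` networks and the sample log (modelled on the excerpt above) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# In the log excerpt only this line names the remote address; the
# "XML Parse Error" lines carry no source IP and cannot be attributed.
BAD_XML = re.compile(r"Client authentication failed - bad XML received \(([^)]+)\)")

# Assumption: networks that must never end up on a blocklist (loopback, own LAN).
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]

def probe_sources(log_text):
    """Count bad-XML authentication failures per syntactically valid source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        match = BAD_XML.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1).strip())
        except ValueError:
            continue  # log content is influenced by the remote side; skip non-IPs
        hits[addr] += 1
    return hits

def block_candidates(log_text, threshold=2):
    """Return sorted IP strings seen at least `threshold` times, minus NEVER_BLOCK."""
    return sorted(
        str(addr) for addr, count in probe_sources(log_text).items()
        if count >= threshold and not any(addr in net for net in NEVER_BLOCK)
    )

# Constructed sample in the shape of the excerpt above.
SAMPLE_LOG = """\
   Error                           XML Parse Error: not well-formed (invalid token)
   Client authentication failed - bad XML received (185.156.72.7)
   Client disconnected (185.156.72.7)
   Client authentication failed - bad XML received (185.156.72.7)
   Client authentication failed - bad XML received (198.51.100.23)
   Client authentication failed - bad XML received (192.168.1.20)
   Client authentication failed - bad XML received (192.168.1.20)
   Client authentication failed - bad XML received (not-an-ip)
"""

if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG):
        print(ip)
```

The output is a list of candidates to review before adding them to a firewall group; the LAN client and the malformed entry are dropped even though they appear in the log.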

Posted on
Fri Jan 01, 2021 9:45 am
DaveL17 offline
Posts: 6744
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: port probing

I've been getting more of these port probe messages of late, too (as recently as yesterday). I've checked, and I got a series of messages (from the same IP) at almost the same time as Karl, leading me to believe that the offender is sniffing the reflector and not me personally.

On the UniFi front, I can't do the geo-filtering as it requires the hardware offloading that's disabled by Threat Management (not sure why, but it's an either-or). I'm a bit disappointed that there's not an easy way to blacklist a single IP in the firewall. Blocking a whole country seems a bit like swatting a fly with a shotgun, and it seems like a blacklist wouldn't require too much from a resources perspective.

I came here to drink milk and kick ass....and I've just finished my milk.
