

any provider using fortinet devices on there network?

I recently got this from my VPS provider:

Customer,

Your VPS server has been flagged by our monitoring system as a Security Attacks Emitter due to several repeated, excessive intrusion attempts from your system's IP address to other networks. This is a security violation of our systems originating from your VPS IP address.

In order to evaluate the continuity of your account, we require you to provide a detailed explanation of your server's utilization/usage and proper justification.

Attack sampling log:

date=2016-06-19 time=09:20:43 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=119.235.235.80 sessionid=5833375 action=detected proto=6 service="HTTPS" attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52728 dstport=443 hostname=".line-apps.com
date=2016-06-19 time=09:15:15 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=203.104.142.12 sessionid=5803229 action=detected proto=6 service="HTTPS" attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52724 dstport=443 hostname=".line-apps.com
date=2016-06-19 time=09:13:33 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=17.141.5.105 sessionid=5794336 action=detected proto=6 service="HTTPS" attack="OpenSSL.ChangeCipherSpec.Injection" srcport=49371 dstport=443 hostname="gsas.apple.com
date=2016-06-19 time=09:01:31 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=203.104.142.11 sessionid=5725841 action=detected proto=6 service="HTTPS" attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52697 dstport=443 hostname=".line-apps.com
date=2016-06-19 time=08:50:29 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=63.251.98.12 sessionid=5658510 action=detected proto=6 service="HTTPS" attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52479 dstport=443 hostname=".exelator.com
date=2016-06-19 time=08:50:29 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=69.194.244.11 sessionid=5658494 action=detected proto=6 service="HTTPS" attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52471 dstport=443 hostname=".turn.com
date=2016-06-19 time=08:42:09 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=63.251.98.12 sessionid=5603674 action=detected proto=6 service="HTTPS" attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52337 dstport=443 hostname=".exelator.com
date=2016-06-19 time=08:40:06 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=52.204.187.220 sessionid=5592315 action=detected proto=6 service="HTTPS" attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52238 dstport=443 hostname="*.bidswitch.net

But the server is a private VPN server and I don't think it is compromised.

Comments

  • tommy Member

    you asking for ddos protection right?

    ask buyvm

    Let's bet which dot-name will collapse first ;)

  • Nomad Member

    With VPN, I always got a lot of false positives with Snort. They do seem to have a similar system going on and any unusual behaviour will get marked. Lol...


  • Nyr Member

    Your provider requesting an explanation for this is shitty, to say the least, and they look clueless. From the log you pasted, it's just normal traffic.

    @tommy said:
    you asking for ddos protection right?

    No.

  • I have contacted Fortinet and they admit that "a certain level of false positive is unavoidable".

  • dfroe Member, Provider

    Fortinet boxes can be pretty cool - but you have to know how to properly configure them.

    The mentioned IPS pattern is prone to false positives and thus the default action Fortinet suggests for this pattern is monitor (=log) and not block.

    cf. https://forum.fortinet.com/tm.aspx?m=130543

    it-df.net: IT-Service David Froehlich | Individual network and hosting solutions | AS39083 | RIPE LIR services (IPv4, IPv6, ASN)

  • However, my provider insists it's an "attack" and forces me to reinstall the server.

    @dfroe said:
    Fortinet boxes can be pretty cool - but you have to know how to properly configure them.

    The mentioned IPS pattern is prone to false positives and thus the default action Fortinet suggests for this pattern is monitor (=log) and not block.

    cf. https://forum.fortinet.com/tm.aspx?m=130543

  • dfroe Member, Provider

    @maoyipeng said:
    However my provider insists it's an "attack" and force me to reinstall the server.

    Like mentioned before, Fortinet's recommended action for this particular IPS pattern is to log only and not to block; probably because there is a reason for it. Like mentioned in the forum post, there seems to be a certain rate of possible false positives for that pattern.

    Typically you (or in this case your provider) would do some further investigations on that incident to verify whether it had a real security impact or was just a false positive. If configured properly, FortiGates are able to automatically save a pcap file of the relevant packet when the IPS engine detects an attack. You could use that pcap file to prove that there was no real security incident caused by you.

    it-df.net: IT-Service David Froehlich | Individual network and hosting solutions | AS39083 | RIPE LIR services (IPv4, IPv6, ASN)
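The kind of first-pass triage dfroe describes, applied to the FortiGate key=value IPS log format the provider pasted, as an added example that is not from the thread or from Fortinet: it parses each line, tallies which signature fired and whether the action was detect-only or block, and checks whether the events look like ordinary outbound client HTTPS (ephemeral source ports to port 443 on many unrelated hosts), which is the cue to pull the pcap rather than demand a reinstall. The sample lines are constructed from the thread's format (srcip masked as in the post, hostnames made up).

```python
import re
from collections import Counter

# Constructed sample in the FortiGate key=value IPS log format from the thread.
# srcip is masked with X exactly as in the post; hostnames are placeholders.
SAMPLE_LOG = [
    'date=2016-06-19 time=09:20:43 logid=0419016384 type=utm subtype=ips eventtype=signature '
    'level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=119.235.235.80 '
    'sessionid=5833375 action=detected proto=6 service="HTTPS" '
    'attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52728 dstport=443 hostname="a.example.net"',
    'date=2016-06-19 time=09:13:33 logid=0419016384 type=utm subtype=ips eventtype=signature '
    'level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=17.141.5.105 '
    'sessionid=5794336 action=detected proto=6 service="HTTPS" '
    'attack="OpenSSL.ChangeCipherSpec.Injection" srcport=49371 dstport=443 hostname="b.example.net"',
    'date=2016-06-19 time=08:40:06 logid=0419016384 type=utm subtype=ips eventtype=signature '
    'level=alert severity=high srcip=192.171.18.X srccountry="Reserved" dstip=52.204.187.220 '
    'sessionid=5592315 action=detected proto=6 service="HTTPS" '
    'attack="OpenSSL.ChangeCipherSpec.Injection" srcport=52238 dstport=443 hostname="c.example.net"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Turn one FortiGate log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def triage(lines):
    """Summarise IPS events: what fired, whether anything was blocked, and whether the
    traffic shape is outbound client HTTPS (ephemeral src port -> dst port 443)."""
    events = [parse_fortigate_line(l) for l in lines]
    summary = {
        "signatures": Counter(e["attack"] for e in events),
        "actions": Counter(e["action"] for e in events),
        "destinations": sorted({e["dstip"] for e in events}),
        "all_https_to_443": all(e["dstport"] == "443" and e["service"] == "HTTPS" for e in events),
        "ephemeral_src_ports": all(int(e["srcport"]) >= 32768 for e in events),
    }
    # Detect-only hits from one false-positive-prone signature on outbound HTTPS to many
    # unrelated hosts call for a pcap review before anyone declares a compromise.
    summary["needs_pcap_review"] = (
        summary["actions"].keys() == {"detected"}
        and summary["all_https_to_443"]
        and summary["ephemeral_src_ports"]
    )
    return summary


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```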
