Understanding Networks Wk 9: Firewall

Assignment:
“Run a Linux host for several days, with a firewall in place and a public IP address. Make a table of all the IP addresses that attempt to connect to your host. Find out where they are located? What organizations are they associated with? What service providers are providing their IP address?”

a.) Step 1: Using my Digital Ocean Linux Host, I installed and configured the ufw firewall. I enabled the TCP connections on the ports below. I did this by following this super helpful tutorial from the ITP Network Site.

[Screenshot: ufw firewall configuration]

b.) Step 2: I collected a table of all the IP addresses that tried to connect to my host for Nov. 2, Nov. 3, and Nov. 4. I was planning to combine all 3 days’ worth of data into 1 set, but that was just too large and made it hard to manage in Excel.

I decided to just focus on the Nov. 4 data, which was more than enough data points to work with (5,640 unique hits). The below image shows a section of the full dataset.

[Screenshot: section of the Nov. 4 dataset]

c.) Step 3: Using Excel, I was able to find: total hits from all the sources, number of unique sources, and the top 10 most frequent sources (including their IP addresses). The image below shows the results for this.

[Screenshot: Excel summary of hits, unique sources and top 10 sources]

Other Data (Nov 4): 

  • Total Hits from All the Sources: 5,640
  • Number of Unique Sources: 1,111
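As an added example (not part of the original post), the counting done above in Excel can be run directly on the ufw.log lines: the script below parses the `[UFW BLOCK]` entries, counts hits per source, the number of unique sources and the most-probed ports. The log lines embedded in it are constructed samples that reuse the addresses listed on this page, not captured data.

```python
import re
from collections import Counter

# Constructed sample of UFW log lines in syslog format (not real captures).
# Only the fields the summary needs (action, SRC, PROTO, DPT) are kept on
# most lines; the first line shows the full kernel format for reference.
SAMPLE_LOG = """\
Nov  4 00:01:12 host kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=185.156.73.52 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44123 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  4 00:01:15 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=185.176.27.254 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=8080 SYN URGP=0
Nov  4 00:02:40 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=185.156.73.52 DST=10.0.0.5 PROTO=TCP SPT=44124 DPT=3390 SYN URGP=0
Nov  4 00:03:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=80.82.64.73 DST=10.0.0.5 PROTO=TCP SPT=60000 DPT=23 SYN URGP=0
Nov  4 00:03:05 host kernel: [UFW AUDIT] IN=eth0 OUT= SRC=96.250.119.232 DST=10.0.0.5 PROTO=TCP SPT=52000 DPT=22 SYN URGP=0
Nov  4 00:04:17 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=185.156.73.52 DST=10.0.0.5 PROTO=UDP SPT=5060 DPT=5060 LEN=20
"""

# "[UFW BLOCK]", "[UFW ALLOW]", "[UFW AUDIT]" ... followed by the source address.
LINE_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\].*?\bSRC=(?P<src>[0-9a-fA-F.:]+)")
FIELD_RE = re.compile(r"\b(PROTO|DPT)=(\S+)")

def parse_ufw(text):
    """Yield (action, src, proto, dpt) for every UFW line in the log text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a ufw line (other syslog noise)
        fields = dict(FIELD_RE.findall(line))
        yield m["action"], m["src"], fields.get("PROTO"), fields.get("DPT")

def summarize(text, top_n=10, action="BLOCK"):
    """Return (total_hits, unique_sources, top_sources, top_ports) for one action type."""
    srcs, ports = Counter(), Counter()
    for act, src, proto, dpt in parse_ufw(text):
        if act != action:
            continue  # e.g. skip AUDIT lines when counting blocked probes
        srcs[src] += 1
        if dpt:
            ports[f"{proto}/{dpt}"] += 1
    return sum(srcs.values()), len(srcs), srcs.most_common(top_n), ports.most_common(top_n)

if __name__ == "__main__":
    import sys
    # Usage: python ufw_summary.py /var/log/ufw.log  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    total, uniq, top, top_ports = summarize(text)
    print(f"total hits: {total}\nunique sources: {uniq}")
    for src, n in top:
        print(f"{n:6d}  {src}")
    for port, n in top_ports:
        print(f"{n:6d}  {port}")
```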

d.) Step 4: Using ipinfo.io, I tried to find where each of these 10 IP addresses are coming from and the organizations they are associated with.

  • #1 hits: 185.156.73.52
    • Moscow, RU
    • OOO Patent-Media

[Screenshot: ipinfo.io result for 185.156.73.52]

  • #2 hits: 185.176.27.254
    • Moscow, RU
    • Balkan Internet Exchange Ltd

[Screenshot: ipinfo.io result for 185.176.27.254]

  • #3 hits: 185.156.73.52
    • Moscow, RU
    • Balkan Internet Exchange Ltd

[Screenshot: ipinfo.io result for 185.176.27.162]

  • #4 hits: 80.82.64.73
    • Amsterdam, NL
    • Incrediserve.net

[Screenshot: ipinfo.io result for 80.82.64.73]

Side note: Incrediserve.net is an IP Trading company! This is a dumb question, but do they mean ip addresses or ip as in intellectual property? 

[Screenshot omitted]

  • #5 hits: 96.250.119.232
    • New York City, NY
    • MCI Communications Services, Inc. Verizon Business

[Screenshot: ipinfo.io result for 96.250.119.232]

e.) Step 5: Reflection.

UM, why is someone from Russia constantly hitting my IP address?! And so many times in 1 day! Is this maybe tied with the hacking of our elections? Tried to look into this a little and found this forum. Seems like some people on the forum say it is “normal” to get probes from many countries like Russia, China, Vietnam, etc. Basically, I shouldn’t let my biases get in the way, even though my top 3 places that hit me are from Russia.

Thank You: 

  • So much gratitude to Rashida for answering my many questions about this!
  • Thank you for the straightforward guide to setting up the firewall and iptables, Professor Tom! By initially trying to do this assignment without the guide, I have realized how confusing the process of setting up a firewall and configuring iptables could have been. The internet has so many resources, but not all structured so well!

Helpful Resources for Understanding UFW (initially, I forgot about the ITP tutorial above, so I found some forums/helpful links online to try to understand what to do):

Lines to remember:

sudo dmesg | grep '\[UFW'      # ufw entries from the kernel ring buffer
grep UFW /var/log/syslog       # the same entries as recorded by syslog
cd /var/log                    # ufw also keeps its own log file here
sudo tail ufw.log              # last few lines of the ufw log

remember:
scp root@.....:/var/log/ufw.log .   # copy the log from the host into the current local directory