CPUG: The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
I am running Check Point NGFP3 on Nokia IP 350. I am getting the below log on the syslog server. What is the meaning of this log? Is someone trying to get access to the firewall? How can I trace the source IP?

-------------------------------------------------------------------------
Feb 9 09:28:39 FW02 [LOG_ERR] PAM_unix[542]: bad username [*** W A ]
Feb 9 09:28:39 FW02 [LOG_ERR] PAM_unix[542]: bad username [ |]
Feb 9 09:28:39 FW02 [LOG_ERR] PAM_unix[542]: bad username [| ]
Feb 9 09:28:39 FW02 [LOG_ERR] PAM_unix[542]: bad username [| This ]
Feb 9 09:28:44 FW02 [LOG_ERR] PAM_unix[542]: bad username [| to au]
Feb 9 09:28:54 FW02 [LOG_ERR] PAM_unix[542]: bad username [| attem]
Feb 9 09:29:09 FW02 [LOG_ERR] PAM_unix[542]: bad username [| respo]
Feb 9 09:29:29 FW02 [LOG_ERR] PAM_unix[542]: bad username [| If yo]
Feb 9 09:29:54 FW02 [LOG_ERR] PAM_unix[542]: bad username [| ]
Feb 9 09:30:24 FW02 [LOG_ERR] PAM_unix[542]: bad username [+-------]
Feb 9 09:30:24 FW02 [LOG_NOTICE] PAM_unix[542]: 1 LOGIN FAILURE ON ttyd0
Feb 9 09:30:24 FW02 [LOG_NOTICE] PAM_unix[542]: 1 LOGIN FAILURE ON ttyd0, +-------
Feb 9 09:30:29 FW02 [LOG_ERR] PAM_unix[10347]: bad username [$G^G^G^G]
Feb 9 09:31:02 FW02 [LOG_ALERT] PAM_unix[10347]: check pass; user unknown
Feb 9 09:31:02 FW02 [LOG_NOTICE] PAM_unix[10347]: authentication failure; root(uid=0) -> G^G^G^G^ for login service
Feb 9 09:31:04 FW02 [LOG_ERR] PAM_unix[10347]: auth_pam: Authentication service cannot retrieve authentication info.
Feb 9 09:31:15 FW02 [LOG_ALERT] PAM_unix[10347]: check pass; user unknown
Feb 9 09:31:15 FW02 [LOG_NOTICE] PAM_unix[10347]: authentication failure; root(uid=0) -> n failed for login service
Feb 9 09:31:16 FW02 [LOG_ERR] PAM_unix[10347]: auth_pam: Authentication service cannot retrieve authentication info.
Feb 9 09:31:18 FW02 [LOG_ALERT] PAM_unix[10347]: check pass; user unknown
Feb 9 09:31:18 FW02 [LOG_NOTICE] PAM_unix[10347]: authentication failure; root(uid=0) -> Verifica for login service
Feb 9 09:31:20 FW02 [LOG_ERR] PAM_unix[10347]: auth_pam: Authentication service cannot retrieve authentication info.
Feb 9 09:31:33 FW02 [LOG_ALERT] PAM_unix[10347]: check pass; user unknown
Feb 9 09:31:33 FW02 [LOG_NOTICE] PAM_unix[10347]: authentication failure; root(uid=0) -> n failed for login service
Feb 9 09:31:35 FW02 [LOG_ERR] PAM_unix[10347]: auth_pam: Authentication service cannot retrieve authentication info.
Feb 9 09:31:46 FW02 [LOG_ERR] PAM_unix[10347]: bad username [ failed.]
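As an added example (not part of the thread), a small Python parser over the PAM_unix lines quoted above: it groups the failures by the login process PID, pulls out the tty named in the LOGIN FAILURE line, and flags runs of box-drawing fragments submitted as usernames. The tty naming rule (ttyd* serial line, ttyp*/pts* pseudo-terminal) and the pasted-banner heuristic are assumptions of this example, not documented IPSO behaviour.

```python
import re

# Sample lines copied from the post above (a subset). The parsing rules and
# the tty classification are this example's own assumptions, not IPSO's.
SAMPLE_LOG = """\
Feb 9 09:28:39 FW02 [LOG_ERR] PAM_unix[542]: bad username [| This ]
Feb 9 09:28:44 FW02 [LOG_ERR] PAM_unix[542]: bad username [| to au]
Feb 9 09:30:24 FW02 [LOG_NOTICE] PAM_unix[542]: 1 LOGIN FAILURE ON ttyd0
Feb 9 09:30:29 FW02 [LOG_ERR] PAM_unix[10347]: bad username [$G^G^G^G]
Feb 9 09:31:02 FW02 [LOG_NOTICE] PAM_unix[10347]: authentication failure; root(uid=0) -> G^G^G^G^ for login service
Feb 9 09:31:46 FW02 [LOG_ERR] PAM_unix[10347]: bad username [ failed.]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) \[(?P<sev>\w+)\] "
                     r"PAM_unix\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BAD_USER_RE = re.compile(r"bad username \[(?P<name>.*)\]$")
LOGIN_FAIL_RE = re.compile(r"LOGIN FAILURE ON (?P<tty>\w+)")
AUTH_FAIL_RE = re.compile(r"authentication failure; .* -> (?P<name>.*?) for login service")

def classify_tty(tty):
    """Assumed BSD-style names: ttyd* is a serial line (local console, so no
    source IP exists to trace); ttyp*/pts* are pseudo-terminals used by SSH."""
    if tty is None:
        return "unknown"
    if tty.startswith("ttyd"):
        return "serial console"
    return "pseudo-terminal" if tty.startswith(("ttyp", "pts")) else "other"

def summarize(log_text):
    """Group PAM_unix failures by the login process PID that reported them."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a PAM_unix line; ignore
        s = sessions.setdefault(m["pid"], {"bad_usernames": [], "failures": 0, "tty": None})
        if bu := BAD_USER_RE.search(m["msg"]):
            s["bad_usernames"].append(bu["name"])
        elif lf := LOGIN_FAIL_RE.search(m["msg"]):
            s["failures"] += 1
            s["tty"] = lf["tty"]
        elif af := AUTH_FAIL_RE.search(m["msg"]):
            s["failures"] += 1
            s["bad_usernames"].append(af["name"])
    for s in sessions.values():
        s["source"] = classify_tty(s["tty"])
        # '|' and '+---' fragments as usernames look like a pasted text banner, not guessed names.
        s["pasted_text"] = sum(n.strip().startswith(("|", "+-"))
                               for n in s["bad_usernames"]) >= 2
    return sessions
```

A session whose tty is a serial line has no network source to trace; one on a pseudo-terminal should be correlated with the stealth-rule log for the same timestamp.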
Access to the firewall itself should be limited by a rule so only the IP addresses of the administrators can access it to log in. Logging on that rule would tell you who it is. From the first lines of the text it looks almost like a script or someone messing with you.

Ray
Hmm... are you opening up SSH to the outside?? You should stealth your firewall from the Internet, man... I once saw this too... continuously for 5 days... on the 5th day... my firewall couldn't take it any more and hung... haha...
Yes, I do have the stealth rule with logging. Apart from that I have access lists on the Internet routers as well. I do not see any TCP connections from outside to the firewall, even though there are some UDP connection attempts to the firewall which are passing through the router ACLs and reaching the firewall.

Last edited by avilT; 2008-02-16 at 22:43.
Did you log the stealth rule?? Ensure the rules are right on top, but below your VPN rules, mgmt rules etc... Is the logging for the other rules working?? If so, I would think that stealth rule is not logged... Try to SSH into your firewall... then do "fw ctl zdebug drop", then try to run an SSH from the Internet and see if it's logged. You can also do the same with tcpdump or fw monitor...