Incoming traffic filter

 
 
Harley, 03-31-2010, 11:37 AM
I have a Dlink DIR-655 that is installed ahead of a video router for a cable
TV channel. I need to be able to telnet to it from only two outside IP
addresses, but I keep getting video router logs full of jackasses from
Russia, Turkey and many other places trying to hack into the video router
thinking it's a computer. It makes it very hard to pick out the log's
operational messages for the TV channel, and it makes the logs over a mb in
size every month.

I've tried to filter incoming IPs by denying whole class A ranges, but it's
like motorboating in a strainer - they pop up faster than I can bail. I
tried adding the two IPs I need as 'allowed' but that still leaves the whole
world as not 'denied'. Does anyone know a solution to denying all IP
addresses and only allowing the two needed ones for access through the Dlink
router?


 
atec7 7, 03-31-2010, 11:30 PM
So can you do a block all then add two exceptions?
 
Harley, 04-17-2010, 01:43 PM
I don't think so. I've been toying with the idea of deleting all the 'deny'
IP ranges and just putting a few 'allow' numbers in the inbound filter list
to see what would happen, but I think it would just open the floodgates to
all the jackasses in the world to keep hammering all night long on my log
files in a useless attempt to gain access to a device that isn't even a
computer.

Dlink hasn't been any help at all. I keep emailing back and forth to some
camel jockey that to this day hasn't even hit on what my problem is, let
alone how to fix it. Last email I had from them they changed the reply
address so the email bounced.

A friend of mine who is the IT Director for a major manufacturing company
tells me he's got a closet full of Cisco routers that were changed out with
the latest and greatest. They have the capability to 'deny all' and then
'allow' only certain IP numbers through the firewall. He says I can have one
for free. I'll probably go with that and give up on Dlink - permanently.


 
Char Jackson, 04-17-2010, 04:53 PM
On Sat, 17 Apr 2010 13:43:28 GMT, "Harley" wrote:

>I don't think so. I've been toying with the idea of deleting all the 'deny'
>IP ranges and just putting a few 'allow' numbers in the inbound filter list
>to see what would happen, but I think it would just open the floodgates to
>all the jackasses in the world to keep hammering all night long on my log
>files in a useless attempt to gain access to a device that isn't even a
>computer.


Who cares about the jackasses who hammer all night long? If it weren't
for the log file, would you even notice? Just ignore it and move on
with your life.

>Dlink hasn't been any help at all. I keep emailing back and forth to some
>camel jockey that to this day hasn't even hit on what my problem is, let
>alone how to fix it. Last email I had from them they changed the reply
>address so the email bounced.
>
>A friend of mine who is the IT Director for a major manufacturing company
>tells me he's got a closet full of Cisco routers that were changed out with
>the latest and greatest. They have the capability to 'deny all' and then
>'allow' only certain IP number through the firewall. He says I can have one
>for free. I'll probably go with that and give up on Dlink - permanently.


Where do I sign up for a free Cisco router?

 
Harley, 04-18-2010, 12:13 PM
It gets to be a physical storage problem when the log files grow by about
4mb per night. The video router where these files are generated is limited
in the size of the hard drive it uses to playback mpeg files. When the log
files take up too much space the video switcher/router freezes up and stops
working. So does the cable channel it operates.

As for the 'free router' you have to know someone in the IS dept. at an
international manufacturing company where they upgrade their equipment
periodically to keep jackasses from filling up their security log files with
bot-driven attempts to access servers that don't belong to them, and are none
of their business to access.

I've been researching the James Bond documentary, "Goldeneye" in order to
find out what mechanism Boris used to 'spike dem.'





 
Bob K, 04-18-2010, 05:43 PM

I've been scratching my head over this one, since you should be able to
control this!

I finally took a look at the manual for the DIR-655. Unfortunately, I
don't know what the video router is, so I don't know how much
configuration you might be able to do with that.

But, here are some thoughts -- that may, or may not help.

First, if you were able to modify the telnet port the video router
listens on, that would be a big plus!

You have port forwarding available to you in the DIR-655. I assume you
are using that to forward just the telnet port (port 23 I think) to the
video router. Most of the hacking I see here usually is on port 80 --
but there is some on telnet ports, also.

If you could get the video router to listen for telnet connects on some
other port, and just forward that port to it -- then you would have
things under control. Most telnet clients let you specify any port you
want. I use PuTTY, and I know it does.

With port forwarding in the DIR-655, you can specify an inbound filter
rule. Wouldn't this do exactly what you are looking for? I am seeing
"Each rule can either ALLOW or DENY access from the WAN.", followed by
"Up to eight ranges of WAN IP addresses can be controlled by each rule."

It would seem that setting up port forwarding for telnet, with a rule
for just your WAN IP addresses would do what you want.

As a side note, I run a seldom used web server here. The number of
hackers going after the port 80 were absurd. And my port 80 was being
used in DoS attacks on other machines, in a way it would never show in
logs. I changed the server to listen on a different port, and set up a
port translation in my DYNDNS account. People can still connect to my
server with a standard URL, but any attempt to my IP address fails.

When you get things so you think they are working right, go to
http://grc.com and do a port scan on your system. That will tell you
what ports you might still have open that are visible to the hackers --
you want none. You want no visibility that you have a computer there!
No response to pings, or any normally used ports.

One router I had insisted on responding to one particular port --
something to do with identification. I ended up port forwarding that
port to a non-existent IP on my LAN. End of problem there!

By all means, keep us all posted on how you make out, and how you
finally solve the problem.

...Bob


 
Bob K, 04-18-2010, 07:13 PM

To add to my previous message. . .

The DIR-655 also will do port translation. That is covered under the
Virtual Server section of the manual.

That would allow you to telnet in to your DIR-655 on some port known only
to you (like 6000) and let the DIR-655 translate that to the port
(probably 23) that the video router is listening on.

Hackers attempting to use your port 23 could be sent to the never-never
land, and all they would ever get is deafening silence.

...Bob
 
Char Jackson, 04-18-2010, 07:48 PM
On Sun, 18 Apr 2010 12:13:55 GMT, "Harley" wrote:

>It gets to be a physical storage problem when the log files grow by about
>4mb per night. The video router where these files are generated is limited
>in the size of the hard drive it uses to playback mpeg files. When the log
>files take up too much space the video switcher/router freezes up and stops
>working. So does the cable channel it operates.


There are so many options here, I barely know where to start. Generate
the logs somewhere else, rather than on the same hard drive with your
mpeg files. If they can't be generated elsewhere, (hard to believe),
periodically move them elsewhere with a script. Tail the logs. Scrub
the logs. The point I'm trying to make is if the logs are a problem,
deal with the logs. Don't attack the problem by upgrading the
hardware.

>As for the 'free router' you have to know someone in the IS dept. at an
>international manufacturing company where they upgrade their equipment
>periodically to keep jackasses from filling up their security log files with
>bot-driven attempts to access servers that don't belong to them, and are none
>of their business to access.


Frankly, I can't believe there are IS departments incompetent enough
to upgrade hardware to get around a logging issue. Congrats if you've
found one. I don't blame you for not sharing their name.
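Char Jackson's point about dealing with the logs rather than the hardware, as an added example that is not part of the original post: a Python script that splits a device log into operational events and login noise, tallies failed attempts per source, and flags any successful login from an address that is not one of the operator addresses. The log format, the operator addresses and the sample lines are constructed, since the MVP-2000's real format is not shown in the thread, so parse_access() would need adjusting to match the real device.

```python
# Added example, not the MVP-2000's or D-Link's code: triage of a device log
# that mixes switching events with remote-login noise. The log format below is
# constructed for illustration; the real MVP-2000 format is not shown in the
# thread, so parse_access() would need adjusting to match it.
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample lines: operational events plus telnet/ftp login attempts.
SAMPLE_LOG = [
    "2010-04-17 23:01:12 SWITCH input 3 -> output 1 (cue 0412)",
    "2010-04-17 23:01:14 TELNET login failed from 192.0.2.55",
    "2010-04-17 23:01:15 TELNET login failed from 192.0.2.55",
    "2010-04-17 23:02:40 FTP login failed from 198.18.0.9",
    "2010-04-17 23:05:00 TELNET login ok from 203.0.113.10",
    "2010-04-17 23:05:30 PLAYBACK started spot_0431.mpg",
    "2010-04-17 23:07:02 TELNET login failed from 100.64.0.3",
    "2010-04-17 23:08:10 TELNET login ok from 100.64.0.3",
]

# The two addresses that are supposed to manage the device (constructed).
OPERATORS = {"203.0.113.10", "198.51.100.20"}

ACCESS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<svc>TELNET|FTP) login (?P<result>ok|failed) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_access(line: str):
    """Return the match groups for a remote-login line, or None for anything else."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def triage(lines: Iterable[str], operators: Iterable[str]) -> Dict[str, object]:
    """Split a log into what the operator needs and what is just probing noise.

    operational: switching/playback events and logins from known operators
    noise:       every login line from anyone else (move it off the device)
    failed_by_source: failed-login count per source, for the monthly tally
    alerts:      successful logins from sources that are NOT operators
    """
    operators = set(operators)
    operational: List[str] = []
    noise: List[str] = []
    failed: Counter = Counter()
    alerts: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        rec = parse_access(line)
        if rec is None or rec["src"] in operators:
            operational.append(line)      # keep the audit trail of real sessions
            continue
        noise.append(line)
        if rec["result"] == "failed":
            failed[rec["src"]] += 1
        else:
            alerts.append(line)           # a stranger got in: this is the real finding
    return {"operational": operational, "noise": noise,
            "failed_by_source": dict(failed), "alerts": alerts}


def top_offenders(failed_by_source: Dict[str, int], n: int) -> List[tuple]:
    """The n sources with the most failed logins, most active first."""
    return sorted(failed_by_source.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def scrub_file(log_path: str, noise_path: str, operators: Iterable[str]) -> Dict[str, object]:
    """Rewrite log_path with only operational lines; append the noise elsewhere.

    noise_path should live on a different volume than the mpeg playback disk,
    which is the point about moving the logs off the device.
    """
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        result = triage(fh, operators)
    with open(noise_path, "a", encoding="utf-8") as fh:
        fh.writelines(l + "\n" for l in result["noise"])
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.writelines(l + "\n" for l in result["operational"])
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, OPERATORS)
    print("kept", len(r["operational"]), "lines; moved", len(r["noise"]), "lines")
    print("busiest sources:", top_offenders(r["failed_by_source"], 3))
    for a in r["alerts"]:
        print("ALERT:", a)
```

Run as a nightly job, scrub_file() keeps the playback disk from filling while nothing is actually discarded: the noise goes to another volume where it can still be counted. The alerts list is the one thing worth reading every morning, since a successful login from an address that is not one of the two operators is the event the filtering was meant to prevent.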

 
Harley, 04-19-2010, 04:21 PM
The port forwarding and/or translation is something I've been thinking about
trying. One restriction I face is that the video router (an MVP-2000) is not
configurable with its log file locations, port assignments, etc. It has one
hard drive and everything goes in the same place. Trying to pick out video
switching events from tons of access attempts makes the logs
useless. Unfortunately the replacement technology for this device runs
somewhere over $8,000.

Another commenter had some negative comments about a large company that
upgrades its routers to the latest and greatest technology. I suggest if
that person knew what kind of business they do, and how much of it, you
would reserve your unhelpful comments. Even the cast-off older tech routers
from this company will be massively more versatile than the consumer grade
stuff you get at Best Buy. I'm hoping I can get my mitts on one.

One of the limitations of the Dlink is that the inbound filter list fills up
quickly, only allowing 24 entries. The gross limitation of the DIR-655 is
that you can't 'deny all' and then 'allow' only the IP addresses you need. I
don't get why they don't have a checkbox for 'deny all' and then allow
according to inbound filtering rules. After all, that's what a firewall is
supposed to do!

Since the MVP-2000 only responds to the manufacturer's remote client
software, which only looks on port 21 for ftp and port 23 for telnet, I'm
unable to really do much with that. I can, however, manually change the
MVP's internal IP address and subnet. I have reduced the log file abuse by
filling up the inbound filter table, but even that doesn't work right. I've
got a tech support issue that Dlink is currently dealing with, where some of
the Class A IP ranges that are banned are still getting through the
firewall. I'd say that's a flaw in their product!

I'll be sure to post the results of both the tech support issue and if I'm
able to devise a workaround to the port 21/23 issue.




 
Bob K, 04-19-2010, 05:07 PM
OK, Harley. . .

Let me do some guessing on how I would try. This may not work out --
the documentation I am looking at may not be accurate for the hardware
you have (boy, that happens a lot!), but on the other side of the coin,
you have the hardware so you can experiment with it!

Page 34 covers the port forwarding setup. You can specify either a
port, or range of ports (or apparently a list). I would try 21, 23 and
see if that gets accepted. If not, either 21-23, or make two entries --
one for 21 and one for 23.

I am guessing that the remote addresses you need to allow are for the
manufacturer's remote client (not your application), so the port
translation isn't going to help. You can't get them to play those games
just for you!

With the port forwarding, you can name a filter to use. I think (again,
maybe wrong!) that if you set up a filter listing the two IP addresses
that are OK, and specify ALLOW for those (I'm looking at page 42), that
only traffic from those IP addresses should port forward to the MVP-2000.

I don't know if you have any other things running that would require you
to additionally do any other port forwarding. I'm going to assume not.

One question I have, how is the inbound traffic (mostly from hackers)
finding its way to the MVP-2000 now? You must have something set up to
direct inbound traffic to the video router. Normally connect requests
coming in to a router get dropped unless it is told what to do with them.

If the MVP-2000 is the end that originates the traffic, then maybe you
don't need to do any inbound port forwarding. That is another ball
game! Just like when your computer connects to web site, the replies
come back to your computer.

From what I have seen, your Dlink router has plenty of capability --
assuming things work like the book says. Unfortunately, that isn't
always the case :-(

...Bob
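The port-forwarding-plus-inbound-filter setup Bob K describes in his 04-18 and 04-19 posts, and Harley's 'deny all, then allow two addresses' requirement, as an added example that is not D-Link's code or anything from the thread: a Python model of a virtual-server entry with an attached ALLOW or DENY filter, run over constructed connection attempts so the configurations discussed in the thread can be compared side by side. The filter semantics ('ALLOW or DENY access from the WAN', 'up to eight ranges per rule') follow the manual text Bob quotes; the LAN host, the addresses and the rule objects themselves are assumptions of the example, not the router's real firmware.

```python
# Added example, not D-Link's code or documentation: a small model of how a
# virtual-server / port-forwarding entry with an attached inbound filter (the
# DIR-655 features quoted in the thread) decides what happens to an unsolicited
# connection arriving on the WAN side. All hosts and addresses are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class InboundFilter:
    """One inbound filter rule: ALLOW or DENY, applied to up to eight WAN ranges."""
    action: str              # "ALLOW" or "DENY", as the manual describes
    ranges: List[str]        # CIDR strings; single hosts as /32

    def __post_init__(self):
        if self.action not in ("ALLOW", "DENY"):
            raise ValueError("action must be ALLOW or DENY")
        if len(self.ranges) > 8:
            raise ValueError("the manual allows up to eight ranges per rule")
        self._nets = [ip_network(r) for r in self.ranges]

    def permits(self, src: IPv4Address) -> bool:
        listed = any(src in net for net in self._nets)
        # ALLOW passes only listed sources; DENY passes everything except them.
        return listed if self.action == "ALLOW" else not listed


@dataclass
class Forward:
    """Virtual-server entry: WAN port -> LAN host:port, with an optional filter."""
    wan_port: int
    lan_host: str
    lan_port: int
    filt: Optional[InboundFilter] = None


def decide(forwards: List[Forward], src: str, dst_port: int) -> str:
    """Return 'forward:<host>:<port>' or 'drop' for one unsolicited WAN packet.

    With no matching forwarding entry the router has nowhere to send the
    packet and drops it, which is the default-deny Harley was asking for.
    """
    source = ip_address(src)
    for f in forwards:
        if f.wan_port == dst_port:
            if f.filt is None or f.filt.permits(source):
                return f"forward:{f.lan_host}:{f.lan_port}"
            return "drop"
    return "drop"


def summarize(forwards: List[Forward], attempts: List[Tuple[str, int]]) -> dict:
    """Count how many attempts reach the LAN host and how many are dropped."""
    counts = {"forwarded": 0, "dropped": 0}
    for src, port in attempts:
        key = "forwarded" if decide(forwards, src, port) != "drop" else "dropped"
        counts[key] += 1
    return counts


# Constructed scenario: the video router sits at a private LAN address and the
# two operator addresses come from the RFC 5737 documentation ranges.
MVP = "192.168.0.50"
OPERATORS = ["203.0.113.10", "198.51.100.20"]
ALLOW_OPERATORS = InboundFilter("ALLOW", [f"{ip}/32" for ip in OPERATORS])

# Constructed inbound attempts: two operator sessions (telnet and ftp) and a
# handful of login probes from unrelated sources.
ATTEMPTS = [
    ("203.0.113.10", 23), ("198.51.100.20", 21),
    ("192.0.2.55", 23), ("192.0.2.77", 23),
    ("198.18.0.9", 23), ("100.64.0.3", 23), ("198.18.0.9", 80),
]

# 1. Bare forward of telnet with no filter: every probe on 23 reaches the MVP.
OPEN_FORWARD = [Forward(23, MVP, 23)]
# 2. The thread's deny-list approach: a DENY filter on one probing range still
#    lets every source that is not listed through.
DENY_LIST = [Forward(23, MVP, 23, InboundFilter("DENY", ["192.0.2.0/24"]))]
# 3. ALLOW filter naming only the two operators on both forwarded ports; no
#    other source matches, and ports with no entry are dropped anyway.
ALLOW_LIST = [Forward(21, MVP, 21, ALLOW_OPERATORS),
              Forward(23, MVP, 23, ALLOW_OPERATORS)]
# 4. Same allow-list plus port translation (external 6000 -> internal 23): a
#    probe on 23 finds no entry at all, an operator on 6000 lands on the MVP's 23.
TRANSLATED = [Forward(6000, MVP, 23, ALLOW_OPERATORS)]

if __name__ == "__main__":
    for name, rules in [("open forward", OPEN_FORWARD), ("deny list", DENY_LIST),
                        ("allow list", ALLOW_LIST)]:
        print(f"{name:13s}", summarize(rules, ATTEMPTS))
    print("translated, operator on 6000:", decide(TRANSLATED, "203.0.113.10", 6000))
    print("translated, probe on 23:     ", decide(TRANSLATED, "192.0.2.55", 23))
```

The comparison makes the thread's two findings concrete: a DENY list only ever covers the ranges someone has typed in, so the 24-entry table fills up without closing the door, while an ALLOW filter naming two hosts needs two entries and leaves everything else to the router's default drop. The TRANSLATED case is Bob K's port translation idea, and it carries his own caveat: it only helps if the client can be pointed at the external port, and Harley reports the MVP-2000's vendor client is fixed to 21 and 23, which is why the ALLOW filter on those two ports is the configuration that fits the thread.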





 