Security Alarm Intrusion

KH6XX

I operate remotely and have UPnP activated on my router. The past few days I have begun receiving the following message: " Nmap Scriting Engine - TLS Handshake was blocked. No action is required the intrusion attempt was blocked. This feature detects abnormal behaviors and blocks attempted connections. Review the details for more information. Source IP 167.172.99.9, Client Device Flex TGXL1, Action BLOCK". I do port forwarding to be able to access the TGXL.

Received the same message multiple times but with IP address of 118.194.250.22

How concerned should I be? Should I deactivate UPnP? How far into my LAN have they accessed? How can this be stopped?

Randy KH6XX

Mike-VA3MW

The TGXL does not do uPNP rules, so that was not generated by the radio.

Did you do a manual port forward for remote operation of your TGXL?

KH6XX

Yes, I am doing a manual port forward for the TGXL. These notifications are coming from my ISP, not from the Flex equipment.

I also am getting a security alarm "Nmap Scripting Engine - Service Escape Character Probe was blocked". The IP address was that of my local PC and client device on the alarm indicated the name of that PC. The action indicated BLOCK. My ISP is using "ProtectIQ". There are two Intrusion settings available that are not enabled now. One is IPS Protocol Anomaly and the other is IPS Port-Scan Defense. Should these be enabled?

Mike-VA3MW

yep, I understand that part.

We have no experience with those products, what they do and how they work.

Others may be able to offer an opinion. Sorry

KH6XX

This "Nmap Scripting Engine TLS Handshake was blocked" appears to only be happening on the TGXL and none of the other Flex devices being accessed remotely.