AiProtection - is it possible to track the internal IP address?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Martin - SNBuser

Regular Contributor
Hi,

I just upgraded the firmware, reinstalled Entware and enabled AiProtection - and I suddenly receive a LOT of "Alert type : Vulnerability Protection" emails - maybe 15-20 per day. It is too much. The email contains the source IP (which I ran whois on, and I can see there are a lot of "DigitalOcean, LLC" IP addresses) and the destination IP is the WAN side of my router...

Now, I'm curious to know - is there an easy way to know which of my devices behind NAT routing is responsible for all these connections to DigitalOcean servers? I'm a bit tired of all these "RT-AC87U's AiProtection detected suspicious networking behavior and prevented your device making a connection to a malicious website (see above and the attached log for details)" emails, and besides, I'm curious to know if this is a legitimate connection - or something I should block with iptables. I have several IoT devices: Chromecast, Netatmo, LIFX lights, and I suspect maybe one of these devices is the culprit - but I don't know how I can investigate this, as I imagine the same second AiProtection sees an attempt to e.g. IP address 159.65.179.135, it would be blocked...

At least I tried:
Code:
# -n keeps addresses numeric; without it netstat reverse-resolves them, so grepping for the raw IP can miss matches
netstat -n | grep 159.65.179.135
But it shows nothing... This IP address has been blocked around 7 times in the past 8 hours, so approximately 1 attempt or AiProtection email every hour. But then the IP address changes, so I guess this device has a list of several DigitalOcean IP addresses it could try...

Any ideas you could share with me? I would be happy to learn :)
I also just installed snort (2.9.11.1-5) on the router, but I have no experience in using this - I would be happy if this can be used to e.g. trace a device on my LAN doing something like this (and I think it can, but I haven't learned how yet)...
 
Seems like that IP is blocked by a lot of blocklists under the category “Scanners”.

Edit: Also included in MIRAI botnet related blocklists
 
I also had AiProtection in the previous firmware version - I didn't receive these emails (and I didn't remove/add devices). Then I just updated the firmware, re-enabled AiProtection and now I receive a lot of these warnings. So I'm very interested in learning how I can "track" which of my devices are sending these queries out through the NAT firewall in the router... It could also be a mobile phone, maybe a slightly old Android phone... I would be grateful to learn how to track this device!
 
I don’t think it’s anything in your network. If it were the src and dst would be reversed.

I think you never updated the signature and, with the firmware upgrade, all of a sudden you have a newer signature than before, hence getting all the alerts.

Now some general ways to track this down would be DNS logs, iptables logs, tcpdump etc.
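The "iptables logs, tcpdump" suggestion above, made concrete as an added example (this is not code from the thread or from the router firmware). The first helper reads a kernel LOG line and decides who started the flow: IN=eth0 with an empty OUT= means the packet was addressed to the router's own WAN IP (the src/dst pattern in the alerts quoted in this thread), so no LAN host is behind it; IN=eth0 OUT=br0 is a forwarded port; IN=br0 OUT=eth0 is a LAN host going out. The second helper reads /proc/net/nf_conntrack records and lists the LAN hosts that opened flows towards a given remote IP, using the fact that the first src=/dst= pair of a record is the pre-NAT original direction. It assumes eth0 is the WAN interface, br0 the LAN bridge and 192.168.1.0/24 the LAN, as elsewhere in this thread; the log lines, the conntrack records and the LAN hosts 192.168.1.20/192.168.1.55 are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): answer "which side started this flow,
# and which LAN host is behind it?" from iptables LOG lines and conntrack records.
# Interface names and the LAN range follow the thread; all sample data below is
# constructed.
WAN_IF="eth0"
LAN_PREFIX="192.168.1."

# field LINE KEY: print the value of KEY=... in a kernel LOG line ("" if absent).
# Such lines come from e.g.: iptables -I FORWARD -d <remote-ip> -j LOG --log-prefix "TRACE: "
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify_direction LINE: print "<kind> src=... dst=..." based on IN=/OUT=.
# IN=WAN with no OUT= is the INPUT chain: a packet for the router's own WAN IP,
# nothing behind the NAT to track down.
classify_direction() {
    in_if=$(field "$1" IN)
    out_if=$(field "$1" OUT)
    src=$(field "$1" SRC)
    dst=$(field "$1" DST)
    if [ "$in_if" = "$WAN_IF" ] && [ -z "$out_if" ]; then
        kind="inbound-to-router"
    elif [ "$in_if" = "$WAN_IF" ]; then
        kind="inbound-forwarded"      # port forward / UPnP: dst is a LAN host
    elif [ "$out_if" = "$WAN_IF" ]; then
        kind="outbound-from-lan"      # src is the LAN host to investigate
    else
        kind="other"
    fi
    echo "$kind src=$src dst=$dst"
}

# lan_hosts_for REMOTE_IP: read /proc/net/nf_conntrack records on stdin and print
# the LAN hosts whose flows were opened towards REMOTE_IP. The first src=/dst=
# pair is the original direction (before NAT), so outbound flows still show the
# private address; inbound hits on the WAN IP have the remote host as first src=
# and are therefore not reported.
lan_hosts_for() {
    awk -v ip="$1" -v lan="$LAN_PREFIX" '
    {
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && s == "") s = substr($i, 5)
            else if ($i ~ /^dst=/ && d == "") d = substr($i, 5)
        }
        if (d == ip && index(s, lan) == 1) print s
    }' | sort -u
}

# Constructed sample data (remote IPs are the ones quoted in the thread;
# 192.168.1.20 and 192.168.1.55 are made-up LAN hosts).
SAMPLE_INBOUND='kernel: TRACE: IN=eth0 OUT= SRC=159.65.179.135 DST=83.88.69.191 LEN=40 PROTO=TCP SPT=41234 DPT=23'
SAMPLE_FORWARDED='kernel: TRACE: IN=eth0 OUT=br0 SRC=159.89.45.14 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=53412 DPT=80'
SAMPLE_OUTBOUND='kernel: TRACE: IN=br0 OUT=eth0 SRC=192.168.1.55 DST=104.244.73.53 LEN=60 PROTO=TCP SPT=50210 DPT=443'
SAMPLE_CONNTRACK='ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.55 dst=104.244.73.53 sport=50210 dport=443 src=104.244.73.53 dst=83.88.69.191 sport=443 dport=50210 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 119 SYN_SENT src=159.65.179.135 dst=83.88.69.191 sport=41234 dport=23 [UNREPLIED] src=83.88.69.191 dst=159.65.179.135 sport=23 dport=41234 mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=104.244.73.53 sport=40100 dport=443 src=104.244.73.53 dst=83.88.69.191 sport=443 dport=40100 [ASSURED] mark=0 use=1'

for line in "$SAMPLE_INBOUND" "$SAMPLE_FORWARDED" "$SAMPLE_OUTBOUND"; do
    classify_direction "$line"
done
echo "LAN hosts talking to 104.244.73.53:"
printf '%s\n' "$SAMPLE_CONNTRACK" | lan_hosts_for 104.244.73.53
```

On the router itself the live input would be `cat /proc/net/nf_conntrack | lan_hosts_for <remote-ip>` and the LOG lines from `/tmp/syslog.log` after adding a LOG rule for the address in question; a remote IP that only ever appears as first src= with the WAN IP as first dst= is knocking on the router, not being contacted by a LAN device.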
 
Oh, I discovered something interesting now, as I didn't understand "the src and dst would be reversed" + "never upgraded the signature". About "the src and dst": the src is 159.65.179.135 and dst is the WAN-side IP of my router. I'm guessing that maybe AiProtection allows any traffic to the outside, but then reacts to IP addresses trying to NAT-connect back to a device in my LAN network... I don't understand how src and dst should be reversed, I think AiProtection only works one way?

Anyway, about upgrading signatures: you're right, I never upgraded them, I haven't seen a place to upgrade these AiProtection signatures, I'm guessing they were upgraded together with the firmware? In any case, because you wrote this, I again went into the web UI menus and this time I looked closer into AiProtection/DNS-filtering/Two-Way IPS - and there it says (below "security events"): 63 hits since June 23rd 2018, and it all comes from the MAC address 34:6a:c2:3f:22:68.

Then I tried 'cat /var/lib/misc/dnsmasq.leases |grep -i "34:6a"' as I thought this MAC address would be there. But it wasn't. I looked up the device on https://macvendors.com/ - it says it's a "HUAWEI TECHNOLOGIES CO.,LTD" device. I wondered why I couldn't see it on my 192.168.1.0/24 LAN, googled a bit and found out I should instead run "arp -na" on the router, and this reveals that this device is definitely not a device I connected... "arp -na" returns maybe around 15 x 192.168.something addresses + one 169.254.xxx.xxx address + one 83.88.xx.1 address. And the device that is causing all these emails seems to be the one with IP 83.88.xx.1. Now, when I look up my external IP it is actually 83.88.xx.191 - so what is this? Is 83.88.xx.1 a router located at my ISP? I then nmap'ed this IP to learn more:
Code:
# nmap -Pn -F 83.88.xx.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 22:24 CEST
Nmap scan report for vlanif12.YYYYYYYY.dk.ip.tdc.net (83.88.xx.1)
Host is up.
All 100 scanned ports on vlanif12.YYYYYYY.dk.ip.tdc.net (83.88.xx.1) are filtered

Nmap done: 1 IP address (1 host up) scanned in 21.14 seconds
And dk.ip.tdc.net actually sounds like my ISP. So does this mean that my Asus router is warning me with NUMEROUS emails about something acting on a router located at my ISP's location? I don't think this device is mine........ By the way, thanks a lot for the hints about DNS logs (never worked with them, I think I use my ISP's DNS servers), iptables logs (I've done that a bit, I'm not too familiar with it yet) and tcpdump (I guess I could let it run for approx. 1 hour to capture those apparently "offending" packets - but now I discovered things much quicker with the web UI)... Looking forward to hearing what you think about the cause of my many AiProtection emails for this Huawei device, I'm not sure I know what the conclusion is from here, or why AiProtection warns me so much, with all these emails, about this Huawei device?
 
The MAC address will be that of the device connected to your router's WAN port, typically a cable modem or gateway, because that is the direction the attack is coming from. So you can see that is completely useless information because the MAC address will always be the same.
 
I don't have the time right now to give you a more detailed answer for your other questions, but briefly, to put you at ease: 83.88.x.1 is the first hop (this is the Huawei device) out from your router (83.88.x.191). All traffic coming from the WAN would bear the MAC of that hop, your modem (but not the IP), so this indicates whatever AiProtection is firing on came from the WAN.

Edit: Colin is right, Huawei is your modem not the first hop
 
The new code has a menu that shows a full list of everything blocked with src and destination. The e-mails are pretty much useless.

Take a look at (assuming your IP address is the default 192.168.1.1)

http://192.168.1.1/AiProtection_MaliciousSitesBlocking.asp
and
http://192.168.1.1/AiProtection_IntrusionPreventionSystem.asp


and the DHCP list under System Log if you want to track down a MAC address
http://192.168.1.1/Main_DHCPStatus_Content.asp
 
Now that I think of it, my ISP gave me a cable modem, which is used to separate internet traffic from the coax cable that carries both TV and internet signals. This cable modem is just before my Asus router. The cable modem is a "Netgear Genie C6250EMR" and at IP 192.168.100.1 I can access this router, which says that its MAC address is "a4:2b:8c:8d:30:56". Now, I looked at how I connected my own Asus router with the ISP-provided Netgear cable modem and it looks like I've put the Netgear router in "bridged" mode, and in the web UI I've chosen "No" to "Router mode" (because my Asus router should act as router for my devices).

If I go into my netgear-webUI and choose "Event Log", I get a LOT of errors, please see example below:
Code:
2018-6-21, 08:48:42 Error (4) DHCP RENEW WARNING - Field invalid in response v4 option;CM-MAC=a4:2b:8c:8d:30:56;CMTS-MAC=c0:bf:c0:64:fc:40;CM-QOS=1.1;CM-VER=3.0;
2018-6-24, 06:34:35 Critical (3) Started Unicast Maintenance Ranging - No Response received - T3 time-out;CM-MAC=a4:2b:8c:8d:30:56;CMTS-MAC=c0:bf:c0:64:fc:40;CM-QOS=1.1;CM-VER=3.0;
2018-6-24, 08:48:42 Error (4) DHCP RENEW WARNING - Field invalid in response v4 option;CM-MAC=a4:2b:8c:8d:30:56;CMTS-MAC=c0:bf:c0:64:fc:40;CM-QOS=1.1;CM-VER=3.0;
2018-6-25, 02:19:26 Critical (3) Started Unicast Maintenance Ranging - No Response received - T3 time-out;CM-MAC=a4:2b:8c:8d:30:56;CMTS-MAC=c0:bf:c0:64:fc:40;CM-QOS=1.1;CM-VER=3.0;
2018-6-25, 20:48:42 Error (4) DHCP RENEW WARNING - Field invalid in response v4 option;CM-MAC=a4:2b:8c:8d:30:56;CMTS-MAC=c0:bf:c0:64:fc:40;CM-QOS=1.1;CM-VER=3.0;
2018-6-26, 05:08:27 Critical (3) Started Unicast Maintenance Ranging - No Response received - T3 time-out;CM-MAC=a4:2b:8c:8d:30:56;CMTS-MAC=c0:bf:c0:64:fc:40;CM-QOS=1.1;CM-VER=3.0;
2018-6-27, 08:48:42 Error (4) DHCP RENEW WARNING - Field invalid in response v4 option;CM-MAC=a4:2b:8c:8d:30:56;CMTS-MAC=c0:bf:c0:64:fc:40;CM-QOS=1.1;CM-VER=3.0;
2018-6-28, 02:32:08 Critical (3) Started Unicast Maintenance Ranging - No Response received - T3 time-out;CM-MAC=a4:2b:8c:8d:30:56;CMTS-MAC=c0:bf:c0:64:fc:40;CM-QOS=1.1;CM-VER=3.0;

I don't think this is a good sign... Now, I'm definitely not a "bridged mode" expert, but is it possible that my Asus router (after the "bridge mode" Netgear cable modem) is interfering with the Netgear traffic, and that this causes all the AiProtection logs in the Asus router while the Netgear cable modem gets all these error messages? Of course I could just try to disable AiProtection, but I'm also asking because I don't understand what's going on - I don't think the culprit with the "offending" MAC address is one of my own devices (which are on 192.168.1.0/24)....
 
Ok, understood - thanks, it is not the MAC address of the receiving device but the MAC address of the sending device, thanks...
 
Sorry, I didn't understand "Huawei is your modem not the first hop"? Huawei is not my modem, I'm pretty sure of that: I have an Asus RT-AC87U at 192.168.1.1 and an ISP-provided Netgear cable modem which I can reach at 192.168.100.1. Huawei and the MAC address are from the "attacking" device, as I understand it now?

Anyway, here's "route" from 192.168.1.1:
Code:
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
83.88.69.1      *               255.255.255.255 UH    0      0        0 eth0
169.254.39.0    *               255.255.255.0   U     0      0        0 br0
83.88.69.0      *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         vlanif12.taanqa 0.0.0.0         UG    0      0        0 eth0
So let me see if I get this right:
My router 192.168.1.1 has this webpage: http://192.168.1.1/AiProtection_IntrusionPreventionSystem.asp which raises a LOT of red flags and also says/claims that it is protecting me from a lot of "External Attacks", roughly 1 "attack" every hour. Let me give some examples of what this AiProtection webpage says it is protecting me from: "EXPLOIT Netcore Router Back door Access" (e.g. from 159.89.45.14) + "Exploit Remote Command Execution via Shell Script-2" (e.g. from 159.89.45.14) + "NTP ntp.org Network Time Protocol Windows Daemon getEndptFromIoCtx Denial of Service (CVE-2016-9312)" (from IP 51.15.13.124) - well, that's about the 3 different kinds of messages... These messages sound a bit scary, as if, had I not enabled AiProtection, my network would continuously be getting attacked; it of course worries me a bit if it is true (I've enabled the firewall, and ShieldsUP reports that all my ports are "stealth", which I thought would secure me from all attacks, but apparently not all?)...

The source changes, but here are some additional IP address examples: 159.89.45.14, 212.237.6.183, 104.244.73.53, 159.65.179.135, 178.128.169.56 etc. - the destination is always the same: 83.88.69.191 (I am tired of obfuscating it, as I did in the beginning of my posts), which is also the external WAN-side IP address I can look up using e.g. whatismyipaddress.com.

So, something is sending out malicious packets - "attacks" (in AiProtection terms) to destination 83.88.69.191. This I think is far from my 192.168.1.0/24 network, I think it is something on my ISP's side? Am I right, if you look at the "route" info my 192.168.1.1 Asus router is telling? And should I worry about these "attacks"?

Sorry, am a bit confused as I went from getting 0 "attacks" to approx 1 every hour or so and if I can safely ignore these "attacks" then maybe I would be interested in tweaking AiProtection into not showing these "attacks"...
 
If you search the forums you will find lots of posts about AiProtection reporting these sorts of attempted attacks. It's nothing unusual, it's the internet :rolleyes:. Just ignore it. You wouldn't have seen them before if you weren't previously behind a "bridged" device.

Regarding the cable modem log; that looks pretty normal.
 
Ok, thanks a lot, I'll search the forum (I also did it a bit, but apparently not enough). I was also behind the "bridged" Netgear cable modem before my latest firmware update - and I didn't receive all these mails and warnings/errors. But I think the conclusion must then be that the latest Asus (Merlin) firmware is more cautious and warns a lot more than it should, and at least more than the previous version I had (which I think was around firmware version 380 - now I have version 384.5, I skipped a few updates)... I'll try to search and investigate whether I can still enable AiProtection but not receive all these emails about "attacks" - I only want mails if there are severe warnings or attacks happening...
 
I think the comments from RMerlin in this thread say it all.
That IPS is doing more harm than good so far IMHO. Most users don't have the technical know-how to properly understand its reports. What it does is more about showing off that it's blocking something than providing an actual security improvement.
It's just causing unnecessary panic. The router's firewall was already blocking these connection attempts...
 
Oh, thanks a lot... I've just been reading up on it also; it's strange I only discover now that it's just some kind of Asus marketing crap, I actually thought it was good and an "extra security layer". I googled and also found out they're saying that "With its commercial-grade intrusion prevention system (IPS), powered by Trend Micro™ Smart Home Network, AiProtection can prevent attacks like WannaCry from taking advantage of vulnerabilities on your network, such as open ports. By checking every single packet of data coming from the internet, AiProtection can detect and block any suspicious attempts to infiltrate your network, protecting all your connected devices." - it sounds like it's doing something more advanced than just pure "iptables" - that's why I've enabled it and used AiProtection for years without wondering too much about it (because it's only recently I'm seeing/getting all these mails about so-called "attacks")... I just made a small test, to better understand the AiProtection IPS: first I used "iptables-save > ipt.txt", next I disabled AiProtection / Two-Way IPS. Then again I used "iptables-save > ipt2.txt" and made a diff comparison. I however only see different packet numbers, I don't see that "AiProtection / Two-Way IPS" had any effect on iptables. But I understand it is something that is working before iptables blocks any packets (otherwise it wouldn't be able to log what it has "protected" me from)....

I might disable it in the future, if I get too annoyed by all these AiProtection-emails...... Thanks a lot ColinTaylor (and the rest of you), for helping me out here, where I suspected I "might be under attack after this firmware upgrade" :)
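A way to make the before/after iptables-save comparison described in the post above meaningful, as an added example that is not from the thread or from the firmware: the packet/byte counters and the timestamp comment lines are stripped before comparing, so a diff taken around toggling a feature shows only rules that actually changed, instead of the counter noise the poster saw. The three dumps are constructed sample data; the first two differ only in counters, the third has one extra rule.

```shell
#!/bin/sh
# Added example (not from the thread): compare two "iptables-save -c" dumps while
# ignoring counters and timestamps. Dumps below are constructed sample data.

# normalize_rules: stdin = iptables-save output, stdout = the same rules with the
# leading "[pkts:bytes]" counters, the trailing "[pkts:bytes]" on chain policy
# lines and the "# Generated by"/"# Completed on" timestamp lines removed.
normalize_rules() {
    sed -e '/^# Generated by/d' \
        -e '/^# Completed/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# same_rules DUMP_A DUMP_B: exit 0 if both dumps (as strings) describe the same
# rule set after normalization, 1 otherwise.
same_rules() {
    [ "$(printf '%s\n' "$1" | normalize_rules)" = "$(printf '%s\n' "$2" | normalize_rules)" ]
}

# Constructed dumps: "before" and "after" differ only in counters and time stamps.
DUMP_BEFORE='# Generated by iptables-save v1.4.21 on Wed Jun 27 22:00:01 2018
*filter
:INPUT ACCEPT [1200:96000]
:FORWARD ACCEPT [300:24000]
[1000:80000] -A INPUT -i lo -j ACCEPT
[150:12000] -A INPUT -i eth0 -m state --state INVALID -j DROP
[300:24000] -A FORWARD -i br0 -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Jun 27 22:00:01 2018'
DUMP_AFTER='# Generated by iptables-save v1.4.21 on Wed Jun 27 22:05:44 2018
*filter
:INPUT ACCEPT [1260:100800]
:FORWARD ACCEPT [305:24400]
[1040:83200] -A INPUT -i lo -j ACCEPT
[158:12640] -A INPUT -i eth0 -m state --state INVALID -j DROP
[305:24400] -A FORWARD -i br0 -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Jun 27 22:05:44 2018'
# "changed" adds one real rule (constructed), which a normalized diff must show.
DUMP_CHANGED="$DUMP_AFTER
[0:0] -A INPUT -i eth0 -p tcp --dport 23 -j DROP"

if same_rules "$DUMP_BEFORE" "$DUMP_AFTER"; then
    echo "before vs after: identical rule set (only counters changed)"
fi
if ! same_rules "$DUMP_AFTER" "$DUMP_CHANGED"; then
    echo "after vs changed: rule set differs:"
    TMP=$(mktemp -d)
    printf '%s\n' "$DUMP_AFTER" | normalize_rules >"$TMP/a"
    printf '%s\n' "$DUMP_CHANGED" | normalize_rules >"$TMP/b"
    diff "$TMP/a" "$TMP/b" || true
    rm -rf "$TMP"
fi
```

In practice: `iptables-save -c | normalize_rules > ipt1.txt`, toggle the feature, repeat into ipt2.txt, then `diff ipt1.txt ipt2.txt`. An empty diff means the feature added no iptables rule at all (its filtering happens somewhere else), which is the conclusion the poster reached by eye. Note that the extra rule in DUMP_CHANGED is appended after COMMIT only to keep the sample short; real dumps place rules before COMMIT.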
 
With all due respect, I disagree. I have port forwarding enabled for quite a few devices and see that AiProtection is blocking a lot of bot traffic from Russia trying to map out my devices. Why would I want a bot hitting my web servers over and over when I can have AiProtection block it?

I haven't seen any traffic dropped from high UPnP ports though. I just wish we could get more details about what ports and traffic it is checking.
 
I don’t think anyone is saying it’s completely useless, just that it’s causing more problems than it is solving.

And to be honest, if you're hosting a web server and only relying on AiProtection you're doing it wrong. It's meant for people who aren't technical enough to set up something like Skynet.

Regarding high ports, AiProtection probably mainly relies on IP reputation that TrendMicro maintains and updates. And you’re probably not seeing traffic on high ports dropped simply because those IPs aren’t scanning it.
 
Could you please tell in which way AiProtection is blocking (I mean: what do your AiProtection log messages say)? About 1.5 years ago I experimented and set up a public web server (nginx) and had these rules with iptables (brute-force protection, I cannot exactly remember how they worked):
Code:
:publicWeb - [0:0]
# Remember the source address of every new connection in the "WEB" recent list
-A publicWeb -m state --state NEW -m recent --set --name WEB --rsource
# 4th or later new connection from the same source within 60 s: log it (at most once a minute)...
-A publicWeb -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name WEB --rsource -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "IPTABLES/RATE-LIMIT: "
# ...and drop it
-A publicWeb -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name WEB --rsource -j DROP
# Everything else is logged (rate limited) with TCP sequence/options for later analysis...
-A publicWeb -m limit --limit 1/min --limit-burst 1 -j LOG --log-prefix "Web-server guest: " --log-tcp-sequence --log-tcp-options --log-ip-options
# ...then only new/established connections to the web server on tcp/81 are accepted, the rest is dropped
-A publicWeb -d 192.168.1.1/32 -i eth0 -p tcp -m tcp --dport 81 -m state --state NEW,ESTABLISHED -j ACCEPT
-A publicWeb -j DROP
So I would DEFINITELY be interested in knowing what AiProtection does, in addition to something like this with BFP (brute-force protection, limiting the number of attempts), in case I later decide to expose one or several ports to the internet...
 
It won't let me cut and paste the aiprotection screen.

But here are just a few - even if they are placebo, it puts a smile on my face even if they aren't reflective of my setup. These are the types of things I would typically see from an IPS solution, which is more than the reputation-based lookup from Skynet:

  • web oracle weblogic Server insecure deserialization cve2017-10271
  • web d-link dsl command injections
  • Web goahead login.cgi information disclosure vulnerability
  • RDP Brute Force
  • Web Masscan Scanner Activity
  • Exploit AsusWRT 3.0.0.4.376_1071 Lan Backdoor Command Injection
  • Web Microsoft IIS WebDAV CVE2017-7269
These are all coming from random and malicious IPs toward the public IP of my router and forwarded internal ports.

I seriously looked at having a commercial-grade UTM appliance for home. Unfortunately the cheapest Palo Alto was too expensive and didn't even go past 50 Mb/s. pfSense with Suricata worked, but I had to dedicate an i7 processor to handle the 250 Mb/s throughput, and it was too cumbersome and yet another management point to deal with.

After you enable it, using the latest code base go to this link and see for yourself.
http://192.168.1.1/AiProtection_IntrusionPreventionSystem.asp

I would disable the e-mails. They are completely useless.

AiProtection is far from perfect though. I still see hits against my HIPS on some of the forwarded ports. I hate relying on host-based controls though, and I'm pretty sure most home users aren't running commercial vulnerability scanners against their home.
 