We run a remote desktop server farm that our customers log into from their offices. I've been taking a look at one customer's branch office's connectivity challenges and I noticed a bunch of events in the Threat log. This particular office location keeps getting disconnected, and I want to check my side of things before I ask them to check their side. Here's what I've seen in the log:
| # | Threat Type | Event | Date/Time | Source | Threat Level | Destination | Application Name | Sent / Received | Action |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Failed Connection Attempts | Failed Connection Attempts | 13:51:49 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | RDP | 87.45 KB / 173.79 KB | timeout |
| 2 | Failed Connection Attempts | Failed Connection Attempts | 13:08:53 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 3 | Failed Connection Attempts | Failed Connection Attempts | 13:08:53 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 4 | Failed Connection Attempts | Failed Connection Attempts | 13:01:45 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 5 | Failed Connection Attempts | Failed Connection Attempts | 13:01:45 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 6 | Failed Connection Attempts | Failed Connection Attempts | 12:59:32 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 7 | Failed Connection Attempts | Failed Connection Attempts | 12:59:32 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 8 | Failed Connection Attempts | Failed Connection Attempts | 12:59:16 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 9 | Failed Connection Attempts | Failed Connection Attempts | 12:59:16 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 10 | Failed Connection Attempts | Failed Connection Attempts | 12:41:34 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 11 | Failed Connection Attempts | Failed Connection Attempts | 12:41:34 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 12 | Failed Connection Attempts | Failed Connection Attempts | 12:24:28 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 13 | Failed Connection Attempts | Failed Connection Attempts | 12:24:28 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 14 | Failed Connection Attempts | Failed Connection Attempts | 12:24:16 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 15 | Failed Connection Attempts | Failed Connection Attempts | 12:24:16 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 16 | Failed Connection Attempts | Failed Connection Attempts | 11:48:10 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 17 | Failed Connection Attempts | Failed Connection Attempts | 11:48:10 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 18 | Failed Connection Attempts | Failed Connection Attempts | 10:59:39 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 19 | Failed Connection Attempts | Failed Connection Attempts | 10:59:39 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 20 | Failed Connection Attempts | Failed Connection Attempts | 10:59:24 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 21 | Failed Connection Attempts | Failed Connection Attempts | 10:59:24 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 22 | Failed Connection Attempts | Failed Connection Attempts | 10:54:50 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | RDP | 83.43 KB / 153.48 KB | timeout |
| 23 | Failed Connection Attempts | Failed Connection Attempts | 10:54:50 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
| 24 | Failed Connection Attempts | Failed Connection Attempts | 10:50:41 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | RDP | 101.02 KB / 129.44 KB | timeout |
| 25 | Failed Connection Attempts | Failed Connection Attempts | 10:50:41 | 99.xxx.xxx.xxx | Low | 207.xxx.xxx.xxx | Unknown | | ip-conn |
A more detailed event looks like this:
| Field | Value |
|---|---|
| # | 4 |
| Action | ip-conn |
| Application Category | unscanned |
| Date/Time | 15:55:33 |
| Destination | 207.xxx.xxx.xxx |
| Destination Interface | LAN |
| Destination Port | 3389 |
| Event | Failed Connection Attempts |
| Level | |
| Log ID | 11 |
| Policy ID | 1 |
| Policy UUID | 4da239a2-6e08-51e4-d0af-965838f35eb4 |
| Protocol | tcp |
| Protocol Number | 6 |
| Sequence Number | 22296805 |
| Source | 99.xxx.xxx.xxx |
| Source Interface | port1 |
| Source Port | 52202 |
| Sub Type | forward |
| Threat | 262144 |
| Threat Level | Low |
| Threat Level | low |
| Threat Score | 5 |
| Threat Type | Failed Connection Attempts |
| Timestamp | 10/2/2015, 3:55:33 PM |
| Virtual Domain | root |
I'm not sure if this is something to be concerned with, or if it is a sign of a greater problem. I have not been able to try to correlate the events as of yet. The current firewall that this is going through is a FortiGate 300C running v5.2.4,build688 (GA). If nothing else, I'd love to know what "ip-conn" stands for. IP connection reset? Any hint would be helpful.
Well, there are 2 reasons for a "failed connection attempt": legitimate traffic or malicious login attack. I'd suspect the latter - you could find evidence for this thesis by comparing the source IPs to the WAN IPs for your legitimate users/offices.
From what I see I believe you are allowing TCP/3389 directly from WAN to your servers. Am I right? If so, that's what I would call a real problem. Why don't you let the user dial in via (IPsec or SSL) VPN and then use RDP over a secure channel? Not that a VPN gateway will not be attacked, but it takes a lot more effort to be successful with it than with attacking a server directly.
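The check the answer proposes (match each source against the WAN ranges of your legitimate offices) and the correlation the question asks about (the rows above where an RDP session ends with `timeout` and an `ip-conn` from the same source is logged in the same second) can both be scripted. The following is an added example, not code from the original post or from Fortinet. It assumes FortiOS-style `key=value` traffic log lines, where `ip-conn` is the action value Fortinet's log reference describes as an IP connection error: a forwarded session that never got established, which is why those rows show Application `Unknown` and no byte counts. The sample lines, the office allowlist `KNOWN_OFFICES`, and the thresholds `burst`, `window` and `reconnect` are all constructed for the example; the IPs are documentation addresses standing in for the masked ones in the post.

```python
"""Triage FortiGate 'Failed Connection Attempts' (action=ip-conn) events by source.

Added example, not code from the original post or from Fortinet. It parses FortiOS-style
key=value traffic log lines, looks each source up in a (hypothetical) list of customer
office WAN ranges, and separates a dropped office session (an RDP session that carried
bytes, ended with action=timeout, then ip-conn retries from the same source within seconds,
the pattern in rows 22-25 of the post) from an unknown source hammering TCP/3389.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the post's table; IPs are RFC 5737 documentation
# addresses standing in for the masked 99.x.x.x / 207.x.x.x values.
SAMPLE_LOG = """\
date=2015-10-02 time=10:50:41 srcip=203.0.113.10 srcport=51010 dstip=192.0.2.50 dstport=3389 service="RDP" sentbyte=103441 rcvdbyte=132546 action=timeout
date=2015-10-02 time=10:50:41 srcip=203.0.113.10 srcport=51022 dstip=192.0.2.50 dstport=3389 service="RDP" action=ip-conn
date=2015-10-02 time=10:54:50 srcip=203.0.113.10 srcport=51034 dstip=192.0.2.50 dstport=3389 service="RDP" sentbyte=85432 rcvdbyte=157163 action=timeout
date=2015-10-02 time=10:54:50 srcip=203.0.113.10 srcport=51035 dstip=192.0.2.50 dstport=3389 service="RDP" action=ip-conn
date=2015-10-02 time=10:59:24 srcip=203.0.113.10 srcport=51040 dstip=192.0.2.50 dstport=3389 service="RDP" action=ip-conn
date=2015-10-02 time=11:02:01 srcip=198.51.100.77 srcport=40001 dstip=192.0.2.50 dstport=3389 service="RDP" action=ip-conn
date=2015-10-02 time=11:02:02 srcip=198.51.100.77 srcport=40002 dstip=192.0.2.50 dstport=3389 service="RDP" action=ip-conn
date=2015-10-02 time=11:02:03 srcip=198.51.100.77 srcport=40003 dstip=192.0.2.50 dstport=3389 service="RDP" action=ip-conn
date=2015-10-02 time=11:02:04 srcip=198.51.100.77 srcport=40004 dstip=192.0.2.50 dstport=3389 service="RDP" action=ip-conn
date=2015-10-02 time=11:02:05 srcip=198.51.100.77 srcport=40005 dstip=192.0.2.50 dstport=3389 service="RDP" action=ip-conn
"""

# Hypothetical allowlist: WAN ranges of the customer offices that may reach the RDP farm.
KNOWN_OFFICES = {"203.0.113.0/24": "customer A, branch office"}

KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict with ints and a datetime."""
    fields = {k: v.strip('"') for k, v in KEY_VALUE.findall(line)}
    for k in ("srcport", "dstport", "sentbyte", "rcvdbyte"):
        if k in fields:
            fields[k] = int(fields[k])
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def office_for(ip, known_offices):
    """Name of the known office whose WAN range contains ip, else None."""
    addr = ip_address(ip)
    return next((name for net, name in known_offices.items() if addr in ip_network(net)), None)


def triage(events, known_offices, dst_port=3389, burst=5,
           window=timedelta(seconds=60), reconnect=timedelta(seconds=30)):
    """Classify every source with failed connections to dst_port.

    kinds: dropped-session      data-carrying session timed out, reconnects then failed
           office-connectivity  known office, failures but no dropped-session pattern
           brute-force-or-scan  unknown source, >= burst failures inside window
           low-volume           unknown source, too few failures to call
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("dstport") == dst_port:
            by_src[ev["srcip"]].append(ev)

    result = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["action"] == "ip-conn"]
        # Only timeouts of sessions that actually moved data count as a dropped session.
        timeouts = [e for e in evs if e["action"] == "timeout" and e.get("sentbyte", 0) > 0]
        office = office_for(src, known_offices)
        dropped = any(timedelta(0) <= f["ts"] - t["ts"] <= reconnect
                      for t in timeouts for f in fails)
        bursty = any(fails[i + burst - 1]["ts"] - fails[i]["ts"] <= window
                     for i in range(len(fails) - burst + 1))
        if dropped:
            kind = "dropped-session"
        elif office:
            kind = "office-connectivity"
        elif bursty:
            kind = "brute-force-or-scan"
        else:
            kind = "low-volume"
        result[src] = {"office": office, "fails": len(fails),
                       "timeouts": len(timeouts), "kind": kind}
    return result


if __name__ == "__main__":
    for src, verdict in triage(parse_log(SAMPLE_LOG), KNOWN_OFFICES).items():
        print(src, verdict)
```

Run against an export of the real threat log, a source that lands in `dropped-session` with an office name is the branch's own WAN circuit dropping an established session and failing to re-establish it, which is a path problem to raise with that office's ISP; a source with no office name that lands in `brute-force-or-scan` is the case the answer warns about, and the fix is the policy change it recommends (RDP only over VPN), not a bigger threshold.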
Copyright 2025 Fortinet, Inc. All Rights Reserved.