Question for network/firewall experts

kahn-hubitat · October 25, 2022, 5:39pm

i am getting lots of hacking attempts on my router which maps one public ip to privates via nat..
they are tls packts looking to hack a openvpn server. unfortunately they are on ports that i need to leave open for devices on my private network that uses these like 53 (dns) 123 (ntp).. Anyone know of a way in iptables firewall to block these.. i see a lot of hacking attempts in my router log.

I dont think i can be hacked this way as my openvpn requires certs and not just user name passwords, but i try to block any attempts like this. I have given up just adding the ips to my blacklist as it is a never ending task.

thanks

kahn-hubitat · October 25, 2022, 5:43pm

something like this

kahn-hubitat · October 25, 2022, 5:45pm

actually at least this case i think i can block port 123 but only on tcp which the connections are coming in on as i belive ntp using udp only.

brad5 · October 25, 2022, 5:46pm

You could try using a whitelist approach... block all and then allow only certain IPs. Or some sort of geoblocking if that's an option.

Tagging our resident network engineer for additional thoughts @rlithgow1

kahn-hubitat · October 25, 2022, 5:54pm

here is another one. rdp port

i do have a whitelist
and
I have some 143. subnets opened up in my whitelist mostly for amazon but nothing in
the 143.0.x.x subnets.
in my whitelist and here is my rule for rdp but i am still getting attempts through on that port as well and not sure how.. ie

/put "only allow remote desktop from whitelist"
add chain=forward action=accept protocol=tcp src-address-list=Whitelist dst-address=173.14.182.0/24 dst-port=3389 comment="Allow Remote Desktop tcp from Whitelist"
add chain=forward action=accept protocol=udp src-address-list=Whitelist dst-address=173.14.182.0/24 dst-port=3389 comment="Allow Remote Desktop udp from Whitelist"
add chain=forward action=drop protocol=tcp dst-address=173.14.182.0/24 dst-port=3389 comment="Drop All other Remote Desktop"
add chain=forward action=accept protocol=tcp src-port=3389 dst-port=1023-65535 comment="Allow all outgoing Remote Desktop tcp"
add chain=forward action=accept protocol=udp src-port=3389 comment="Allow all outgoing Remote Desktop udp"

Eric.C.Miller · October 25, 2022, 5:54pm

Friends in Brazil?

kahn-hubitat · October 25, 2022, 5:57pm

weird is that where the ip is from.. i even load all brazil address into a foreign list and block those along with russia china etc. But apparently some ips are slipping through.. its a never ending battle.

brad5 · October 25, 2022, 5:57pm

Does OpenVPN support MFA? Not gonna stop the probes but it is an additional layer of security.

kahn-hubitat · October 25, 2022, 5:59pm

not sure but am sure not the version i have on my (not named for security) router. i also have wireguard on it but that seems to be a pain as at least on my phone it appears to start automatically on reboot even though it is not configured to.

I did turn of my older pptp vpn and that has major security issues.

kahn-hubitat · October 25, 2022, 6:02pm

suprissed they are not trying it on ftp data transfer port

kahn-hubitat · October 25, 2022, 6:04pm

firewall checker shows 3389 as not being open..

same for 123 not sure how they are even getting through.

rlithgow1 · October 25, 2022, 6:33pm

@kahn-hubitat You should close all inbound ports. Set up a rule for anything initiated from a trusted port can go external. That way when DNS is updating (changing it's cycle) it can reach out and read from whatever global dns you have set. Same with NTP. As to your VPN is that done at the firewall or behind it?

kahn-hubitat · October 25, 2022, 6:35pm

All ports other than those opened are closed by default.

The box i am talking about is behind the fireall which is on my public facing/different router.

I cant close all dns as i do have a dns server

Dns tcp is only open to that server. You can see in the pict above tcp dns is stealthed.

rlithgow1 · October 25, 2022, 6:37pm

Right, so do I (have 2 actually. One on a windows domain, one on a linux box) both are closed inbound so no port redirection from outside in. They're both allowed outbound and automatically update from globals every 24hrs.

VPN is at the firewall itself (L2TP or ikev2) so that handles external authentication. I don't like opening any port redirects for anything. It's un-needed. If you're running a seperate VPN server, I'd put that on a DMZ with a tightly controlled rule from DMZ to trusted.

kahn-hubitat · October 25, 2022, 6:39pm

Dns is.master so.needs to.allow tcp.port 53 for zone.updates but those specific servers only are allowed.

kahn-hubitat · October 25, 2022, 6:43pm

I have more than one vpn server. Nothing worse when u fck up your configuration and cant get at your router when you are 1500 miles away for months. I have redundant everything including a different vpn i can get on to fix things.

I have never been hacked other than an.idiot that.had too easy a email password. But i am diligent about keeping on top of it. I knew within 24 hours re the email hack. I.get a nightly report and saw the increased traffic.

Email sending is now not allowed on port 25 and on a non standard port.

kahn-hubitat · October 25, 2022, 6:52pm

Most hack attempts appear to be brute force ie trying known passwords cross site etc. But they can take a toll.on your equipment if persistent. I try to block them at the packet level before they get to any equipment.

rlithgow1 · October 25, 2022, 7:33pm

Yeah my firewall (Watchguard T35) autoblocks if too many things hit it unsolicited from an ip. I also autoblock most countries. I used to host my own email but got tired of it. domain name attached to a gmail account is fine with me. My spam is low and I don't care if they see the word "network" and then show a network ad, I block most ads anyway! LOL...

user1047 · November 29, 2022, 8:27pm

Hi everyone. Speaking of whitelists, anyone know what I need to include for the remote app? May have gotten a little excited with my DNS privacy settings.

Happy holidays!