i am getting lots of hacking attempts on my router which maps one public ip to privates via nat..
they are tls packts looking to hack a openvpn server. unfortunately they are on ports that i need to leave open for devices on my private network that uses these like 53 (dns) 123 (ntp).. Anyone know of a way in iptables firewall to block these.. i see a lot of hacking attempts in my router log.
I dont think i can be hacked this way as my openvpn requires certs and not just user name passwords, but i try to block any attempts like this. I have given up just adding the ips to my blacklist as it is a never ending task.
i do have a whitelist
and
I have some 143. subnets opened up in my whitelist mostly for amazon but nothing in
the 143.0.x.x subnets.
in my whitelist and here is my rule for rdp but i am still getting attempts through on that port as well and not sure how.. ie
/put "only allow remote desktop from whitelist"
add chain=forward action=accept protocol=tcp src-address-list=Whitelist dst-address=173.14.182.0/24 dst-port=3389 comment="Allow Remote Desktop tcp from Whitelist"
add chain=forward action=accept protocol=udp src-address-list=Whitelist dst-address=173.14.182.0/24 dst-port=3389 comment="Allow Remote Desktop udp from Whitelist"
add chain=forward action=drop protocol=tcp dst-address=173.14.182.0/24 dst-port=3389 comment="Drop All other Remote Desktop"
add chain=forward action=accept protocol=tcp src-port=3389 dst-port=1023-65535 comment="Allow all outgoing Remote Desktop tcp"
add chain=forward action=accept protocol=udp src-port=3389 comment="Allow all outgoing Remote Desktop udp"
weird is that where the ip is from.. i even load all brazil address into a foreign list and block those along with russia china etc. But apparently some ips are slipping through.. its a never ending battle.
not sure but am sure not the version i have on my (not named for security) router. i also have wireguard on it but that seems to be a pain as at least on my phone it appears to start automatically on reboot even though it is not configured to.
I did turn of my older pptp vpn and that has major security issues.
@kahn-hubitat You should close all inbound ports. Set up a rule for anything initiated from a trusted port can go external. That way when DNS is updating (changing it's cycle) it can reach out and read from whatever global dns you have set. Same with NTP. As to your VPN is that done at the firewall or behind it?
Right, so do I (have 2 actually. One on a windows domain, one on a linux box) both are closed inbound so no port redirection from outside in. They're both allowed outbound and automatically update from globals every 24hrs.
VPN is at the firewall itself (L2TP or ikev2) so that handles external authentication. I don't like opening any port redirects for anything. It's un-needed. If you're running a seperate VPN server, I'd put that on a DMZ with a tightly controlled rule from DMZ to trusted.
I have more than one vpn server. Nothing worse when u fck up your configuration and cant get at your router when you are 1500 miles away for months. I have redundant everything including a different vpn i can get on to fix things.
I have never been hacked other than an.idiot that.had too easy a email password. But i am diligent about keeping on top of it. I knew within 24 hours re the email hack. I.get a nightly report and saw the increased traffic.
Email sending is now not allowed on port 25 and on a non standard port.
Most hack attempts appear to be brute force ie trying known passwords cross site etc. But they can take a toll.on your equipment if persistent. I try to block them at the packet level before they get to any equipment.
Yeah my firewall (Watchguard T35) autoblocks if too many things hit it unsolicited from an ip. I also autoblock most countries. I used to host my own email but got tired of it. domain name attached to a gmail account is fine with me. My spam is low and I don't care if they see the word "network" and then show a network ad, I block most ads anyway! LOL...
Hi everyone. Speaking of whitelists, anyone know what I need to include for the remote app? May have gotten a little excited with my DNS privacy settings.
