Question for network/firewall experts

i am getting lots of hacking attempts on my router which maps one public ip to privates via nat..
they are tls packts looking to hack a openvpn server. unfortunately they are on ports that i need to leave open for devices on my private network that uses these like 53 (dns) 123 (ntp).. Anyone know of a way in iptables firewall to block these.. i see a lot of hacking attempts in my router log.

I dont think i can be hacked this way as my openvpn requires certs and not just user name passwords, but i try to block any attempts like this. I have given up just adding the ips to my blacklist as it is a never ending task.


something like this

actually at least this case i think i can block port 123 but only on tcp which the connections are coming in on as i belive ntp using udp only.

You could try using a whitelist approach... block all and then allow only certain IPs. Or some sort of geoblocking if that's an option.

Tagging our resident network engineer for additional thoughts @rlithgow1

1 Like

here is another one. rdp port

i do have a whitelist
I have some 143. subnets opened up in my whitelist mostly for amazon but nothing in
the 143.0.x.x subnets.
in my whitelist and here is my rule for rdp but i am still getting attempts through on that port as well and not sure how.. ie

/put "only allow remote desktop from whitelist"
add chain=forward action=accept protocol=tcp src-address-list=Whitelist dst-address= dst-port=3389 comment="Allow Remote Desktop tcp from Whitelist"
add chain=forward action=accept protocol=udp src-address-list=Whitelist dst-address= dst-port=3389 comment="Allow Remote Desktop udp from Whitelist"
add chain=forward action=drop protocol=tcp dst-address= dst-port=3389 comment="Drop All other Remote Desktop"
add chain=forward action=accept protocol=tcp src-port=3389 dst-port=1023-65535 comment="Allow all outgoing Remote Desktop tcp"
add chain=forward action=accept protocol=udp src-port=3389 comment="Allow all outgoing Remote Desktop udp"

Friends in Brazil?

weird is that where the ip is from.. i even load all brazil address into a foreign list and block those along with russia china etc. But apparently some ips are slipping through.. its a never ending battle.

Does OpenVPN support MFA? Not gonna stop the probes but it is an additional layer of security.

not sure but am sure not the version i have on my (not named for security) router. i also have wireguard on it but that seems to be a pain as at least on my phone it appears to start automatically on reboot even though it is not configured to.

I did turn of my older pptp vpn and that has major security issues.

suprissed they are not trying it on ftp data transfer port

firewall checker shows 3389 as not being open..

same for 123 not sure how they are even getting through.

@kahn-hubitat You should close all inbound ports. Set up a rule for anything initiated from a trusted port can go external. That way when DNS is updating (changing it's cycle) it can reach out and read from whatever global dns you have set. Same with NTP. As to your VPN is that done at the firewall or behind it?

1 Like

All ports other than those opened are closed by default.

The box i am talking about is behind the fireall which is on my public facing/different router.

I cant close all dns as i do have a dns server

Dns tcp is only open to that server. You can see in the pict above tcp dns is stealthed.

Right, so do I (have 2 actually. One on a windows domain, one on a linux box) both are closed inbound so no port redirection from outside in. They're both allowed outbound and automatically update from globals every 24hrs.

VPN is at the firewall itself (L2TP or ikev2) so that handles external authentication. I don't like opening any port redirects for anything. It's un-needed. If you're running a seperate VPN server, I'd put that on a DMZ with a tightly controlled rule from DMZ to trusted.

1 Like

Dns is.master so.needs to.allow tcp.port 53 for zone.updates but those specific servers only are allowed.

I have more than one vpn server. Nothing worse when u fck up your configuration and cant get at your router when you are 1500 miles away for months. I have redundant everything including a different vpn i can get on to fix things.

I have never been hacked other than an.idiot that.had too easy a email password. But i am diligent about keeping on top of it. I knew within 24 hours re the email hack. I.get a nightly report and saw the increased traffic.

Email sending is now not allowed on port 25 and on a non standard port.

1 Like

Most hack attempts appear to be brute force ie trying known passwords cross site etc. But they can take a toll.on your equipment if persistent. I try to block them at the packet level before they get to any equipment.

Yeah my firewall (Watchguard T35) autoblocks if too many things hit it unsolicited from an ip. I also autoblock most countries. I used to host my own email but got tired of it. domain name attached to a gmail account is fine with me. My spam is low and I don't care if they see the word "network" and then show a network ad, I block most ads anyway! LOL...

1 Like

Hi everyone. Speaking of whitelists, anyone know what I need to include for the remote app? May have gotten a little excited with my DNS privacy settings. :wink:

Happy holidays!

1 Like

Download the Hubitat app