DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Firewall Settings against repeated attacks
- krisomilo
- Topic Author
- Offline
- New Member
Less
More
- Posts: 6
- Thank you received: 0
24 Jun 2020 05:38 #96489
by krisomilo
Firewall Settings against repeated attacks was created by krisomilo
I am using a Vigor 2832 Annex A Firmware 3.9.2 (replacing an earlier model) - I run my own network but am not a technically qualified person. I've never used for example any advanced features and for 20 years or more I've been left in peace. I have two open ports: one for a Citrix Server and one for Plex. (Maybe I should never have left them open but it seemed logical at the time). The Citrix machine has now been infected by ransomeware - fortunately I was able to recover an Acronis Image but as soon as I set its IP address for NAT purposes (having switched off the damaged machine) the new machine was re-attacked and contagion then spread to the NAS backup units...
I managed to find an image that was only 7 days older and now have the repaired machine running on an IP that is not NAT'd. I was lucky!!
My gut reaction is to block all incoming IPs save ones that I specify (family & friends & Email provider Skype and so on) but not sure if this would then block downloads from web-site (updates or other services). The limit of 16 IPs in the "Black List" would pretty soon be swamped but of course hackers will try infinite IPs so that isn't an option.
How has anyone dealt with such problems please? Any guidance / advice very gratefully received!!!!
Jon
I managed to find an image that was only 7 days older and now have the repaired machine running on an IP that is not NAT'd. I was lucky!!
My gut reaction is to block all incoming IPs save ones that I specify (family & friends & Email provider Skype and so on) but not sure if this would then block downloads from web-site (updates or other services). The limit of 16 IPs in the "Black List" would pretty soon be swamped but of course hackers will try infinite IPs so that isn't an option.
How has anyone dealt with such problems please? Any guidance / advice very gratefully received!!!!
Jon
Please Log in or Create an account to join the conversation.
- admin3
- Offline
- Site Admin
Less
More
- Posts: 604
- Thank you received: 0
24 Jun 2020 16:08 #96495
by admin3
Forum Administrator
Replied by admin3 on topic Re: Firewall Settings against repeated attacks
That's great you were able to recover your data
With remote desktop software, make sure that the username/password are secure as automated attacks on RDP etc are quite common now unfortunately. Trying to "black list" attacking IPs is probably unworkable these days, it also means that they'd try and potentially gain access before you can block them.
You can lock down access ("white list") to remote services easily on the router from the NAT > Open Ports or Port Redirection entries. This won't affect outgoing traffic from your network, just access to those port forwards.
In each Port Redirection or Open Ports entry you've set up, select an IP Group or IP Object as the "Source IP". Then the router will only allow IPs in the IP Group/Object to access those port forwards from the Internet.
Where remote connection IPs aren't fixed, you could potentially use the router's VPN server to get access to services.
With remote desktop software, make sure that the username/password are secure as automated attacks on RDP etc are quite common now unfortunately. Trying to "black list" attacking IPs is probably unworkable these days, it also means that they'd try and potentially gain access before you can block them.
You can lock down access ("white list") to remote services easily on the router from the NAT > Open Ports or Port Redirection entries. This won't affect outgoing traffic from your network, just access to those port forwards.
In each Port Redirection or Open Ports entry you've set up, select an IP Group or IP Object as the "Source IP". Then the router will only allow IPs in the IP Group/Object to access those port forwards from the Internet.
Where remote connection IPs aren't fixed, you could potentially use the router's VPN server to get access to services.
Forum Administrator
Please Log in or Create an account to join the conversation.
- krisomilo
- Topic Author
- Offline
- New Member
Less
More
- Posts: 6
- Thank you received: 0
25 Jun 2020 05:37 #96499
by krisomilo
Replied by krisomilo on topic Re: Firewall Settings against repeated attacks
Hi and thanks for your reply - I was becoming desperate as no-one had replied.
Passwords & RDP - noted and yes "black list" is impractical.
We use NAT of course but what I don't understand is are all ports closed by default?
If that is the case I presume that the way it works is that the port must let a request in on a specific port to the appropriate machine which then checks the username and pwd.
So my big mistake was that I ought not to have opened a port for Citrix or Plex as there was no need since when those machines are queried the credentials will be verified.
In fact it was the older Citrix machine that was compromised because altho we were running an AV program apparently and owing to the machine's age the AV wouldn't have recognised the malicious software. Good to be wise after the event! (The Plex machine has been blocking malicious IPs regularly)
I am trying to create a User Group as you suggest:-
- I assume I create a Profile then go to the next section and add users - but are these users internal or external? External surely?
- But then what is a sensible protocol to follow?
- I don't want to set something that locks me out so do I have to set a password in the Profile and does that then mean that a User included in that Profile will need two passwords?
Thanks
Passwords & RDP - noted and yes "black list" is impractical.
We use NAT of course but what I don't understand is are all ports closed by default?
If that is the case I presume that the way it works is that the port must let a request in on a specific port to the appropriate machine which then checks the username and pwd.
So my big mistake was that I ought not to have opened a port for Citrix or Plex as there was no need since when those machines are queried the credentials will be verified.
In fact it was the older Citrix machine that was compromised because altho we were running an AV program apparently and owing to the machine's age the AV wouldn't have recognised the malicious software. Good to be wise after the event! (The Plex machine has been blocking malicious IPs regularly)
I am trying to create a User Group as you suggest:-
- I assume I create a Profile then go to the next section and add users - but are these users internal or external? External surely?
- But then what is a sensible protocol to follow?
- I don't want to set something that locks me out so do I have to set a password in the Profile and does that then mean that a User included in that Profile will need two passwords?
Thanks
Please Log in or Create an account to join the conversation.
- admin3
- Offline
- Site Admin
Less
More
- Posts: 604
- Thank you received: 0
29 Jun 2020 16:47 #96540
by admin3
Yes, but that may not be the case if you've got UPnP enabled on the router, which allows services & devices to set up their own NAT port forwards. That's off by default but is enabled from the Applications > UPnP menu.
Nope, if a port is forwarded, anything on the internet can access that port unless you've specified a "Source IP" in the NAT Open Ports / Port Redirection rule. The device running the service would then need to perform the authentication.
User groups are for something different, that's to control access from inside your network. Try this instead, it covers how to control access to port forwards:
https://www.draytek.co.uk/support/guides/kb-firewall-rules-port-forwarding
Forum Administrator
Replied by admin3 on topic Re: Firewall Settings against repeated attacks
krisomilo wrote:
We use NAT of course but what I don't understand is are all ports closed by default?
Yes, but that may not be the case if you've got UPnP enabled on the router, which allows services & devices to set up their own NAT port forwards. That's off by default but is enabled from the Applications > UPnP menu.
krisomilo wrote:
If that is the case I presume that the way it works is that the port must let a request in on a specific port to the appropriate machine which then checks the username and pwd.
Nope, if a port is forwarded, anything on the internet can access that port unless you've specified a "Source IP" in the NAT Open Ports / Port Redirection rule. The device running the service would then need to perform the authentication.
krisomilo wrote:
I am trying to create a User Group as you suggest:-
- I assume I create a Profile then go to the next section and add users - but are these users internal or external? External surely?
User groups are for something different, that's to control access from inside your network. Try this instead, it covers how to control access to port forwards:
Forum Administrator
Please Log in or Create an account to join the conversation.
- krisomilo
- Topic Author
- Offline
- New Member
Less
More
- Posts: 6
- Thank you received: 0
29 Jun 2020 17:34 #96541
by krisomilo
Replied by krisomilo on topic Re: Firewall Settings against repeated attacks
Thanks - all more involved than I had imagined.
Meanwhile I have disconnected everything and experimenting.
I'll let you know how I get on. The link you sent me seems to be problematic:
Hmmm… can't reach this pagewww.draytek.co.uk refused to connect.
Which is crazy since I am often on the Draytek site trying to read up stuff!
Meanwhile I have disconnected everything and experimenting.
I'll let you know how I get on. The link you sent me seems to be problematic:
Hmmm… can't reach this pagewww.draytek.co.uk refused to connect.
Which is crazy since I am often on the Draytek site trying to read up stuff!
Please Log in or Create an account to join the conversation.
- destroyer
- Offline
- Junior Member
Less
More
- Posts: 94
- Thank you received: 0
29 Jun 2020 18:38 #96542
by destroyer
Replied by destroyer on topic Re: Firewall Settings against repeated attacks
If you are running old versions of Citrix then this is just a bad idea full stop but you'd be better just constructing a firewall policy in the router denying all inbound to the Citrix IP except for allowed IP addresses.
However I think you'd be best addressing the problem at source really - i.e how did ransomware appear on the system in the first place? Either it is out of date and has known exploits or there is some misconfiguration like a simple to guess password.
If you really are running an old Citrix service then one has to ask - Why? if it's just for remote access then just use RDP instead which, assuming you're running a supported version of Windows, which will be secure providing that you have stong passwords..
However I think you'd be best addressing the problem at source really - i.e how did ransomware appear on the system in the first place? Either it is out of date and has known exploits or there is some misconfiguration like a simple to guess password.
If you really are running an old Citrix service then one has to ask - Why? if it's just for remote access then just use RDP instead which, assuming you're running a supported version of Windows, which will be secure providing that you have stong passwords..
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek