Netgate Discussion Forum

    Under attack, anything I should do?

    General pfSense Questions
    68 Posts 19 Posters 3.4k Views
      AndyRH

      Hotels likely do not block 1194, which is OpenVPN and is frequently used by business travelers. That is what I use for WireGuard.

      I disagree about not opening ports. That is the whole point of having a good firewall and good services behind it. My web server is getting many hits per second.

      o||||o
      7100-1u

        revengineer @elvisimprsntr

        @elvisimprsntr ICMP pings are blocked. No need to scan with ShieldsUP, I know which ports are open and why. Tailscale is worth looking at. I have it installed but am not using it. I am not sure this is a lesson to learn. If OpenVPN is secure, then all should be good. So perhaps it is just an annoyance.

          revengineer @AndyRH

          @AndyRH I have certainly stayed at hotels that block 1194. When I ran into this, I installed a second instance of OpenVPN on port 443. I do have WireGuard installed and it's working well. Perhaps that can be the backup for port 1194 in the future.

          So far I gather I will be waiting until the attacks settle down. Not sure why the attacker is not giving up after days of hammering a port on which traffic is dropped without a return.

            tgl @revengineer

            @revengineer
            I think you are feeling a false sense of exceptionalism. There's nothing in what you've said to make me think that you are specifically getting attacked. Everybody with an IP address is getting scanned constantly by bots looking for weak spots. If the packet rate got high enough to consume most of your bandwidth, then maybe somebody is intentionally trying to DDoS you, but it didn't sound like you are anywhere near that.

              johnpoz LAYER 8 Global Moderator @revengineer

              @revengineer said in Under attack, anything I should do?:

              different source IPs and ports at a rate of about 5 per second

              Call the record books - its the new largest ddos ever recorded ;)

              Dude, it's NOISE.. really, yes, the internet is noisy..

              I don't even log all the noise, only the SYNs, and a few common UDP ports.. I log the 3000 last entries, and it only goes back like 5 hours.

              [screenshot: log.jpg]

              Users that are new to a firewall that actually logs, unlike most SOHO wifi routers, are surprised at the amount of noise there is..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                mer @elvisimprsntr

                @elvisimprsntr said in Under attack, anything I should do?:

                Consider this a valuable lesson to NEVER, under any circumstances, open any ports.

                If everyone followed this nothing would work.
                Email, DNS, NTP, nothing.

                In fact if no one ever opened any ports the internet would probably be broken.

                I think the real lesson is "any port opened has a probability >99% of being scanned by bots"

                443 is https, typically leading to a web server, web servers are typically a "good" point of attack.
                All the openvpn client configs I've seen typically reference ports 1194 and 443 as fallback.

                  elvisimprsntr @mer

                  @mer said in Under attack, anything I should do?:

                  If everyone followed this nothing would work.
                  Email, DNS, NTP, nothing.

                  In fact if noone ever opened any ports the internet would probably be broken.

                  I have exactly zero (0) manual port forwarding open and I have no issues.

                  The OP chose to open/use port 443 for OpenVPN, and they saw the results.

                  [screenshot: Screenshot 2024-09-05 at 5.49.07 AM.png]

                    johnpoz LAYER 8 Global Moderator @elvisimprsntr

                    @elvisimprsntr you understand you are seeing the same hits, right.. none of those ports being seen in my logs are open..

                    Unless you're behind a NAT, and the internet cannot talk to the pfSense WAN, you're seeing the same traffic.

                      ronv42 @johnpoz

                      Noise is sometimes an understatement. When a DDoS group gets your IP address and keeps hammering at a single port for 24 hours from Brazil. The port isn't open, but they don't care; compute and network are cheap when looking for open ports and vulnerabilities.

                        elvisimprsntr @johnpoz

                        @johnpoz

                        Yep.

                        I stopped looking at WAN side logs because there is so much noise that it’s pointless to look at, because there is not a [redacted] thing you can do about it other than make sure there are no manual or UPnP port forwards and keep all your systems updated.

                          johnpoz LAYER 8 Global Moderator @ronv42

                          @ronv42 what is that, about 8k hits in 2 hours.. Works out to what, 1 hit per second or so.. Again, let's add this to the record books as a huge DoS attack ;)

                            Bob.Dig LAYER 8

                            If this annoys you, you could make an exception for your mobile phone provider only (Source-Address ASN with pfBlocker). Then, if you want to use hotel-wifi, you would only open the port manually to that IP or disable your exception for the time being. John is probably right that this is not enough for a DDoS.

                              Patch @revengineer

                              @revengineer said in Under attack, anything I should do?:

                              Out of an abundance of caution I locked down port 443, so all requests are now blocked.

                              I guess you did this by whitelisting the IP addresses you allow.
                              I use an IP alias in pfSense for this which includes the address of my laptop while I'm on the road (via a dynamic domain name client on my laptop).

                              @Bob-Dig said in Under attack, anything I should do?:

                              you could make an exception for your mobile phone provider only

                              Yep that can be included in the above alias as well if required.

                                Gertjan @AndyRH

                                @AndyRH said in Under attack, anything I should do?:

                                My web server is getting many hits per second

                                Thanks for the reminder.
                                Looks like my web server's port 80 has an issue : there are none 😵

                                @AndyRH said in Under attack, anything I should do?:

                                Hotels likely do not block 1194 which is OpenVPN and frequently used by business travelers

                                Hotel here, that's what I use pfSense for, with the captive portal 👍
                                I block just 1 (one) port : any destination, TCP 25. For, imho, obvious reasons.
                                And as Andy said, the real clients, not the tourists but the professional ones, use some kind of VPN. I'm not going to block them as they are good for 75 % of the turnover.

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                  AndyRH @revengineer

                                  @revengineer said in Under attack, anything I should do?:

                                  I have certainly stayed at hotels that block 1194.

                                  Cycle through other VPN ports. Some will be open.

                                  80, 443, 20 and 21 will always be scanned frequently. I am sure there are others that are favorites.

                                  For those afraid of the jungle internet, check your logs, those popular ports will have been scanned in the last few seconds.

                                    johnpoz LAYER 8 Global Moderator @Gertjan

                                    @Gertjan said in Under attack, anything I should do?:

                                    Hotel here

                                    I have been to hotels where vpn is blocked on say 1194, because they want you to pay for the "special" internet package that allows for it ;)

                                    So it is a thing ;) heheh

                                    It's funny, you stay at a budget hotel and you get wifi and breakfast for free, you stay at a higher end place and they charge you for wifi and breakfast ;) hehehe

                                      Gertjan @revengineer

                                      @revengineer said in Under attack, anything I should do?:

                                      Is there anything I should do other than waiting these attacks out?

                                      That's most probably the only option you have.

                                      A DoS has just one goal : saturating your down-link, thus saturating your uplink.
                                      Even if there is a way to 'suck up' all the useless data, your 'pipe' to the net is bandwidth limited, and the goal is : filling it up.
                                      It doesn't matter which port is focused on, but an 'open' port will use a lot more 'firewall/router', so if there is one, it will be used, as the DoSer will get more bang for the buck.

                                      If a solution exist, it's the one that the ISP can give you :
                                      As you've said : get another IP.
                                      Or an active DOS protection system, ISP based.
                                      So, next time when you switch ISP, make these criteria part of your selection-list.

                                      Or, solve the problem with pure 'Kevin style' : as DoS is a question of "who has the biggest", get that symmetrical 10 Gbit ISP connection.
                                      Now, when a DoSer comes around, he has to bring in a lot of DoS power to fill up that pipe. And better : when you are DoSed now, it will show up on the ISP dashboard, and as the ISP tends to protect that amount of available bandwidth, they will act.
                                      ( and while doing so, they will also terminate your subscription as you're too hot to handle ^^)

                                        bmeeks @revengineer

                                        @revengineer said in Under attack, anything I should do?:

                                        My home IP address has been under attack for a week. I opened port 443 to use with OpenVPN because it is a port that is not blocked in hotels. Over a week ago, I noticed that this port is being pounded by a range of different source IPs and ports at a rate of about 5 per second. There is no indication that anyone got through the firewall. Out of an abundance of caution I locked down port 443, so all requests are now blocked. However, the rate of attack remains the same. My cable provider does not provide a simple option to change the public IP address. Is there anything I should do other than waiting these attacks out?

                                        Thanks for any advice in advance.

                                        Opening port 443 to incoming connections on your firewall's WAN interface makes your setup appear to be a web server. As mentioned by others, web servers are favorite targets for all manner of vulnerability searches using various exploit kits. Nefarious folks are always searching for web servers to compromise.

                                        The normal open port for OpenVPN is UDP port 1194. Most vulnerability scanners won't bother trying to get in via port 1194 because they know guessing the correct certificate key is darn near impossible. So, short answer there is that serious hackers usually don't waste their time scanning for an open UDP port 1194. HTTPS (port 443), on the other hand, is oftentimes a very attractive target as they are looking for unpatched web servers to try and gain access via an exploit kit.

                                        But 5 hits per second is honestly nothing. A true DDoS attack would be thousands of attempts per second.

                                        If I were you, I would reconsider opening port 443 on the WAN. All it would take is a slight configuration mistake on your end of the firewall to make your firewall's web GUI login available on the Internet. I'm sure you would not want that! If port 1194 access is giving you trouble from some locations (as in being blocked by the admin whose network you are currently using), then perhaps Tailscale is a viable workaround ??

                                          Gertjan @bmeeks

                                          @bmeeks said in Under attack, anything I should do?:

                                          I would reconsider opening port 443 on the WAN

                                          @revengineer

                                          These days, for what, 50 €/$ a year ? you have a domain name, a cloud based web space, with a web server of your choice : nginx or apache2, that supports several PHP versions and extensions, free snapshots and backups - 'minor' mail support and the like.
                                          And when it goes the phoenix way, it's easy to recover.
                                          Already the electricity bill of a web server, each year, will be more than the 50 $.

                                          Btw : hosting companies do have good DoS protection out of the box, as they have thousands of servers to protect. After all : if a site goes down, the entire server goes with it, hosting hundreds or thousands of other web sites as well. They will black hole the DoS traffic at their border routers.

                                          But I get it : hosting a web server (any server) on your own premises, behind a SOHO ISP line, on paper, it can work.
                                          A boy's dream, as it was for me, back then, I admit.
                                          And maybe you have your special reason to host stuff yourself, and if it's ok for you, it's ok for me.
                                          But do get that big pipe 😊

                                            stephenw10 Netgate Administrator

                                            Yup, 5 connections a second is not a DoS attack. Your IP has been flagged by scanners because port 443 was open at one time, so you are seeing a higher than average number of connection attempts. Not much you can do other than wait for it to stop / ignore it or change your IP address.

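Two things in this thread can be checked against the firewall log rather than eyeballed: the "is this a DDoS or just scan noise" judgment that johnpoz, bmeeks and stephenw10 make (about 5 hits per second versus thousands), and the source-restricted rule that Bob.Dig and Patch describe (only admit the mobile carrier's ranges or an alias holding your laptop's address). The script below is an added example for this page, not code from the thread or from pfSense. It parses a handful of constructed log lines modelled on pfSense's filterlog CSV layout (the column order assumed in the comment, the FLOOD_PPS threshold and the 203.0.113.0/24 "carrier range" are all assumptions of this example), reports hits per second and distinct sources per blocked destination port, and previews which of those sources an allowlist rule on 443 would still admit.

```python
"""Triage WAN block-log noise and preview a source allowlist (added example, not pfSense code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed column order of the CSV part of an IPv4 filterlog line:
# 0 rulenum 1 subrule 2 anchor 3 tracker 4 iface 5 reason 6 action 7 dir
# 8 ipver 9 tos 10 ecn 11 ttl 12 id 13 offset 14 flags 15 protoid
# 16 protoname 17 length 18 src 19 dst 20 srcport 21 dstport ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ filterlog\[\d+\]: (?P<csv>.+)$"
)

# Assumption taken from the thread: a real DDoS is "thousands of attempts per
# second"; single-digit rates are ordinary background scanning.
FLOOD_PPS = 1000

# Constructed sample: ten blocked SYNs to 443 from ten sources within two seconds
# (about 5/s, as in the original post), some telnet/ssh noise, one permitted
# OpenVPN datagram on udp/1194, and an unrelated kernel line the parser must skip.
SAMPLE_LOG = """\
Sep  5 05:49:00 pfSense kernel: igb0: link state changed to UP
Sep  5 05:49:00 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,1,0,DF,6,tcp,60,203.0.113.10,198.51.100.7,40001,443,0,S,1,,65535,,mss
Sep  5 05:49:00 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,48,2,0,DF,6,tcp,60,198.18.0.5,198.51.100.7,50022,443,0,S,2,,65535,,mss
Sep  5 05:49:00 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,3,0,DF,6,tcp,60,192.0.2.44,198.51.100.7,33001,443,0,S,3,,65535,,mss
Sep  5 05:49:00 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,55,4,0,DF,6,tcp,60,100.64.3.9,198.51.100.7,44444,443,0,S,4,,65535,,mss
Sep  5 05:49:00 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,52,5,0,DF,6,tcp,60,203.0.113.77,198.51.100.7,40555,443,0,S,5,,65535,,mss
Sep  5 05:49:00 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,6,0,DF,6,tcp,60,192.0.2.44,198.51.100.7,33010,23,0,S,6,,65535,,mss
Sep  5 05:49:01 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,47,7,0,DF,6,tcp,60,198.18.1.2,198.51.100.7,50100,443,0,S,7,,65535,,mss
Sep  5 05:49:01 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,50,8,0,DF,6,tcp,60,192.0.2.200,198.51.100.7,33002,443,0,S,8,,65535,,mss
Sep  5 05:49:01 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,55,9,0,DF,6,tcp,60,100.64.8.8,198.51.100.7,44500,443,0,S,9,,65535,,mss
Sep  5 05:49:01 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,46,10,0,DF,6,tcp,60,198.18.2.3,198.51.100.7,50200,443,0,S,10,,65535,,mss
Sep  5 05:49:01 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,11,0,DF,6,tcp,60,192.0.2.9,198.51.100.7,33003,443,0,S,11,,65535,,mss
Sep  5 05:49:01 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,51,12,0,DF,6,tcp,60,192.0.2.44,198.51.100.7,33011,23,0,S,12,,65535,,mss
Sep  5 05:49:01 pfSense filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,55,13,0,DF,6,tcp,60,100.64.3.9,198.51.100.7,44460,22,0,S,13,,65535,,mss
Sep  5 05:49:01 pfSense filterlog[1234]: 7,,,1000000110,igb0,match,pass,in,4,0x0,,64,14,0,DF,17,udp,100,203.0.113.10,198.51.100.7,51000,1194,80
"""


def parse_filterlog(text):
    """Return one record per IPv4 filterlog line that carries source/destination ports."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a filterlog line (kernel, sshd, ...)
        f = m.group("csv").split(",")
        if len(f) < 22 or f[8] != "4":
            continue  # IPv6, or too short to carry ports
        try:
            records.append({
                "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                "iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
                "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21]),
            })
        except ValueError:
            continue  # icmp or a truncated line: no integer ports
    return records


def port_stats(records, action="block", direction="in"):
    """Per destination port: hits, distinct sources, hits/second over the log window."""
    sel = [r for r in records if r["action"] == action and r["dir"] == direction]
    if not sel:
        return {}
    # Window is inclusive of the first and last second, so 2 timestamps 1 s apart = 2 s.
    window = (max(r["ts"] for r in sel) - min(r["ts"] for r in sel)).total_seconds() + 1
    by_port = defaultdict(list)
    for r in sel:
        by_port[r["dport"]].append(r["src"])
    return {p: {"hits": len(s), "sources": len(set(s)), "pps": len(s) / window}
            for p, s in by_port.items()}


def classify(pps):
    """Thread's rule of thumb: volumetric flood only at thousands of packets/second."""
    return "volumetric flood" if pps >= FLOOD_PPS else "background scanning"


def allowlist_verdicts(records, allowed_cidrs, dport):
    """Sources aimed at dport that a pass rule restricted to allowed_cidrs would admit vs drop."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    admitted, dropped = set(), set()
    for r in records:
        if r["dport"] != dport:
            continue
        ip = ipaddress.ip_address(r["src"])
        (admitted if any(ip in n for n in nets) else dropped).add(r["src"])
    return sorted(admitted), sorted(dropped)


if __name__ == "__main__":
    recs = parse_filterlog(SAMPLE_LOG)
    for port, s in sorted(port_stats(recs).items()):
        print(f"port {port}: {s['hits']} hits from {s['sources']} sources, "
              f"{s['pps']:.1f}/s -> {classify(s['pps'])}")
    admitted, dropped = allowlist_verdicts(recs, ["203.0.113.0/24"], 443)
    print(f"allowlist on 443 admits {admitted}, drops {len(dropped)} sources")
```

Point the parser at a real export of the WAN block log to get the same two numbers the thread argues about: the per-port rate (a handful per second is what every public address sees) and the number of distinct sources (many unrelated sources at a low rate is scanner noise, not a targeted flood). The allowlist preview shows the trade-off Bob.Dig raises: restricting the source to your carrier's ranges removes all the scanner hits, but a hotel address outside those ranges is dropped too until you add it to the alias.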
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.