Urgent File Server behind Firewall got hacked
-
- How to we prevent any such attack in future ?
Stop making it accessible via WAN. If your admin users want to do anything to your firewall, let them VPN in. The smaller your attack surface, the better. Haivng all these remote-control services running is just asking for trouble.
I am using pfsense 2.2.6
If you're concerned about security, perhaps you could keep the firewall updated?
-
Thank you KOM for a quick response.
Point noted –- VPN and upgrade firewall.
For the sake of it... can I dig any further info about that ip in the firewall logs.
Also curious to know can administrator password of a win server get hacked easily. Server is not even accessed through rdp so the password is never sent through remote session. Could it be someone from local team who already have the password accessed the server from remote location ( May be VPN to remote location and then accessed the server)
Also the ip which rdp in the server doesn't belong to our country.
Thank you for helping me solve my problem.
regards,
Ashima -
also have a read here http://www.infosecurity-magazine.com/news/surprise-ransomware-spreading-via/ about Teamviewer
or google "Surprise Ransomware Spreading Via TeamViewer" from infosecurity-magazine.com if you don't want to click on a link
if you do want to have remote access you could create a range of known IP addresses where the remote connection is coming from but VPN is better
-
Thank you for the input.
Surely going for vpn.
Any other pointers ?
Ashima
-
yes, only open outbound the ports being used for your server. same goes for inbound
-
can I dig any further info about that ip in the firewall logs.
There is really much more that you can do. You already have their IP address. Just harden your system and move on.
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
-
"Is it possible to get administrator password hacked remotely."
Out of curiosity what was your password.. More than likely something stupid ;) P@55w0rd! nobody would ever guess that - hehehe
Opening up remote desktop to the public internet is just asking for people to try and guess your password..
-
I admit having an outside RDP access open for my own access to an 2008R2.
But:
I'm NOT using the default port (not for protection, but because 4321 was easier to remember ;)).
Locked down the access from a couple of IP's only.
Password access is not good, I used a certificate for the RDP access.I agree that VPN access would be best.
Only experts might consider using old firewall software, but for some reason, they won't.
Do like us : keep your mean defense port up to date. Remove all 'practical' exceptions. -
"Is it possible to get administrator password hacked remotely."
Opening up remote desktop to the public internet is just asking for people to try and guess your password..Years ago before we used the "lock out after 3 tries" option on our email server we would get hit by attacks that threw 5 login attempts at the server every second for sometimes more than 24 hours. The "password dictionary" these guys use has become quite large and Im sure even faster now.
-
I would disable any RDP access on that server specially that teamviewer. you cant trust teamviewer anymore in regards when it comes security, last thing I heard from them is that hacker where able to login to computers using teamviewer without even entering a password.
-
Thank you all for the responses. Already implemented vpn at site.
@chpalmer, Just curious to know, How do you detect number of login attempts tried on a winserver.
regards,
Ashima -
How do you detect number of login attempts tried on a winserver.
You don't; Windows does. You set the Account Lockout Threshold to however many fails you want and then let it do its thing.
-
Don't count on Windows locking accounts out after X tries as a primary defense. What realistically happens is either it does nothing (since it doesn't apply to some accounts and doesn't affect them trying to guess usernames) or it gets users locked out constantly when someone keeps trying passwords every 5 seconds. You can set how this works in Group Policy. Windows isn't very good at mitigating RDP attacks on its own. The problem is the endpoints, not the protocol itself; encryption doesn't keep people from trying to make connections.
Teamviewer hacks - have seen it a few times, not good to rely on for remote access. You don't really control it. Easy for them to get hacked and then you can't do anything about it. It's happened before.
Where possible I restrict by source IP, which is helpful. If you can't do that, at least change the RDP port and apply something like pfBlocker (allows you to blacklist countries and things) which is better than nothing. Lately, a lot of attacks coming from my country too though. Make sure you have challenging passwords and maybe disable/rename default administrator accounts.
-
To be honest I know for sure that windows does not LOCK out the administrator account. That would be really really bad idea.. Since anyone on the network could lock out the admin from admin the machines ;)
Sure you can lock out account billy, but out of the box windows is not going to allow locking of the built in admin account.
There is NEVER a reason that rdp should be exposed to the public internet - NEVER!!! Now, if you need say some consultant to get into some server. Sure in a pinch you could forward the traffic in. But It should be done then when he is going to connect, and the forward should be locked down to the source IP he will be coming from.
Even then - better choice would to let him vpn in, etc.. Or you could use some support software from your machine, and then let him in to your server via your rdp session. So you can watch what he is doing, etc.
-
We don't use microsoft products for our email server. (other than its a product running on Windows server machine.)
We don't use webmail and setup usernames and (strong) passwords up for each of the desktops and in a case or two for their smartphones. Users never know their password for email. We also use pfblocker to control whats coming from areas which we have no business or desire to hear from.
The email server logs everything. We've never seen anyone actually try to hack into a username (other than "abuse") that we use here but you can't count on that. Its not if.. but when.
But I think the point of this thread is- We have enough with services that have to live with an open port or two in order to do their job. Don't open yourself up to more heartburn by opening up services to the world which can be easily set up on VPN's or other methods such as not allowing outside access at all. Or firewall rules allowing a set source.
-
Hello,
On the eve of new year my entire network seems to be hacked.
To patch up things temporarily I placed new firewall ( just acting as load balancer and vpn server) before my previous firewall.
So my current network is
isp2 –----
|
isp1----- load balancer ---- my old firewall ---- switches ----- Win Server, Desktops, APs.rdp and teamviewer are off WIn Server.....
The LAN network of load balancer is 192.168.5.0/24 . The WAN ip of old firewall is 192.168.5.2.
Suddenly, the arp of load balancer shows 192.168.5.2 allotted to a new mac id de:ad:f9:xx:xx:xx. And the old firewall doesn't get the WAN IP and my entire LAN doesn't get internet access. This is happening every 20-25 min. There are no vendor for mac id de:ad:f9.
I think some one internally intentionally or unintensionally spoofing a mac id and taking up firewall wan ip.
What should I do ? Meanwhile I have taken down my entire LAN network and connecting each device one by one to find the culprit. A tedious job but No other option.
Please Help me and save my NEW Year.....
Regards,
Ashima -
It's definitely intentional. The MAC address starts with the word "dead". You can't "accidentally" change you MAC address.
Since you have no idea where this MAC address is coming from, your local network is physically unsecure. You should either use your switch to figure out which port the address is coming from or start disconnecting devices while attempting to ARP ping or something.
-
Its a locally admin mac, you can tell since de the 2nd significant bit is 1, so that is locally admin mac address.
What is between your LB and your firewall? I would take it just a wire and or a switch where you would of setup this 192.168.5 as a transit network - there should be no other devices on this network other than possible other routers.. You show –- so take it just a wire between your LB and your firewall?
-
@johnpoz there is just a wired connection between LB and the Firewall…..There is no other device between them.
-
We literally removed almost all devices one by one almost 60 off them and reconnected them one by one. There are 3 more win 7 systems, win server, tally server and an AP which are yet be connected and tested. We shall continue the test tomorrow.
Meanwhile I have disabled DHCP in LB and given firewall a fixed ip.
What I don't understand how can a device connected to firewall LAN get a dhcp response from LB (dhcp was initially enabled in LB).
Any help please.
