Urgent File Server behind Firewall got hacked
-
Thank you for the input.
Surely going for vpn.
Any other pointers ?
Ashima
-
yes, only open outbound the ports being used for your server. same goes for inbound
-
can I dig any further info about that ip in the firewall logs.
There is really much more that you can do. You already have their IP address. Just harden your system and move on.
https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server
-
"Is it possible to get administrator password hacked remotely."
Out of curiosity what was your password.. More than likely something stupid ;) P@55w0rd! nobody would ever guess that - hehehe
Opening up remote desktop to the public internet is just asking for people to try and guess your password..
-
I admit having an outside RDP access open for my own access to an 2008R2.
But:
I'm NOT using the default port (not for protection, but because 4321 was easier to remember ;)).
Locked down the access from a couple of IP's only.
Password access is not good, I used a certificate for the RDP access.I agree that VPN access would be best.
Only experts might consider using old firewall software, but for some reason, they won't.
Do like us : keep your mean defense port up to date. Remove all 'practical' exceptions. -
"Is it possible to get administrator password hacked remotely."
Opening up remote desktop to the public internet is just asking for people to try and guess your password..Years ago before we used the "lock out after 3 tries" option on our email server we would get hit by attacks that threw 5 login attempts at the server every second for sometimes more than 24 hours. The "password dictionary" these guys use has become quite large and Im sure even faster now.
-
I would disable any RDP access on that server specially that teamviewer. you cant trust teamviewer anymore in regards when it comes security, last thing I heard from them is that hacker where able to login to computers using teamviewer without even entering a password.
-
Thank you all for the responses. Already implemented vpn at site.
@chpalmer, Just curious to know, How do you detect number of login attempts tried on a winserver.
regards,
Ashima -
How do you detect number of login attempts tried on a winserver.
You don't; Windows does. You set the Account Lockout Threshold to however many fails you want and then let it do its thing.
-
Don't count on Windows locking accounts out after X tries as a primary defense. What realistically happens is either it does nothing (since it doesn't apply to some accounts and doesn't affect them trying to guess usernames) or it gets users locked out constantly when someone keeps trying passwords every 5 seconds. You can set how this works in Group Policy. Windows isn't very good at mitigating RDP attacks on its own. The problem is the endpoints, not the protocol itself; encryption doesn't keep people from trying to make connections.
Teamviewer hacks - have seen it a few times, not good to rely on for remote access. You don't really control it. Easy for them to get hacked and then you can't do anything about it. It's happened before.
Where possible I restrict by source IP, which is helpful. If you can't do that, at least change the RDP port and apply something like pfBlocker (allows you to blacklist countries and things) which is better than nothing. Lately, a lot of attacks coming from my country too though. Make sure you have challenging passwords and maybe disable/rename default administrator accounts.
-
To be honest I know for sure that windows does not LOCK out the administrator account. That would be really really bad idea.. Since anyone on the network could lock out the admin from admin the machines ;)
Sure you can lock out account billy, but out of the box windows is not going to allow locking of the built in admin account.
There is NEVER a reason that rdp should be exposed to the public internet - NEVER!!! Now, if you need say some consultant to get into some server. Sure in a pinch you could forward the traffic in. But It should be done then when he is going to connect, and the forward should be locked down to the source IP he will be coming from.
Even then - better choice would to let him vpn in, etc.. Or you could use some support software from your machine, and then let him in to your server via your rdp session. So you can watch what he is doing, etc.
-
We don't use microsoft products for our email server. (other than its a product running on Windows server machine.)
We don't use webmail and setup usernames and (strong) passwords up for each of the desktops and in a case or two for their smartphones. Users never know their password for email. We also use pfblocker to control whats coming from areas which we have no business or desire to hear from.
The email server logs everything. We've never seen anyone actually try to hack into a username (other than "abuse") that we use here but you can't count on that. Its not if.. but when.
But I think the point of this thread is- We have enough with services that have to live with an open port or two in order to do their job. Don't open yourself up to more heartburn by opening up services to the world which can be easily set up on VPN's or other methods such as not allowing outside access at all. Or firewall rules allowing a set source.
-
Hello,
On the eve of new year my entire network seems to be hacked.
To patch up things temporarily I placed new firewall ( just acting as load balancer and vpn server) before my previous firewall.
So my current network is
isp2 –----
|
isp1----- load balancer ---- my old firewall ---- switches ----- Win Server, Desktops, APs.rdp and teamviewer are off WIn Server.....
The LAN network of load balancer is 192.168.5.0/24 . The WAN ip of old firewall is 192.168.5.2.
Suddenly, the arp of load balancer shows 192.168.5.2 allotted to a new mac id de:ad:f9:xx:xx:xx. And the old firewall doesn't get the WAN IP and my entire LAN doesn't get internet access. This is happening every 20-25 min. There are no vendor for mac id de:ad:f9.
I think some one internally intentionally or unintensionally spoofing a mac id and taking up firewall wan ip.
What should I do ? Meanwhile I have taken down my entire LAN network and connecting each device one by one to find the culprit. A tedious job but No other option.
Please Help me and save my NEW Year.....
Regards,
Ashima -
It's definitely intentional. The MAC address starts with the word "dead". You can't "accidentally" change you MAC address.
Since you have no idea where this MAC address is coming from, your local network is physically unsecure. You should either use your switch to figure out which port the address is coming from or start disconnecting devices while attempting to ARP ping or something.
-
Its a locally admin mac, you can tell since de the 2nd significant bit is 1, so that is locally admin mac address.
What is between your LB and your firewall? I would take it just a wire and or a switch where you would of setup this 192.168.5 as a transit network - there should be no other devices on this network other than possible other routers.. You show –- so take it just a wire between your LB and your firewall?
-
@johnpoz there is just a wired connection between LB and the Firewall…..There is no other device between them.
-
We literally removed almost all devices one by one almost 60 off them and reconnected them one by one. There are 3 more win 7 systems, win server, tally server and an AP which are yet be connected and tested. We shall continue the test tomorrow.
Meanwhile I have disabled DHCP in LB and given firewall a fixed ip.
What I don't understand how can a device connected to firewall LAN get a dhcp response from LB (dhcp was initially enabled in LB).
Any help please.
-
"There is no other device between them."
Then why are you bother to check all the other devices on your network??? mac address are layer 2.. They do not go beyond your layer 2 connection. If all you have is a wire between your LB and Pfsense - then your issue is between those 2 devices - PERIOD!!!
-
Hello,
A very Happy New Year to everyone.
Yes, There is just a wire between LB and firewall. That is what was surprising me. The rogue mac id de:ad:b9:80:87:90 was in between getting the wan IP of the firewall, as a result there was no internet for the firewall clients.
I have disabled dhcp in LB and given firewall a static IP. This seems to have solved the issue.
I am also running Xarp ( a program to detect arp spoofing) in my lan. In between I get alerts
169.254.50.80 de:ad:b9:80:87:90
The same mac id but now it's not getting the ip address…. so the net is working fine. I guess someone has done mac spoofing and now running arp snoofing.....
Any clue ?
BTW I had enabled virtual Ip (IP alias) in my firewall if that has some thing to do with the case.
-
169.254 is link local address for ipv4.. Interface set for dhcp that does not get response from dhcp will assign itself a random address with 169.254 as well APIPA..
https://en.wikipedia.org/wiki/Link-local_address
