Blocking Incoming Requests

jvelez88

Hi, i have been searching all night how to block incoming requests from certain ips/networks/domains from outside my network and cant find anything that can help me!!

There are a lot of bots, spamers, hackers or whatever trying to guess vnc, ssh and other auths inside my servers, some of them comming from finland, china, brazil, africa and others… I created a floting rule, a wan rule and a lan rule BLOCKING traffic from alias MALICIUS containing diferent IPS like 114.4.68.177, domain like delta.ip-colo.net and others, from ANY PROTOCOL, ANY PORT, ANY an none of them seems to work... If I disable the nat rule related to X service I can see in my server the inmediate end of requests so I know its not been redirected from inside my network (ej infected computer). I even instaled pfBlockerNG to block entire countries and the service wont start.

Im running a freshly upgraded:

2.3.3-RELEASE-p1 (i386)
built on Thu Mar 09 07:17:43 CST 2017
FreeBSD 10.3-RELEASE-p9

Can someone show me the right way to do this?


johnpoz

You do understand out of the box all inbound are blocked?  So you forwarded these ports to something inside.. VNC??  Really - that is not every secure..

If you want to block specific countries from using your port forwards, then block them via pfblocker

jvelez88

Yes man, thats no the issue here,  I need this fordwards, and Im not a bank server or some spy agency that holds universe secrets, but those bots that keep testing passwords on internal servers are a pain in the… So, when I want to block an internal user outgoing requests (ejem whole internet) I just create a rule in the LAN tab that rejects or blocks any any any any from source "my problematic client" destination any.

My logic is that if I want to block the bot from "91.100.59.211.generic-hostname.arrownet.dk" I should be able to create the same rule in the WAN tab blocking 91.100.59.211 (or 211.59.100.91) or maybe arrownet.dk entire domain or entire 211.59.100.0/24 or whatever I can throw in an ALIAS to just drop or reject those IPs networks or whatever from reaching the forwards inside my network. But this doesnt happen!

And the other issue is that effectively I installed pfBlockerNG but it cant start the system process and the only log I get is something like this:

"There were error(s) loading the rules: /tmp/rules.debug:34: cannot load "/var/db/aliastables/pfB_Africa_v4.txt": Invalid argument - The line in question reads [34]: table <pfB_Africa_v4> persist file "/var/db/aliastables/pfB_Africa_v4.txt"
@ 2017-04-30 03:04:33"

I didnt created any weird rule, only selected ALMOST ALL countries in ALL continents but service its still down. There wouldnt be the need for pfBlocker but It was easier to just block entire countries like RUSIA or BRAZIL, or whole AFRICA that may have tons of infected computers and I just really dont have any need to receive requests from those countries, or maybe any other country rather than Mex and EUA, and maybe those that I or my "clients" visit.

So, the problem is not having forwarded the vnc, ssh, https or even age of empires net play (haha), those are intentional, the only thing I need its to drop requests that I KNOW I dont need. And why is this not happening in the more logical way? Its my config wrong or its my pf box being a rebel that does what ever it wants?

ptt

@jvelez88:

So, the problem is not having forwarded the vnc, ssh, https or even age of empires net play (haha), those are intentional, the only thing I need its to drop requests that I KNOW I dont need. And why is this not happening in the more logical way? Its my config wrong or its my pf box being a rebel that does what ever it wants?

Post a screenshot of your WAN FW rules

jvelez88

Here they are…

Thanx...


ptt

Try this

• Use "IPv4"  instead "v4+v6"

• Use "server / gateway / cctv" as destination (instead * )

• Use "server ports / gateway ports / cctv ports" as port  (instead * )

Also make sure that your "Alias" are correct.

"captura de pantalla" that sounds "Spanish" to me…. Sabes que existe una Sección del Foro en Español ;)

johnpoz

Well you rules on your wan would block any access from stuff in your malicious alias before it hits your forward.  So if your using pfblocker to include all the countries you do not like in that alias then they would be blocked.

Keep in mind there is a shitton of noise on the net, if you open ports - especially standard ports to common stuff they will see traffic.  And yes they will try to login with stuff like vnc, ssh, telnet, ftp, rdp, etc.  To be honest if you want to access this stuff remote you should vpn into your network.

What is funny if don't see any hits on your first block - so maybe there is something wrong with your alias?

jvelez88

@ptt:

Try this

• Use "IPv4"  instead "v4+v6"

• Use "server / gateway / cctv" as destination (instead * )

• Use "server ports / gateway ports / cctv ports" as port  (instead * )

Also make sure that your "Alias" are correct.

"captura de pantalla" that sounds "Spanish" to me…. Sabes que existe una Sección del Foro en Español ;)

Thanx, ive just tested this way aaaaand… Nothing changed... Ive actually thought everything was ready cause I havent seen weird traffic, but then it came to me that it was to good to be true so I blocked the IP for another network I control, I went to that network and tried to connect to mine, and... well, there it was, everything available... So, maybe the suggestion about the aliases? Ill attach a scap.

And about the spanish thing, "here in my pueblo is pretty much lo mismo", beeing the south neighbor forces you to use both languages as one... Its just globalization...  :-\


nelioromao

@johnpoz:

You do understand out of the box all inbound are blocked?  So you forwarded these ports to something inside.. VNC??  Really - that is not every secure..

If you want to block specific countries from using your port forwards, then block them via pfblocker

Symple way: Redirect all request from outSide to the  default port from vnc "5900" to a BlackHole
Change the default port from VNC to samething else.

And tested…...

rpotter28

johnpoz gave you the answer in comment #6. Use a vpn. The real bad guys won't resolve to a domain, ip lists can't possibly be up to date by the minute so you will always be left with a hole. I know you are not the CIA, but use a vpn and then you can forget all this other nonsense keeping you busy but still leaving a hole :-)

Richard

johnpoz

The only services open to the public are those that you want open to the public.. If you do not like the noise, and sure its not secure.. VNC for example.. Do not open it to the public - vpn in..

Security through Obscurity is NOT security!!!  Changing the port to something other than its standard might remove some log noise, but it does not in the least change the security issue of it being open to the public in the first place.

kpa

Absolutely seconded. Forget the idea of blocking half of the world just because there might be some bad guys out there somewhere, you'll end up doing an infinite rat race that is completely pointless. Use a VPN instead that offers you a trusted channel that you can yourself control to a very fine degree. VPNs are a bread and butter solution of this modern day and they should be always used where possible.

jvelez88

Well, after reading all your generous comments, yeap, I DO have a VPN for personal use and all the important things, ive actually disabled vnc and all non critic services, so I only can use then via vpn, but, the thing is, actually is this impossible? It should be like an standar feature.

johnpoz

"actually is this impossible? It should be like an standar feature."

what is impossible?