Anydesk does not work
-
Hi all,
In my lab I have a netgate witch 2 vlan:
vlan 1: client
vlan 2: serverI have installed anydesk in the client and in the server.
From the client I cannot reach the server and I cannot reach any asset outside the network. Anydesk still show the message "Connecting to the AnyDesk network..."
From outside I cannot reach the server although I made the NAT port forwarding. All the other services in the server are correctly working.In the netgate snot is installed but stopped.
Thanks.
-
Can we see screenshots of the firewall and NAT rules you have in place?
Do you see traffic blocked in the firewall logs?
Steve
-
@stephenw10
Yes, there are many IPs blocked.
138.199.36.0/24
136.243.39.0/24And many others.
I would like to let snort ignore all the IPs related to AnyDesk.
-
Are those inbound or outbound? On which interface?
Screenshots are much easier to convey all the information.
Steve
-
@stephenw10
172.16.10.15 and 172.16.20.243 are my client/server in lab.
Almost all the destination address are anydesk IPs.
-
Ok, so you can see Snort has blocked most of that traffic.
You should clear the clear the Snort Blocked Hosts list and retest with Snort still disabled.
If that works you need to correct your network definitions to prevent it blocking internal hosts.
Steve
-
@stephenw10
Yes, It works. But to restart snort and put all anydesk IPs in Pass List, I have to get all these IPs. Is there a list of these IPs available? -
There might be a list of IPs they use. Possible an ASN or several.
However I would be looking at what us triggering the alert. It's probably a false positive and you can suppress the rule.
Steve
-
Look on the ALERTS tab in Snort and see which rule (or rules) is firing and resulting in the block. You can then decide if the rule trigger is a false positive. If you determine it is, then disable that rule.
I have no idea of your skill or experience level with administering an IDS/IPS, but frequently users think they can just go through and enable everything. That's not the case. Enabling too much results in lots of false positive blocks. Evaluate the actual rule triggering the block and decide if it is really needed. There are a lot of "info only" type rules that folks enable for blocking when they really should not (the ET-INFO is a prime example of such a category). Make sure you have not done that, or if you have, you will need to disable quite a few of those rules unless you use Inline IPS Mode and set them to alert-only.
-
@bmeeks said in Anydesk does not work:
but frequently users think they can just go through and enable everything
haha - yeah no clue to what any of the rules mean - but clearly the more rules I have the more secure I will be.. And lets just start of in blocking mode ;)
