As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
My father's office's server is under constant attack, suggestions?
TheSonicRetard
Registered User regular
Registered User regular
My dad runs a local business server from his office, and he has Bullgaurd anti-virus to help him detect various spyware. Recently, bullguard has begun detecting hundreds of "attacks" each day. He uses remote desktop so he can access his server from home and he's getting very paranoid about what these attacks could be.
Here is a screencap of one such notice:
Doing a reverse-DNS look up of these "attacker IPs" (each attack has a different IP) reveals the following info:
the vast, vast majority of these "attacks" are reported to either come from China or Romania.
My dad called Bullguard and asked what they suggested, and they suggested he unticked a box in the settings labeled "block unsolicited ARP packets." He did for a bit, but then got paranoid and rechecked it. Additionally, he went through and checked every box in the "attack detect list" without really knowing what they did. He said that once he checked everything on the list, the number of attacks per day increased from about 4 or 5 to well over 100. Here's a list of options he has checked:
My dad is very sensitive about the information on his server. if it got out, it could potentially ruin his business. I guess my questions are, first, what exactly are "unsolicited ARP packets," and why did they suggest unchecking the box to detect them. Second, are these legitimate attacks? Should he be concerned? How can I stop them? And finally, what would you guys suggest to ease his mind. He has a router in his office so I can fiddle with the firewall if necessary.
I'd really appreciate any help.
Here is a screencap of one such notice:
Doing a reverse-DNS look up of these "attacker IPs" (each attack has a different IP) reveals the following info:
the vast, vast majority of these "attacks" are reported to either come from China or Romania.
My dad called Bullguard and asked what they suggested, and they suggested he unticked a box in the settings labeled "block unsolicited ARP packets." He did for a bit, but then got paranoid and rechecked it. Additionally, he went through and checked every box in the "attack detect list" without really knowing what they did. He said that once he checked everything on the list, the number of attacks per day increased from about 4 or 5 to well over 100. Here's a list of options he has checked:
My dad is very sensitive about the information on his server. if it got out, it could potentially ruin his business. I guess my questions are, first, what exactly are "unsolicited ARP packets," and why did they suggest unchecking the box to detect them. Second, are these legitimate attacks? Should he be concerned? How can I stop them? And finally, what would you guys suggest to ease his mind. He has a router in his office so I can fiddle with the firewall if necessary.
I'd really appreciate any help.
TheSonicRetard on
0
Posts
Basically it sits as a buffer between his important stuff and the internet. He can set up port forwarding or maybe get a VPN solution so that he can get to his server, but no one else can. Needs to be limited to only accept connection from trusted IP's.
In the purest sense, as long as his system is up to date on all the newest patches, these "attacks" aren't all that serious. They're mostly probing for vulnerabilities and he'd probably be fine. But if securing the data on that server really is "business critical", then he needs a firewall protecting it, and not one of those shitty software firewalls you can install in Windows. Let people hack the firewall, he can afford to lose that for a day or so.
NintendoID: Nailbunny 3DS: 3909-8796-4685
As for the ARP (http://en.wikipedia.org/wiki/ARP_spoofing) the firewall can keep blocking it.
Can't you just black list those IPs and block all traffic from them? Eventually they will give up. It looks like they are just scanning for stuff.
PSNID: DigitalX86
Nintendo ID: digitalsyn
3DS Friend Code: 5300 - 9726 - 6963
Steam: http://steamcommunity.com/id/D1G1T4LSYN/
On another board someone suggested either buying one that costs about $1000, or building one using this: http://www.pfsense.com/
I'm leaning towards the second option. All I'd need is a 100 mhz PC with 128 mb of ram. A question, though; he is wirelessly connected to his router. I was telling him it'd be much easier and quicker to just run a cable to the router (which is in another room) but assuming he doesn't want to budge, can I do this with a wireless connection? Like put in one wired NIC card on his server and the firewall box, and a wireless card on the firewall box?
You could do that, but you would typically place the firewall between the modem and the router. If these devices are combined into a single device, then that will likely to be your only option. At that point, you are only protecting the server, not your entire network.
NintendoID: Nailbunny 3DS: 3909-8796-4685
Well someone on another site linked me to this: http://www.parkansky.com/china.htm
it's a method for blocking all connections from a specific country.
But yeah, I'm just gonna build the firewall. I got multiple boards suggesting it and it sounds like something I really should have set up in the first place. I figured the router alone was enough, but clearly I was wrong.
This is true, but it looks to me its just a bot network doing some scanning for open ports. Happens all the time, and a 24 hour block of the IP block usually quells the scans.
PSNID: DigitalX86
Nintendo ID: digitalsyn
3DS Friend Code: 5300 - 9726 - 6963
Steam: http://steamcommunity.com/id/D1G1T4LSYN/
I use monowall as my firewall/router
http://m0n0.ch/wall/
It's in line with pfsense, but I prefer the GUI layout. Both are equally adequate as a firewall though.
PSNID: DigitalX86
Nintendo ID: digitalsyn
3DS Friend Code: 5300 - 9726 - 6963
Steam: http://steamcommunity.com/id/D1G1T4LSYN/
Does monowall have a liveCD edition? I was looking to use pfsense and run it off of a USB drive to save on a HDD
EDIT: Oh sweet it does, I might use this one instead because of the GUI. thanks!
It does -http://m0n0.ch/wall/download.php?file=cdrom-1.32.iso
Basically you can have it save the config to the USB drive and use that for reboots.
Also PFsense is based off monowall, so they each have something a little different.
PSNID: DigitalX86
Nintendo ID: digitalsyn
3DS Friend Code: 5300 - 9726 - 6963
Steam: http://steamcommunity.com/id/D1G1T4LSYN/
Actually most of the stuff in that list is really, really common so I don't think getting notified about it is really helping any as long as it is being blocked. And trying to do IP lookups is pointless cause you'll wonder why half the internet is attacking you.
But I second the recommendation for a proper hardware firewall if the server is that critical.
Basically this.
The internet is a wild place, and these kind of scans and attacks are common.
There are botnets, worms, viruses and scripts constantly trying to connect to any IP address they can find.
The good news is that most of these attacks are untargeted and unlikely to actually exploit any vulnerability your dad's server might have. The bad news is that they only need to be lucky once, so eventually they might get in.
While a software firewall is a first solution, in my opinion it is inadequate, get a real hardware firewall.
I recommend anything by Cisco, but they have an extensive, hard to follow catalog.
Searching for "Cisco for small businesses" might get you started (Look for the "I want to....secure my business" tab.
Or give them a call, their number should be on the website.
While I'm sure you can figure it out, and correctly install any hardware firewall they deliver, it might give your dad some peace of mind that a professional was involved to give him the best option.
For the telephone / in person consulting, I don't know what (if anything) they will charge, or what they'll recommend, so it's hard for me to say what to be wary of. (Obviously, don't buy the hunderd-thousand dollar super server cluster option)
This page is their "Secure my small business page" that might help.
I already mentioned this, but Cisco solutions range from very expensive, to pretty cheap, and without knowing what your dad needs, I can't really suggest anything.
Also, there are many other companies that can do this, just make sure you have a something that is marketed towards businesses. routers + firewalls for residentials or home use are not robust enough. (I personally don't even think they're robust enough for home use, but opinions differ on that one)
It's very unlikely anyone would be interested in his data (unless it's his banking or CC info, personal identity info, or a mountain of porn) and are more likely to be just interested in using his internet connection.
Putting up a real firewall between his LAN and the Internet and publishing only the services needed should reduce his LAN's attack surface (concentrating it on the external interface of the firewall which is where you want it) so he'll get fewer of these notifications, unless people are stealing his wifi and they are the source of the activity.
If he's getting these firewall notifications on the RDP host, which is behind a basic wifi router, I'd wonder how the RDP service is being published, or how traffic is being shaped to that host. Cause even a cheap wifi router should be able to publish a service on a host while still screening it from port scan-type activity.
If it's anything like the few places I've seen before a real IT guy sets up business with them, it's probably plugged directly into the main server, and that server uses ICS or some other proxy bullshit forcing it to act as a router. I think Windows2000 server was notoriously used for this a lot back in the day.
Maybe get a used PIX 506e or something like that on Ebay. They're a bit under $100 right now.
While you're at it, you can also block Russia and any country that used to be part of the USSR.
CUZ THERE'S SOMETHING IN THE MIDDLE AND IT'S GIVING ME A RASH
My dad does a lot of contracting for the City of Houston so he actually does do business with China and Russia and several other foreign countries. I actually posted a method for blocking entire countries, but he can't really do that.
Anywho, I built the firewall and things are looking good so far. Thanks guys.