
Access rules full up - now what? 1

Status
Not open for further replies.

1DMF

Programmer
Jan 18, 2005
8,795
GB
Hi,

We use a linksys RV082 router, it's worked fine for many years, however, I have just gone to add another IP to the access rules for trying to hack us, and it is saying
max 50 entries, cannot add rule

So now what? How am I meant to ban further IP addresses from trying to hack us?

And if I've got to remove an IP that has tried to hack us in the past just to add a new IP address for a current attack, what's the point of the access rules, as it only seems to be a temporary solution.

Do I need a new firewall that doesn't have a limit on access rules, or do I need to look at something else to block attempted hacking?

All advice is appreciated.

1DMF



"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

Google Rank Extractor -> Perl beta with FusionCharts
 
You could look at a dedicated Linux firewall server, fairly cheap to install and probably a lot more options for blocking out attacks.
 
That's not quite what I was looking for, apart from the fact we run a windows platform.

I was hoping the firewall rules number could be changed, or even a firmware update might have upgraded the amount of rules allowed.

I ended up going round in circles on their support site trying to find an answer or get support, I emailed the website, but they just sent me back to the support forum, where I couldn't work out how to post a thread.

In the end I gave up, and will advise we get a new hardware firewall with better rules capabilities that isn't Cisco!

Cheers,
1DMF

 
I'm quite surprised that you need that many rules since the default rules are set to block all incoming connections. Have you opened many services? What sort of 'hack attempts' are you referring to? Many common probes of web servers & mail servers are coming from zombie computers, many of which are users with dynamic IP addresses. Trying to block every offending IP address will be an insurmountable task.
 
Most are RDP attempts, but we have a few ports open, otherwise the OWA/OMA/RDP/SMTP wouldn't work.

I've been after a sonic wall for a while, perhaps this is my chance to get my hands on one.

What can you do, if you need remote access to the server, and cannot guarantee genuine access is from a specific range of IPs, what else can you do but ban the IPs as the attacks occur?

As Administrator cannot be locked out of the system from multiple failed logon attempts, how do you combat this?

Unless of course I misunderstand something here, so all input is appreciated.



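The post above asks how to deal with repeated failed RDP logons against Administrator when banning each source IP one at a time is the only tool available. The script below is an added example, not code from the thread or from any of the products mentioned: it reads failed-logon records, flags sources that cross a failure threshold inside a short time window (the brute-force signature, as opposed to a user mistyping a password), reports which accounts are being targeted, and compares the number of per-IP deny rules that would need against a 50-entry router cap. The log lines are constructed samples in a simplified "timestamp,event_id,account,source_ip" form loosely modelled on a Windows Server 2003 Security log export (event 529 = logon failure, 528 = successful logon); a real export has more fields and a different layout, so only the parsing function would need adapting. All IP addresses are documentation ranges, and the threshold, window and rule cap are assumptions you would tune.

```python
"""Flag brute-force logon sources from failed-logon records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample log: "timestamp,event_id,account,source_ip".
# 203.0.113.10 and 198.51.100.7 hammer Administrator in seconds;
# 192.0.2.5 is a user who mistyped once; 203.0.113.77 is a slow, low-rate probe.
SAMPLE_LOG = """\
2010-03-01 08:00:01,529,Administrator,203.0.113.10
2010-03-01 08:00:02,529,Administrator,203.0.113.10
2010-03-01 08:00:04,529,administrator,203.0.113.10
2010-03-01 08:00:05,529,admin,203.0.113.10
2010-03-01 08:00:07,529,Administrator,203.0.113.10
2010-03-01 08:00:09,529,Administrator,203.0.113.10
2010-03-01 08:03:10,529,Administrator,198.51.100.7
2010-03-01 08:03:11,529,Administrator,198.51.100.7
2010-03-01 08:03:12,529,root,198.51.100.7
2010-03-01 08:03:13,529,Administrator,198.51.100.7
2010-03-01 08:03:15,529,Administrator,198.51.100.7
2010-03-01 08:10:00,529,jsmith,192.0.2.5
2010-03-01 08:10:20,528,jsmith,192.0.2.5
2010-03-01 08:15:00,529,Administrator,203.0.113.77
2010-03-01 09:05:00,529,Administrator,203.0.113.77
2010-03-01 09:55:00,529,Administrator,203.0.113.77
"""

FAILED_LOGON_EVENT = "529"  # assumption: the export carries the 2003-era event id


def parse_log(text):
    """Parse the simplified export into (timestamp, event_id, account, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, src = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account, src))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: max failures seen inside any `window`} for sources at or over `threshold`.

    A sliding window separates a burst of guesses from the same count of
    failures spread over hours, which a plain total would not.
    """
    per_src = defaultdict(list)
    for ts, event_id, _account, src in events:
        if event_id == FAILED_LOGON_EVENT:
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def targeted_accounts(events):
    """Count failed logons per account name (case-folded, as Windows account names are)."""
    counts = defaultdict(int)
    for _ts, event_id, account, _src in events:
        if event_id == FAILED_LOGON_EVENT:
            counts[account.lower()] += 1
    return dict(counts)


def rules_needed(flagged, max_rules=50):
    """How many per-IP deny rules the flagged sources need, whether that exceeds the
    router's cap, and how many /24 networks would cover them instead."""
    nets = {ip_network(f"{ip}/24", strict=False) for ip in flagged}
    return {"per_ip": len(flagged), "exceeds_cap": len(flagged) > max_rules, "per_24": len(nets)}


def run_sample():
    """Run the whole analysis over the constructed sample and return the report."""
    events = parse_log(SAMPLE_LOG)
    flagged = brute_force_sources(events)
    return {"flagged": flagged, "accounts": targeted_accounts(events), "rules": rules_needed(flagged)}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The report shows the two burst sources, leaves the single mistyped password and the slow probe unflagged, and confirms that almost every guess is aimed at the built-in Administrator account, which is the account the thread notes cannot be locked out. Run against a real export, the `rules` figure is what tells you whether per-IP blocking is even feasible on a 50-rule device before you start removing old entries to make room for new ones.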
 
If it was a dedicated Linux firewall it doesn't matter how you run the rest of your network, just look at it as an intelligent router. A lot more options to block and slow down attacks without having to block out hundreds of IP addresses, which I think is fighting a losing battle.
 
I appreciate it's an uphill battle, but I can only work with what I have.

If there is no funding for additional PC hardware or software, nor training in its use, am I really out of options?

I may be lucky in getting finance for a new firewall router, could I get a better solution and training for a gateway server (intelligent router) for the price of a cheap SonicWall?

I guess the cheapest solution is to delete all rules and start again as the attacks happen, but that's not really a solution is it.

We have SBS 2003, which has ISA, but I'm reluctant to use it as I could screw things up if I don't configure it right. I have no experience in using ISA, and even MS removed ISA from SBS 2008 as even they admit that the 'edge' computer should not be the domain/file & print server!

I'm not sure implementing ISA in my environment is a good idea.

When you are running with a single box SBS live system with no test system or backup server, switching on things that can block access could take out our entire company's IT infrastructure, including the extranet used by over 200 member companies.

Suggestions welcome.


 
If you're really stuck on a budget, you do realize that you can turn practically any computer into a Linux firewall, right? And much of the software available for such is free. So if you have an extra machine lying around somewhere, and know how to download and burn an ISO image file, and know at least something about Linux, you could do that on your own (with approval of course). It may only require your time. The only extra piece you might need would be a couple of gigabit LAN cards to make sure they can handle the load... then feed that PC into your current router/switch, and split out from there.

But honestly, if you're talking about affecting a couple hundred other businesses if it messes up, and talking about having a fairly large infrastructure, then you need some help on this one - you don't want to mess up. If those with the purse strings don't want to cough up the funds for that help, you need a signed statement saying that they are willing to accept the consequences should your efforts fail.

--

"If to err is human, then I must be some kind of human!" -Me
 
Always a difficult one to get people to spend money on kit, the thing you have to push is how much it would cost if someone did infiltrate your network.
 
As a temporary solution you could change the listening port of rdp on your server to some other port. Then create a forward in your firewall. However a port scan would reveal it. You need a firewall like a Sonicwall so that you can limit rdp to a certain ip block.

Network+ Inet+ MCP MCSA 2k3
 
Have you considered using the VPN capabilities? You can allow Remote Desktop connections through the VPN without opening the RD port (3389) to the internet.
 
If you're really stuck on a budget, you do realize that you can turn practically any computer into a Linux firewall, right?
Yes of course, and I do have a crappy P4 kicking around, but that isn't the main issue.

You're advocating I use software which is free and has no support, nor do I have money for additional support; it would also be based on an OS I don't know how to use, along with other software I have no experience or training in.

Addressing those issues is far more important (and expensive) than a £200.00 crappy machine.

You need a firewall like a Sonicwall so that you can limit rdp to a certain ip block.

As I mentioned, I cannot guarantee the IP ranges, as it's for remote use from home users and other staff using mobile phone WiFi and the like; it's not guaranteed they are on a fixed IP.

Have you considered using the VPN capabilities? You can allow Remote Desktop connections through the VPN without opening the RD port (3389) to the internet.

Really? Am I being a complete donkey here?

We already have the server set up for VPN via SSL certification, do I simply close the RDP ports, connect via VPN and use the local IP or server name once the VPN is connected?

That's a rhetorical statement, just tried it and it works fine, what a muppet I've been! That's what happens when you listen to incompetent support companies, thinking they are setting your system up correctly and don't understand fully what they are doing at the time!

OK other 3rd party required remote access will have to be set up to connect to the VPN first, but that's no big deal.

I knew coming to talk to you guys would help.

OK that's UDP/TCP 3389 closed!

The ports now open for TCP only are 25, 80, 443, 1723.

25 is locked down to specific email service providers' IPs.

So I think I've got it as tight as I can, what do you guys think?

 
Sounds good. 1723 might not even need to be open if you have PPTP pass through enabled. Test it though, I haven't tried using an internal server as the VPN endpoint.

 
Seems like the firewall rules override any VPN pass through settings, the router is set as
IPSec Pass Through : Enabled
PPTP Pass Through : Enabled
L2TP Pass Through : Enabled

But closing 1723 stops the remote user from being able to connect via VPN.



 
I wondered if that might happen when using a separate internal VPN server. If you use the built-in VPN servers that is not an issue.
 
Oh well, it's much better than it was.

Plus I've set the RRAS to only allow VPN via SSL certification and not username/password. So hacking via random password bot is not possible.

I've also disabled IIS for the certificate services, as those who need certificates get them on an ad hoc basis, where I allow certificate services, walk them through the process, then disable again.

So thanks for your help, we have a much more secure network now.

 
PS, running RD through the VPN tunnel allows you to connect to any internal machine by its internal [name or] IP address, whereas when you were port forwarding, you could only forward 3389 to one particular IP address.
 
Yeah I know, the penny dropped when I made this comment
Really? Am I being a complete donkey here?
I realised I had access to the entire LAN, not just the server :)


Again thanks for the help.

 