DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Syslog data

11 May 2020 18:03 #1 by nairnmonster
Syslog data was created by nairnmonster
Hi there,

I have just set up Syslog, and on the user access there is a large number of connections from "Virtual Server: 138.xx.xx.xx:59764 - > 192.xx.xx.xx:443 (TCP)". These are from a number of other external IP addresses also going to the 3389 port for RDP. I have a few VMs running, all with external RDP access behind a different public port number.

But basically I don't know if this is malicious activity or standard from a system communicating with my network. I don't know how to look into this further.

Any help anyone can give would be amazing, if there is anything else I can give for details please let me know?

Thanks

11 May 2020 22:04 #2 by hornbyp
Replied by hornbyp on topic Re: Syslog data

nairnmonster wrote:
I have just set up Syslog, and on the user access there is a large number of connections from "Virtual Server: 138.xx.xx.xx:59764 - > 192.xx.xx.xx:443 (TCP)". These are from a number of other external IP addresses also going to the 3389 port for RDP. I have a few VMs running, all with external RDP access behind a different public port number.

But basically I don't know if this is malicious activity or standard from a system communicating with my network.

Start by finding out who these external IP addresses belong to. Use an online tool such as https://dnslytics.com/ . Traffic from the outside world can only pass through a NAT router if a 'port-mapping' exists. This can be either manually configured or, potentially, by UPnP. (Data in response to a query from inside your LAN is automatically allowed through.)

Do you (knowingly) have a web server, or something similar, running on 192.xx.xx.xx that's expecting HTTPS connections from the outside world? If so, is 138.xx.xx.xx one of the external addresses you would expect? If the answers to these questions are "No", then you have to find and de-configure the culprits, including removing the port-mapping. Syslog can give you more information if you configure any Firewall rules to also generate Syslog messages [there's a tick box]. This includes the "Default Rule".

Moving on to RDP. Changing it to use another port number has probably not enhanced its security to any measurable degree. Would-be attackers get their information from 'services' like https://shodan.io rather than probing individual systems themselves. (Having found the alternate port open during one of its regular scans, a service like Shodan will categorise it based on the responses it gets from it.)

You should not (IMO) allow unfettered access via RDP from the Internet. See, for example, here: https://www.darkreading.com/endpoint/the-risks-of-remote-desktop-access-are-far-from-remote/a/d-id/1331820

The quickest way to protect it is to require remote users to connect via a VPN connection first.

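The triage hornbyp describes (work out which internal host and port each "Virtual Server" hit lands on, compare that against the port-mappings you know you configured, and look at how many external sources are hammering the RDP mapping) can be done offline against the exported Syslog text. The following Python is an added example, not code from the thread or from DrayTek: it parses lines of the shape quoted in the original post, and it assumes a standard syslog timestamp and a "vigor: [User Access]" prefix in front of that text. The log lines are constructed, using documentation-range public IPs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "User Access" line quoted in the thread. The router writes
# "- >" with a space; "\s*-\s*>\s*" accepts either spelling. The leading
# syslog timestamp and the "vigor: [User Access]" prefix are assumed framing.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"Virtual Server: (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
    r"\s*-\s*>\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) \((?P<proto>[A-Z]+)\)"
)

# Constructed sample export (documentation-range public IPs, not real hosts).
SAMPLE_LOG = """\
May 11 17:58:01 vigor: [User Access] Virtual Server: 203.0.113.10:59764 - > 192.168.1.20:443 (TCP)
May 11 17:58:02 vigor: [User Access] Virtual Server: 198.51.100.7:40001 - > 192.168.1.30:3389 (TCP)
May 11 17:58:07 vigor: [User Access] Virtual Server: 198.51.100.7:40002 - > 192.168.1.30:3389 (TCP)
May 11 17:58:12 vigor: [User Access] Virtual Server: 198.51.100.7:40003 - > 192.168.1.30:3389 (TCP)
May 11 17:58:17 vigor: [User Access] Virtual Server: 198.51.100.7:40004 - > 192.168.1.30:3389 (TCP)
May 11 17:58:22 vigor: [User Access] Virtual Server: 198.51.100.7:40005 - > 192.168.1.30:3389 (TCP)
May 11 17:58:27 vigor: [User Access] Virtual Server: 198.51.100.7:40006 - > 192.168.1.30:3389 (TCP)
May 11 18:01:40 vigor: [User Access] Virtual Server: 203.0.113.10:59801 - > 192.168.1.20:443 (TCP)
May 11 18:03:15 vigor: [User Access] Virtual Server: 198.51.100.8:51234 - > 192.168.1.30:3389 (TCP)
May 11 18:05:09 vigor: [User Access] Virtual Server: 203.0.113.55:33333 - > 192.168.1.30:3389 (TCP)
May 11 18:09:30 vigor: [User Access] Virtual Server: 203.0.113.10:59950 - > 192.168.1.20:443 (TCP)
May 11 18:09:31 vigor: DHCP lease renewed for 192.168.1.77
"""


def parse_lines(text):
    """Return one record per Virtual Server line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # Syslog timestamps carry no year; the parsed value is only used for
        # relative ordering within one capture.
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def summarise_by_port(records):
    """Hit count and distinct external sources per (internal host, port) pair."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set()})
    for r in records:
        key = (r["dst"], r["dport"])
        summary[key]["hits"] += 1
        summary[key]["sources"].add(r["src"])
    return dict(summary)


def unexpected_exposures(summary, expected):
    """Mappings that took inbound hits but are not on the owner's own list of
    intended port-mappings: candidates for removal (stale manual entry or UPnP)."""
    return sorted(k for k in summary if k not in expected)


def burst_sources(records, dport, window=timedelta(seconds=60), threshold=5):
    """Sources with >= threshold hits on dport inside any `window`: the repeated
    reconnect pattern of password guessing, as opposed to a single scanner probe."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == dport:
            by_src[r["src"]].append(r["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    summary = summarise_by_port(recs)
    # The only mapping this (hypothetical) owner meant to create.
    known = {("192.168.1.20", 443)}
    for (dst, dport), info in sorted(summary.items()):
        print(f"{dst}:{dport}  hits={info['hits']}  sources={sorted(info['sources'])}")
    print("not on my list:", unexpected_exposures(summary, known))
    print("bursting on 3389:", burst_sources(recs, 3389))
```

Feed it the Syslog export instead of SAMPLE_LOG and put your own intended mappings in `known`; anything reported as "not on my list" is a mapping to track down in the router's NAT and UPnP pages, and the sources flagged on 3389 are the ones worth looking up on dnslytics as hornbyp suggests. Turning on Syslog for the firewall rules (the tick box mentioned above) will add the blocked traffic too, which this parser ignores because those lines have a different shape.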
11 May 2020 22:49 #3 by nairnmonster
Replied by nairnmonster on topic Re: Syslog data
hornbyp wrote:
Start by finding out who these external IP addresses belong to. Use an online tool such as https://dnslytics.com/ . Traffic from the outside world can only pass through a NAT router if a 'port-mapping' exists. This can be either manually configured or, potentially, by UPnP. (Data in response to a query from inside your LAN is automatically allowed through.)

Do you (knowingly) have a web server, or something similar, running on 192.xx.xx.xx that's expecting HTTPS connections from the outside world? If so, is 138.xx.xx.xx one of the external addresses you would expect? If the answers to these questions are "No", then you have to find and de-configure the culprits, including removing the port-mapping. Syslog can give you more information if you configure any Firewall rules to also generate Syslog messages [there's a tick box]. This includes the "Default Rule".

Moving on to RDP. Changing it to use another port number has probably not enhanced its security to any measurable degree. Would-be attackers get their information from 'services' like https://shodan.io rather than probing individual systems themselves. (Having found the alternate port open during one of its regular scans, a service like Shodan will categorise it based on the responses it gets from it.)

You should not (IMO) allow unfettered access via RDP from the Internet. See, for example, here: https://www.darkreading.com/endpoint/the-risks-of-remote-desktop-access-are-far-from-remote/a/d-id/1331820

The quickest way to protect it is to require remote users to connect via a VPN connection first.


Hi hornbyp,

Thanks so much for taking the time to reply.

I'm sorry, I said public port but I meant I have a private port number in front of the public. Does that still not make the security any better?

https://www.draytek.com/support/knowledge-base/5749

I have a Home Server running that is only to give a host name that links to my dynamic ISP IP. Maybe it could be that?
I never knew of Shodan before. I always thought having a different public IP to the actual was a good starting place. I tried Shodan using my external IP, but it never showed any of my public ports; do I need to pay for the service to see what hackers could see?

OK, I will go back and see where these IPs are located.

Is there any other software or settings you would recommend? I am just a home user that would like external remote access to my server, but security is not where my biggest knowledge lies.

Thanks again for your help and time.

12 May 2020 00:04 #4 by hornbyp
Replied by hornbyp on topic Re: Syslog data

nairnmonster wrote:
I'm sorry, I said public port but I meant I have a private port number in front of the public. Does that still not make the security any better?

It's called "Security through obscurity" and was all the rage in the 1980s. However, time marches on!

nairnmonster wrote:
https://www.draytek.com/support/knowledge-base/5749

That shows the technicalities of making RDP available via the Internet. Unfortunately, in the five years since it was written, RDP has been found to be insufficiently secure to expose directly to the hostile Internet. (In a nutshell, it's a very popular protocol, so it's a very popular target for the bad guys :cry: )


nairnmonster wrote:
I never knew of Shodan before. I always thought having a different public IP to the actual was a good starting place. I tried Shodan using my external IP, but it never showed any of my public ports; do I need to pay for the service to see what hackers could see?

I don't know - I've never delved too deeply into it. It made me feel quite ill when I first came across it, which I only did because I noticed one of its 'probes' come visiting...
Suddenly, I was no longer just one of millions of random systems that no one would chance upon ... I was neatly catalogued for all to see!
(I mentioned Shodan.io on another forum and a user there found all his 'security' cameras logged. They were using default passwords :cry: and that fact was noted too.)


nairnmonster wrote:
Is there any other software or settings you would recommend? I am just a home user that would like external remote access to my server.

IMHO one of the best features of the Vigor series is the built-in VPN server, so use that. If you want to run public Web/DNS/Mail servers etc., you have no choice but to open them up to the Internet, though you can firewall by country etc. For everything else, insist that the user logs in via the VPN. (As an added benefit, you can then use your VPN with phone/tablet/laptop when out and about, to stay secure on public Wi-Fi. It also comes in handy when overseas, in letting you pretend to be still in the UK.)

Start simple, with an SSL VPN (and DrayTek's SmartVPN client software) and migrate to L2TP/IPsec later. Avoid the temptation to use PPTP, which although easy to configure, was exploited decades ago.

12 May 2020 01:01 #5 by nairnmonster
Replied by nairnmonster on topic Re: Syslog data

hornbyp wrote:
nairnmonster wrote:
I never knew of Shodan before. I always thought having a different public IP to the actual was a good starting place. I tried Shodan using my external IP, but it never showed any of my public ports; do I need to pay for the service to see what hackers could see?

I don't know - I've never delved too deeply into it. It made me feel quite ill when I first came across it, which I only did because I noticed one of its 'probes' come visiting...
Suddenly, I was no longer just one of millions of random systems that no one would chance upon ... I was neatly catalogued for all to see!
(I mentioned Shodan.io on another forum and a user there found all his 'security' cameras logged. They were using default passwords :cry: and that fact was noted too.)



Wow, that's crazy. Well, my server has been on 24/7 for years now and so far never had any issues, until I put that Syslog on today and see loads of what looked like random access attempts from "User access". Also feels a little reassuring that Shodan has so little data on me. But then again, could be that it's not properly probed me yet?

hornbyp wrote:
IMHO one of the best features of the Vigor series is the built-in VPN server, so use that. If you want to run public Web/DNS/Mail servers etc., you have no choice but to open them up to the Internet, though you can firewall by country etc. For everything else, insist that the user logs in via the VPN. (As an added benefit, you can then use your VPN with phone/tablet/laptop when out and about, to stay secure on public Wi-Fi. It also comes in handy when overseas, in letting you pretend to be still in the UK.)

Start simple, with an SSL VPN (and DrayTek's SmartVPN client software) and migrate to L2TP/IPsec later. Avoid the temptation to use PPTP, which although easy to configure, was exploited decades ago.



I've always seen it but never looked into it. Does that need to be paid for, or is it a free service?

12 May 2020 14:41 #6 by hornbyp
Replied by hornbyp on topic Re: Syslog data

nairnmonster wrote:
I've always seen it but never looked into it. Does that need to be paid for, or is it a free service?

It's a free 'service', because you're the one providing it (to yourself) ...
...you could always go public and market it as 'NairnmonsterVPN' :D
