Network Security

Is there any software that can lock all devices if someone has broken into a network, or the network is under attack? Mine is attacked sometimes, and it has been breached before: some devices had files missing and the mouse moving on its own, and I had to do a full system wipe. So it would be good to have a piece of software that locks or disconnects all devices if the network gets attacked, or at least on a bad attack that could take control of devices.

You can setup something with a honeypot and a lot of scripts, but for a home network, that isn't really easy, as home devices aren't made to be centrally managed.

Also, how do you define an attack? It's pretty hard for computers to be good at detecting these.

3 minutes ago, Electronics Wizardy said:

You can setup something with a honeypot and a lot of scripts, but for a home network, that isn't really easy, as home devices aren't made to be centrally managed.

Also, how do you define an attack? It's pretty hard for computers to be good at detecting these.

Trendmicro for security and IPS, and Udmpro IPS for router and blocking attacks


20 minutes ago, Uknown0002 said:

Is there any software that can lock all devices if someone has broken into a network, or the network is under attack? Mine is attacked sometimes, and it has been breached before: some devices had files missing and the mouse moving on its own, and I had to do a full system wipe. So it would be good to have a piece of software that locks or disconnects all devices if the network gets attacked, or at least on a bad attack that could take control of devices.

If a device can detect the attack, like an IPS system does, then it can just block the attack. There isn't a need to disconnect your computer, as the attack got blocked. I don't see a real advantage of auto-disconnecting your computer over an attack that got blocked. If I did that, my computer would be disconnecting all of the time. There are a bunch of bots and crap hitting servers and networks all of the time.

If the attack didn't get blocked then it obviously wasn't detected, so how exactly is your computer going to know it is being attacked?


I haven't looked into these, but I have seen adverts about very high-end security appliances that monitor and store network traffic and try to figure out network patterns. If it detects something abnormal it will alert you or do something depending on the abnormality. I think it was something from FireEye, but it was a while ago.

But you need like Fortune 500 money to get it 🙂

If you want to play around for free you could look at Security Onion. (You basically need a network security background to really use it.)

https://securityonionsolutions.com/software

You also need a beefy server with multiple NICs and some good-sized storage, as well as a managed switch with port mirroring.


32 minutes ago, Uknown0002 said:

Trendmicro for security and IPS, and Udmpro IPS for router and blocking attacks

Well, you already have a UDM-Pro, which has a built-in intrusion detection and prevention system through the UniFi Controller. It’s not the most comprehensive of IDS/IPS, but it’s something that can be activated with what you have.

I’ve heard about Suricata under pfSense, which you can also check out. Of course, you’ll need hardware to run pfSense in the first place for this to happen though.

1 hour ago, Uknown0002 said:

Is there any software that can lock all devices if someone has broken into a network, or the network is under attack? Mine is attacked sometimes, and it has been breached before: some devices had files missing and the mouse moving on its own, and I had to do a full system wipe. So it would be good to have a piece of software that locks or disconnects all devices if the network gets attacked, or at least on a bad attack that could take control of devices.

What kind of network is this? Doesn’t sound like a home environment. Keep in mind that malicious activity can be initiated by compromised software that is intentionally/unintentionally downloaded. Also, are you sure there isn’t any legitimate use of remote PC control software when you observe these strange activities? And why is your network such an attractive target?


1 hour ago, Falcon1986 said:

Well, you already have a UDM-Pro, which has a built-in intrusion detection and prevention system through the UniFi Controller. It’s not the most comprehensive of IDS/IPS, but it’s something that can be activated with what you have.

I’ve heard about Suricata under pfSense, which you can also check out. Of course, you’ll need hardware to run pfSense in the first place for this to happen though.

What kind of network is this? Doesn’t sound like a home environment. Keep in mind that malicious activity can be initiated by compromised software that is intentionally/unintentionally downloaded. Also, are you sure there isn’t any legitimate use of remote PC control software when you observe these strange activities? And why is your network such an attractive target?

''observe these strange activities?'' = Yep, I have Wireshark and GlassWire monitoring 24/7, 365, and it goes crazy when something weird happens to a device.

''And why is your network such an attractive target?'' = Well, if I knew that, I would have eliminated the attractive object in my network or on my devices to stop the attacks.


14 minutes ago, Uknown0002 said:

''observe these strange activities?'' = Yep, I have Wireshark and GlassWire monitoring 24/7, 365, and it goes crazy when something weird happens to a device.

''And why is your network such an attractive target?'' = Well, if I knew that, I would have eliminated the attractive object in my network or on my devices to stop the attacks.

What type of attacks are you getting? It's expected that you get things like port scans and SSH/RDP login attempts. What ports do you have open publicly?

Normally these aren't a threat, so don't worry.


1 hour ago, Electronics Wizardy said:

What type of attacks are you getting? It's expected that you get things like port scans and SSH/RDP login attempts. What ports do you have open publicly?

Normally these aren't a threat, so don't worry.

1-5 ports open according to my endpoint on the UDM, and on the threats: p2p, worm, web server, unknown, compromised, scan, trojan, dshield, CIarmy, tor, backdoor, etc.


33 minutes ago, Uknown0002 said:

1-5 ports open according to my endpoint on the UDM, and on the threats: p2p, worm, web server, unknown, compromised, scan, trojan, dshield, CIarmy, tor, backdoor, etc.

What ports did you open? Normally you have to manually open ports on a firewall, otherwise they can't be accessed.

A lot of those are false positives; you really have to look at the alert to know if it's a threat.


On 2/10/2021 at 8:59 PM, Falcon1986 said:

I’ve heard about Suricata under pfSense, which you can also check out. Of course, you’ll need hardware to run pfSense in the first place for this to happen though.

How have I not heard of this before? I am running pfSense at a few of the locations I manage. Welp, I guess I know what I am going to be doing.


On 2/11/2021 at 7:28 AM, Electronics Wizardy said:

What ports did you open? Normally you have to manually open ports on a firewall, otherwise they can't be accessed.

A lot of those are false positives; you really have to look at the alert to know if it's a threat.

There are a lot of all of these titles:

ET TROJAN Self-Signed Cert Observed in Various Zbot Strains
ET SCAN Possible Nmap User-Agent Observed
ET EXPLOIT Netgear DGN Remote Command Execution
ET WORM TheMoon.linksys.router 2
ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution
ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)
ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)
ET COMPROMISED Known Compromised or Hostile Host Traffic group 123
ET COMPROMISED Known Compromised or Hostile Host Traffic group 109
ET COMPROMISED Known Compromised or Hostile Host Traffic group 99

There's a lot of these with different group numbers, and there are more than this, but I can't go through all 10,000+ threats.


2 hours ago, Uknown0002 said:

There are a lot of all of these titles:

ET TROJAN Self-Signed Cert Observed in Various Zbot Strains
ET SCAN Possible Nmap User-Agent Observed
ET EXPLOIT Netgear DGN Remote Command Execution
ET WORM TheMoon.linksys.router 2
ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution
ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)
ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)
ET COMPROMISED Known Compromised or Hostile Host Traffic group 123
ET COMPROMISED Known Compromised or Hostile Host Traffic group 109
ET COMPROMISED Known Compromised or Hostile Host Traffic group 99

There's a lot of these with different group numbers, and there are more than this, but I can't go through all 10,000+ threats.

Gonna ask again, what ports do you have open publicly?

That seems like you're getting the random attacks that all IPs get. They won't affect you unless you let them reach a vulnerable device. I don't see a reason to touch your network here.


20 hours ago, Electronics Wizardy said:

Gonna ask again, what ports do you have open publicly?

That seems like you're getting the random attacks that all IPs get. They won't affect you unless you let them reach a vulnerable device. I don't see a reason to touch your network here.

Endpoints with UniFi - open ports 1-2-3-4-5


Just now, Uknown0002 said:

Endpoints with UniFi - open ports 1-2-3-4-5

What network ports do you have open? Like port 80 for HTTP.

If you don't have any public ports open, those attacks really can't get into anything, as the firewall will stop them all. There are other ways to get in, like phishing attacks, though.

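As an added example, not code from the thread, from Ubiquiti or from pfSense, here is a small Python triage of Suricata EVE JSON alerts (the format Suricata writes to eve.json; that a UDM-Pro or a pfSense Suricata install hands you the same records is an assumption). It sorts each alert by the question asked above: did it come from an internal host, did it hit a port that is actually forwarded, or did it land on a port the firewall drops anyway? The LAN range, the open-port set and the log records are constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Constructed Suricata EVE JSON records (not real captures); the signature
# names are the ones the thread lists. One JSON object per line, like eve.json.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","dest_port":8080,"alert":{"signature":"ET EXPLOIT Netgear DGN Remote Command Execution"}}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"203.0.113.10","dest_port":443,"alert":{"signature":"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"}}
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"198.51.100.30","dest_port":443,"alert":{"signature":"ET TROJAN Self-Signed Cert Observed in Various Zbot Strains"}}
{"event_type":"alert","src_ip":"198.51.100.12","dest_ip":"203.0.113.10","dest_port":22,"alert":{"signature":"ET SCAN Possible Nmap User-Agent Observed"}}
{"event_type":"alert","src_ip":"198.51.100.40","dest_ip":"203.0.113.10","dest_port":80,"alert":{"signature":"ET COMPROMISED Known Compromised or Hostile Host Traffic group 99"}}
{"event_type":"flow","src_ip":"192.168.1.20","dest_ip":"1.1.1.1","dest_port":53}
"""

# Assumptions for the example: the LAN range and the only port forwarded in.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
OPEN_PORTS = {443}


def triage(eve_text, internal_nets=INTERNAL_NETS, open_ports=OPEN_PORTS):
    """Return (buckets, per-signature counts) for the alert records in eve_text.
    outbound: an internal host tripped a rule talking out, worth a look every time
    exposed:  inbound hit on a port that really is forwarded, read the alert
    noise:    inbound to a port the firewall drops anyway, the background scanning
    """
    buckets = {"outbound": [], "exposed": [], "noise": []}
    counts = Counter()
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http records are not alerts
        sig = rec["alert"]["signature"]
        counts[sig] += 1
        src = ipaddress.ip_address(rec["src_ip"])
        if any(src in net for net in internal_nets):
            buckets["outbound"].append((sig, rec["src_ip"], rec["dest_ip"]))
        elif rec.get("dest_port") in open_ports:
            buckets["exposed"].append((sig, rec["src_ip"], rec["dest_port"]))
        else:
            buckets["noise"].append((sig, rec["src_ip"], rec["dest_port"]))
    return buckets, counts


if __name__ == "__main__":
    for name, items in triage(SAMPLE_EVE)[0].items():
        print(f"{name}: {items}")
```

On the sample, only the Zbot-style alert from 192.168.1.50 and the Citrix attempt against the forwarded port 443 leave the noise bucket; the other three are scans against ports nothing listens on.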

What you're asking for is heading towards SME/full enterprise-grade solutions. Next-gen firewalls such as FortiGate/Palo Altos can do this, but it relies on a few things, such as significant network segmentation: if one of your devices is compromised, there's no stopping it moving laterally if your whole network is in one trust zone or layer 2 domain.
