Server Security & securing ports

Hi all,

 

So I need some help with my Windows Server 2012 R2. I'm currently using it as a Plex Media Server as well as a storage server for docs etc. I'm very familiar with the OS so am OK in that respect; my issue is with port security and remote access to my server.

 

I'm using the Anywhere Access that comes with the OS and my current router is an Asus DSL-AC68. I have opened ports 443 (for Anywhere Access) and 32400 (for Plex) and everything works fine; my issue is that someone is managing to get into my network when these ports are open. The firewall in the router is on, I have anti-virus on the server and the Windows firewall on, yet somehow someone manages to connect, as I've noticed through the router.

 

My question is, how do I keep the ports open so I can use these services but block other people from getting in? I also have experience with pfSense and was contemplating putting one of those in instead of the Asus; however, my question still stands: if I open the ports to use the services, does it make any difference how good my firewall/router is?

 

Thanks for any help you can supply on this; I'm really trying to get to grips with internet/server security.

Corsair Obsidian 350D Chassis / i7 4790K @ 4.0Ghz / Asus Strix GTX 970 / 16GB Red Corsair Vengeance Pro @ 1600 Mhz / Asus Maximus VII Gene / Corsair H100i CPU Cooler / Crucial 250GB SSD / Crucial 480GB SSD / Seagate 1T Barracuda 7,200 RPM SATA III / Seasonic G750W PSU / ASUS Vulcan Headset / Corsair M65 / Corsair K70  / Razer Vespula Mouse Mat / 2 x 22" LG 22EA63 Monitors @ 1080p / 1 x 24" BenQ 144 Hz Gaming Monitor -   :P


They are either using an exploit with Anywhere Access or Plex. Instead of Anywhere Access, I would set up an Ubuntu VM and install an OpenVPN server. WAAAAAAAY more secure. Make sure that Plex requires authentication from external clients, e.g. clients not on the same LAN.

 

EDIT: Remember, a firewall is not going to block malicious attacks on open ports. It is only going to block packets on blocked ports.

My native language is C++


Thanks for this Kyle. As far as I'm aware Plex is set up to only allow authenticated users outside the LAN anyway; I know I have to log in to access it outside of my network.

 

Do you have any links as to how to set up an Ubuntu VM for OpenVPN, or would using the OpenVPN system built into the Asus router suffice?

 

Thanks for the info, much appreciated.


Are they actually gaining access to the server and/or network, or just initiating connections? Seeing an unknown IP address in something like netstat on port 443 doesn't necessarily mean they have access to anything; that's the price you pay for opening such a common port to the internet.

 

You could port forward on the router/firewall from a non-standard port to 443, Public IP:8888 -> Internal:443. This of course means the application/service you are using must support being changed to connect to another port. The advised VPN option is simple and well proven over many years.

 

Unfortunately I haven't used Anywhere Access so can't give any insight into potential security issues. I have used DirectAccess, RDS Gateway and RDS Web Access, which by the looks of it Anywhere Access is built on, so I find it hard to believe there are any significant security problems. I am very much a slave to Microsoft technologies nowadays so my view is rather biased.

 

Personally I would rather set up an Ubuntu VM for OpenVPN than use the one on the router. The last time I set up OpenVPN on Ubuntu was back in 2010, so I'll let Kyle give advice on that topic.


Hi leadeater, thanks for joining in. I'm pretty sure they are gaining access. I first noticed when I was using the original BT HH4 as my router: opening ports was easy and everything just worked, but then I noticed in my DHCP list that there was someone connected using a completely different subnet to the one set up in my router (standard 192.168.1.XXX). It gave the name of his PC (MichaelsMBP) and an IP address something like 10.13.134.10, completely different to the range of addresses my router should be handing out. If you're familiar with the BT router you can quickly see who's connected by looking at the Home Network tab; this connection didn't show up there, it was only on the DHCP list, and every time I deleted the user they were back on in minutes.

 

This is why I bought the Asus router; using the MAC address filter I blocked his MAC address, and no more problems. However, now if you look into the connected clients on the Asus (and I have port 443 open) it tells me that my 'servername' has another client connected to it and is assigned another IP address other than the static one I have assigned to my server. I know I'm struggling a little to explain; I will open the ports again and keep watch, and if it happens again I'll screenshot it for you. It's really bothering me that someone could be on my network, and the thought of re-installing my server turns my stomach.

 

Thanks again for any help.


Yeah, sounds suspicious. I'd change the wireless password and make sure the security mode is WPA2. Next time you think someone is accessing your server, run a Wireshark packet capture and have a look for IP addresses you know are not yours.

 

I've never really trusted consumer wireless routers myself. I use a Draytek Vigor 120 in bridge mode to a FortiWifi 60D, totally overkill for home use but I have other reasons for this setup. You can do something similar for much less cost with Sophos/pfSense. Both Sophos and pfSense have VPN servers in them too, so you can use this instead of Ubuntu.


Funny you should say that; I have a Vigor 130 sat here at work, might put it to use with a pfSense box. Any ideas where to buy a decent pre-built pfSense box? I've built them myself in the past but never been able to get them really small, always mini-ITX style ones; preferably one with built-in WiFi too.

 

I've also changed the WiFi password multiple times and it still happens; I was wondering whether they had something listening in on my end :(

 

I've had a play about with Wireshark but don't really understand it; I will take another bash at it next time I notice anything strange though.

 

Thanks again


Do you have any auditing set up on your server? You can make custom views in the Event Viewer to filter only certain event IDs. You could make one that filters all audit failures, RDP sessions and much more. It really isn't that hard; you just have to find the event ID. If you would like, I could connect to one of our servers and see a few event IDs that we filtered. You can see, when a remote connection is being made, what the source IP/port is. You could then go into your router and blacklist that IP. It is strange that the other IP you saw connected was 10.x.x.x. This range of class A IPs is reserved to be used as private IPs. Try to see what public IP they are using. You could then blacklist that IP. I also agree with what Kyle said. You should use a VPN to connect to your home network and then from there connect to the required services. The OpenVPN config in your router should be fine as I don't think you will be accessing any sensitive documents remotely.

 

Feel free to PM me with any questions or just reply to my post.

 

Edit: regarding your question about where to buy a pre-built pfSense box, you can get them off their website. I think they start around $300 but it's been a while since I looked into it, so I could be wrong.
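One way to do the Security-log filtering Gladiateduke describes without clicking through Event Viewer, as an added example that is not from anyone in the thread: a PowerShell script, run in an elevated prompt on the Windows Server 2012 R2 box, that lists failed logons and successful Remote Desktop logons grouped by source IP so an unfamiliar address stands out. It assumes the default logon auditing policy is in effect (it is on Windows Server), and the Days parameter is this script's own.

```powershell
# Added example (not from the thread): summarise failed logons (event 4625)
# and successful Remote Desktop logons (event 4624, logon type 10) from the
# Security log by source IP. Assumes logon auditing is enabled (the default
# on Windows Server) and looks back $Days days.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

# Pull the named fields out of each event's XML; this is more robust than
# relying on the position of entries in $_.Properties.
function Get-LogonFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']
        SourceIp  = $data['IpAddress']
        Status    = $data['Status']
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          ForEach-Object { Get-LogonFields $_ }

# Failed logons grouped by source address: repeated failures from one
# address you do not recognise is the pattern worth blocking at the router.
"`n== Failed logons (4625) by source IP since $since =="
$events | Where-Object { $_.Id -eq 4625 -and $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object @{n='SourceIp';e={$_.Name}}, Count,
                  @{n='Users';e={($_.Group.User | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize

# Successful RDP sessions (logon type 10 = RemoteInteractive): every line
# here should be a session you remember opening yourself.
"`n== Successful RDP logons (4624, type 10) since $since =="
$events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' } |
    Sort-Object Time -Descending |
    Select-Object Time, User, SourceIp | Format-Table -AutoSize
```

A source IP of '-' or '::1' is a local logon, not a remote one; the addresses worth checking against the router's client list are the remaining ones.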

Link to comment
Share on other sites

Link to post
Share on other sites

Thanks for the info Gladiateduke. I would very much like some help with the auditing, as I've no idea how to go about setting that up, and I'm definitely interested in knowing how to make it more secure. I'm guessing there's a problem with blocking an external IP following your instructions though: if the attacker is using a VPN, would that not make it pointless to some degree?

 

After playing around with the pfSense I built at work I've managed to install a package that allows me to block IPs from whole countries at a time. I'm assuming if I were to do this at home, then use the pfSense as the OpenVPN server as well, it could be much more secure?

 

I know using OpenVPN I could access network folders etc. easily, but how would I go about accessing the desktop of my server this way? This is one of the main reasons I like to use Anywhere Access, as I can just hop onto my server anytime, anywhere.

 

Thanks for all the insight guys.


Hey Architect,

I don't have any experience with pfSense so I'm not sure if this is possible, but you could try restricting the IPs that have access to your server/an open port. To access your server's desktop you would connect to your home network with OpenVPN, then use something like RDP (Remote Desktop Protocol) to access your server. You could also use TeamViewer but I try to keep my servers as clean as possible. This is assuming you are running Windows on the remote computer. There is also an RDP app for Android devices.

 

As for the auditing, you should be fine with Event Viewer auditing. I can't help you right now because I'm at work (on my lunch break :) ) but I will update you when I get home. Regarding your question about whether the person is using a VPN: if you see any IPs that you are not familiar with trying to connect to your server, then you can block them. The problem with blocking an entire country is you will also be blocking any legit traffic coming from there. For example, if you are trying to access a website hosted in China, well, you won't be able to because the IP is blocked.

 

Hope this helped

Link to comment
Share on other sites

Link to post
Share on other sites

You sir are a genius. I shall look into learning OpenVPN and finding out how to set it up in pfSense. I'm going to look into the country blocking issue because I think the pfBlocker package for pfSense gets around that issue... somehow... I know I've blocked nearly every country on my work network but can still get to most sites, a lot of which are in the US.

 

Thanks again for the info


No problem. Feel free to PM me if you need any help with setting anything up or configuring the audits on the server.

Good luck!


Yeah, I will do, thanks. I'm gonna leave the post open for another week or so while checking my network in case I see anything flag up; otherwise I'll mark it as solved. Thanks for all the help!


Hi again guys, OK so I need a little help with my OpenVPN setup and didn't want to start a new thread sooo....

 

I have managed to get OpenVPN set up and can now access my server using Remote Desktop like Gladiateduke suggested (thanks for that mate). The only problem is, in order for this to work I have to put my OpenVPN setup into TAP interface type mode so I get issued an IP through DHCP and can access my server; unfortunately Android does not support TAP OpenVPNs... so is there a way I can access my server with Remote Desktop in TUN mode and have my Android devices work as well? I have tried connecting to my server in TUN mode using the IP address, which doesn't work; however, if I search in File Explorer using the IP address I can see my shares.

 

Thanks


If you can see your shares but not RDP onto the server, then it sounds like a firewall setting on the server. Check that RDP is allowed on public as well as private connection types.
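To check the server-side firewall setting leadeater points at, here is an added example that is not from anyone in the thread: a PowerShell script for the Windows Server 2012 R2 host that lists the built-in Remote Desktop rules with their profiles and remote-address scope, shows which profile each connected adapter is in, and optionally adds one inbound rule limited to the VPN client subnet. The subnet in $VpnClientSubnet and the rule name are assumptions of this script; replace the subnet with the one your OpenVPN server hands to TUN clients.

```powershell
# Added example (not from the thread): diagnose why RDP works over TAP but
# not TUN. Run in an elevated prompt on the Windows Server 2012 R2 host.

# Assumption: the subnet your OpenVPN server assigns to TUN clients (the
# "server" line of its config). Replace before running the optional part.
$VpnClientSubnet = '10.8.0.0/24'

"== Remote Desktop firewall rules =="
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Direction     = $_.Direction
        Profile       = $_.Profile
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

# Two things to read off the table above: a rule that is only enabled for
# Domain/Private will not match an adapter Windows has put in the Public
# profile, and a rule scoped to "LocalSubnet" only matches clients bridged
# onto the LAN (TAP); TUN clients arrive from the routed VPN subnet instead.
"== Network profile per connected adapter =="
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# Optional fix: one narrowly scoped inbound rule for RDP (TCP 3389) from the
# VPN client subnet only, on all profiles, rather than opening RDP to "Any".
$ruleName = 'RDP from OpenVPN clients (added)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $VpnClientSubnet -Profile Any -Action Allow |
        Out-Null
    "Created rule '$ruleName' allowing TCP 3389 from $VpnClientSubnet"
}
```

Keeping the rule scoped to the VPN subnet means RDP stays unreachable from the internet even if port 443 or 32400 is later forwarded again.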
