Protecting my domain

BrownZeus

Hi friends,

So by the title, I don't mean making sure my domain name doesn't get hijacked.

I would like to protect my home network entirely for remote access purposes.

I would like to have this set up as an alternative to having a VPN in case I wanna access something on my home computer, on another computer that doesn't have the particular VPN client running on my PC.

One of the risks of associating the PC with a domain name is that online sniffers will be able to find it eventually. And probably brute force or finesse into my computer.

So how would I go about securing that connection to make hacking in very difficult?

Link to comment

9 minutes ago, BrownZeus said:

Hi friends,

So by the title, I don't mean making sure my domain name doesn't get hijacked.

I would like to protect my home network entirely for remote access purposes.

I would like to have this set up as an alternative to having a VPN in case I wanna access something on my home computer, on another computer that doesn't have the particular VPN client running on my PC.

One of the risks of associating the PC with a domain name is that online sniffers will be able to find it eventually. And probably brute force or finesse into my computer.

So how would I go about securing that connection to make hacking in very difficult?

Use non-standard ports. There isn't really enough time to find a domain not doing much, and sniff every single port "normally". (And this is what I read from OVH, whose network is attacked constantly, confirmed by the fact that I bought a VPS and after 30 minutes had over 3000 failed login attempts.) If you switch off the standard ports you should be relatively safe. (Attacker finds domain, sniffs for the usual 22, 80, etc., finds them to be dead, moves on.) The only drawback is let's say you piss someone off and they specifically attack you. They might find a hole eventually dependent on their skill level.

Could also route it through Cloudflare instead of your own DNS server. At least that protects you from the normal idiots with online booters who enter a name, attack time, and click a button.

The best way to secure your stuff is to set your firewall to only accept traffic from specific IPs. Which would be useless to you if you want to remote to it from anywhere since your IP would most likely be different in different locations/cell towers.

Edit: There are professional networking security people on this forum who will most likely know very real doable ways to secure you like crazy. My post above could be wrong, but from what I've seen you really have nothing to worry about. If my servers are attacked constantly, you would run little risk of ever having a real attack launched against you.

Edited by SysAdminInTraining
Link to comment

Have you looked into getting a dedicated box for pfSense and setting that up? It's pretty good and should help secure things so long as you take the time to properly set it up.

Link to comment

The method in which you connect to your home network will determine how you protect it. What options are you considering?

I've used TeamViewer and Google Remote Desktop, neither of which requires you to open a listening port. Created a limited virtual machine and threw both on. Granted, TeamViewer recently had some *ahem* security issues, they were mostly quick to fix it. I've switched to just using Google for now.

Link to comment

Basically I wanna get a domain name (a URL), give my desktop an address on that domain, so for example desktop.brownzeus.com, so when I use remote desktop on any Windows machine I can just enter that URL and boom I have my desktop. But again, by doing that I open the risk of the open internet being able to enter that into any browser, or remote desktop itself, and being able to fuck with my computer.

Link to comment

2 hours ago, BrownZeus said:

Basically I wanna get a domain name (a URL), give my desktop an address on that domain, so for example desktop.brownzeus.com, so when I use remote desktop on any Windows machine I can just enter that URL and boom I have my desktop. But again, by doing that I open the risk of the open internet being able to enter that into any browser, or remote desktop itself, and being able to fuck with my computer.

A domain name is just a fancy dress for an IP, which is already available to the open world to screw with. Just because you put a fancy dress on it doesn't make it easier to attack.

Link to comment

On 9/21/2016 at 2:52 PM, BrownZeus said:

Hi friends,

So by the title, I don't mean making sure my domain name doesn't get hijacked.

I would like to protect my home network entirely for remote access purposes.

I would like to have this set up as an alternative to having a VPN in case I wanna access something on my home computer, on another computer that doesn't have the particular VPN client running on my PC.

One of the risks of associating the PC with a domain name is that online sniffers will be able to find it eventually. And probably brute force or finesse into my computer.

So how would I go about securing that connection to make hacking in very difficult?

Just configure your gateway to drop all packets.

Then just open up what you need. Look into stateful firewalls.

Link to comment

On 9/21/2016 at 3:02 PM, SysAdminInTraining said:

Use non-standard ports. There isn't really enough time to find a domain not doing much, and sniff every single port "normally". (And this is what I read from OVH, whose network is attacked constantly, confirmed by the fact that I bought a VPS and after 30 minutes had over 3000 failed login attempts.) If you switch off the standard ports you should be relatively safe. (Attacker finds domain, sniffs for the usual 22, 80, etc., finds them to be dead, moves on.) The only drawback is let's say you piss someone off and they specifically attack you. They might find a hole eventually dependent on their skill level.

This is actually a placebo. Assuming a bot is attacking you, it is trivial to scan all ports. Seriously, if you're making a scanner, you already know how to foreach your way through each port. Most attacks, like most kidnappings, occur from within the home, from a trusted device/person. Best thing you can do is treat security like an onion, have lots of layers.

Link to comment

On 9/21/2016 at 9:40 PM, Lurick said:

Have you looked into getting a dedicated box for pfSense and setting that up? It's pretty good and should help secure things so long as you take the time to properly set it up.

No, by default it is open to the elements, and it requires the user to make it secure. Better systems block/lock everything down by default. So you need to configure it to work.

I'd say grab a copy of Sophos UTM Home, and route all traffic from your gateway through that.

Link to comment

6 hours ago, Blake said:

No, by default it is open to the elements, and it requires the user to make it secure. Better systems block/lock everything down by default. So you need to configure it to work.

I'd say grab a copy of Sophos UTM Home, and route all traffic from your gateway through that.

pfSense's default rule is block all. I'm not sure what "open to the elements" means, but it doesn't appear correct to say regarding pfSense. There's nothing wrong with Sophos and a lot swear by it, but it's no reason to assume pfSense is an inferior product.

I still say avoid using RDP directly over the internet regardless of firewall/IDS/IPS. Either connect through a VPN (IPsec etc.) / SSH, or use a third party such as Google Remote Desktop and avoid opening a port altogether.

Link to comment
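
One way to write down the setup the replies above converge on (drop everything by default, track connection state, open only what you need, keep RDP off the internet), as an added example that is not from any poster in this thread. It assumes a Linux gateway running nftables with hypothetical interface names `wan0` and `lan0`, SSH as the single exposed service, and it leaves NAT rules out.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumes a Linux gateway using nftables,
# with hypothetical interface names "wan0" (internet) and "lan0" (home LAN).
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the gateway itself: dropped unless a rule matches.
        type filter hook input priority 0; policy drop;

        # Stateful part: packets belonging to already-tracked connections pass,
        # packets that fit no known connection are discarded.
        ct state established,related accept
        ct state invalid drop

        # Loopback and the home LAN may reach the gateway.
        iifname "lo" accept
        iifname "lan0" accept

        # Ping, plus the ICMPv6 neighbor discovery types IPv6 needs to work.
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # The only service opened to the internet: SSH (key-only login assumed).
        iifname "wan0" tcp dport 22 ct state new accept

        # There is deliberately no rule for tcp/3389, so RDP is never
        # reachable from wan0 and falls through to the drop policy.
    }

    chain forward {
        # Traffic routed through the gateway: same default-deny policy.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may start connections outward; nothing may start inward.
        iifname "lan0" oifname "wan0" accept
    }

    chain output {
        # Traffic the gateway itself originates is not restricted here.
        type filter hook output priority 0; policy accept;
    }
}
```

With a ruleset like this, the desktop's RDP port is reached through the SSH session instead of a forwarded port, for example `ssh -L 13389:192.168.1.10:3389 user@gateway` followed by pointing the RDP client at `localhost:13389`; the LAN address and host names here are constructed placeholders.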