Re: How did they get behind my NAT?
- From: Unruh <unruh-spam@xxxxxxxxxxxxxx>
- Date: Fri, 12 Oct 2007 07:01:55 GMT
Maniaque <maniaque27@xxxxxxxxx> writes:
Thanks for the feedback!
- I am running an ADSL router, "Xavi" brand, "7028r" model, and it
seems to run a "GlobespanVirata" chipset. This was provided to me by
my previous ADSL provider, Telefonica Spain.
You mention the ADSL Router and NAT LAN, but you don't tell us how the
NAT is implemented - is the ADSL device doing the NAT or do you have a
NAT Router Appliance? You sort of indicate you do, but you don't tell us
what device/vendor it is.
Sorry I wasn't clear - the ADSL router is the NAT device. The ADSL
connection uses PPPoA, which means (as I understand it) that I cannot
operate the ADSL device in "bridged" mode with a different device
handling the routers/NAT functions. I guess I could simply leave the
ADSL device be, and set up a second NAT LAN behind another device - is
there any disadvantage to double-NATing?
No you cannot. Having double NAT confuses the hell out of many routers.
t set up a firewall properly.
You mention that you have ports forwarded for sharing - bad move.
Fair enough - why? Based on my limited understanding, this would only
be a bad move if the file sharing program (uTorrent) had some
vulnerability, right? Otherwise how could this be a problem?
And you know it does not? You also have port 80 open but do not tell us
which web server you run.
To be fair, I agree that the file-sharing is probably a major
contributing factor - first of all there is the fact that the attack
happened while I had the file-sharing program running, which is only
once a month or less, and secondly I have noticed that when I have it
running it drastically increases the amount of non-legitimate-looking
activity to my IP address, so I guess attackers monitor this activity
closely as "clueless but ambitious home user here, let's see what we
can do with him!" targets. There could well be an unknown
vulnerability in uTorrent of course, but I expect if that were the
case the attacker would have done more than access my vulnerable VNC
server.
I suspect that you also have UPnP enabled and a weak password on the
router.
No and No. And the router does not have outside admin access enabled.
And the first thing I did within seconds of the attack was check the
router configuration to make sure that they hadn't got in that way.
I suspect that you have so many holes in your NAT that you've let the
person in on VNC and just don't know it.
Fair enough, but I'd love to know how!
Try this:
1) Disable UPnP
done, always was
2) Change the NAT Router (assuming that you have one and it's not the
DSL router) to 192.168.6.1/24 and remove ALL port forwards and ALL
Triggers if used. Change the password to something proper.
I could do this, but that would really defeat the purpose of my asking
the question here, as it would also prevent me from providing public
access to specific services on the desktop. If that is totally
impossible (to expose only specific ports to the internet and have all
other ports be normally hidden) then I guess that's that. But it seems
counter-intuitive.
3) Run a quality Anti-Malware tool on your computer, run it in Safe Mode
also.
Any suggestions on quality anti-malware tools? I use AVG antivirus and
Spybot S&D, so far they haven't missed anything that I know of (but
then I wouldn't, would I? :))
err - how does safe mode help? you mean so I don't have any additional
programs running?
4) Do not share your computer with anything/anyone outside the LAN, stop
doing file sharing completely - buy what you need instead.
If what I "need" were easy to buy, I would happily do so :) - I use
uTorrent only to get stuff that I cannot find anywhere else, or for
linux distributions (I would recommend it in fact, it is an incredibly
fast way of getting any full multi-GB distribution you may want to try
out, AND it makes the overall distribution much much easier/cost-effective
for the maintainers)
5) Put your website on a proper web server, one protected by a real
firewall and on a locked down OS following the OS Vendors FULL
SUGGESTIONS ON HOW TO SECURE IT.
ok, so what you're saying is that there is no way to safely run a
simple website without paying out either professional hosting fees or
buying all the equipment that hosting vendors require. A safe, but
uninspiring, answer.
Don't port forward and make sure that UPnP is disabled.
UPnP is disabled, but I would love to understand what the problem /
risk with port forwarding is - can you provide any information, links,
resources to help me understand?
Stop providing services over a residential grade DSL service.
"Services"? I run my own personal 10-pageview/month website! It's
kind of sad if there is no way to do that using home tools... Maybe
that's where we're at now, I'm not sure.
Thanks again for the feedback, I'd appreciate any info you could
provide on the port forwarding question though!
Thanks,
Tao
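On the port-forwarding question raised above (what the risk is, and whether one can expose only specific ports): a forward does expose only the port it names, and the rest of the address stays closed; what it removes is any filtering for that one port, so the only thing standing between the Internet and the host is the service behind it. The audit below is an added example, not code from this thread or from the Xavi router's firmware; the rule syntax, the port table, the function names (`parse_rule`, `audit_forwards`) and the sample rules are all constructed for illustration.

```python
"""Audit a home router's port-forward table from a defender's point of view.

Added example (not from the thread or the router's own configuration): each
forward punches a fixed hole through NAT, so the audit answers "which internal
services can the Internet reach, and did I mean to publish them?". The rule
syntax and the sample rules below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed reference table of common default ports for remote-administration
# protocols; any of these reachable from the Internet is a direct login surface.
REMOTE_ADMIN = {
    22: "SSH", 23: "Telnet", 135: "MS-RPC", 139: "NetBIOS", 445: "SMB",
    3389: "RDP", 5800: "VNC-over-HTTP", 5900: "VNC",
}

WIDE_RANGE = 10  # ranges wider than this get one finding instead of one per port

# Rule syntax assumed for this example:
#   "<tcp|udp> <ext>[-<ext_end>] -> <host>[:<internal_port>]"   or   "dmz <host>"
RULE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<ext>\d+)(?:-(?P<ext_end>\d+))?\s*->\s*"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<int>\d+))?$"
)


@dataclass
class Finding:
    rule: str
    severity: str   # "critical", "unexpected", "review", or "unparsed"
    reason: str


def parse_rule(line):
    """Return (proto, first_port, last_port, host, internal_port) or None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    first = int(m["ext"])
    last = int(m["ext_end"]) if m["ext_end"] else first
    internal = int(m["int"]) if m["int"] else first
    return m["proto"], first, last, m["host"], internal


def audit_forwards(rules, intended):
    """rules: iterable of rule lines; intended: {external_port: description}
    of the services the owner deliberately publishes. Returns a list of Finding."""
    findings = []
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dmz "):
            findings.append(Finding(line, "critical",
                "DMZ host: every inbound port is forwarded, NAT filters nothing"))
            continue
        parsed = parse_rule(line)
        if parsed is None:
            findings.append(Finding(line, "unparsed", "could not parse; verify by hand"))
            continue
        proto, first, last, host, internal = parsed
        width = last - first + 1
        if width > WIDE_RANGE:
            admin_hit = sorted(p for p in REMOTE_ADMIN if first <= p <= last)
            if admin_hit:
                findings.append(Finding(line, "critical",
                    f"range covers remote-admin ports {admin_hit} on {host}"))
            else:
                findings.append(Finding(line, "unexpected",
                    f"{width} ports open to {host}; narrow the range to what is needed"))
            continue
        for port in range(first, last + 1):
            dst = internal + (port - first)       # internal port this external port lands on
            if port in REMOTE_ADMIN or dst in REMOTE_ADMIN:
                name = REMOTE_ADMIN.get(port) or REMOTE_ADMIN[dst]
                findings.append(Finding(line, "critical",
                    f"{name} on {host}:{dst} is reachable from the Internet; "
                    "remove the forward or reach it over a VPN instead"))
            elif port in intended:
                findings.append(Finding(line, "review",
                    f"{intended[port]} on {host}:{dst} is published; only that "
                    "software's own security stands between the Internet and the host"))
            else:
                findings.append(Finding(line, "unexpected",
                    f"{proto}/{port} -> {host}:{dst} is not on the intended list"))
    return findings


# Constructed sample of what a home router's forwarding table might contain.
SAMPLE_RULES = """
tcp 80 -> 192.168.1.10:80
tcp 5900 -> 192.168.1.10
tcp 6881 -> 192.168.1.10:6881
udp 6881 -> 192.168.1.10:6881
tcp 50000-50200 -> 192.168.1.10
""".strip().splitlines()

SAMPLE_INTENDED = {80: "personal website", 6881: "uTorrent"}

if __name__ == "__main__":
    for f in audit_forwards(SAMPLE_RULES, SAMPLE_INTENDED):
        print(f"[{f.severity}] {f.rule}: {f.reason}")
```

Run against the constructed table, the audit rates the forwards to the website and uTorrent as "review" (published on purpose, so patch that software), the VNC forward as "critical" (a login surface with no filtering in front of it), and the wide 50000-50200 range as "unexpected". A forward whose internal port is a remote-admin port is rated critical even when the external port looks harmless, since renumbering the outside port changes nothing about what answers on the inside.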