
Author Topic: Over 31,000 access attempts via RDP - how to set up Zyxel to allow only my IP add  (Read 21930 times)

ejs

  • Kitizen
  • ****
  • Posts: 2078

People do realise that the traffic you want to allow would match both the drop rule, and the allow rule. Therefore the usual order would be to have the allow rules first, and the drop everything (else) catch all last. If the drop all rule was first, the traffic you wanted to allow would be dropped by the drop all rule and not reach the subsequent allow rule. Most routers tend to be based on Linux with its iptables, and that's how it is usually done.

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ejs

I have seen this before, so unless the router firewall defaults to block all and you just create an open rule, the firewall is open and allows the port forward to be open in the firewall.

Some are and some are not

Many thanks

John

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

You can also reconfigure the RDP port to something else. I know it's security via obscurity, but more than likely it's only bots and it's enough to stop bots.

Your initial approach is the best though, whitelisting only authorised IPs.

Looking at my Zyxel, the UI is horrific, but I think this is what you need to do.

Go to Security.
Then firewall
Then access control
Add new ACL rule
Filter name - Pick a name
Keep source device set to specific ip address
Add your ip in the box below it as source ip
Protocol TCP
destination port 3389
Policy accept
Direction WAN to LAN

Do some testing from another IP to see if it's blocked; if it isn't, do another rule to deny to the port.

The problem you probably have, since the Zyxel I feel isn't suitable for commercial use (it's a very basic router, and I feel the UI is one of the worst I have seen on a router), is that I expect the NAT rule forwarding the traffic has likely already added an allow rule with source IP set to *. So your custom rule probably won't override it, I expect.

You may well have to do the lockout on the Windows firewall, which I know you were trying to avoid.

Or get a better device. Since you've done pfSense at home, is it possible to set one up for your work as well? On pfSense you can adjust the auto-created rules as you see fit and of course set other rules to override them on the firewall, no problem.
« Last Edit: February 17, 2019, 10:16:49 AM by Chrysalis »

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi

Sorry I had a little read of the manual for that router

I believe the router firewall should default to block all unless rules are applied. However, when port forward is used, it opens all on that port

So if that’s true, you should

Open port
Disable port forward rule
Enable/create firewall rules to RDP

This should then stop the attacks I think

Many thanks

John

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

Problem is he would then have no routing for the NAT.

The Zyxel doesn't allow you to edit firewall rules specific to NAT, so the only way he can remove that allow * rule is to disable the NAT forwarding on the port.  The device simply looks like it is too limited.

--edit--

The iptables binary works in the terminal, so it's probably fixable via the CLI, but expect to lose the configuration on every reboot, and possibly also whenever you make a change in the UI for NAT/firewall.
« Last Edit: February 17, 2019, 10:17:50 AM by Chrysalis »

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi chrysalis

Many thanks

You may be correct as I do not know the router

I think it is the port forward which reads as though it just opens in the firewall to all

I don't suppose there are any options in port forward to include a source IP, are there?

Many thanks

John

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

I apologise, I am not sure if I am correct on the limitation. I can see where the rules section is, but of course since I am in bridge mode I have no NAT configured, so maybe Ronski can confirm if NAT rules are visible in the UI; if yes, then he may be able to edit them.

They should be visible in the section I mentioned.

Not keen on adding a NAT rule to test as it may break my configuration.

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

Yes, there are NAT rules visible. I have one set up from before which opens port 3390 and forwards to port 3389 on my work PC. I was wondering whether I should delete this rule. I'm at home at the moment, so I'll take another look tomorrow.
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

I mean the firewall allow rules associated with NAT.

The rules that allow traffic are separate to rules that forward traffic.  I am talking about the former.

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

@Chrysalis

As far as I'm aware, as with most basic routers, creating a port forward automatically opens the port in the firewall. On the Zyxel there is nowhere, as far as I can tell via the GUI, to view firewall rules, apart from any set up in Access Control. I've tried setting up an ACL rule in Access Control, but it doesn't seem to work.

I found this https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=014045&lang=EN which refers to a different router, but implies the above.

I'm going to remove what I've added, along with the port forward, and add a new ACL rule using just port 3389 and see how that goes; if that fails I'll email Zyxel support.

Edit.

Just found this, which implies there are bugs in Zyxel's firmware, hence it does not work: https://superuser.com/questions/1167598/zyxel-vmg1312-acl-for-nat-port-forwarding
« Last Edit: February 18, 2019, 04:34:55 PM by Ronski »

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP

Yeah, in that case the only fix is iptables rule hacking in the CLI.

j0hn

  • Kitizen
  • ****
  • Posts: 4093

If you can get the correct command to set this on the CLI, it would lose the setting every reboot.

I'm sure Johnson would be happy enough to throw together a quick firmware that sends the command automatically on boot.
Talktalk FTTP 550/75 - Speedtest - BQM
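To make the rule-ordering point concrete (ejs's "allow rules first, drop-everything-else last", Chrysalis's note that the iptables binary is usable from the CLI, and j0hn's point that such rules are lost on reboot), here is an added example; it is not code from the thread, from Zyxel's firmware, or from any poster. It assumes a Linux-based router whose port-forwarded traffic traverses the `FORWARD` chain (an assumption: check `iptables -S` on the actual device first), and the addresses are constructed: `198.51.100.7` stands in for the admin's whitelisted public IP and `192.0.2.99` for an arbitrary scanner.

```shell
#!/bin/sh
# Added example (not from the thread or from Zyxel firmware): ejs's rule order
# expressed as iptables commands, plus a tiny first-match evaluator that shows
# what goes wrong when the order is reversed.  Addresses are constructed.

ADMIN_IP="198.51.100.7"   # constructed: the one address allowed to reach RDP
RDP_PORT=3389
CHAIN="FORWARD"           # assumption: forwarded traffic traverses FORWARD

# Print (rather than run, so no root is needed here) the commands that put a
# whitelist ahead of a firmware-generated "allow from any" rule.  Each
# "-I $CHAIN 1" inserts at the top, so the DROP is issued first and the
# ACCEPT second, leaving the chain in the order ACCEPT, DROP, <firmware rules>.
rdp_whitelist_rules() {
    printf 'iptables -I %s 1 -p tcp --dport %s -j DROP\n' "$CHAIN" "$RDP_PORT"
    printf 'iptables -I %s 1 -p tcp --dport %s -s %s -j ACCEPT\n' \
        "$CHAIN" "$RDP_PORT" "$ADMIN_IP"
}

# Minimal first-match evaluator over lines of "source:ACTION", where "*"
# matches any source; prints the action of the first matching rule.  This is
# the semantics an iptables chain uses, and the reason rule order matters.
first_match() {
    src="$1"
    rules="$2"
    printf '%s\n' "$rules" | while IFS=: read -r pat act; do
        [ -z "$pat" ] && continue
        if [ "$pat" = "*" ] || [ "$pat" = "$src" ]; then
            printf '%s\n' "$act"
            break
        fi
    done
}

# Two rule sets for the same policy, differing only in order.
ALLOW_FIRST=$(printf '%s\n' "$ADMIN_IP:ACCEPT" "*:DROP")
DROP_FIRST=$(printf '%s\n' "*:DROP" "$ADMIN_IP:ACCEPT")

# Stand-alone demo: the generated commands, then the evaluator's verdicts.
demo() {
    rdp_whitelist_rules
    echo "allow-first, admin   -> $(first_match "$ADMIN_IP" "$ALLOW_FIRST")"
    echo "allow-first, scanner -> $(first_match 192.0.2.99 "$ALLOW_FIRST")"
    echo "drop-first,  admin   -> $(first_match "$ADMIN_IP" "$DROP_FIRST")"
}
demo
```

On the router itself the printed commands would be applied as root (`rdp_whitelist_rules | sh`) and checked with `iptables -L FORWARD -n --line-numbers`, confirming the ACCEPT sits above the DROP and both sit above whatever the NAT forward created. As the thread notes, nothing in the stock UI persists this: the rules vanish on reboot, and possibly whenever NAT or firewall settings are saved from the UI, which is why j0hn suggests running the command from a boot script.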

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

I'm going (or rather the company is going) to purchase a Draytek router. I need to keep things simple, both for my own ease of administration and for others. I just need to work out which one will serve our needs: it needs to support dial-in VPN (https://www.draytek.com/support/knowledge-base/5390) and a proper firewall, so I could implement what I have been trying to do should I need to.

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

If you want to test dial-in VPN, I can set you up a test account for dial-in on one of our Drayteks.

The 2830 or 2860 are relatively cheap on eBay and will do the job.

You could then leave RDP closed and just use dial in vpn. This would then put you on the same network as work, meaning you could access everything on the network from where you are just as you would at work, unless access has been restricted

Many thanks

John

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

Hi John, that won't be necessary but thanks for the offer.

Looking at the current crop of Draytek routers, it looks like we have two choices:

Draytek Vigor 2762ac at £121+VAT
DrayTek Vigor 2862ac at £213+VAT


Are there any major benefits to going with the 2862 over the 2762?

Presume with either I can use the Zyxel or HG612 as a modem in bridge mode for stats collection?

I could, if I wanted, save a little cash by going with the N version, as we don't really need 5GHz (it only ends up being phones and tablets on wireless), but it's only a small saving, so it's probably best to stick with the AC versions.

On a side note I see that the 2862 supports Wireless Management, would that mean that a guest network would also be able to be run from a compatible Vigor AP? Currently we can only have the guest wireless network at one end of the building.