Recently we got a new server at the office purely for testing purposes. It is set up so that we can access it from any computer.
However today our ip got blocked from one of our other sites saying that our ip has been suspected of having a virus that sends spam emails. we learned this from the cbl http://cbl.abuseat.org/
So of course we turned the server off to stop this. The problem is the server must be on to continue developing our application and to access the database that is installed on it. Our normal admin is on vacation and is unreachable, and the rest of us are idiots(me included) in this area.
We believe that the best solution is to remove it from connecting to the internet but still access it on the lan. If that is a valid solution how would this be done or is there a better way? say blocking specified ports or whatever.
I assume that this server is behind a router? You should be able to block WAN connections to the server on the router and still leave it open to accepting LAN connection. Or you could restrict the IPs that can connect to the server to the development machines on the network.
Related
I have an Ubuntu VM installed on a client's VMware system. Recently, the client's IT informed us that his firewall has been detecting consistent potential port scans to our VM's internal IP address (coming from 87.238.57.227). He asked if this was part of a known package update process on our VM.
He sent us a firewall output where we can see several instances of the port scan, but there are also instances of our Ubuntu VM trying to communicate back to the external server on port 37258 (this is dropped by the firewall).
Based on a google lookup, the hostname of the external IP address is "feris.postgresql.org", with the ASN pointing to a European company called Redpill-Linpro. As far as I can tell, they offer IT consulting services, specializing in open source software (like PostgreSQL, which is installed on our VM). I have never heard of them before though and have no idea why our VM would be communicating with them or vice-versa. I'm also not sure if I'm interpreting the IP lookup information correctly: https://ipinfo.io/87.238.57.227
I'm looking for a way to confirm or disprove that this is just our VM pinging for a standard postgres update. If that's the case I'd like to restrict this behaviour. We would prefer to do these types of updates manually and limit the communication outside of the VM to what is strictly necessary for the functionality of our application.
Update
I sent an email to Redpill's abuse account. They responded quickly saying that the server should not be port scanning anyone and if it appears that way, something is wrong.
The server is part of a cluster of machines that serves apt.postgresql.org among other postgres download sites. I don't think we have anything like ansible or puppet installed that would automatically check for updates but I will look into that to make sure. I'm wondering if Ubuntu reaching out to update the MOTD with the number of available packages would explain why our VM is trying to reach out to the external postgres server?
The abuse rep said in any case there should only be outgoing connections from the VM, not incoming. He asked for some additional info so I will keep communicating with him and try to update this post accordingly
My communication with the client's IT dropped off so I did not get a definitive answer on this, but I'll provide some new details:
I reached out to the abuse email for Redpill-Linpro. He got back to me and confirmed the server corresponding to the detected IP address is part of a cluster that hosts postgres download sites, including apt.postgresql.org. He was surprised to learn we had detected a port scan from their server and seems eager to figure out why that is happening.
He asked if the client IT could pass along some necessary info for them to set up tracking on that server. But the client IT never got back to me. I think he was satisfied that it wasn't malicious and stopped pursuing it.
Here's one of the messages the abuse rep sent me that may be relevant:
That does look a lot like the tcp to the apt download server yes. It's
strange that your firewall reports that many incoming connections, but
they could be fallout from some connection tracking that's not
operating as intended. The timing appears to be matching up more or
less perfectly. And there should definitely not be any ping-back
connections from it.
Since you appear to be using the http version of the server (and not https) bringing the data in cleartext, they should be able to just
dump the TCP connection contents and verify exactly what it does. But
I bet they are going to see a number of http requests initiated by the
apt client that is checking for updates.
So this is a classic question that I’ve seen many times before...
I’m trying to connect to my home network when not at home using a raspberry pi.
I’m well aware that the way to go with this is to use a vpn server such as OpenVPN.
However, in order to connect to the vpn I would need to forward a port on my router... which I can’t do.
I’ve found remote.it which allows remote connection to a computer (pi) without port forwarding.
What I would like to know is how would I set about using the 2 together, I.e. connecting to remote.it which in turn connects me to my vpn server?
I'm sorry to be finding this question just now, but in case it's still useful to you or to anyone else, here's what you need to do:
Install remote.it
Set-up a remote.it connection to use the protocol (TCP/UDP) and port required by the VPN application
Make a remote.it connection/adding the service to your network (remoteit - Desktop application UI terminology)
Use this connection info (URL/port or localhost:port) with the VPN client
Send an e-mail to support#remote.it if you need help
I would recommend ZeroTier(https://www.zerotier.com/). It haves its own linux client , and you can connect to as many networks as you would like.
You can also configure IP address from the website.
There is also an Android an IOS app that is really simple to connect.
How can i host a website through my computer using server softwares?
I tried to host a website through my own computer using apache tomcat server but it didnt work ( please briefly explain every point )
The main issue that you need to deal with is getting the clients to your computer.
Yes, it is possible and yes I have done it, albeit a while ago.
You need to see if you can browse to your computers website from another device on your network, this will ensure that apache is working. Try another computer/laptop/tablet/whatever to see if this site reachable by other computers using the IP Address and possibly port number. If you cannot get to the site, there are settings in apache to deny certain ip's, google it to get the exact steps for your version. If it works, move on to step 2.
You will need a static IP Address to ensure that all further steps stay working, google this if you are not sure how to do it
You need to have the external IP address of your router(whatsmyip.org) or use Dynamic DNS to route traffic from an address to your ip and there are services that allow this. I can recommend no-ip.com - This is all assuming that you have access to the router.
You would be required to set up port forwarding on your router. This will direct the internet traffic to your computer. You will need to get the exact instructions for your specific model of router.
Please be aware that you need to have proper firewalls and systems in place to prevent attacks. I am sure that you are just testing at this point though...
All the best!
I want to develop an iPhone app with a simple IM feature. I am thinking about setting up an HTTP server on an iPhone. If the iPhone is using wifi and is behind a firewall, how can I make sure that other iPhone clients can connect to it?
It's not the firewall that will disturb the connection as much it is the NAT.
When you are connected through wireless router to connect the internet you are surfing via NAT. it means you dont really have an extenral IP but once you initiate connection the router will map your intenral IP to one of his externatl ports and for certain time window he will pass connections to you if he will get it to the right port.
That being said, there is no actual way of setting a server behind a NAT unless you can configure port forwarding in the router and internal static IP.
Hope i was clear enough, good luck
I do not really think that you need to get an HTPP server up and running on iPhone to make an application that can send and receive messages (IM). The idea of making one iPhone user to directly connect to one another does not seem right to me since the users will need to know IP addresses of one another to do that.
Interconnectivity between different users of the chat can be solved by making your application communicate via a dedicated TCP port. It is generally advisable to choose ports with a number higher than 1024 since those below are generally found on the list of so-called well-known ports and are used for Web (like port 80), FTP (port 21), SSH (22), DNS (53), etc., it will be the responsibility of the user to make sure the port used by your application is open on the firewall. In order to solve this problem you can actually use port 80 for communication if you find that the port you have selected is blocked. You can do this because you know that this port will not be blocked in most cases. Indeed Yahoo Messenger is reported to use this technique when the firewall blocks the port it uses for communication.
The port should be used by your application to connect to the Web-server that will actually store user credentials, perform authentication, message transmission, etc., and the server should reside on capable hardware to be able to support large number of simultaneous connections. I can suggest using either a VPS (like the one provided by Linode) or a cloud (like Amazon EC2, Google Application Engine, Rackspace).
After Enable telnet service in Windows XP PRO SP2, how affect the security level of system?
Will it be easier to infected virus or worm attack?
First and foremost if you need remote access you should always consider SSH over telnet in almost every situation. If you can't because of automated robots connecting over telnet only then you have to live with that, but other than that you should always use SSH.
By enabling telnet service you've provided yet another vector of attack for outside attackers. Telnet has to known weakness because of the way it's architected, but there could be implementation defects specific to the windows service that could allow attackers to gain access. You'll need to do some research to figure out what vulns exist on the telnet service for windows.
SP2 is pretty old so you'll want to apply all security patches so you're up to the latest. Not doing so could allow an attacker thru another vector whether you're running telnet service or not. In the big picture this question only makes sense to ask after you've upgraded your machine to the latest security patches. Does turning on telnet service expose you to any known vulnerabilities for which a patch doesn't exist? That would have to be researched.
Now there are some concerns you should have about using telnet. One telnet doesn't encrypt passwords so if someone were to get behind your firewall they could potentially sniff the traffic going to that machine and get the root password because telnet sends passwords in the clear. That could mean any computer on your network could see admin passwords. Telnet should not be accessible to the internet because of this. You should also be very careful about wifi access as well. Make sure you are using WPA or some sort of protection from random people connecting into your network. Otherwise anyone could see your passwords in the clear just by driving by. So I'll assume telnet is turned on and is behind a firewall or VPN, not accessible to a public wifi. If that's the case the potential threats are much lower since telnet can't be reached but by someone with access to your internal network. At this point you've lowered your exposure to just the people who have access to that network. That means how well does your VPN/firewall protect you? If your telnet port is open on the firewall then you're not protected. But, if it's safely behind one or both of those you could get away with running it. But bear in mind that your security is hinging on the security of your firewall/VPN in that case.