I was Hacked !!!

  • I was Hacked !!!

    OK, Never thought it would happen to li'l ol' unimportant me but they got me.
    Many files were encrypted & I was given an address to get them back.

    I was backed up & after running Malwarebytes (free, scan only) I quarantined the apparent problems, deleted the encrypted files & ran a repair install of HS3.
    I'm up & running again.
    I got a new drive coming & this weekend will fresh reinstall everything.

    Now, just curious, how did they get in?
    I'm running HS3 on a dedicated laptop (Windows 7 Pro). I rarely touch this machine, no emails received (send only) or browsing.
    The only exposure I can see is the Web Server & Blue Iris which are both port forwarded through the router.
    Apparently Windows Defender is not sufficient.

    If I confess to being ignorant, can you give me some Ideas where to tighten up?

    Be gentle, I'm not in your league.
    Thanks
    Paul


  • #2
    The only exposure I can see is the Web Server & Blue Iris which are both port forwarded through the router.
    Apparently windows defender is not sufficient.
    There's your problems. Don't port forward.

    1. Set up and use a VPN. If you can't then pay someone to help you or pay for a VPN service. OpenVPN offers one and it's relatively inexpensive and works with most consumer routers.
    2. Buy a better router that has native VPN to make the setup easier. A USG is only $129 bucks on Amazon or you can get a lower end consumer router from Best Buy that still has built-in VPN capabilities.
    3. Use MyHS for HS3 if you don't want to go with a VPN
    4. I don't use BI remotely but don't they have an app for remote viewing that does not require port forwarding? It creates a tunnel through their servers?



    • #3
      I got a USG a few months ago and love it. It is a bit scary that it blocks about 1 or 2 attacks or worms a day (most headed for the HS computer, so prob fishing attempts). (I'm sure most of them would have been blocked anyway, but it only takes one.) I also block all addresses not from the USA and that helps a ton to start with.



      • #4
        Good kick-in-the-pants reminder.

        Have now enabled and configured pfBlockerNG on my pfsense firewall.



        • #5
          I agree with Fellhahn. Exposing your system to the internet has risks. One thing I noticed using myhs is that any links other than the basic links of Homeseer, do not render while outside my network. I have links defined with Jon's link setup as well, and when I click on them, they go nowhere. I brought this up to support months ago.
          I'd like to setup a VPN to my system as well since my router supports this. However, I run an e-mail server which uses https along with a signed certificate for both web access and SMTP/IMAP. When I browse to the https DNS name in the URL, it automatically routes to my e-mail application because of port 443. Saying all of this, I am seeking feedback from the network gods here, is there a solution here other than a somewhat crippled myhs service?

          Thanks,

          Robert
          HS3PRO 3.0.0.500 as a Fire Daemon service, Windows 2016 Server Std Intel Core i5 PC HTPC Slim SFF 4GB, 120GB SSD drive, WLG800, RFXCom, TI103,NetCam, UltraNetcam3, BLBackup, CurrentCost 3P Rain8Net, MCsSprinker, HSTouch, Ademco Security plugin/AD2USB, JowiHue, various Oregon Scientific temp/humidity sensors, Z-Net, Zsmoke, Aeron Labs micro switches, Amazon Echo Dots, WS+, WD+ ... on and on.



          • #6
            I moved to VPN (through OpenVPN) on my Asus router almost a year ago for the same reason. I killed all port forwarding... and VPN to use the Blue Iris client, as well as Imperihome. Works great so far.

            Will be looking to move to a more robust Ubiquiti system soon so I can segment my LANs to add protection.

            usLEDsupply , interested in how you blocked all but US addresses? I do get warnings from my router constantly. I guess that's good... but it's also a bit disconcerting :-)



            • #7
              Originally posted by langenet
              I agree with Fellhahn. Exposing your system to the internet has risks. One thing I noticed using myhs is that any links other than the basic links of Homeseer, do not render while outside my network. I have links defined with Jon's link setup as well, and when I click on them, they go nowhere. I brought this up to support months ago.
              I'd like to setup a VPN to my system as well since my router supports this. However, I run an e-mail server which uses https along with a signed certificate for both web access and SMTP/IMAP. When I browse to the https DNS name in the URL, it automatically routes to my e-mail application because of port 443. Saying all of this, I am seeking feedback from the network gods here, is there a solution here other than a somewhat crippled myhs service?

              Thanks,

              Robert
              You have 3 servers wanting to use SSL.

              Web = port 443
              SMTP = 465
              IMAP = 993

              Those are the "Secure" Ports you should be using for those services. Why are you trying to run everything on port 443?

              Are you doing a Point to Point VPN setup where you have a VPN server local and then AGAIN opening a firewall port allowing clients to connect to that VPN server to then establish the VPN connection? Doing this without a proper firewall setup and segmented DMZ still leaves you vulnerable to attack at the VPN server that is open on the internet. If this system is fully secured (hardware based) then it's less of a problem. Otherwise use an "Access Server" or Tunnel server that is on the internet and you connect to from your local network outbound. If the VPN connection is established FROM your local network to the external VPN router then you don't have to open any firewall ports to the internet. This method also works for those behind a double NAT like myself with using LTE modems for internet or those using Satellite service.



              • #8
                Sorry for the confusion. Yes, you are correct I use 443 for the web. 465 for smtp and 993 for secure imap. I will look into an access server...

                Thanks


                • #9
                  Originally posted by langenet
                  Sorry for the confusion. Yes, you are correct I use 443 for the web. 465 for smtp and 993 for secure imap. I will look into an access server...

                  Thanks
                  The OpenVPN Access Server is a good solution and is cheap if you run it from an AWS EC2, Vultr, Digital Ocean instance. Doing that will cost $5 or less a month and the "Public" facing IP and vulnerability sector is no longer within your local network.



                  • #10
                    Thanks, this is a great suggestion. I've been considering pfsense since Pete started the thread on group buying one some time ago. One new model that interests me is the pfsense SG-1100 firewall. However, I'll have to manage it... (perhaps not so bad), so thanks, I will be looking into OpenVPN.


                    • #11
                      Originally posted by langenet
                      Thanks, this is a great suggestion. I've been considering pfsense since Pete started the thread on group buying one some time ago. One new model that interests me is the pfsense SG-1100 firewall. However, I'll have to manage it... (perhaps not so bad), so thanks, I will be looking into OpenVPN.
                      It's not a one or other setup. You will want to run both. Whether you choose a pfSense, USG, Asus, Netgear, Cisco, TP-Link it doesn't matter too much as long as it supports VPN connections. You will run the local Firewall to protect your Local network from internet attacks but have ports closed. No port forwarding. From your local FW you will then establish a VPN tunnel to the Access Server (OpenVPN is only one option out there). This tunnel will create a secure pathway for inbound traffic that you allow to your local network through the Access point. The Access Server will be the entry point for your clients (mobile apps etc). You can setup your public DNS name and access points from there.

                      The vulnerability sector is moved to the Access Server so you will have to ensure that is secured and setup properly. The benefit is that it is isolated already (virtual DMZ) from your home network and only what you specifically allow can connect to it and then traverse backwards to your network. This is essentially what MyHS does in a way as the local finder on your HS3 install creates a tunnel connection to the MyHS access server which you then use to perform remote access to your HS3 install. However MyHS is limited to only HS3 whereas doing it yourself you have the ability to grant full access to your entire LAN or you can restrict it to very specific IP:PORT combinations all being secured connections and only have one entry point.



                      • #12
                        Originally posted by langenet
                        I agree with Fellhahn. Exposing your system to the internet has risks. One thing I noticed using myhs is that any links other than the basic links of Homeseer, do not render while outside my network. I have links defined with Jon's link setup as well, and when I click on them, they go nowhere. I brought this up to support months ago.
                        I'd like to setup a VPN to my system as well since my router supports this. However, I run an e-mail server which uses https along with a signed certificate for both web access and SMTP/IMAP. When I browse to the https DNS name in the URL, it automatically routes to my e-mail application because of port 443. Saying all of this, I am seeking feedback from the network gods here, is there a solution here other than a somewhat crippled myhs service?

                        Thanks,

                        Robert
                        I'm not certain but I think you're talking about having a VPN server and a web server both listening on port 443, that routes the connection based on type or SNI?

                        If that is what you're after, it is possible using a double layered front end setup on pfsense/HAProxy. I've done it, but the experience was poor frankly. I ditched it and just went back to the default port for OpenVPN.

                        For people wondering why you would do this, if you're frequently connected to WiFi networks with restrictive outbound firewall policies, you may find you can't get a VPN connection outbound on the usual ports (UDP 1195). Ever travelled to the UAE? Hoo boy that government does NOT view the internet as open and free ...
                        Running the VPN over TCP 443 instead might get you connected, assuming no MITM deep packet inspection is occurring.

                        Buuut VPNs don't use server name indication like HTTPS handshakes do, so properly identifying the inbound VPN connection in order to route it gets tricky. It's a PITA to be honest and I came to the conclusion it wasn't worth the degraded performance just to circumvent a potential niche setup.



                        • #13
                          Originally posted by langenet
                          Thanks, this is a great suggestion. I've been considering pfsense since Pete started the thread on group buying one some time ago. One new model that interests me is the pfsense SG-1100 firewall. However, I'll have to manage it... (perhaps not so bad), so thanks, I will be looking into OpenVPN.
                          Consider running pfsense in a virtual environment first to see how you like managing it; the software component is free for non-commercial use. Any old box with at least two ethernet ports should do.
                          This way you can try it and if it's not for you, no money lost.



                          • #14
                            Originally posted by Tomgru

                            usLEDsupply , interested in how you blocked all but US addresses? I do get warnings from my router constantly. I guess that's good... but it's also a bit disconcerting :-)
                            Does your USG (Ubiquiti Security Gateway??) run pfsense? I bought a really tiny Ubiquiti home router/firewall a few years ago and it was running pfsense, it's actually what first brought me to the product.

                            If so, can you install additional packages through the package manager? The package you need is pfBlockerNG.
                            It downloads lists of countries' allocated CIDR IPv4 segments, then allows you to configure block rules based on source geographical region. These rules are placed above your normal firewall rules by default, so all that traffic from Asia will be blocked before it hits your default deny rule, and before it discovers the listening 443 port or any other open port.

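The rule ordering described in post #14, as an added example (not code from the thread or from pfBlockerNG): country CIDR block rules sit above the pass rule for a forwarded port and the default deny, and the first matching rule wins. The country codes, CIDR lists (documentation-only ranges) and function names are constructed for illustration.

```python
import ipaddress

# Constructed country lists using documentation-only ranges (RFC 5737),
# standing in for the per-country CIDR feeds a geo-blocking package downloads.
COUNTRY_CIDRS = {
    "AA": ["192.0.2.0/24", "198.51.100.0/25"],
    "BB": ["203.0.113.0/24"],
}
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_rules(blocked_countries, forwarded_ports):
    """Ordered rule list: geo-block rules first, then port passes, then default deny."""
    rules = []
    for cc in blocked_countries:
        for cidr in COUNTRY_CIDRS[cc]:
            rules.append(("block", ipaddress.ip_network(cidr), None, f"geo:{cc}"))
    for port in forwarded_ports:
        rules.append(("pass", ANY, port, f"forward:{port}"))
    rules.append(("block", ANY, None, "default-deny"))
    return rules

def evaluate(rules, src, dst_port):
    """Return (action, label) of the first rule matching the source and port."""
    addr = ipaddress.ip_address(src)
    for action, net, port, label in rules:
        # A rule with port None applies to every destination port.
        if addr in net and port in (None, dst_port):
            return action, label
    return "block", "implicit"
```

An address outside the blocked lists still reaches the forwarded port, so geo-blocking narrows who can see the listener without closing it.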


                            • #15
                              Here is one of the configuration screens for PFBlockerNG.

                              [Attached image: PFSense.jpg]
                              - Pete

                              Auto mator
                              Homeseer 3 Pro - 3.0.0.534 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU - Mono 6.4X
                              Homeseer Zee2 (Lite) - 3.0.0.534 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro - Mono 6.4X

                              X10, UPB, Zigbee, ZWave and Wifi MQTT automation.
