TCP/UDP port security and locking down my network

    I'm looking for advice on how to best secure my network. I've been reading up on how ports work, SYN/ACK packets etc. and ways people can scan your open ports. I've downloaded nmap but I find it hard even with guides to determine much from the output, so I also used netstat on my Windows PC. I found this a little easier to pick apart and found a couple of established connections to outside IP addresses. I'm looking into these; one I know I opened for a support session involving Acronis. I was wondering if I should now close that port: is this now open anytime they wish, or would I have to grant access again? Any listening ports were to my own addresses on hardware (0.0.0.0 and 127.0.0.1:port number).

    I understand there's a standardised port for http, emails in and out, ssh and so on which can be changed providing the client I use allows me to specify which port to use. I have a few questions that I'm hoping someone can answer or offer advice.

    1. Is it wise to alter these standard ports? Does it offer much in the way of security (by obscurity), or are there better ways (a decent firewall)?

    2. If this is a good move, what range would be the best to use (registered or dynamic/private)?

    3. Is messing with well-known registered ports going to throw a few spanners in the works, i.e. WhatsApp, Gmail etc.?

    Currently I use a few Android phones and tablets, a couple of PCs and a Raspberry Pi for HomeSeer. They're all used for Internet surfing, email, WhatsApp etc. (the Pi is home automation only). I'm using SSH to set up my Pi, but once that's done I'll disable SSH so that it cannot be accessed apart from a physical port. I haven't enabled WiFi on the Pi as I don't really have a need for it currently. Say I wanted to access my HomeSeer GUI from another network: I'd have to set up a static IP and set up port forwarding. Would this be better left alone (if I can manage without it), or are there good secure ways of doing so (VPN)?

    I'd like to leave the Pi automation completely isolated from the Internet for security, but I'm using devices that connect to the Internet that can introduce viruses, malware etc. into my LAN, so I'm just looking for some good preventative measures without disrupting the normal operation of things.

    Any knowledge and wisdom is appreciated.
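    The netstat listing mentioned above separates sockets bound to 0.0.0.0 from those bound to 127.0.0.1, and that distinction is the useful part of the output: 127.0.0.1 (and ::1) is reachable only from the same machine, while 0.0.0.0 (and :: for IPv6) means the service accepts connections on every interface, so anything else on the LAN can reach it. The script below is an added example, not code from any post in this thread; it parses a constructed `netstat -ano` dump and buckets each socket into loopback-only listeners, listeners reachable from the network, and established connections to LAN versus internet peers. The sample rows, PIDs and addresses are all constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample of Windows `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       3204
  TCP    192.168.1.20:49713     203.0.113.45:443       ESTABLISHED     5120
  TCP    192.168.1.20:49801     192.168.1.30:8080      ESTABLISHED     6612
  TCP    [::]:3389              [::]:0                 LISTENING       1400
  UDP    0.0.0.0:5353           *:*                                    1888
"""

# Ranges treated as "inside the LAN": RFC 1918, loopback, link-local, IPv6 ULA.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128",
    "169.254.0.0/16", "fe80::/10",
    "fc00::/7",
)]


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: Optional[str]
    remote_port: Optional[int]
    state: str
    pid: int


def split_endpoint(text: str):
    """Split 'ip:port', '[ipv6]:port' or '*:*' into (ip, port); '*' becomes None."""
    host, _, port = text.rpartition(":")
    host = host.strip("[]")
    if host == "*" or port == "*":
        return None, None
    return host, int(port)


def parse_netstat(output: str):
    """Parse the TCP/UDP rows of `netstat -ano`; UDP rows carry no State column."""
    sockets = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "STATELESS", int(parts[3])
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        sockets.append(Socket(proto, lip, lport, rip, rport, state, pid))
    return sockets


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def classify(sock: Socket) -> str:
    """Bucket a socket by who can reach it (listeners) or who it talks to (connections)."""
    local = ipaddress.ip_address(sock.local_ip)
    if sock.state in ("LISTENING", "STATELESS"):
        if local.is_loopback:
            return "loopback-only"               # only this machine can connect
        if local.is_unspecified:
            return "listens-on-all-interfaces"   # 0.0.0.0 or :: -> reachable from the LAN
        return "listens-on-one-interface"        # bound to one specific address
    if sock.remote_ip is None or is_lan(sock.remote_ip):
        return "connected-to-lan"
    return "connected-to-internet"


def summarize(output: str):
    """Return {bucket: [Socket, ...]} for a netstat dump."""
    buckets = defaultdict(list)
    for sock in parse_netstat(output):
        buckets[classify(sock)].append(sock)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, socks in summarize(SAMPLE_NETSTAT).items():
        print(bucket)
        for s in socks:
            peer = f" -> {s.remote_ip}:{s.remote_port}" if s.remote_port else ""
            print(f"  {s.proto} {s.local_ip}:{s.local_port}{peer} pid={s.pid}")
```

    The "listens-on-all-interfaces" bucket is the one worth reviewing against the router's firewall rules: those services are exposed to every device on the LAN, and to the internet too if a port forward points at them. The PID column lets you match each entry to a process in Task Manager to decide whether it still needs to listen at all.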

    #2
    I'm going to focus on the big threat... the internet connecting to your home network via your ISP connection.

    First and foremost, block all internet traffic from connecting to your home network. Either via a firewall or port forward all internet traffic to an unused private IP on your network. How you do this depends on your router and if you have a built in firewall. This stops the internet from connecting to anything on your home network. This does not prevent your home network (PCs, tablet, etc) from connecting to the internet.

    Unless you host your own web server, email server, etc on your home network, then you do not need to open those ports to the internet.

    Do you have the need to connect to your home network from the internet? If not, then you've eliminated 90% of your risk.

    If you do have the need to access your home network from the internet, then allow only those ports to access your network. Changing ports to non-standard ones will reduce, not eliminate, the number of attacks.

    It's still best to allow the fewest number of ports available from the internet. Hosting your own VPN server or using SSH tunnels allows you to reduce the number of exposed ports while allowing you access.

    It's best not to allow any internet access.
    Len


    HomeSeer Version: HS3 Pro Edition 3.0.0.435
    Linux version: Linux homeseer Ubuntu 16.04 x86_64
    Number of Devices: 633
    Number of Events: 773

    Enabled Plug-Ins
    2.0.54.0: BLBackup
    2.0.40.0: BLLAN
    3.0.0.48: EasyTrigger
    30.0.0.36: RFXCOM
    3.0.6.2: SDJ-Health
    3.0.0.87: weatherXML
    3.0.1.190: Z-Wave



      #3
      Test your internet vulnerability using the multitude of tests in internetlandia.

      Here I use only VPN to access my home network. I do not open any ports for anything on the firewall.

      Switched over to PFSense a few years back and it works just fine.

      DNS spoofing, also referred to as DNS cache poisoning, is a form of computer hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect IP address. This results in traffic being diverted to the attacker's computer (or any other computer).

      Personally, all of the computers get their DNS from the PFSense firewall, which uses an Unbound DNS resolver these days.

      NTP comes from the same firewall, connected to a GPS for time sync. (I do not utilize internet NTP today; not for years now.)

      Basically, here I keep my tablets / cell phones off unless I am using them. I use wireless sometimes for my laptops but mostly have network ports nearby. I do not use or depend on wireless for automation and mostly tinker with it relating to automation (Amazon Echo, Samsung SmartThings, et al.). I have 16 tabletop touchscreens which run embedded Wintel. These are PoE Gb wired. I have a couple of testing wireless tabletops but prefer the hard wire.

      I wish that the RPi folks had upped the processor and used 2Gb of memory for the RPi3 rather than providing built-in WLAN and Bluetooth. I purchased the Pine64 with 2Gb of memory. It is running Ubuntu 16.04 / 64 bit and runs circles around the RPi3. You can add wireless Bluetooth or 802.XX wireless via modules on it.
      - Pete

      Auto mator
      Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
      Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
      HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

      HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
      HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

      X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



        #4
        I am in the networking business and have an enterprise-grade firewall at my home. Recently I have set up SSL inspection and tracked all outbound connections all my devices make on the internet.

        Does HS publish the required ports/protocols and destination IPs/FQDNs needed? I searched this forum and the website but cannot find anything.

        I have used Wireshark and my firewall for visibility.

        I found standard ports 80, 443, NTP, DynDNS (8245), MyHS (10300), UltraSeek-HTTP (8765), IMAP and SMTP (for email).

        I have blocked everything else. For the most part that works.

        I then tried to lock it down even further by limiting destination IPs from "any" to just US-based addresses (I live in the US). Again, for the most part everything works, but I get hits on my deny policy to the UK, Germany, the Netherlands, etc. Most seem legit, as the URLs look like they are plugin providers (many of whom may be overseas).

        I was just curious if HS tracks destinations sourced from HS and its plugin providers and/or a list of required ports/protocols?



          #5
          Originally posted by charlesmbell:
          I was just curious if HS tracks destinations sourced from HS and its plugin providers and/or a list of required ports/protocols?
          This is probably a question you should direct to HST. (Try 'Contact Us' in the 'Company' drop-down from the blue bar.) They do not monitor the board on a routine basis and will likely miss your post.
          Mike
          HS3 Pro Edition 3.0.0.548, NUC i3

          HW: Stargate | NX8e | CAV6.6 | Squeezebox | PCS | WGL 800RF | RFXCOM | Vantage Pro | Green-Eye | Edgeport/8 | Way2Call | Ecobee3 | EtherRain | Ubiquiti



            #6
            You might also want to run Shields Up from Gibson Research.
            https://www.grc.com/x/ne.dll?bh0bkyd2
            It does a free, benign probe of your open ports and reports any problems.
            Fred

            HomeSeer Pro 3.0.0.548, HS3Touch, Zwave 3.0.1.252, Envisalink DSC 3.0.0.40, WeatherXML, Z-stick, HS phone, Way2Call



              #7
              Originally posted by charlesmbell:
              I am in the networking business and have an enterprise-grade firewall at my home. Recently I have set up SSL inspection and tracked all outbound connections all my devices make on the internet.

              Does HS publish the required ports/protocols and destination IPs/FQDNs needed? I searched this forum and the website but cannot find anything.

              I have used Wireshark and my firewall for visibility.

              I found standard ports 80, 443, NTP, DynDNS (8245), MyHS (10300), UltraSeek-HTTP (8765), IMAP and SMTP (for email).

              I have blocked everything else. For the most part that works.

              I then tried to lock it down even further by limiting destination IPs from "any" to just US-based addresses (I live in the US). Again, for the most part everything works, but I get hits on my deny policy to the UK, Germany, the Netherlands, etc. Most seem legit, as the URLs look like they are plugin providers (many of whom may be overseas).

              I was just curious if HS tracks destinations sourced from HS and its plugin providers and/or a list of required ports/protocols?
              Recently HS changed the method to download plugins, and the data for developers' addresses is now no longer publicly available (if you have a backup of HS you probably still have the updater file in there, which was just a text file you could read the URLs from), although HS would clearly have this.

              I'm likely to be one of those blocked persons; I have four plugins in the updater and it comes from a .co.uk domain. The list of updater URLs changes as plugins come and go, so I don't think they will be publishing a list anytime soon; however, that should only be downloaded when you go into the plugins manage page and it tries to get third-party data.



                #8
                Here I utilize PFSense / PFBlocker and whitelisted some 3 downloading sites from the UK and EU and block port 8245.

                I block everything else (80, 443, NTP, DynDNS (8245), MyHS (10300)) and use IPsec VPN to get to my network from wherever to whatever.

                NTP comes from PFSense, which is connected to a GPS / PPS. The MyHomeseer dot com DynDNS service runs whether enabled or not on the HS GUI.

                I have never configured HS1, HS2 or HS3 to receive email over the years... just sending email from HS (since the late 1990s).

                PFBlocker is using a GeoIP database by MaxMind Inc. (GeoLite2 Free version).

                Easy and fast to whitelist.
                Last edited by Pete; April 16, 2017, 06:40 PM.
                - Pete




                  #9
                  This command lists the sites hit by the updater:
                  curl -s https://updatercontrol.homeseer.com/...s3/updater.txt | awk -F/ '/^@/ { print $1 FS $2 FS $3 }' | sort -u

                  Note that each of these is hit whenever the 'Update Listing' button is pressed.



                    #10
                    Originally posted by zwolfpack:
                    This command lists the sites hit by the updater:
                    curl -s https://updatercontrol.homeseer.com/...s3/updater.txt | awk -F/ '/^@/ { print $1 FS $2 FS $3 }' | sort -u

                    Note that each of these is hit whenever the 'Update Listing' button is pressed.
                    Guess I was wrong about it not being publicly available; they must just not be saving the file locally any more.



                      #11
                      Just recently installed HS3 on new hardware and saw the aforementioned feature with V313. Main HS3 boxes are running V297 and install text is still there.
                      - Pete




                        #12
                        Originally posted by zwolfpack:

                        Note that each of these is hit whenever the 'Update Listing' button is pressed.
                        Just a side note: I do not have any inbound ports open at all. I VPN in behind my FW, as Pete mentioned.

                        Also, I just upgraded to the latest version, let HS send its telemetry data to all the 3rd parties and left my outbound open: IP/any/any. Then I locked it down, and 4 hours later, without clicking on the plugin/manage tab or updating listings, HS began to make calls to all the 3rd-party web sites again.

                        So it seems routine, non-manual intervention is sending telemetry, or it is just a routine check for updates. I have not Wireshark-sniffed it yet to see what is being sent.

                        I am not a tin-foil-hat guy or anything, just trying to harden my system.



                          #13
                          Here I just enjoy tinkering with my PFSense firewall. It's pretty robust.

                          I.e., I also play with Cisco ASA firewalls. For home, though, PFSense fits fine.

                          In Linux it creates a cron job to check DNS. I'm thinking that inside of the HomeSeer application it internally runs a check on updates. You can see errors in the HS logs if it doesn't get to the 3rd-party websites. It really is only 3-4 of them anyway.

                          Not sure on the type of firewall you are using. Here I still utilize Sniffer Pro but mostly just check on the PFSense logging.

                          Last year I drove out of town and stayed in a hotel. I configured an HSTouch tabletop to run an IPsec VPN back to the mothership via my T-Mobile LTE mobile wireless tether. Worked great, and the tunnel stayed up all night. I've noticed here now with PFSense that I need to tickle the LTE connection to keep it up.
                          - Pete




                            #14
                            I use a Fortinet firewall. I've been playing with SSL inspection; it can do application DPI, AV scanning, IPS, anti-spam, content filtering and other next-gen features.

                            As I watch the logs it is interesting to see how much telemetry data gets sent to Facebook, Twitter, Microsoft and others just for general browser use. Some stuff is impossible to block, as you basically break the ability to use it. Other newer apps are well written for cloud native.
                            Not sure why Microsoft needs to send telemetry data all over the world.

                            When I saw data being sent to other countries from HomeSeer, I started checking into it. It is probably update data. It tried exactly 4 hours after I blocked it, but has not tried again in the last 14 hours, so maybe, as zwolfpack mentioned, it's only when you click on update listings or navigate to the plugin page.

                            <UPDATE>
                            Scratch that, the automated update happened again this morning without intervention.
                            </UPDATE>
                            Last edited by charlesmbell; April 18, 2017, 07:22 AM.
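                            The two things posts #4, #12 and #14 are doing by hand, auditing outbound flows against a list of permitted egress ports and spotting the HomeSeer calls that recur every 4 hours without anyone touching the plugin page, can be scripted from the firewall's own logs. The following Python is an added example, not code from the thread or from HomeSeer, Fortinet or pfSense. It runs on constructed log lines in a simplified "timestamp action src dst port proto" layout (not pfSense's real filterlog format); the allowlist is the port set from post #4, with 993 and 587 assumed for the IMAP and SMTP entries the post does not number. The addresses and timings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Egress ports post #4 allowed. IMAP/SMTP numbers (993, 587) are this example's assumption.
ALLOWED_EGRESS_PORTS = {80, 443, 123, 8245, 10300, 8765, 993, 587}

# Constructed outbound firewall log (simplified layout, not pfSense's real filterlog):
# timestamp action source destination dst-port protocol
SAMPLE_LOG = """\
2017-04-17T02:00:03 pass  192.168.1.50 203.0.113.10 443 tcp
2017-04-17T02:00:40 block 192.168.1.50 198.51.100.7 80 tcp
2017-04-17T03:15:12 pass  192.168.1.50 203.0.113.20 123 udp
2017-04-17T06:00:41 block 192.168.1.50 198.51.100.7 80 tcp
2017-04-17T08:05:00 pass  192.168.1.50 203.0.113.30 5222 tcp
2017-04-17T09:12:00 pass  192.168.1.50 203.0.113.10 443 tcp
2017-04-17T10:00:39 block 192.168.1.50 198.51.100.7 80 tcp
2017-04-17T14:00:42 block 192.168.1.50 198.51.100.7 80 tcp
2017-04-17T20:45:10 pass  192.168.1.50 203.0.113.10 443 tcp
"""


@dataclass
class Flow:
    ts: datetime
    action: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text: str):
    """Parse the simplified log layout into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), action, src, dst, int(dport), proto))
    return flows


def off_allowlist(flows, allowed_ports):
    """Flows that passed but use a port outside the allowlist.

    Run this before tightening the policy: these are exactly the destinations a
    port allowlist would start breaking, so each needs a decision (permit or drop).
    """
    return {(f.dst, f.dport, f.proto) for f in flows
            if f.action == "pass" and f.dport not in allowed_ports}


def periodic_destinations(flows, min_hits=3, tolerance=timedelta(minutes=5)):
    """Find (dst, port) pairs contacted at a regular interval, blocked or not.

    Returns {(dst, port): mean gap} for pairs with at least `min_hits` attempts
    whose gaps all agree within `tolerance`. A scheduled 4-hour check-in shows up
    here even while the firewall is dropping it, which is how to tell an automatic
    update check from a one-off click on 'Update Listing'.
    """
    times = defaultdict(list)
    for f in flows:
        times[(f.dst, f.dport)].append(f.ts)
    result = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            result[key] = sum(gaps, timedelta(0)) / len(gaps)
    return result


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("would break under the port allowlist:", off_allowlist(flows, ALLOWED_EGRESS_PORTS))
    for (dst, port), gap in periodic_destinations(flows).items():
        print(f"periodic: {dst}:{port} every {gap}")
```

                            On the sample data the 198.51.100.7:80 attempts recur four hours apart to within a few seconds, so they are reported as periodic even though every one of them was blocked; the 203.0.113.10:443 traffic has three hits but irregular gaps and is not. A real deployment would feed this the firewall's export rather than the embedded string, and the tolerance should be widened for schedulers with jitter.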



                              #15
                              Here, relating to tweaking / modding Windows 10 to make it lighter, I ended up removing almost greater than 100 MS links built into the software. That said, the cloud connectivity would keep coming back, sort of being built into the OS.

                              Personally, here I can but do not get into detailed monitoring, as I know it is there with whatever ISP I use. I see this mostly using T-Mobile. It is more transparent with CC.


                              These days the only solution is to use a VPN service or, relating to browsing the internet, using Tor.

                              As mentioned earlier I only whitelisted 3 international update sites that HS was using for updates.
                              - Pete

