Russians hacking Homeseer?
    #61
    I run my e-mail server on the same host as my HS. I have valid DNS/MX records and certificate as well. I noticed them from my e-mail smtp logs trying to hijack my e-mail server. This is why I blocked the port. Though, as you can see, they continue to try.

    I have many rules set up on my router - mostly China and Russia.

    I just sent an e-mail - will see if I get a response.


    Robert

    EDIT:
    Love how these things are kept up-to-date.
    [2017-07-12 09:17:49.855][DeliveryDaemon-7]Error delivering 15ce6852ff2_MRNW_601-1 to host us-smtp-inbound-2.mimecast.com [207.211.30.181] to addresses [nstadmins@travelzoo.com]
    javax.mail.SendFailedException: Invalid Addresses
    [2017-07-12 09:17:49.855][DeliveryDaemon-7]Error while attempting to deliver 15ce6852ff2_MRNW_601-1 to host us-smtp-inbound-2.mimecast.com [207.211.30.181] to addresses [nstadmins@travelzoo.com]
    javax.mail.SendFailedException: Invalid Addresses
    HS3PRO 3.0.0.500 as a Fire Daemon service, Windows 2016 Server Std Intel Core i5 PC HTPC Slim SFF 4GB, 120GB SSD drive, WLG800, RFXCom, TI103,NetCam, UltraNetcam3, BLBackup, CurrentCost 3P Rain8Net, MCsSprinker, HSTouch, Ademco Security plugin/AD2USB, JowiHue, various Oregon Scientific temp/humidity sensors, Z-Net, Zsmoke, Aeron Labs micro switches, Amazon Echo Dots, WS+, WD+ ... on and on.



      #62
      I have the MyHS disabled and I was getting hit all day yesterday. I use no-ip.org to access my HS3 computer remotely.

      Ronnie



        #63
        PFSense here has a free Geoblocking plugin from MaxMind.

        The plugin downloads lists of known IP's and subnets which are recorded to be nefarious.

        Here is a partial snapshot of the geo blocking going on. Imagine having to cherry pick these IPs.

        [attachment 62183: screenshot of the geoblocking log]

        It gets to be difficult when having to be cherry picking single IPs to block, especially when they number over 100 and into the thousands of IPs.

        Noticed similar with a company using a Cisco ASA and cherry picking IPs to block.

        I would see one person spend a good part of his day cherry picking IPs to block.

        Cisco does provide a subscription to geoblocking Maxmind tables for their ASA product but you have to pay for the subscription.
        Last edited by Pete; July 12, 2017, 08:51 AM.
        - Pete

        Auto mator
        Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
        Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
        HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

        HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
        HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

        X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



          #64
          Pete,

          Are you running PFSense on your own PC or did you purchase a turn-key system? The more I learn about PFSense, the more I'm inclined to go this route as well. Love the plugin...

          Robert



            #65
            I am running PFSense on a DIY'd PC with multiple Intel Gb interfaces today. PFSense is BSD based and today it is very plug-and-play relating to the hardware it runs on. I am using a small footprint case with a BCM commercial style motherboard (which had two built in Intel GB NIC cards). I added two PCIE dual server style Intel port NICs to the firewall when I built it. Today you can reduce the footprint with one 4 port server style NIC card.

            The multiple interfaces are used for two WAN connections and autonomous interior networks for this or for that. These are physically separate networks. You can also create VLANs on the same interfaces for virtual separate networks.

            On the commercial side it is just like any other commercial firewall appliance. You can purchase a product from the PFSense folks and they totally manage it for you.

            Been blogging the build and adds to PFSense on Cocoontech for a few years now.

            [attachment 62184: photo of the PFSense build]

            First add was a GPS NTP server plugin for accurate time. Very much baby-step wise. Current rendition is using a 32 SSD drive.

            You can go less now and run the OS in RAM.

            The power supply is a PicoPSU.

            As the work load of the firewall increased so did the CPU and RAM increase.
            Last edited by Pete; July 12, 2017, 09:34 AM.
            - Pete




              #66
              Originally posted by rjh:
              What is odd is that HSTouch uses an undocumented protocol, so if they were trying normal user/pass on the HSTouch port, it would never work, even if they had the correct user/pass, and if they did figure out the login protocol, they would need to know the protocol to control stuff, also undocumented. Sounds like they were assuming the port would allow normal web access.

              I just assumed they are trying to log in with username/password. No proof.
              https://forums.homeseer.com/forum/de...plifier-plugin



                #67
                Originally posted by rjh:
                Note that the connection to HSTouch uses our own protocol. TCP is the transport, but the protocol is not public and it uses AES encryption to verify a login. So even if they connect via TCP, they won't get far unless they have your login. Looking at the posted logs, I did not see any login attempts.

                Thanks for the update and it's good to know that the HSTouch protocol is proprietary. It does seem like whoever was doing this was unable to actually do anything other than establish a basic connection.

                Originally posted by rjh:
                Looks to me like a broad port scan on a lot of IP addresses.

                I have to disagree with you on this. We now have reports from 10+ users that they all started getting attacked on the same obscure port at the same time by the same IP blocks. There is almost no chance that random scans from the same block of IPs on the billions of addressable IPs just happen to target the same obscure port (most random scans wouldn't even include 10200) at the same time on a widely dispersed set of IPs that all share a common trait, i.e. HS servers. If it was port 80 or 21, maybe it's a possibility, but 10200, no chance.

                Given the simultaneous timing, the common focus, and the common attack IPs, this looks very much like a focused attack on a pre-assembled list of IPs. That doesn't necessarily mean that myHS or Homeseer has been compromised, as the attack list could have been built up over a period of time by random scans, but it seems very likely that this was not a random scan, but a focused attack based on a pre-assembled list of servers that had 10200 open.

                I know it's tempting to dismiss this as random, but you guys might want to consider the possibility that someone is specifically targeting your user base/servers and trying to find specific vulnerabilities that they can exploit. Maybe they are trying to compromise a very high value target that is running an instance of HS ... who knows.

                Net, net, you might want to consider posting a reminder to the broader user base about best practices for firewall and port configuration. Can't hurt in general, and seems like a prudent response in light of recent events.
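The reasoning in the post above (same obscure port, same time window, same source blocks across many independent HS hosts) can be turned into a pooled-report check. The script below is an added example, not code from the thread or from HomeSeer; the host names, timestamps and all source addresses except 185.127.24.103 are constructed, and the thresholds are assumptions a defender would tune.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (reporting HS host, UTC timestamp, source IP, destination port).
# They imitate the pattern described in the thread (several HS servers probed on the HSTouch
# port 10200 in the same window from one /24 block); only 185.127.24.103 is an address the
# thread itself names, the rest is made up.
REPORTS = [
    ("hs-a", "2017-07-11 13:25:00", "185.127.24.103", 10200),
    ("hs-a", "2017-07-11 13:25:05", "185.127.24.103", 10200),
    ("hs-b", "2017-07-11 13:26:10", "185.127.24.57", 10200),
    ("hs-c", "2017-07-11 13:27:45", "185.127.24.103", 10200),
    ("hs-d", "2017-07-11 13:28:02", "185.127.24.9", 10200),
    ("hs-a", "2017-07-11 13:30:00", "198.51.100.7", 22),  # unrelated noise
]


def classify(reports, port, window=timedelta(hours=1), min_hosts=3):
    """Return (verdict, evidence) for probes against `port`, pooled across hosts.

    Heuristic taken from the thread: a broad scan fans out over many ports and reaches
    different hosts at unrelated times, whereas a focused attack hits one obscure port
    on many distinct hosts inside a short window from overlapping source blocks.
    """
    hits = [(h, datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), s)
            for h, t, s, p in reports if p == port]
    if not hits:
        return "no-data", {}
    hosts = {h for h, _, _ in hits}
    times = sorted(t for _, t, _ in hits)
    spread = (times[-1] - times[0]).total_seconds()
    # which hosts saw each /24 source block; a block seen by several hosts is "shared"
    block_hosts = defaultdict(set)
    for h, _, src in hits:
        block_hosts[str(ipaddress.ip_network(f"{src}/24", strict=False))].add(h)
    shared_blocks = sorted(b for b, hs in block_hosts.items() if len(hs) > 1)
    # ports each source touched anywhere in the pooled data: scanners spread out,
    # a pre-assembled target list does not
    ports_by_src = defaultdict(set)
    for _, _, s, p in reports:
        ports_by_src[s].add(p)
    single_port_srcs = sorted({s for _, _, s in hits if ports_by_src[s] == {port}})
    evidence = {"hosts": len(hosts), "spread_s": spread,
                "shared_blocks": shared_blocks, "single_port_sources": single_port_srcs}
    focused = (len(hosts) >= min_hosts and spread <= window.total_seconds()
               and shared_blocks and single_port_srcs)
    return ("focused" if focused else "consistent-with-broad-scan"), evidence
```

With the constructed data, port 10200 comes back "focused" (four hosts, a 182 second spread, one shared /24), while the lone port 22 hit does not meet the host threshold.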



                  #68
                  Originally posted by langenet:
                  Pete,

                  Are you running PFSense on your own PC or did you purchase a turn-key system? The more I learn about PFSense, the more I'm inclined to go this route as well. Love the plugin...

                  Robert
                  I know you were addressing Pete...

                  I built my own pfSense appliance using a Sophos XG Intel appliance. It is the same as this, but I bought mine bare from an Amazon vendor. I added RAM and an SSD and installed pfSense from their latest build.

                  I first tried a Ubiquiti Edgerouter, but it was really limited. You couldn't easily add an IP reservation without having the device connected. It didn't work with NAT reflection (loopback) and it was too locked down.

                  I switched to this pfSense solution and couldn't be happier. It is an appliance - it just sits there and works. Configuration is a breeze, expandability is amazing and the resources are plentiful. It has a number of choices for VPN solutions and supports several DDNS providers.

                  There are a number of similar appliances you can install pfSense on and they offer some canned solutions of their own. The appliance I built ended up costing me a little less than the one in the link above, but is about half the price and more powerful than the SG-2440 from Netgate (pfSense). It runs at about 8-10 watts.

                  I even built a pfSense VM running under Hyper-v, then restored the configuration from my appliance to it. I just needed to assign the server NICs to it and it was up and running. Then I parked the VM and went back to the appliance. Now I have a backup plan in case the appliance fails.

                  It will run on virtually any hardware with at least 2 NICs.

                  In my opinion, there may be equal solutions to pfSense, but none are better. We were running a Nighthawk R7000 before the switch to the pfSense appliance and 3 Ubiquiti UAP-AC-Pro access points. Every aspect of my network is faster, more reliable and easier to configure. Best move we have made.
                  Last edited by randy; July 12, 2017, 08:21 PM.
                  HS4 Pro, 4.2.19.0 Windows 10 pro, Supermicro LP Xeon



                    #69
                    Just browsing around, I see that PFSense sells a relatively low cost solution here.

                    Dumb Question time: If you have an existing router, where do you add this? Inside or on the WAN side?

                    Robert



                      #70
                      Originally posted by BillBurn:
                      Thanks for the update and it's good to know that the HSTouch protocol is proprietary. It does seem like whoever was doing this was unable to actually do anything other than establish a basic connection.

                      I have to disagree with you on this. We now have reports from 10+ users that they all started getting attacked on the same obscure port at the same time by the same IP blocks. There is almost no chance that random scans from the same block of IPs on the billions of addressable IPs just happen to target the same obscure port (most random scans wouldn't even include 10200) at the same time on a widely dispersed set of IPs that all share a common trait, i.e. HS servers. If it was port 80 or 21, maybe it's a possibility, but 10200, no chance.

                      Given the simultaneous timing, the common focus, and the common attack IPs, this looks very much like a focused attack on a pre-assembled list of IPs. That doesn't necessarily mean that myHS or Homeseer has been compromised, as the attack list could have been built up over a period of time by random scans, but it seems very likely that this was not a random scan, but a focused attack based on a pre-assembled list of servers that had 10200 open.

                      I know it's tempting to dismiss this as random, but you guys might want to consider the possibility that someone is specifically targeting your user base/servers and trying to find specific vulnerabilities that they can exploit. Maybe they are trying to compromise a very high value target that is running an instance of HS ... who knows.

                      Net, net, you might want to consider posting a reminder to the broader user base about best practices for firewall and port configuration. Can't hurt in general, and seems like a prudent response in light of recent events.

                      I wonder if they just found 10200 open and decided to attack it.
                      Not sure that they even know what it is? Maybe they think it is a Netcam or something else with a vulnerability?
                      DSteiNeuro

                      HS3Pro

                      MSI Cubi Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 2201 MHz, 2 Core(s), 4 Logical Processor(s) 16GB DDRl RAM

                      Enabled Plug-Ins
                      BLRussound, BLSpeech, HSTouch Server, JowiHue, MyQ, Nest, Rain8, Squeezebox, Ultra1Wire3, UltraGCIR3, Vista Alarm, X10,Z-Wave



                        #71
                        Originally posted by langenet:
                        Just browsing around, I see that PFSense sells a relatively low cost solution here.

                        Dumb Question time: If you have an existing router, where do you add this? Inside or on the WAN side?

                        Robert
                        That device was my initial consideration, but I was concerned it might be a little underpowered for my mess. For a normal SOHO network it should be fine and it has a smaller energy footprint.

                        I turned my R7000 into an access point and relegated DHCP, firewall and routing to the pfSense appliance. WAN to pfSense, pfSense to LAN switch, then the R7000 to the switch. If your router has WiFi and a switch, the LAN side of pfSense can go to that switch.
                        HS4 Pro, 4.2.19.0 Windows 10 pro, Supermicro LP Xeon



                          #72
                          Thanks, that's what I thought. So the heavy lifting is then relegated to the PFSense device...
                          Yes, my router has WiFi and manages DHCP... I'd be happy sticking to that.



                          Robert



                            #73
                            Originally posted by langenet:
                            Thanks, that's what I thought. So the heavy lifting is then relegated to the PFSense device...

                            Robert
                            Yep! And it does it very well.
                            HS4 Pro, 4.2.19.0 Windows 10 pro, Supermicro LP Xeon



                              #74
                              Originally posted by langenet:
                              Thanks, that's what I thought. So the heavy lifting is then relegated to the PFSense device...
                              Yes, my router has WiFi and manages DHCP... I'd be happy sticking to that.

                              Robert
                              If you use IP reservations (I use them exclusively) you might want pfSense to handle DHCP as well. Let your current router be an AP. It is so easy.
                              HS4 Pro, 4.2.19.0 Windows 10 pro, Supermicro LP Xeon



                                #75
                                Add me to the list of folks with attempted attacks beginning yesterday at 6:25am Pacific. The 79 attempts all originate from 185.127.24.103. I just now discovered this was happening, blocked access to port 10200 and the attempts have ceased. I do have MyHS enabled and in use regularly.
