
... And Ransom ware... Rrrrrrr


chef


mlcarson

> White listing IPs isn't a great option. I connect from a mobile network quite often, and the IP changes. If you have static locations, that's fine, but doesn't work for general use.

 

White listing isn't a convenient option but it's still one of the best because it narrows the attack vector from the entire Internet to just those IP addresses you are allowing.  The next best option is going to be a VPN.   I'd probably just run a VPN server on whatever server Emby is running on and then only allow incoming VPN connections on the router ACL.   It still exposes the Emby server to the public Internet but only on the VPN port which will require authentication/authorization in order to use.  Ideally the VPN endpoint would be on a firewall but good options will be expensive and aren't typically seen in a home environment.  The inconvenience here comes in when setting up the device and server to communicate but that should be a one-time thing.   You could set it up so that it's only for Emby or that all traffic is routed to your home and out your home Internet connection which isn't a bad idea for less than trustworthy public wifi services.

 

I suppose another option would be to use a VPN service with a dedicated IP address and then only allow incoming connections from that IP address. 

Edited by mlcarson

Guest asrequested

mlcarson said:

> White listing isn't a convenient option but it's still one of the best because it narrows the attack vector from the entire Internet to just those IP addresses you are allowing. The next best option is going to be a VPN. I'd probably just run a VPN server on whatever server Emby is running on and then only allow incoming VPN connections on the router ACL. It still exposes the Emby server to the public Internet but only on the VPN port which will require authentication/authorization in order to use. Ideally the VPN endpoint would be on a firewall but good options will be expensive and aren't typically seen in a home environment. The inconvenience here comes in when setting up the device and server to communicate but that should be a one-time thing. You could set it up so that it's only for Emby or that all traffic is routed to your home and out your home Internet connection which isn't a bad idea for less than trustworthy public wifi services.
>
> I suppose another option would be to use a VPN service with a dedicated IP address and then only allow incoming connections from that IP address.

 

I've got something similar on my pfsense. But I've added some twists. I still need it to be flexible, so I still don't create lists. I've just got rules behind rules.


PrincessClevage

mlcarson said:

> White listing isn't a convenient option but it's still one of the best because it narrows the attack vector from the entire Internet to just those IP addresses you are allowing. The next best option is going to be a VPN. I'd probably just run a VPN server on whatever server Emby is running on and then only allow incoming VPN connections on the router ACL. It still exposes the Emby server to the public Internet but only on the VPN port which will require authentication/authorization in order to use. Ideally the VPN endpoint would be on a firewall but good options will be expensive and aren't typically seen in a home environment. The inconvenience here comes in when setting up the device and server to communicate but that should be a one-time thing. You could set it up so that it's only for Emby or that all traffic is routed to your home and out your home Internet connection which isn't a bad idea for less than trustworthy public wifi services.
>
> I suppose another option would be to use a VPN service with a dedicated IP address and then only allow incoming connections from that IP address.

If you're running Windows, check out SoftEther (made by a Japanese university, fully featured and free); it supports iOS, Android and Windows VPN clients, etc.

Tur0k

mlcarson said:

> White listing isn't a convenient option but it's still one of the best because it narrows the attack vector from the entire Internet to just those IP addresses you are allowing. The next best option is going to be a VPN. I'd probably just run a VPN server on whatever server Emby is running on and then only allow incoming VPN connections on the router ACL. It still exposes the Emby server to the public Internet but only on the VPN port which will require authentication/authorization in order to use. Ideally the VPN endpoint would be on a firewall but good options will be expensive and aren't typically seen in a home environment. The inconvenience here comes in when setting up the device and server to communicate but that should be a one-time thing. You could set it up so that it's only for Emby or that all traffic is routed to your home and out your home Internet connection which isn't a bad idea for less than trustworthy public wifi services.
>
> I suppose another option would be to use a VPN service with a dedicated IP address and then only allow incoming connections from that IP address.

I approached the problem from the opposite perspective. I want to “actively block suspicious or malicious activity” instead of “allow any traffic from a small subset of sources”.

 

Here, I do have a VPN for admin use. I have found the other members of my family are not savvy enough to remember the process to access internal resources. To that end I have implemented:

1. An IP blacklist that blocks traffic between my network and known malicious sources.

2. Implement a DNSBL that blocks requests to known advert domains, and known malicious domains.

A. Force all local network clients to use the DNSBL. Block all dns and TLS-dns queries to the public Internet outside of your DNSBL server.

3. Active IDS. Here, I like snort but it takes a good deal of rule development and good hardware.

4. Proper web-filtering of local client traffic to the public Internet. I like squid but have been considering adding in a Sophos system in line between my PFsense firewall and modem.

5. End point protection - here I use webroot on my client computers. My feeling is that if webroot catches something I have done something seriously wrong.

 

6. I also don’t allow regular users to have admin privileges. This includes the account I regularly use on the network. I have 2 separate admin accounts that I can use to admin my network and servers.

 

7. Segregate traffic by type of device. My network is divided into 4 VLANs

vlan 1 - 10.0.1.0/24 - Network equipment. Minimal access to network equipment management interfaces granted to VLAN 2 and 4. Only the firewall has vlan interfaces with IPs on all VLANs. This forces intervlan traffic to pass through the firewall’s internal physical interface.

vlan 2 - 10.0.2.0/24 - trusted client devices.

vlan 4 - 10.0.4.0/24 - servers (nas, vm servers hosted on my ESXi server). Explicit rules for access to internal resources to other trusted VLANs.

vlan 172 - 172.16.0.0/24 - Untrusted client network. Encrypted WiFi. Internet only. Limited local network communication (DHCP, DNSBL, access to internal resources through reverse proxy)

vlan 192 - 192.168.1.0/24 - Untrusted client network. No Internet access. Limited local network communication (DHCP, explicit access to internal resources through firewall ACL (ex: security cam to NVR)).

8. I have been moving as much as possible to RADIUS authentication (VPN, WiFi, etc.). Recently I have added a Microsoft domain controller and will be moving all Windows equipment to it. I then will turn my RADIUS service to the domain controller for authentication. I have also stood up a syslog server and have been setting up logging on all systems to that system in order to further my ability to see out-of-normal behavior.

9. Automatic blocking of brute-force attackers. I have had a hell of a time getting this working reliably in windows. Having to programmatically parse the log for failed login attempts and then adding bad sources to the ip block list on the firewall is difficult to say the least. This is a major part of the reason I moved my Emby server to Linux.

 

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
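Item 9 above (parse the log for failed logins, then push the offending sources to the firewall's block list) is the part most people get wrong, usually by counting failures forever instead of within a window, or by locking out their own LAN. The following is an added example, not code from the post or from Emby: a small fail2ban-style detector that reads constructed log lines in a made-up `AUTH FAIL/OK` format (the real Emby log format is not shown on the page), counts failures per source within a sliding time window, exempts the trusted VLANs named in the post (10.0.2.0/24 and 10.0.4.0/24), and renders the result as a list of /32 entries that a firewall table or alias could consume. The threshold, window and log format are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Emby output). Format assumed for this example:
# "<date> <time> AUTH <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-01-05 10:00:01 AUTH FAIL user=admin src=203.0.113.7
2024-01-05 10:00:03 AUTH FAIL user=admin src=203.0.113.7
2024-01-05 10:00:05 AUTH FAIL user=root src=203.0.113.7
2024-01-05 10:00:06 AUTH FAIL user=bob src=10.0.2.15
2024-01-05 10:00:07 AUTH FAIL user=bob src=10.0.2.15
2024-01-05 10:00:08 AUTH FAIL user=bob src=10.0.2.15
2024-01-05 10:00:09 AUTH OK user=bob src=10.0.2.15
2024-01-05 10:00:10 AUTH FAIL user=admin src=198.51.100.9
2024-01-05 10:30:00 AUTH FAIL user=admin src=198.51.100.9
2024-01-05 10:30:01 AUTH FAIL user=admin src=198.51.100.9
2024-01-05 10:30:02 AUTH FAIL user=admin src=203.0.113.7
this line is garbage and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) AUTH (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Trusted VLANs from the post: a typo'd family password must never block the LAN.
ALLOWLIST = [ipaddress.ip_network("10.0.2.0/24"), ipaddress.ip_network("10.0.4.0/24")]


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return ts, m["result"], m["user"], src


def is_allowlisted(ip):
    return any(ip in net for net in ALLOWLIST)


def find_brute_forcers(log_text, threshold=3, window=timedelta(minutes=10)):
    """Map source IP (str) -> time it crossed `threshold` failures within `window`.

    Failures are kept per source in a deque; entries older than the window are
    dropped before counting, so slow trickles do not accumulate into a block.
    """
    failures = defaultdict(deque)
    blocked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, _user, src = rec
        if result != "FAIL" or is_allowlisted(src) or str(src) in blocked:
            continue
        recent = failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            blocked[str(src)] = ts
    return blocked


def render_block_table(blocked):
    """Sorted host entries in the one-CIDR-per-line form firewall tables usually accept."""
    return [f"{ip}/32" for ip in sorted(blocked, key=ipaddress.ip_address)]


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"block {ip} (threshold reached at {when})")
    print("\n".join(render_block_table(hits)))
```

In the sample, 203.0.113.7 is blocked on its third failure, 10.0.2.15 is ignored because it is on a trusted VLAN, and 198.51.100.9 is not blocked because its three failures span more than the ten-minute window. On a real deployment the output list would be written to a file that the firewall polls (the post uses pfSense, whose URL-table aliases work this way), and the detector would tail the live log rather than read a string.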

Guest asrequested

I'm just about at the point that I should consider creating VLANs. As I'm the only one with direct access, I haven't worried about it. As I diversify more and more, I should probably start using them.


Tur0k

asrequested said:

> I'm just about at the point that I should consider creating VLANs. As I'm the only one with direct access, I haven't worried about it. As I diversify more and more, I should probably start using them.

Yea, I have always been a bit worried with all the suspicious traffic I see on firewalls. As organizations and industries lock themselves down the insecure home networks will be a growing battleground for tech security.

 

I always find it peculiar when I see all of the blocked traffic on my VLANs from IoT devices to my firewall, network nodes, and the public Internet.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Guest asrequested

Tur0k said:

> Yea, I have always been a bit worried with all the suspicious traffic I see on firewalls. As organizations and industries lock themselves down the insecure home networks will be a growing battleground for tech security.
>
> I always find it peculiar when I see all of the blocked traffic on my VLANs from IoT devices to my firewall, network nodes, and the public Internet.

 

It's definitely concerning 
