
Advice to protect my private LAN from outside threats (My lan is NOT your lan 😉)


CharleyVarrick

A quick roundup of my "simple" setup.

From ISP: all in 1 modem router and a switch

Our stuff: 2 smart phones, a tablet, 6 Win10 computers (1 wifi laptop, 5 wired desktops). They all see each other via shares.

My Emby server holds a significant and very precious media collection I've been building upon for 20 years. It's running all day, and I usually power it off by bedtime.

One of my other desktops is a hardware clone I use for bit-for-bit backup; this one is powered on only for the short time required for the bi-weekly differential backup, and is then shut down.

 

I considered remote sharing my Emby with a friend, but never went ahead because of security concern. BTW, I'm OK keeping it this way. And I do not wish or need to access my stuff remotely.

In the last 20 years, I tried quite a few free antivirus programs, most of them being too intrusive or heavy-handed to go for pro versions. I switched back to Windows Defender a couple of years ago.

I am satisfied by its low footprint and non-intrusive behavior. I realize it may not be everyone's first pick.

 

With all that's going on with foreign country attacks we hear/read about on a daily basis, I am lacking peace of mind that I have sufficient protection from outside prying eyes/threats.

Apart from erring on the side of caution, what do you suggest to protect against worst-case scenarios like ransomware and whatnot?

 

EDIT: I make it a habit to reread my post to find typos/mistakes, and I realize my last question is way too vague.

Considering all of the above, my specific setup and concerns, what should be my immediate priorities?

 

 


mastrmind11

Only open the ports you need. Then install fail2ban, problem solved.

Since you mentioned you're on Windows, I believe the Windows variant is called wail2ban.

You might also consider adding a more robust router behind your ISP-supplied router that has GeoIP filtering.


rbjtech

Unless you have opened up your network to the internet (i.e. opened ports), then your biggest threat is actually from the inside out - and by this I mean ransomware.

The only real protection against this is OFFLINE periodic tested backups. Yes, there are products out there which detect ransomware - but in all honesty, if you did get 'caught', would you really want to trust any part of your system ever again? My view is no - I would wipe the lot and restore from a known good backup.

Good advice on replacing the ISP router - but then you get into the world of proper firewalls (all traffic in and out), threat management (IPS/IDS), VLAN network segmentation etc. - the list goes on - but it goes back to the main point: if you have no 'holes' in your firewall/NAT in the first place, then there is little point doing this, as the risk is extremely low to begin with.

To answer your question - 1) Ensure you have good backups, that they are tested (restored) and work, and that they are offline. 2) I would do a scan of your network via the likes of a free port scanner (grc.com etc.) and see what it can find. If it finds nothing, then your perimeter defence is in good shape. 3) Chill knowing you have done more than 99% of the users on the internet ...

 

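The "tested backups" point above is the one most people skip: a backup disk that was written once and never read back can hold silently corrupted or missing files. The script below is an added example (not from rbjtech or from Emby) that hashes every file under a source tree and a backup tree and reports what is missing, modified or extra. It assumes both trees are plain directories reachable from the machine running it (e.g. the media library and a mounted backup disk); the sample tree it builds in `build_demo` is constructed for illustration only.

```python
"""Verify a backup copy against its source by content hash (added example).

Assumptions (not from the thread): source and backup are plain directory trees
reachable from this machine, e.g. the media library and a mounted backup disk.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-GB media files never load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map every regular file under root (relative path, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare backup against source. A size/mtime comparison would miss silent
    corruption; hashing catches files that were copied but changed afterwards."""
    src, bak = manifest(source), manifest(backup)
    return {
        "missing": sorted(k for k in src if k not in bak),
        "modified": sorted(k for k in src if k in bak and src[k] != bak[k]),
        "extra": sorted(k for k in bak if k not in src),
    }


def build_demo(base: Path):
    """Constructed sample tree: a tiny 'library' and a backup with one file
    silently corrupted (same size as the original) and one file never copied."""
    src, bak = Path(base) / "library", Path(base) / "backup"
    for d in ("movies", "music"):
        (src / d).mkdir(parents=True)
        (bak / d).mkdir(parents=True)
    (src / "movies" / "a.mkv").write_bytes(b"movie-a" * 100)
    (src / "music" / "b.flac").write_bytes(b"song-b" * 100)
    (src / "music" / "c.flac").write_bytes(b"song-c" * 100)
    (bak / "movies" / "a.mkv").write_bytes(b"movie-a" * 100)            # intact copy
    (bak / "music" / "b.flac").write_bytes(b"song-b" * 99 + b"XXXXXX")  # corrupted, same length
    # music/c.flac is deliberately absent from the backup
    return src, bak


def demo() -> dict:
    """Run the check on the constructed sample and return the report dict."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = build_demo(Path(tmp))
        return verify_backup(src, bak)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python verify_backup.py <source> <backup>
        report = verify_backup(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        report = demo()
    for kind, files in report.items():
        print(f"{kind}: {len(files)}", *files, sep="\n  ")
```

To test a restore rather than just the disk, run it with the backup argument pointing at a directory you actually restored from the backup media onto another machine; that exercises the whole path rbjtech describes. Saving the source manifest (e.g. as JSON) next to the backup also lets you re-check the backup later even when the original is gone, which is exactly the situation after a ransomware wipe.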

My Experience in the past has been with systems going back to the 90's, and fighting EVERYTHING. I am not going to divulge how extensive my knowledge goes. Your main question here seems to approach several different points of exposure in what would be considered the attack surface including the server in question.. Emby. There is a myriad of useful tools. The fact that I span times which have long since passed you may wind up with a lot of information...

Ex.. It can be said that any said individual can ( through a combination of methods- on any system )... obtain your user account/password, change configuration of said system/devices/router, and ( yes even remotely ) obtain other user credentials, execute code on said system and have full control of someone else's life.

Always plan around what you think is secure with thought given to human fallibility ( Yes even Microsoft, Apple, and Linux Devs make mistakes. All human and all writing code for improvements with variables between them all ) <-- still love the Devs but.. hardening the attack surface if it were is smart. 0 day is a good term to think about.

I run a computer that can basically be thrown away; buy another one, install a few programs and apps and move on without data loss, besides credentials.

A good place to start would be a scan with Tenable Nessus without security in place; without the internet unless needed, to your router. It will scan all devices connected to your network and test them for vulnerabilities. The report for each one will give you the information you need to make changes which can help harden the attack surface against issues if certain things happen, limiting the attacker's ability.

I recommend ESET Smart Security, used it since version 2. Highly configurable, detailed, small footprint. I currently am not using it because of money. (I too am on Windows Defender.) Running a server you can see the traffic and filter IPs, but once you set rules to allow traffic it may be harder to protect, but we do this in layers like I was saying. It does monitor some requests/URLs but.. I find Windows Defender lacking a proper way of notifications and, while it has nice options (some inclusive of protecting against ransomware), it can have a heavier footprint. ESET has always been my personal option because it allows more user configuration/customizing with the protection it offers and immediate notifications, and still has a low impact on the system. (Love exporting settings.)

I also use PeerBlock 1.2 for filtering with lists and a subscription from iBlocklist. One of your concerns was the attacks we have gotten from other countries, and the program does allow for blocking of certain countries/entities as well as known nefarious IPs. Mine currently blocks about 2.5 billion addresses connected and logged as nefarious. People do use Tor, however this does help with those things.

I used to run about five or six different servers on my laptop. The main one was Apache HTTP Server; using something like the 5G, 6G Firewall/Blacklist kept a ton of requests from ever being effective, and could bounce the load right out of the system to somewhere else (blackhole/timeout). The thing with a server is if it accepts various commands or requests with, of course, various different modules/options enabled. So, in essence my point here would be that you can do a lot of things, but if Emby allows someone in, OR if your server itself is not configured or protected in the way that it is structured, then you have a problem. I have never run these checks on Emby; a statement about its security is not being made here, but rather a point made to help with legitimate focus when thinking/considering security. This too has to be addressed as normal, per unit/device… with thought given to the attack surface and exposure even behind the internet (intranet/home network) such as your admin console, shares, OS updates, Wifi security… if in fact security would be broken in the chain allowing access. (Starting with internet or user triggered exposure leading to access/attack using elements present or commands executed using those protocols.)

Make sure your admin account has a non-average username and generate a password which is going to be hard to hack, one not relative to self or accompanying life aspects… Ex.. 7AF4_306d0aDAf503b71@F0/~ <-- notice: no phone or house number, pets' names, family names, social security numbers, color, things from your past; so on.. Make sure all accounts are configured to only allow certain aspects with no ability to change their settings. Do not allow even the admin account to manage/change/delete your data when not needed (just in case a call can be requested to execute a command as that account).

Always address security for your router in your admin console. Keep your admin console offline or not exposed to access from somewhere else, usually settings for this. I have an R8000 with a lot of nice options, including sandboxing Guests on the network. Updates all of it. NAT firewall is always a must, port forwarding is always preferred to DMZ enabled in most cases but a DMZ enabled system will take the brunt of those requests… so its protection can be key in protecting your network and connected devices. Depending on your thoughts to final configuration and systems it still can be an option.

Personal computers have a lot of considerations when it comes to thinking about options and security. BIOS protection is nice, especially with drive encryption. Your computers should have password protected shares. Separate passwords for everything. Usually once passwords are entered they are able to be accessed without re-entering those passwords and accessible by a system with that authorization ( such as network drives ). Local Security Policy comes to mind when it comes to End-Point Security..

Offline backups and RAID are nice options; they can be costly, but if you can, a good idea. They can be resource intensive nonetheless. BitRot protection is a good idea with snapshots for your archive, and good maintenance practices as needed, such as Scrub, Defrag, and Balance on my NAS. Enterprise hard drives tend to have a longer life and are geared toward large amounts of data (usually warranted for a billion read/write cycles).

Last but not least, prying eyes/sensitive data.. only a few things really and it's more encompassing than you may realize. I became comfortable with online accounts, having 'Cloud Services' and using credit cards online.. times change. This last year or two has become more and more nefarious online. I have good practices online and limit information exposure. My Facebook account was hacked and destroyed last year (with a page created with a Russian letter title (Cy--something with some blond in a cheerleader outfit)) after a good 12 year run; my bank account (which is owned by JP Morgan Chase) had MULTIPLE attempts from someone trying to hack the user account (which they obtained) and password (which they did not). My bank account was then drained using PayPal (I will not even go on about PayPal right now; kill it if you have it). That being said, I would suggest backing away from all areas, deleting unnecessary accounts, maybe even pulling your online data off the servers and creating an external offline device for backup. (I even used to pull my EHDs out of my NAS and put them inside a FireSafe protected up to 15,000 degrees F.) I advise that sort of thing for each person and their individual files and data. It is nice to live in a world where we have a point of convenience and sharing amongst us of our lives and media and a presence of the Human Factor online, all over the globe with so many subcultures and different people, even extending our services and places we work; the last two years something else has reared its ugly head and unfortunately it seems that we have to step back from that idea for a while to keep ourselves and our now smaller digital lives safe from vandalism, theft, and harm. Even aspects of being open with who we are and our personal identities seem to be used against us no matter how small. We can't even use the conveniences given to us by our developers, apps, or devices in some cases.
We can’t control what happens in other places/servers, even if we address the laws and bills going across the table. There is always something or someone, or a failure.. something broken..

Those are my ideas on the matter. It sounds like you have to be BlackHat/WhiteHat.. maybe it does.. digging into it that way and giving them no final say on what exists seems to be the only way I have peace of mind, going back probably 17 years or so. Knowing I cover it, done the research, is the best.

Another book.. I should stop.. and I didn't start about the smart phones.. or even being hacked from satellites/cellular, or infected from apps… even adware/adware servers and their safety issues… bloatware for clicks p/sec.. 😜 - Do not forget about those phones though, and the tablet.. any point of circumvention. Their safety is key too.

Hope it helps... there is no simple answer, nor no one way..


CharleyVarrick

Thanks everyone,

My last a/v (before Win Def) was Sophos Home. I liked it a lot, but near the end I experienced a weird and difficult PC problem, and I found out only after ruling out a hundred other things that it was caused by Sophos. That was over 2 yrs ago; sorry, I don't remember the specifics.

 


Some of those programs address security configuration, sometimes locking files and folders from modification and access, as well as rights for various different elements. WAAAAAAY back, like forever ago, there was a standalone program from Sophos that had options you could go through and check off, that caused some of those types of problems too.. Might be the same type of situation.

Had this happen more recently with rights to my temp folder... odd, but a bad/good idea maybe, with some oversight on implications.


CharleyVarrick

From the Emby Dashboard, is there an option somewhere (within Emby) to disable WAN access altogether?

I've looked at Connection Help but it's aimed at enabling or fixing it.

[screenshot]

In Dashboard/Server/Network/ I see this option at the bottom; would that do the trick (and would it cause any unwanted side effects)?

Sorry in advance if my question looks stooopid, I always proceed with care and caution when treading into lesser known paths..

EDIT: Reminder, I have no external users, and I have no need or desire to access my own Emby from the outside.

[screenshot]


CharleyVarrick
21 hours ago, rbjtech said:

Good advice on replacing the ISP router - but then you get into the world of proper firewalls (all traffic in and out), threat management (IPS/IDS), VLAN network segmentation etc - the list goes on - but it goes back to the main point, if you have no 'holes' in your firewall/NAT in the first place - then there is little point doing this as the risk is extremely low to begin with.

By holes in firewall/NAT, you mean port forwarding? The ISP's modem/router combo user GUI does offer the feature, but as you might have guessed, I have not enabled it.


rbjtech
1 minute ago, CharleyVarrick said:

By holes in firewall/NAT, you mean port forwarding? The ISP's modem/router combo user GUI does offer the feature, but as you might have guessed, I have not enabled it.

Yes, only open the ports you need - if you never need to access your system externally (I believe you said you do not share your Emby system?), then you should have no ports open. This is where the port scan will confirm what you have open. Also ensure UPnP is OFF/DISABLED on the router.


CharleyVarrick

Thank you @rbjtech

I almost missed the grc.com link in your previous response. In the early 2000s, I was a self-proclaimed security fanatic (SpywareInfo forum regular user turned contributor) and, among other things in my arsenal, I was using Steve Gibson's utility. Years have passed very quietly and my concerns were set aside.

 

I've run all its security apps.

1) Just disabled UPnP! It was enabled for some reason (?)

I've disabled UPnP and redone the test, all good now !

 

2) I'm failing the Leaktest

I went in Control Panel / Windows Firewall and reset it to default (good thinking?)

Still failing, is this because Windows firewall default settings are crap ?

The defaults being:

Firewall: active (hopefully 🙂)

Inbound: block all that don't correspond to a rule (that seems just right)

Outbound: allow all that don't correspond to a rule (that doesn't look right)

For outbound it's either allow all or block all (I was expecting a 3rd choice, "prompt / ask").

If not, I suspect the ISP router as culprit and had a good hard look at its GUI for vulnerabilities.

The ISP router GUI is ultra-dumbed down, not much good info to get from it;

I do not see any port forwarding, but I am offered to add one if needed.

Without naming my ISP, we use a local flavor of Comcast hardware; in my case, Technicolor Xfinity XB6.

 

 

3) As per GRC main course, Shields Up, I also get a Failed result

Both solicited and unsolicited packets tests passed, but I failed the Ping Reply test.

Back in the days of using my own router, I was passing this test.

I may be wrong, but I believe this is common when using an ISP modem/router, so tech support is able to remotely have a look when problems arise.

 

 

 


rbjtech
1 hour ago, CharleyVarrick said:

2) I'm failing the Leaktest

Outbound: allow all that don't correspond to a rule (that doesn't look right)

This is a pretty standard setup for most users, as any traffic initiated from within your own network should, generally, be regarded as safe.

Personally I have f/w rules for both inbound and outbound - but it means a lot of work getting things to 'work' beyond the standard ports - think consoles etc. - all will need bespoke rules. Unless you have a test network, have time to get it right and maintain it, and know what you are doing ;), then I would avoid blocking outgoing requests by default.

1 hour ago, CharleyVarrick said:

 

3) As per GRC main course, Shields Up, I also get a Failed result

Both sollicited and unsoliicited packets test Passed, but I failed the Ping Reply test

If you are using the ISP-supplied router, then unless there is a setting to turn off the echo reply, there is nothing you can do about this, as it's the WAN side that is replying.

ICMP in itself is not a danger, but you are advertising to the world that you are there - why do that unless you have to? It is far better to stay silent.

 


CharleyVarrick
1 hour ago, rbjtech said:

Unless you have a test network, have time to get it right and maintain it and know what you are doing ;), then I would avoid blocking outgoing requests by default.
 

Ha ha Got you ! I'll leave this one alone (it reminds me of Zone Alarm back in the days, the first few hours of use you were carpet bombed by alerts left right and center)

1 hour ago, rbjtech said:

If you are using the ISP-supplied router, then unless there is a setting to turn off the echo reply, there is nothing you can do about this, as it's the WAN side that is replying.

 

The router interface does not even mention UPnP, much less ping reply. In the "advanced mode" area, I saw a notice that "some features you might be looking for are automatically managed..." Lowest common denominator is the rule these days, it seems.

 

Thank you for your replies !


CharleyVarrick
5 hours ago, CharleyVarrick said:

From the Emby Dashboard, is there an option somewhere (within Emby) to disable WAN access altogether?

I've looked at Connection Help but it's aimed at enabling or fixing it.

[screenshot]

In Dashboard/Server/Network/ I see this option at the bottom; would that do the trick (and would it cause any unwanted side effects)?

Sorry in advance if my question looks stooopid, I always proceed with care and caution when treading into lesser known paths..

EDIT: Reminder, I have no external users, and I have no need or desire to access my own Emby from the outside.

[screenshot]

I unchecked "allow remote connections to this Emby Server", thinking if it caused any issues, I would simply check it back on.

My car exploded in the driveway, but apart from that, all quiet.

Seriously, I no longer see the Remote WAN access IP in the Dashboard, kinda like it's darker when I flip the light switch off. 😉


katbyte

You should also do what you can to lock down the endpoint you present to the world and get SSL set up so your passwords are not sent in plaintext. I use a Unifi gateway with IDS/IPS that drops incoming connections not from my country (Canada), and a Traefik reverse proxy with a Let's Encrypt SSL cert that drops anything not going to the Emby hostname (which also runs in a Docker container).


5 hours ago, CharleyVarrick said:

I unchecked "allow remote connections to this Emby Server", thinking if it caused any issues, I would simply check it back on.

My car exploded in the driveway, but apart from that, all quiet.

Seriously, I do not see anymore the Remote WAN access IP in Dashboard, kinda like its darker when I flip the light switch off. 😉

I was going to say this should make Emby unresponsive to requests from outside your home network DHCP.

In my R8000, under Advanced Tab > WAN there are several traffic shaping options.. "respond to ping" seems like it should be in the admin console on your router/modem.

 

EDIT: Windows Firewall Notifier may give you a little more active control with notifications as well, to jack in and use in conjunction with the Windows Firewall. Watch those port numbers and where they are being requested from too.

EDIT2: You can disable UPnP on each system as well by disabling the service... It is used in Network Discovery; there are quite a few things to think about when it comes to changing your protocols.. and ways to harden those areas against circumvention.. a little study online would actually render quite a bit of information depending on your OS and version, and desired needs for your home network. You may wind up reconfiguring the whole thing between all five systems in a safer manner (disabling certain services in favor of others)... This can get pretty detailed.

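Two pieces of advice in this thread, "only open the ports you need" and "watch those port numbers" plus disabling the UPnP service per machine, both come down to knowing what each Windows box is actually listening on. The script below is an added example (not from any poster here, and not an Emby tool): it parses the text that `netstat -ano` prints on Windows and reports every listener bound to all interfaces, i.e. reachable from the rest of the LAN and from the WAN if a port forward or UPnP mapping ever appears. The `SAMPLE` capture is constructed for illustration; on a real machine, pipe the command's output into `parse_netstat`. The port annotations are assumptions from well-known defaults (SSDP 1900, UPnP device host 2869, SMB 445, RPC 135, Emby HTTP 8096).

```python
"""Audit Windows `netstat -ano` output for listeners exposed on all interfaces (added example)."""
import subprocess
from collections import namedtuple

Sock = namedtuple("Sock", "proto ip port state pid")

# Constructed sample in the layout `netstat -ano` uses on Windows 10; not a real capture.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8096           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:2869         0.0.0.0:0              LISTENING       4
  TCP    192.168.0.10:49700     203.0.113.5:443        ESTABLISHED     3344
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:1900           *:*                                    2232
  UDP    127.0.0.1:1900         *:*                                    2232
"""

# Well-known defaults, used only to annotate findings (assumed, not taken from the thread).
KNOWN = {
    135: "RPC endpoint mapper",
    445: "SMB file sharing",
    1900: "SSDP (UPnP discovery)",
    2869: "UPnP device host",
    8096: "Emby HTTP (default port)",
}
WILDCARDS = {"0.0.0.0", "[::]"}  # bound on every interface, IPv4 and IPv6


def parse_netstat(text: str) -> list:
    """Turn netstat rows into Sock records; header and blank lines are skipped.
    UDP rows have no State column, so the PID is always taken from the last field."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        ip, port = parts[1].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        state = parts[3] if parts[0] == "TCP" else "-"
        socks.append(Sock(parts[0], ip, int(port), state, int(parts[-1])))
    return socks


def audit(socks: list) -> list:
    """Return listeners bound to all interfaces. Loopback-only sockets (127.0.0.1,
    [::1]) and outbound ESTABLISHED connections are not exposure and are dropped."""
    findings = []
    for s in socks:
        listening = s.proto == "UDP" or s.state == "LISTENING"
        if listening and s.ip in WILDCARDS:
            findings.append({"proto": s.proto, "port": s.port, "pid": s.pid,
                             "note": KNOWN.get(s.port, "unknown - check the owning PID")})
    return findings


def upnp_listening(findings: list) -> bool:
    """True if the SSDP/UPnP ports are still open; i.e. the service was not disabled."""
    return any(f["port"] in (1900, 2869) for f in findings)


def audit_live() -> list:
    """Run the real command on a Windows host and audit it (not used by the demo)."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return audit(parse_netstat(out))


if __name__ == "__main__":
    for f in audit(parse_netstat(SAMPLE)):
        print(f"{f['proto']:3} {f['port']:5} pid={f['pid']:<6} {f['note']}")
```

The point of listing the PID is that every exposed port should map to a program you can name (`tasklist /fi "PID eq 5120"` on Windows); anything you cannot account for is the thing to investigate before touching router settings. After disabling the UPnP service as suggested in EDIT2, re-running the audit should show the 1900 and 2869 entries gone.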
