Preventing hack attacks

when you have a VPN and close your current port forwarding, someone would need to break your VPN ... to get into your network. Hence I consider this as quite safe.

At least 100 points better than a port forwarding.


So you recommend inserting an ESP32 between the router and my home LAN, and making the requests to this thing? How would requests be forwarded? How would the response get back to my phone?

That would need to be developed.

The ESP32 would basically be the face of your DMZ to the outside world (the one being under attack) but it can handle HTTPS so it's better than HTTP.

The VPN is a good option too.

Another is to have a server (MQTT for example) outside your home that your home connects to and this way you don't allow random incoming connections, they are all initiated from your network to the Internet. No need to poke holes.

I'll have to study this solution. New and unknown to me.

Previous Thursday at 15:13 I cycled the fiber adapter and got a new IP. Since then, no attack. It seems that once the attackers get a reply on a connection they "lock" to it. 12V power cycling at 01:00 upon attacks may be automated.

What you consider an attack might just be a web crawler trying to index your web site.

But then, why should it scan all ports? Why aren't they hitting only port 80 (where web servers reply)?

OK - indeed, harmless internet bots typically do not scan all ports indiscriminately.

People can expose any external port and forward it to internal port 80.
For example, 8080 was often used on proxies.
So from an attack point of view it makes sense to scan more than just the well-known ports.

First, I am pleased to see that there are still 0 attacks since 11 Jan 24 15:13:00, when the IP changed by cycling the optical adapter power.

Here, as an example, are the attackers of the 'barn' ino. Its port is above 50000 and is the immediate successor of the 'home' ino port. Times are Jerusalem. Clearly, the bot is able to change its own IP.

| Date | Time | Source IP |
|---|---|---|
| 05-Jan-2024 | 15:09:47 | 45.227.254.49 |
| 05-Jan-2024 | 21:54:41 | 35.203.210.241 |
| 06-Jan-2024 | 12:07:05 | 80.66.88.215 |
| 06-Jan-2024 | 17:09:09 | 45.227.254.49 |
| 07-Jan-2024 | 13:04:52 | 194.165.16.73 |
| 07-Jan-2024 | 17:48:22 | 194.165.16.10 |
| 08-Jan-2024 | 13:36:04 | 45.227.254.49 |
| 08-Jan-2024 | 18:19:44 | 194.165.16.76 |
| 09-Jan-2024 | 13:54:49 | 45.227.254.49 |
| 11-Jan-2024 | 10:10:34 | 194.165.16.73 |
Submitting this last IP to AbuseIPDB I get:

194.165.16.73 was found in our database!

This IP was reported 18,611 times. Confidence of Abuse is 100%

ISP FlyServers S.A.
Usage Type Data Center/Web Hosting/Transit
Domain Name flyservers.com
Country Belgium
City Brussels, Brussels Hoofdstedelijk Gewest

As said before, changing the IP, simply by cycling the optical adapter, did stop the attacks... for ~25 days(!). They started again on the 6th and the 7th. Changed the IP again and no attacks today.

It's a viable solution but, obviously, no attack at all is better, and I'd be grateful if someone here could tell how using a VPN should stop all attacks. I must admit I only have basic networking notions. Should this VPN stop my problems, it'd be worthwhile to dive into it. Of course this solution could benefit most Inet-connected Arduino users. Thanks!

It is used to provide a device with remote access to a private network. A point-to-point VPN architecture typically involves two endpoints: a client and a server. These endpoints authenticate each other and establish a secure, encrypted tunnel for communication.

In practical terms, a VPN server is set up to handle incoming VPN connections. It could be a dedicated server or a virtual machine running VPN software. The client device (iPhone in the graphic) establishes a secure connection (VPN tunnel) to this server. Once the connection is established, it's as if the iPhone were within the local private network and so can access the local resources.

➜ if the endpoints can't authenticate, you don't have the tunnel and thus can't access the local resources


side note: VPN servers are critical components of network security infrastructure, and they can be targeted by various types of attacks like flooding the server (Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks) or trying to guess the password through a brute force attack or (depending on your VPN software) exploiting some vulnerabilities...

I was searching for an IP that was blocked by my Unifi UDM firewall, looks like you and me both, and I'm wondering how nobody mentioned that you could use a user-friendly firewall like the one that I'm using. It auto-blocks those attacks, and those attacks are very common; I get more than 100 attacks blocked per day.

Interesting! How does it know it's got to block an incoming connection?

Smart firewall systems use a rule-based engine.

➜ You can provide rules (based on various criteria such as range of IP addresses, Protocol type, direction of the communication, source or destination of the traffic, ...) and when a packet matches a rule that specifies "block this", the firewall will drop the packet which will hence never reach your machine, effectively "blocking the IP".

There are other rules derived from "threat intelligence feeds" — these are data streams or repositories that provide information about potential cybersecurity threats (known malicious IP addresses, domains, URLs, and other indicators of compromise) that are provided by companies like Cisco, Palo Alto Networks, CrowdStrike, ... ,or government (US-CERT, European Union Agency for Cybersecurity), or "Information Sharing and Analysis Centers" as part of their security "threat intelligence services" solutions.

There are a few open-source community feeds from projects like AlienVault (Open Threat Exchange) or AbuseIPDB if you want to explore more.

So, one can tell it to check all of AbuseIPDB for every incoming connection? Then the offender, once failing to break into my ino server, will add my IP to this DB :slight_smile:

Using a W5100?
You can retrieve the destination IP for each socket.

```cpp
#include <utility/W5100.h>
Serial.println(W5100.readSnDIPR(x));
```

where x is the socket#. Compare to your block list, then if in the list, don't reply.
Or compare list to legitimate IPs and don't respond to the others.
Just a thought...

Edit: Here is the W5100.h file.

There are processes to ensure the database is not spoiled by hackers.

Surfer Tim! Long time no see :slight_smile: How are you?
I used to log every offending IP and even add it manually to AbuseIPDB (usually an IP trying to break into my ino is already reported many times) until I got tired, and now I just count and report the hack tentatives in the ino's daily info mail, as below:

```
Tue 09:02:00 v55, retries 0
--daily report
logs 0
time adjustments 22
V bat 131
night pir activations 3
max night density 1
public IP XXXXXXXXXXXX
Hack tentatives 0
running hours 505
open sensor * <-> open .............
rain height 1
free records 431 / 500
WDOG ENET inet EMAIL sms cloud LOG GATE ALARM NIGHT ARMED away AUTORUN IRRIGATE pir alarm spare15
siren test tank infra slide spare21 spare22 spare23 spare24 spare25 hedge orchard kitchen flowers tube lawn
```

I'm fine. Thanks for asking! :grinning:
I have been spending time in the FlightGear flight simulator forum helping those who want to interface Arduinos and the like to the FlightGear app.

BTW, I don't think Serial.println() will work with that W5100 code.
W5100.readSnDIPR(x) returns the requesting IP in 4 bytes.
You can compare as many bytes as you want. You can exclude entire subnets.

Edit: I forgot about the remoteIP() function.

```cpp
#include <SPI.h>
#include <Ethernet.h>
byte mac[] = {0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED};  // example MAC address
EthernetServer server(80);
void setup() { Serial.begin(9600); Ethernet.begin(mac); server.begin(); }  // DHCP
void loop() {
  // if an incoming client connects, there will be bytes available to read:
  EthernetClient client = server.available();
  if (client) {
    Serial.print("Remote IP address: ");
    Serial.println(client.remoteIP());
    client.stop();
  }
}
```
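Putting Surfer Tim's two suggestions together (read the remote IP, compare it against a block list that can exclude whole subnets, and simply don't reply), here is an added example that is not code from the thread. The block list is constructed from the addresses in the log posted above; the `server` object and the `#ifdef ARDUINO` sketch glue are assumptions, so the matching logic also compiles and runs as plain C++ on a PC.

```cpp
#include <cstdint>

// Block-list entry: network address plus CIDR prefix length.
struct Net { uint8_t addr[4]; uint8_t prefix; };

// Constructed block list from the addresses in the log above; the /24
// covers the whole 194.165.16.x range (.10, .73 and .76 all appeared).
static const Net BLOCKLIST[] = {
  {{194, 165, 16, 0}, 24},
  {{45, 227, 254, 49}, 32},
  {{80, 66, 88, 215}, 32},
};

// True if ip lies inside n.addr/n.prefix. Octet-by-octet compare, no
// 32-bit arithmetic, so it stays cheap on an AVR.
bool inNet(const uint8_t ip[4], const Net &n) {
  uint8_t bits = n.prefix;                 // prefix bits left to check
  for (int i = 0; i < 4; ++i) {
    if (bits == 0) return true;            // every prefix bit matched
    uint8_t mask = bits >= 8 ? 0xFF : (uint8_t)(0xFF << (8 - bits));
    if ((ip[i] & mask) != (n.addr[i] & mask)) return false;
    bits = bits >= 8 ? bits - 8 : 0;
  }
  return true;
}

bool isBlocked(const uint8_t ip[4]) {
  for (const Net &n : BLOCKLIST) if (inNet(ip, n)) return true;
  return false;
}

// Convenience wrapper taking the four octets directly.
bool isBlockedOctets(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
  const uint8_t ip[4] = {a, b, c, d};
  return isBlocked(ip);
}

#ifdef ARDUINO  // sketch glue, compiled only by the Arduino toolchain
#include <Ethernet.h>
EthernetServer server(80);  // assumed: started in setup() as usual
void loop() {
  EthernetClient client = server.available();
  if (!client) return;
  IPAddress r = client.remoteIP();
  if (isBlockedOctets(r[0], r[1], r[2], r[3])) {
    client.stop();            // drop silently: no reply at all
    return;
  }
  // ... serve the legitimate request here, then:
  client.stop();
}
#endif
```

Swapping the list for the addresses you trust and inverting the test gives the allow-list variant Tim also mentioned.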