Defending Against External Attacks SRK60

jimr17
Follower

SRR60 - Firmware 2.6.2.200 

 

In reference to an issue where the log shows external IPs are making frequent (sometimes multiple times per second) requests to access an open port (I presume to try to hack the password).
See https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Blocking-inbound-traffic-by-IP-address/m-p/1... for a similar problem and a good summary of what I'd like. 

 

Background 

I have a few ports open (A, B, C are nonstandard ports that forward to the standard port for the app that responds to those requests on that computer, e.g. B goes to 3389, the RDP standard port):

 - Port A to Comp 1 for a Plex Server
 - Port B to Comp 1 for RDP access
 - Port C to Comp 2 for RDP access
 - A RANGE of ports to GRANDSTREAM device for IP phone functionality

 

I have noticed various Russian IPs, Amazon Web Services from Ireland, and some other IPs trying to get into port 3389, having discovered that Port B is forwarded to 3389 on Comp 1.

 

I am a small office with 3 computers plus an IP phone (which I may change to a service like phone dot com or something) with limited funds. I have a Dell SonicWall TZ400 a friend gave me sitting in a drawer (because my understanding was that it had monthly or annual fees). 

 

Solution (Short Term) (already implemented)

- I removed that port forwarding from B because I rarely need to remote access into my Plex Server anymore. So it stopped the requests per the router log on the ORBI Pro Router.
- I left Port C forwarding to 3389 on Comp 2 and Port A to the Plex Server port
- I went to Windows Defender on Comp 1 and Comp 2 and blocked IP ranges (did the entire range even though attacks were coming from a few IPs not all of them)

  • 63.34.0.0 -255.255
  • 194.61.0.0 -255.255
  • 5.188.0.0 -255.255
  • 185.153.0.0 -255.255
  • 87.251.0.0 -255.255
  • 94.232.0.0 -255.255
  • 162.125.19.130 (dropbox IP but the log entry was unusual so I blocked it)

Options for Next Steps I see 

  1. Just wait and monitor logs to see if new IP ranges try to attack me
  2. Connect SonicWall between ISP and my router - Use it without subscription and manually block IPs using the tools it has (my preferred solution) 
  3. Connect SonicWall and subscribe to their 2 or 3-year service at $333 or $310/year (respectively)
  4. Connect SonicWall, subscribe to service, set up a VPN, only allow access through the VPN, hire him to manage the network, etc. (recommendation of the IT guy for my friend that gave me the SonicWall). Seems a little much for a small office like mine, since I am competent enough to manage my own network and it's small.

Request/Questions

Can the SonicWall appliance work well for a small office like mine without subscribing to the service (option 2 above)?

Can hackers use the open ports that are going to the Grandstream IP Phone router device to gain access to the computers on my network?

 If yes - should I switch to a pure IP phone solution that doesn't connect to a local telecom provider/helper?

Are the ranges I used too broad? (i.e. am I likely to not be able to access some websites because I used broad ranges - particularly the Ireland Amazon Services one). 

 

Thanks in advance for any help you may be able to give!

Model: SRK60B03|Orbi Pro Tri-Band Business WiFi System
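
On the question of whether the blocked ranges are too broad, the following is an added example, not part of the original post: it measures how many addresses each posted range blocks and which /24 subnets inside it actually contain observed sources. It assumes "a.b.0.0 -255.255" means a.b.0.0 through a.b.255.255; the `OBSERVED` addresses are constructed sample data, and the /24 granularity is an arbitrary choice.

```python
import ipaddress

# Block list as written in the post ("a.b.0.0 -255.255" read as a.b.0.0 - a.b.255.255).
POSTED_RANGES = ["63.34.0.0 -255.255", "194.61.0.0 -255.255", "5.188.0.0 -255.255",
                 "185.153.0.0 -255.255", "87.251.0.0 -255.255", "94.232.0.0 -255.255"]

# Constructed sample of source addresses; replace with sources from your own router log.
OBSERVED = ["194.61.24.10", "194.61.24.77", "194.61.27.3", "5.188.206.14",
            "5.188.206.200", "63.34.101.9", "185.153.196.5", "185.153.199.41"]


def parse_range(text):
    """Turn 'a.b.0.0 -255.255' into the CIDR network(s) covering the whole range."""
    start_s, tail = text.split("-")
    start = ipaddress.IPv4Address(start_s.strip())
    first_two = str(start).split(".")[:2]
    end = ipaddress.IPv4Address(".".join(first_two + tail.strip().split(".")))
    return list(ipaddress.summarize_address_range(start, end))


def narrow(block, observed, prefix=24):
    """Return the /prefix subnets of `block` that contain at least one observed source."""
    hits = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for ip in map(ipaddress.IPv4Address, observed) if ip in block}
    return sorted(hits)


def report(ranges, observed):
    """One row per blocked network: (cidr, addresses blocked, narrower subnets, their size)."""
    rows = []
    for text in ranges:
        for block in parse_range(text):
            subnets = narrow(block, observed)
            covered = sum(n.num_addresses for n in subnets)
            rows.append((str(block), block.num_addresses,
                         [str(n) for n in subnets], covered))
    return rows


if __name__ == "__main__":
    for block, size, subnets, covered in report(POSTED_RANGES, OBSERVED):
        print(f"{block}: blocks {size} addresses; "
              f"observed sources fit in {covered} -> {subnets}")
```

A range with an empty subnet list had no observed source in the sample, which makes it a candidate for review rather than proof that it is safe to unblock.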