Attacks: Difference between revisions
Revision as of 15:54, 21 July 2025
Introduction
There were some unsuccessful attacks on the services on the Home Lab server. The primary cause of the attacks was that RDP access had been opened to Walnut.
Cause
The principal cause of the attacks was that a DNS name for Walnut was created on Cloudflare as DNS only. This exposed the actual IP address of the Home Lab. In itself that would not have been a problem, except that there was some reference to port 19000 being used for RDP to Walnut. Even that would not have been so much of a problem if pfSense had been set to drop everything from outside the LAN. Unfortunately, TCP port 19000 was exposed to the Internet, and when it was probed the attacker would have received a response from the RDP server on Walnut. At the same time the attackers would have been able to obtain the IP address of Walnut. So the attacker now knew that there was a server with an RDP port, and that is enough to start probing.
Impact
As soon as the IP address was known there was a constant stream of connection attempts on random ports directly at the IP address. At the same time the attackers were endeavouring to locate as many other subdomains as could be attacked, so wpad.seaoffate.net was probed every few hours in an attempt to get a sitemap. Variations of a mail server name were probed for a time, and other similar DNS names were queried, but as none of them actually existed no IP address would have been returned by Cloudflare. So any bots querying non-existent domains had no real impact on my Internet connection.
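As an added example, not part of the original wiki page: a small Python triage script that reads constructed pfSense-style firewall log lines and reports which inbound connections actually reached TCP 19000 (the exposed RDP port) and which source addresses were sweeping many ports, the pattern described above. The CSV layout after the filterlog: prefix is a simplified assumption for this example, not pfSense's real filterlog field order.

```python
"""Triage constructed pfSense-style filterlog lines for the exposure
described on this page: inbound hits that reached TCP 19000 (RDP) and
sources sweeping many random ports."""
from collections import defaultdict

# Constructed, simplified layout (NOT the real pfSense filterlog CSV):
# after the 'filterlog:' prefix the fields are
#   action,dir,iface,proto,src,dst,srcport,dstport
SAMPLE_LOG = """\
Jul 20 02:11:03 pfsense filterlog: pass,in,em0,tcp,203.0.113.7,192.0.2.10,51234,19000
Jul 20 02:11:04 pfsense filterlog: block,in,em0,tcp,203.0.113.7,192.0.2.10,51235,3389
Jul 20 02:11:05 pfsense filterlog: block,in,em0,tcp,203.0.113.7,192.0.2.10,51236,22
Jul 20 02:11:06 pfsense filterlog: block,in,em0,tcp,203.0.113.7,192.0.2.10,51237,445
Jul 20 02:12:00 pfsense filterlog: block,in,em0,tcp,198.51.100.9,192.0.2.10,40001,80
Jul 20 02:13:00 pfsense filterlog: pass,out,em0,tcp,192.0.2.10,198.51.100.9,55000,443
"""

RDP_PORT = 19000        # the forwarded RDP port named on the page
SWEEP_THRESHOLD = 3     # distinct inbound ports from one source before we call it a sweep


def parse_line(line):
    """Return (action, direction, proto, src, dst, dport) or None for non-filterlog lines."""
    if "filterlog:" not in line:
        return None
    fields = line.split("filterlog:", 1)[1].strip().split(",")
    if len(fields) < 8:
        return None
    action, direction, _iface, proto, src, dst, _sport, dport = fields[:8]
    return action, direction, proto, src, dst, int(dport)


def triage(log_text):
    """Summarise inbound activity: passed RDP hits and per-source port sweeps."""
    rdp_passed = []                   # (src, dst) pairs that reached TCP 19000
    ports_by_src = defaultdict(set)   # distinct inbound destination ports per source
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, direction, proto, src, dst, dport = rec
        if direction != "in":
            continue                  # only traffic arriving from the Internet matters here
        ports_by_src[src].add(dport)
        if proto == "tcp" and dport == RDP_PORT and action == "pass":
            rdp_passed.append((src, dst))
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= SWEEP_THRESHOLD)
    return {"rdp_passed": rdp_passed, "scanners": scanners}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Any entry in rdp_passed means the firewall let an outside host reach the RDP service, which is exactly the condition that should have been blocked at pfSense.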