Attacks

From Sea of Fate

Introduction

There were some unsuccessful attacks on the services running on the Home Lab server. The primary cause was that RDP access to Walnut had been exposed to the Internet.

Cause

The principal cause of the attacks was that a DNS record for Walnut was created on Cloudflare as "DNS only" rather than proxied. A DNS-only record resolves to the real public IP address of the Home Lab instead of a Cloudflare edge address, so anyone resolving the name learned where the lab actually is. On its own that would not have been a problem, except that there was also a reference to TCP port 19000 being used for RDP to Walnut. Even that would not have mattered much had pfSense been set to drop everything that did not originate from the LAN. Unfortunately, the port forward for TCP 19000 was open to the Internet, so when the port was probed the attacker got a response from the RDP server on Walnut. Between the DNS record and the port reference the attacker therefore knew the public IP address, that a server sat behind it and that RDP answered on port 19000; that is enough to start probing.
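The check a practitioner would run here is whether a Cloudflare record hands out an edge address (proxied) or the origin address (DNS only), and the same range test is what the later "web servers only accept traffic from Cloudflare" firewall rule relies on. The block below is an added example, not code from this wiki or from Cloudflare: it embeds a snapshot of Cloudflare's published IPv4 ranges (refresh them from https://www.cloudflare.com/ips-v4 before using them in a pfSense alias), parses constructed `dig +noall +answer` output for made-up hostnames under example.net, and uses 203.0.113.10 as a documentation-range stand-in for the Home Lab's real WAN address.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4),
# copied here so the example runs offline. Refresh before building a firewall alias from it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(ip):
    """True if the address falls inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_dig_answers(dig_output):
    """Pull (name, address) pairs out of `dig +noall +answer` style lines (name TTL IN A addr)."""
    answers = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3] == "A":
            answers.append((parts[0].rstrip("."), parts[4]))
    return answers


def classify_records(dig_output):
    """For each A record, decide whether Cloudflare fronts it (proxied) or the record
    publishes the origin address directly (DNS only), which is what leaked the lab's IP."""
    result = {}
    for name, addr in parse_dig_answers(dig_output):
        result[name] = "proxied" if is_cloudflare(addr) else "dns-only (origin exposed)"
    return result


def webserver_rule_admits(src_ip):
    """Model of the hardened web-server WAN rule: accept HTTP(S) only from Cloudflare ranges."""
    return is_cloudflare(src_ip)


# Constructed dig output (not real records). 104.16.1.1 sits inside Cloudflare's
# 104.16.0.0/13; 203.0.113.10 is a documentation-range placeholder for the real WAN address.
SAMPLE_DIG = """\
www.example.net.\t300\tIN\tA\t104.16.1.1
walnut.example.net.\t300\tIN\tA\t203.0.113.10
"""

if __name__ == "__main__":
    for name, verdict in classify_records(SAMPLE_DIG).items():
        print(f"{name}: {verdict}")
```

Run against your own zone with `dig +noall +answer <name>` piped into `classify_records`; any name that comes back "dns-only" is advertising the origin address, exactly the situation described above. Note that `webserver_rule_admits` keys on the source address of a TCP connection, which an attacker cannot fake through a completed handshake, so the allowlist is a real barrier to direct hits on the origin.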

Impact

As soon as the IP address was known there was a constant stream of connection attempts on random ports aimed directly at it. At the same time the attackers were trying to enumerate as many other subdomains as they could attack: wpad.seaoffate.net was probed every few hours in an attempt to fetch a sitemap, the usual mail-server names were probed for a while, and other similar DNS names were queried. As none of those names actually existed, Cloudflare returned no address for them, so the bots querying non-existent names were fielded by Cloudflare and had no real impact on my Internet connection.

Having discovered the IP address of my home network, the attackers let their bots query ports at random. Most of those ports are blocked by default by pfSense, so the probes simply timed out. Sadly, they did get a response from the RDP server on port 19000 and tried a succession of passwords against it, because an Internet-facing RDP server is a well-known target for password guessing. Other ports were scanned in a random fashion at the same time.

As soon as I noticed that the network was under attack there was a full review of the rules in place on pfSense. The port forward rule for 19000 to Walnut was changed so that only packets originating from the LAN are accepted and everything else is dropped. Little else needed to change radically. One small change was to have all web servers accept incoming traffic only if it came from one of Cloudflare's published IP ranges. Source addresses can be spoofed, so a rule keyed on addresses out on the Internet has its limits, but it is the recommended practice, it does no harm and it may mitigate a future attack. In practice the rule is worth more than that suggests: a spoofed source address cannot complete a TCP handshake, so for HTTP and HTTPS an allowlist of Cloudflare's ranges genuinely keeps direct connections to the origin out. All of the other rules had been written properly, limiting access to the LAN where appropriate, and needed no change.
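The two patterns described above, a stream of password guesses at the forwarded RDP port and random port sweeps, both show up in pfSense's firewall log. The block below is an added example, not a script from this wiki: it parses constructed lines in the comma-separated layout that pfSense's filterlog daemon writes to syslog (the field indices are an assumption, so compare them against your own /var/log/filter.log first), flags outside sources that meet either pattern, and models the corrected LAN-only port-forward rule. The LAN range 192.168.1.0/24, the interface name igb0 and the addresses 198.51.100.x and 203.0.113.10 are placeholders.

```python
import csv
import ipaddress
from collections import Counter, defaultdict

# Assumed field positions in pfSense filterlog IPv4 TCP/UDP records:
# 0 rule, 1 sub-rule, 2 anchor, 3 tracker, 4 interface, 5 reason, 6 action, 7 direction,
# 8 IP version, 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset, 14 flags, 15 proto number,
# 16 proto name, 17 length, 18 src, 19 dst, 20 src port, 21 dst port, ... (verify locally)
F_ACTION, F_DIRECTION, F_IPVER, F_PROTO, F_SRC, F_DST, F_DPORT = 6, 7, 8, 16, 18, 19, 21

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
RDP_FORWARD_PORT = 19000                          # the forwarded RDP port from the page


def make_record(src, dport, action, seq):
    """Build one constructed filterlog line; 203.0.113.10 stands in for the WAN address."""
    return (f"5,,,1000000103,igb0,match,{action},in,4,0x0,,53,{seq},0,DF,6,tcp,60,"
            f"{src},203.0.113.10,{40000 + seq},{dport},0,S,{seq},,65535,,mss")


def constructed_sample():
    """Constructed log excerpt reproducing the attack described on the page."""
    lines, seq = [], 1
    # six SYNs to the forwarded RDP port from one outside host: password guessing
    for _ in range(6):
        lines.append(make_record("198.51.100.7", RDP_FORWARD_PORT, "pass", seq)); seq += 1
    # another outside host sweeping a dozen ports that pfSense blocks by default
    for port in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 5900, 8080):
        lines.append(make_record("198.51.100.23", port, "block", seq)); seq += 1
    # a legitimate LAN client using the same forward
    lines.append(make_record("192.168.1.50", RDP_FORWARD_PORT, "pass", seq)); seq += 1
    # the guesser also touched the blocked SSH port once
    lines.append(make_record("198.51.100.7", 22, "block", seq))
    return lines


def parse_filterlog(line):
    """Return the interesting fields of one IPv4 TCP/UDP record, or None for anything else."""
    f = next(csv.reader([line]))
    if len(f) <= F_DPORT or f[F_IPVER] != "4" or f[F_PROTO] not in ("tcp", "udp"):
        return None
    return {"action": f[F_ACTION], "dir": f[F_DIRECTION], "proto": f[F_PROTO],
            "src": ipaddress.ip_address(f[F_SRC]), "dst": f[F_DST], "dport": int(f[F_DPORT])}


def analyse(lines, rdp_port=RDP_FORWARD_PORT, rdp_threshold=5, scan_threshold=10):
    """Flag outside sources that hammer the forwarded RDP port or sweep many ports."""
    rdp_hits = Counter()
    ports_seen = defaultdict(set)
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["dir"] != "in" or rec["src"] in LAN_NET:
            continue  # malformed, outbound, or our own LAN: not an attacker
        src = str(rec["src"])
        if rec["dport"] == rdp_port and rec["action"] == "pass":
            rdp_hits[src] += 1  # the forward let the packet through: a live guess
        ports_seen[src].add(rec["dport"])
    return {
        "rdp_bruteforce": sorted(s for s, n in rdp_hits.items() if n >= rdp_threshold),
        "port_scan": sorted(s for s, p in ports_seen.items() if len(p) >= scan_threshold),
    }


def lan_only_rule_admits(src, dport, rdp_port=RDP_FORWARD_PORT):
    """The corrected port-forward rule: the RDP port is reachable from LAN sources only."""
    return dport == rdp_port and ipaddress.ip_address(src) in LAN_NET


if __name__ == "__main__":
    print(analyse(constructed_sample()))
```

With the sample, the guesser at 198.51.100.7 is reported under `rdp_bruteforce` and the sweeper at 198.51.100.23 under `port_scan`, while the LAN client is ignored. The `lan_only_rule_admits` check shows why the rule change ends the password guessing: every one of the outside RDP packets that previously matched the open forward now fails the source test.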

Resolution

Moving Forward