Web attack on my BI Server???

tomgru

Young grasshopper
Hello..
My router is telling me that my BI server is "detecting suspicious networking behavior and preventing my device making a connection to a malicious website".

If I check my router logs, I'm seeing like 30-50 of these a day, but with differing incoming IPs.

Security Alert
2018-11-19 06:22:36

External Attacks
185.43.209.239
192.168.1.xxx (my server)
WEB GoAhead login.cgi Information Disclosure Vulnerability

I'm assuming this maybe has something to do with my clients, but I'm not sure? I do have port forwarding on for external use.

Any idea what this is?

Thanks,

tg

looney2ns

IPCT Contributor
It's a huge security risk to use port forwarding; turn it off.
See:
VPN Primer for Noobs
Randy : OpenVPN on a Asus router
How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk

tomgru

Young grasshopper
Thanks, good advice.
Just to further my learning though... I did notice that these stopped happening when I turned off BI and the BI service. Does that make sense?

aristobrat

IPCT Contributor
If you have port forwarding set up to your BI server, that lets anyone on the Internet attempt to connect to your BI. There are a lot of scripts that people kick off that go from Internet IP address to Internet IP address looking for forwarded ports. When they find a port that can be connected to, they send all sorts of stuff to it, either trying to figure out what's on the far end, or worst case, they know what you're running and there's an exploit that they can use against it to either crash it or get themselves logged in.

If you're forwarding port 80 to your Blue Iris server, that's one of the most common ports used, and I wouldn't be surprised if all sorts of scripts are finding it and trying to exploit it.

tomgru

Young grasshopper
Following up on this... fewer attacks, but hoping someone can help me diagnose if I need to do anything. This is what I'm seeing now:

Event number : 1

Alert type : Vulnerability Protection

Source : (51.75.125.109)

Destination :
What I don't get is that the destination IP is not something I'd recognize (mine start with 198.xxx.x.x, etc.).

Anything I can be doing here?

Thanks!

fenderman

Staff member
I removed the destination IP from your post. That was your own external IP address.

bp2008

Staff member
You can probably be just as certain that when he said "mine start with 198.xxx" he actually meant "192.xxx". Why do people insist on making mistakes and typos in the most important technical information?

tomgru

Young grasshopper
Thanks Fenderman... appreciate the help there!!!
As for "insist" on making errors... that is a bit rich. Ironically, IMO, forums are for help (like Fenderman provides), and not ridicule.

At least that's why I belong to them... to learn from other experts.

Steven4x4

Young grasshopper
You don't want to expose port 80 on your BI server directly to the public.
1.) Your username and password can be sniffed out if you are on a wifi network.
2.) Keep in mind, if you have an open guest network, or allow guests on your network, they could also sniff out the username and password you use to access the BI server.

Russia and China probe every public IP for ports 80 and 443, along with several other ports, but these are the most common.
I get about 50,000 hits a day.

As suggested, the easiest and most secure method is to simply use a VPN; there are many different VPNs you can set up.
Most modern routers you get from Best Buy or Amazon will have a VPN feature.
You could also set up a software VPN, essentially on your BI box if you wanted to, that would include some kind of certificate to secure your connection to BI.

The second method is to use STUNNEL, but you will still see these attack attempts as BI will be exposed to the public (if you opened that port on your router).
It will be more secure, but there will still be people connecting to your server and probing it for files that could expose vulnerabilities and/or trying different login attempts.

The way I have mine set up is behind a Sophos UTM software appliance firewall, using a reverse HTTP proxy, allowing my firewall to provide the security of IDS and IPS while utilizing its SSL certificate to secure the connection to BI.
You could probably do the same with a pfSense firewall, but Sophos is way better and free (when you apply for a license).
Sophos also has a NextGen Firewall; I haven't had much luck with it, I still believe the UTM (their older product) is much better.
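Steven's first two points are about what a passive observer sees when the Blue Iris web interface is reached over plain HTTP on a forwarded port. The script below is an added example (not from the thread and not Blue Iris's own login code): it takes constructed captures of the two usual ways a browser sends a password in the clear, an Authorization: Basic header and a form POST, and shows what someone on the Wi-Fi, on the guest network or anywhere on the ISP path can pull out of them, beside a TLS ClientHello for the same request where nothing past the record header is readable. The host, paths, cookie and credentials are placeholders, and the form field names are an assumption, not Blue Iris's.

```python
"""What a passive observer sees in a plaintext HTTP login (added example; constructed captures)."""
import base64
from urllib.parse import parse_qs

# Constructed captures. Credentials, host and paths are placeholders; this is not
# Blue Iris's real login exchange, just the two common ways a browser sends a
# password over plain HTTP, plus a TLS handshake record for comparison.
_CREDS = b"admin:password123"
CAPTURED_BASIC = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Authorization: Basic " + base64.b64encode(_CREDS) + b"\r\n"
    b"\r\n"
)
CAPTURED_FORM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
    b"user=admin&pw=password123"
)
# The same request behind stunnel/a TLS reverse proxy/a VPN: only a TLS record
# header (content type 0x16 = handshake, version 0x03xx) and opaque bytes.
CAPTURED_TLS = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32


def extract_credentials(payload: bytes) -> dict:
    """Return whatever a sniffer on the path could read from one captured request."""
    result = {"transport": "plaintext", "basic": None, "form": {}, "cookie": None}
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        result["transport"] = "tls"
        return result  # nothing below is visible to a passive observer

    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    # Basic auth is just base64, not encryption: decode and split on the first colon.
    auth = headers.get(b"authorization", b"")
    if auth[:6].lower() == b"basic ":
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            if user:
                result["basic"] = (user, password)
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header; nothing recoverable

    # Form logins put the password in the body, readable as-is.
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode(errors="replace")).items():
            if any(hint in field.lower() for hint in ("user", "pass", "pw", "login")):
                result["form"][field] = values[0]

    # A session cookie is as good as the password for replaying the session.
    if b"cookie" in headers:
        result["cookie"] = headers[b"cookie"].decode(errors="replace")
    return result


if __name__ == "__main__":
    for name, capture in (("basic", CAPTURED_BASIC), ("form", CAPTURED_FORM), ("tls", CAPTURED_TLS)):
        print(name, extract_credentials(capture))
```

The point of the third capture is that STUNNEL, a TLS reverse proxy or a VPN all fix the sniffing problem the same way: the observer still sees that a connection happened, but not the credentials or the session cookie inside it. Only the VPN option also removes the listening port that the scanners in the router log are probing.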

tomgru

Young grasshopper
Thanks Steven...

Sorry I wasn't more clear. I did set up the VPN and turn off all port forwarding. So now I'm curious what these other attacks are and if I can do something to thwart them?

I could probably go to a router forum :)... but since I started here, thought I'd follow up.

Steven4x4

Young grasshopper
Honestly, there is pretty much nothing you can do. They will attempt to attack/probe anything that has a public IP address.
About the only thing you could do is ask your ISP if they would release your current IP so you can get a new one...
It used to work in the past, but I don't know if it works any more: if you unplug your modem/router for about 10 minutes then plug it back in, your ISP used to give you a new IP.

Keep in mind that the new IP may also come with different attacks, or it may not.
Depending on the manufacturer and model of your router, you might be able to turn on some additional security features, but last I checked they are minimal and they will not stop them from trying to check for vulnerabilities.

bp2008

Staff member
How to get a new IP depends on the way your ISP set up the addressing. For example my ISP uses DHCP (dynamic addresses) but has reliably given me the same address for the last 8 years. I can cause the address to change by modifying the MAC address of my router, and get my old IP back by restoring the old MAC address.

Anyway, changing the public IP address won't have a meaningful effect on random hack attempts. They happen to every IP address (at least every IPv4 address). If you want to reduce the rate of this random incoming traffic actually reaching a listening service, use a non-standard port number for any public-facing service, ideally between 49152 and 65535. Most random attacks are against the default port number for the targeted service because that is far more likely to be in use, and to actually be the service the attacker is designed to attack.