
How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

WatchBatterycou
Dabbler
Posts: 21
Thanks: 1
Registered: ‎09-02-2010

How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Team,

I note that there is no  way of logging tickets any longer so here goes with the forum approach.

I am getting constant login attempts from outside our LAN which are attempting to use the Microsoft Remote Desktop Port. We need RDP to get to our server.

However, recently I have noticed failed login attempts in the W2008R2 server's security logs which occur almost every 5 seconds of every minute of every day. It was only when I looked at the Router security logs did I see that most of these were coming from a range of IP addresses starting  185.156.177.

How can I get PlusNet to ban what are clearly malicious attempts to access our server?

Can the router be configured just to reject a range of IP addresses starting  185.156.177? There is no clear config via the router admin pages but am wondering if I can enable this using PUTTY?

 

What I am left with doing at the moment is giving the trusted people who use RDP to the server, access to remote admin on the Thomson Gateway router, so that the RDP port can be temporarily forwarded to the correct server machine on our network when RDP session is required and forwarded to some random, non-existing IP address when they have finished their session. So at least any malicious login attempts cannot be made to the server. The router logs however, show continued attempts from the above IP range (and a few others) once the forwarding is disabled (or not valid) so the attempts are constant.

 

Thanks

AJ

 

[Alleged advertising Deleted]

14 REPLIES
mikelahey
Pro
Posts: 236
Thanks: 88
Fixes: 12
Registered: ‎24-11-2015

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

From what I can remember (it's a long time since I used one of these), there is a command line interface to the router via telnet and there is a set of commands for adding / removing firewall rules.

I've never tried to block specific inbound IPs in the firewall but from the documentation it looks like it may be possible from a telnet session. 

The thread below on this forum contains links to the relevant documentation.

 

https://community.plus.net/t5/Broadband/TG582n-Command-Line-Interface-CLI-Reference-Guide/td-p/98483...

 

 

mikelahey
Pro
Posts: 236
Thanks: 88
Fixes: 12
Registered: ‎24-11-2015

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

WatchBatterycou
Dabbler
Posts: 21
Thanks: 1
Registered: ‎09-02-2010

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Mike,

 

Thanks for the PDF which I will file away somewhere safe.

 

I was going to ask if you knew how to create a rule using the firewall rule add but found the useful page below which I think covers it.

 

"

When you need to drop traffic from an abusing network, first create an expression to match it, like this:

:expr add name=abusers type=ip addr=10.1.0.0/16

then add a rule to block it:

:firewall rule add chain=forward_level_Normal index=2 srcintf=wan srcip=abusers action=drop

If you need to drop more, just add an expression for the IP range with the name “abusers”.

 

This from this location:-

http://phil.tinsleyviaduct.com/tg582nfirewall.html

 

"

 

Thanks to all that replied

 

AJ

 

[Alleged advertising signature nowhere to be found]
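An added example, not part of any poster's message: a way to decide which ranges deserve a block before typing the two commands quoted above. It groups logged RDP connection attempts by source /24 and prints the `:expr add` and `:firewall rule add` lines for networks over a threshold. The log format, the sample lines, the full addresses in them, and the names `count_by_network` and `block_commands` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a made-up format; adapt SRC_DPT to your own log.
SAMPLE_LOG = """\
Mar  1 10:00:05 FIREWALL SRC=185.156.177.12 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  1 10:00:10 FIREWALL SRC=185.156.177.45 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  1 10:00:15 FIREWALL SRC=185.156.177.12 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  1 10:00:20 FIREWALL SRC=185.156.177.201 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  1 10:03:00 FIREWALL SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar  1 10:04:00 FIREWALL SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Mar  1 10:05:00 FIREWALL SRC=999.1.1.1 DST=192.0.2.10 PROTO=TCP DPT=3389
"""

SRC_DPT = re.compile(r"SRC=(\d{1,3}(?:\.\d{1,3}){3})\b.*\bDPT=(\d+)")


def count_by_network(lines, dport=3389, prefix=24):
    """Count connection attempts to dport, grouped by source network."""
    counts = Counter()
    for line in lines:
        m = SRC_DPT.search(line)
        if not m or int(m.group(2)) != dport:
            continue
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False)
        except ValueError:
            continue  # looks like an address but is not one (e.g. 999.1.1.1)
        counts[net] += 1
    return counts


def block_commands(counts, threshold=3, expr="abusers"):
    """Emit the thread's two CLI commands for networks at or over threshold."""
    nets = sorted(n for n, c in counts.items() if c >= threshold)
    cmds = [f":expr add name={expr} type=ip addr={n}" for n in nets]
    if nets:  # per the quoted page, one rule serves all same-named expressions
        cmds.append(":firewall rule add chain=forward_level_Normal index=2 "
                    f"srcintf=wan srcip={expr} action=drop")
    return cmds


if __name__ == "__main__":
    for cmd in block_commands(count_by_network(SAMPLE_LOG.splitlines())):
        print(cmd)
```

The chain name and index are copied from the quoted page and should be checked against the router's own rule list before use. The threshold keeps a single stray attempt from an address, such as a remote user's mistyped connection, from blocking its whole /24.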

Dan_the_Van
Seasoned Pro
Posts: 694
Thanks: 111
Fixes: 15
Registered: ‎25-06-2007

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Hi

Have you considered using a VPN server, which would be more secure than opening RDP? I use a Raspberry Pi and PiVPN to connect to my network. Your remote devices would appear to be connected directly to your network.

Dan.

 

 

VileReynard
Hero
Posts: 12,597
Thanks: 631
Fixes: 20
Registered: ‎01-09-2007

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

A simple solution that defeats the script kiddies is to use a non-default port for the listening port - ie not 3389.

"In The Beginning Was The Word, And The Word Was Aardvark."

WatchBatterycou
Dabbler
Posts: 21
Thanks: 1
Registered: ‎09-02-2010

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Hi Dan,

 

I am not sure that this would help. It's not that I just need to have a machine appearing on the business network, I have to administer a number of Windoze machines on the business LAN which are on the other side of the Server in question.

The server has two network cards, one to the outside world (via the Plus Net router) and one to the business LAN. Once I RDP into the server I can use Wake on LAN to turn on any of the clients I need to administer and then RDP from the server to each one I need to work on.

 

AJ

WatchBatterycou
Dabbler
Posts: 21
Thanks: 1
Registered: ‎09-02-2010

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

I guess those using a port scanner would still find the open port? But I guess you are saying that those hackers that are using scripts and just assume that port 3389 is being used for RDP would be thwarted?

 

AJ

VileReynard
Hero
Posts: 12,597
Thanks: 631
Fixes: 20
Registered: ‎01-09-2007

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Yes - scammers just check a few well known ports - if they are found to be open, then more complicated attacks could be done.

Very few machines are worth the effort of scanning 64,000 ports.

"In The Beginning Was The Word, And The Word Was Aardvark."

Dan_the_Van
Seasoned Pro
Posts: 694
Thanks: 111
Fixes: 15
Registered: ‎25-06-2007

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Hi,

I did not have the benefit of knowing your current network setup when I suggested VPN. On reading your thoughts on resolving the issue, it seemed to me over-engineered. The suggestion of changing the RDP port, which I have done in the past, would be simple and effective; it's just that VPN offers a securer connection to your business, as the attaching device needs some sort of credentials to be allowed even to connect to your network, whereas RDP connections would be forwarded directly to your server.

Dan.  

WatchBatterycou
Dabbler
Posts: 21
Thanks: 1
Registered: ‎09-02-2010

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Thanks Dan, I have decided to go with changing the RDP port as I did this overnight and didn't receive any login attempts.

However, I seem to be having an issue with the port forwarding on the Thomson Gateway.

These are the steps I have followed;

1. Changed the default port for RDP via the registry on the W2008 Server and rebooted

2. Created an inbound rule in Windows Firewall based on the existing Remote Desktop rule which uses port 3389 but using the port number in step 1

3. Created "Game and Application" on the Thomson Gateway based on the existing Remote Desktop rule but using the port number defined in step 1.

 

Now I can't RDP from outside the LAN to the server

I can RDP within the LAN using <Server_Name>:<Port from step 1> (e.g. MyServer:1234)

but doing the same from outside using

<Fixed IP address>:<Port from step 1> fails.

 

I have tested with the Windows Firewall completely disabled and still cannot connect, but on any account would assume that a connection from within the LAN would have failed if I had got that rule incorrect.

 

With regard to the router I have enabled a DMZ to forward to the server and also tried disabling the Firewall on the router completely, both did not allow the connection.

I have not rebooted the router between these changes though. I had read that this isn't required but given completely disabling the Firewall has no effect I am wondering if any Firewall changes need the router to be rebooted in order for them to be implemented? I can only reboot the router after business hours.

Thanks

AJ

 

 

Dan_the_Van
Seasoned Pro
Posts: 694
Thanks: 111
Fixes: 15
Registered: ‎25-06-2007

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Hi,

You can check the port is open on your WAN firewall using this site http://www.canyouseeme.org/

Suggest you also check the firewall setting found in members centre, found under Broadband.

Dan.

VileReynard
Hero
Posts: 12,597
Thanks: 631
Fixes: 20
Registered: ‎01-09-2007

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

At least you know it makes it harder to break in to your server via RDP.

"In The Beginning Was The Word, And The Word Was Aardvark."

WatchBatterycou
Dabbler
Posts: 21
Thanks: 1
Registered: ‎09-02-2010

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

Okay, just to give you the update on this.

I changed the RDP port on the Windoze 2008 server and it started to blue screen for some reason. Did the same on my Windoze Home Server 2011 and it worked fine. However, within a day the attempted logins were being made on the newly assigned port.

So, armed with this brilliant link;

https://lehollandaisvolant.net/tout/_misc/telnet/

(Some really good links at the bottom of the page.)

I have configured the Thomson TG587n router and created a root privilege user which allows me to remotely administer  the router using a strong username and password (rather than the default "tech" user). So what I do now is https:// to the router, enable RDP and then do my RDP stuff. Then when I have finished I disable the port forwarding on the router (Or forward to a non existent IP).

Bit of a pain but it keeps the Russians guessing it seems.

AJ

 

 

VileReynard
Hero
Posts: 12,597
Thanks: 631
Fixes: 20
Registered: ‎01-09-2007

Re: How to Bar IP_Address Range from Thomson Gateway Router or get PlusNet to ban IPs

I once set up a passwordless SSH connection accessible from the internet on port 22.

I thought nobody would bother an address without an associated web server, or similar.

I quickly got hundreds of attacks per day!

Changing the port to a number > 1024 immediately reduced this to about one per month...

Anyway, I've since totally disabled the internet access to SSH, because it never got used.

"In The Beginning Was The Word, And The Word Was Aardvark."