Attack on my Home Server

Update (06/12/2024):

A special thanks to @rsaeon for his suggestion and for helping me via DM. He understood my requirements and guided me in the right direction.

I'm currently using Tailscale VPN, and after almost a month of usage, I can confirm it fully meets my needs. I've disabled the web port (port 80) and implemented a firewall to monitor incoming connections effectively.
 
> Update (06/12/2024):
>
> A special thanks to @rsaeon for his suggestion and for helping me via DM. He understood my requirements and guided me in the right direction.
>
> I'm currently using Tailscale VPN, and after almost a month of usage, I can confirm it fully meets my needs. I've disabled the web port (port 80) and implemented a firewall to monitor incoming connections effectively.

Which firewall?
 
Windows firewall. Configured to block most things and allow only those which I need.

If you're on a Windows PC, you can navigate to Control Panel\System and Security\Windows Defender Firewall\Allowed applications and you'll be surprised to see how many apps on your PC have added exclusions to your firewall.
 
If you have time, consider trying CrowdSec. It functions similarly to fail2ban but offers a more up-to-date database of attack vectors and source IPs. I have it running on my firewall (OPNsense) and the parsers on my home lab servers.
 
> Windows firewall. Configured to block most things and allow only those which I need.
>
> If you're on a Windows PC, you can navigate to Control Panel\System and Security\Windows Defender Firewall\Allowed applications and you'll be surprised to see how many apps on your PC have added exclusions to your firewall.

Most apps add exclusions in order to work. You should manage the network at the gateway level, not at the machine level.

> If you have time, consider trying CrowdSec. It functions similarly to fail2ban but offers a more up-to-date database of attack vectors and source IPs. I have it running on my firewall (OPNsense) and the parsers on my home lab servers.

Yes, this is the way. Reverse proxy with CrowdSec as middleware.
 
Hello @rsaeon,
Would it be possible to share your recommendations or any references?
On another note, I am currently exploring Tailscale, which seems to be working for me, but I still need to set up a firewall on the local services to monitor them in case of any attempt.
I had explored ufw and fail2ban a long time back but found them a little cumbersome to maintain.

Does anyone have a recommendation for replicating the setup across systems? I have multiple systems, but manually configuring each of them is time consuming.
I am mostly working on Ubuntu/Debian systems.
 
> If you have time, consider trying CrowdSec. It functions similarly to fail2ban but offers a more up-to-date database of attack vectors and source IPs. I have it running on my firewall (OPNsense) and the parsers on my home lab servers.

Will this work with a CG-NAT ISP provider and a proxy host?
I don't have a public IP address from my ISP, so I use a VM from a cloud provider and proxy my connection through it.
 
> Will this work with a CG-NAT ISP provider and a proxy host?
> I don't have a public IP address from my ISP, so I use a VM from a cloud provider and proxy my connection through it.

If you use Tailscale and these services are only for you/immediate family, the easiest option is to disconnect the reverse proxy and use Tailscale directly, i.e. use Tailscale as a VPN between your phone (client) and homelab server. This way you can avoid all attack attempts (provided Tailscale is safe), because CG-NAT itself is a firewall of sorts, preventing all sorts of direct attacks; further, there is no port forwarding at the router level to open up a new attack vector.

If the reverse proxy is an absolute necessity, I would prefer you set the firewall at the reverse proxy stage (i.e. the cloud VM).

For example, most Oracle VMs use iptables by default, where they restrict everything and you need to open specific ports.
 
Privacy, security and safety concerns have always negated the usefulness of having a public ip for a home connection. Especially in India's political climate. Any controversial tweet or facebook post from your home connection would have local authorities knocking at your door asking you to take down your post/tweet.

For example, under the previous state government, citizens would tweet at the power discom to notify them of an outage and it would be resolved that way. No calling or visiting the local office was necessary. But after a new government was formed, whoever was put in charge sent electrical workers to the homes of whoever tweeted to scold them about making issues public and told them to visit the local office instead. They had your address even if you did not share your connection details.

CG-NAT is often looked down upon as a cost-cutting measure by the ISP but it is a form of privacy-through-obscurity that I consider absolutely necessary. I have multiple connections, and they're power cycled randomly twice a day, so as to mimic real-world power outages or disconnects. Each time I'm assigned a different public IP.

With Tailscale and Wireguard, CG-NAT becomes a non-issue. You don't need to open or forward any ports and can have a very strict firewall put in place:

[Screenshot (2024-12-10): Winbox firewall rule list with packet counters]

That's ~35 million packets dropped on attempts that tried to access my router from the WAN interface, an average of ~300,000 per day.

The interface is Winbox, a utility to manage Mikrotik routers. All of their routers use the same app and differ only in hardware features (ports, compute power).

This firewall rule drops any new connections that do not originate from the LAN, existing connections to the internet that were initiated from the LAN will work as normal.

@AmeyaVS the essence was that Tailscale is incredibly easy to implement and will suffice for most, if not all, cases where you need to access something on your home network when you're not on your network. Then, as you learn by implementing and experimenting, you can look into virtualized firewalls/routers to get access to other devices like NVRs.

If you absolutely need a Public IP on a home connection, then it would be wise to have it on a separate connection specifically for that purpose, and not use it for personal browsing (messaging, social media).
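As an added illustration (not rsaeon's actual configuration), here is a RouterOS filter ruleset that implements the rule described above: replies to LAN-initiated traffic are accepted, and any new connection arriving on the WAN side is dropped. It assumes the WAN port is ether1 and that an interface list named WAN is created for it; the Tailscale/WireGuard tunnel keeps working because the client initiates it outbound from the LAN, so its return packets match the established/related rule.

```routeros
# Added example, not the poster's own config. Assumes ether1 is the WAN port.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/ip firewall filter
# Traffic to the router itself (Winbox, DNS, DHCP, ...): only answers to LAN-initiated flows.
add chain=input connection-state=established,related action=accept comment="replies to LAN-initiated traffic"
add chain=input connection-state=invalid action=drop comment="malformed/untracked packets"
add chain=input in-interface-list=WAN connection-state=new action=drop comment="drop new connections from WAN (the ~35M counter)"

# Traffic through the router to LAN hosts: same policy, nothing new from the WAN side.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=WAN connection-state=new action=drop comment="no inbound port exposure"
```

Under CG-NAT the WAN-side drop rules will still count scanner traffic from the carrier's shared address space, which is what the counters in the screenshot reflect.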
 
Thank you @badwhitevision and @rsaeon for your valuable input.
Sorry for the delayed response, I am having issues with my Internet connection.
I will be continuing to use Tailscale for the time being, and will probably explore public services when any need arises.
 
> For example, under the previous state government, citizens would tweet at the power discom to notify them of an outage and it would be resolved that way. No calling or visiting the local office was necessary. But after a new government was formed, whoever was put in charge sent electrical workers to the homes of whoever tweeted to scold them about making issues public and told them to visit the local office instead. They had your address even if you did not share your connection details.

This is a serious violation of at least half a dozen rules. As far as I know, such tracking requires at least a judicial officer's approval, or even informally at least a request from a police officer of DSP rank. Are you sure about this?
 
I came to this thread quite late, but I learnt this in my tenure: for anything you want to host, just don't get a public IP like we used to do in the old days. Just use Cloudflare Tunnel if the audience is very public; if you have 2-3 users, use Twingate, Tailscale or similar solutions. I personally am hosting a hybrid of Twingate and Cloudflare.
 
> Your issue is assuming anyone is following the procedure for anything.

We live in India, not a neighbouring country where a general can randomly call a police officer or a judge to get someone arrested. Here too I know rules are not always followed, but typically such a situation happens when the circumstances are extraordinary (like involving some celeb, big politician, big businessman etc.), but common people complaining about the local discom is far from extraordinary circumstances, unless it involves abusing some major politicians, in which case the police will come to arrest & not the local discom workers to give a scolding.
 
> We live in India, not a neighbouring country where a general can randomly call a police officer or a judge to get someone arrested. Here too I know rules are not always followed, but typically such a situation happens when the circumstances are extraordinary (like involving some celeb, big politician, big businessman etc.), but common people complaining about the local discom is far from extraordinary circumstances, unless it involves abusing some major politicians, in which case the police will come to arrest & not the local discom workers to give a scolding.

All of this speaks of your very limited experience with issues like this, so perhaps you should not be generalizing it and saying it does not happen. I have gotten in trouble with the SP and IG for complaining about noise pollution on 112. They insisted the right approach was to complain to them in person instead of doing so online. Someone close to me has gotten in far more trouble for an equally small matter.
 
> All of this speaks of your very limited experience with issues like this, so perhaps you should not be generalizing it and saying it does not happen. I have gotten in trouble with the SP and IG for complaining about noise pollution on 112. They insisted the right approach was to complain to them in person instead of doing so online. Someone close to me has gotten in far more trouble for an equally small matter.

As far as I know, any complaint to the police, whether over the phone or online, requires your real identity unless you are actively trying to hide it. Whichever mobile phone number you called from is automatically traced when making such a call. On the other hand, if someone makes some comment on Twitter, then the police need to submit a request to the main official representative of Twitter in India, who then needs to get approval from his bosses in the US to access the data & give it to the authorities here, who then get hold of the IP address used to post the tweet & then contact the ISP to get the details of the connection owner who was assigned that IP at the time the tweet was made. Now you tell me which is much simpler to achieve & whether a local discom guy would go through the hassle just to scold a common man. That is why I suspect something was missing from the story when I read about people getting scolded for tweeting complaints about the local discom. Most likely they revealed their address in the tweet itself, or it was visible in their profile settings etc.
 
@guest_999 I suspect it's a tie-up between a popular local ISP and the local municipality office (I've seen worse privacy breaches in this city). But they do have access to Twitter metadata: https://www.reuters.com/world/india...-agent-payroll-whistleblower-says-2022-08-23/ and, more recently: https://restofworld.org/2023/elon-musk-twitter-government-orders/

A couple of threads:



Most people say they share meter/connection numbers, but if you're renting, then they don't have your details, it's your landlord. Others say they were contacted even without providing any details. These posts/comments were all over when the government changed last year:

[Screenshot (2025-01-03): examples of those posts/comments]

People reminiscing about how much better it used to be:


The masses voted out a regional party and voted in a national party, not sure what they expected would happen.

The national party assigned someone who is more concerned with public image instead of resolving issues. I've personally had electricity board people come and say I shouldn't be calling every time there's a power outage or disruption and that it'll be fixed within a day as if that's perfectly reasonable for a city that's informally called "Cyberabad."
 
> I suspect it's a tie-up between a popular local ISP and the local municipality office (I've seen worse privacy breaches in this city). But they do have access to Twitter metadata

Congress has been out of power at the centre for more than 10 years now, so who exactly is/was in charge of the power dept to have such high connections in the home ministry at the centre & care enough about it to get such info? Because that's what it would take to access that Twitter metadata.

Also, from the first Reddit thread above:
> When you complain, they ask for the USC number. It gives your whole address from their portal.
 
Yes, I mentioned that, but USC numbers don't have the renter's phone number, only the landlord's, and not always. Our USCs are not tied to any active number and yet we still get follow-up calls, even on private numbers that aren't linked to social media. And there have been instances where they'd call or visit without you ever providing a USC number. The sub and Discord were littered with dozens of such posts this time last year when the government changed.

It's possible they went low-tech and have a register or ledger somewhere of people who complain, but that would mean they have it on a sub-locality level in a city of a few million people.

> Congress has been out of power at the centre for more than 10 years now, so who exactly is/was in charge of the power dept to have such high connections in the home ministry at the centre & care enough about it to get such info? Because that's what it would take to access that Twitter metadata.

That's what it ideally should take but the reality is very different. What I'm thinking is that metadata is easy to get ahold of, but actioning on content (banning/deleting) is something reserved for the party in power. The same metadata is also available to local police (something I was able to confirm today at an impromptu visit to the police station). Otherwise the opposition wouldn't let the ruling party sleep, there has to be some concessions for amicable governance.

For example, if the opposition didn't have a way to track civilians, this would not have been possible:

(these announcements happen every few weeks)

Putting aside that IMEI information is not the same as Twitter metadata, it's clear that even opposition states have some level of surveillance and/or monitoring that you'd only expect the ruling party to have.
 