Suricata logs and what they mean??

[Supermule]

Hi there...

Explain this.

A local machine trying to RDP to a machine in Ukraine??

Or a Ukrainian machine trying to connect via RDP to local IP?

[packetmangler]

Source_IP:Port is on the left and Destination_IP:Port is on the right. 

Looks to me like like an external host is connecting to that host via the RDP port.

[Supermule]

So a Ukrainian IP trying to connect on WAN to a server on lan?

Why cant I block that when they are scanning for ports on WAN?

Because IDS is setup on LAN.....

So when they see there is an open port, they start hammering and then the alert is triggered.

But I cant block them... because then I would block everybody trying to connect.

This is not good...

[hbc]

Usually you enable suricata on wan. And IPS is triggered before firewall. You will get these alerts even if you do not have any open rdp ports.
And nobody would run rdp without VPN or fixed source ip,  so you can set rule to block when using VPN.

[Supermule]

One would run RDP on non std. ports no issues if you have a very mobile workforce and VPN is not performing very well...

[hbc]

I would say: time to change the VPN solution if performing is worse.
BTW 3389 like shown in screenshot is rdp standard port.

Additionally I would use 2FA and geo-blocking to increase security. If nobody from Ukraine needs to access rdp, restrict it to those countries where is is accessed from.

[phoenix]

Usually you enable suricata on wan. And IPS is triggered before firewall. You will get these alerts even if you do not have any open rdp ports.

Unless I'm misunderstanding the documentation but I don't think that's correct, if you enable IDS on the WAN the packets will have been through NAT and all the alerts will appear to be from your internal network - the documentation is here: https://docs.opnsense.org/manual/ips.html#choosing-an-interface

I have a recollection that there was a recent post from Ad that said you should use in LAN interface for IDS but feel free to correct an amateur if you think I've got it wrong.

[EDIT]Sorry, I forgot to mention that if you use the internal interface that you should add the WAN address to your h'home network' in the Advanced settings, further info in the "Update (9/14/2019)"  section of this article: https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/

[hbc]

Sorry, I always forget about NAT, since only using public addresses. With public IPs and sensei, I think wan is correct for suricata.

[Supermule]

IMHO then IDS places itself inline into the network stack, so alerts on WAN is before it enters NAT.

So when alerts on WAn is triggered its before it enters the filters asf.

So you know whos visiting you and where they look and how they look. Thats the IPS part.

When you monitor LAN then the intrusion is underway to one of the devices on LAN. (to and from NAT).

So there is the alert that a guy from Ukraine is hammering the door of 3389 which is the internal port for RDP on a specific device...

They are allready through WAN after they did a through portscan that the FW didnt detect and eventually dropped/blocked permanently.

And thats the huge concern here. That you are dealing with intruders AFTER they have penetrated the outer perimeter.

Usually you enable suricata on wan. And IPS is triggered before firewall. You will get these alerts even if you do not have any open rdp ports.

Unless I'm misunderstanding the documentation but I don't think that's correct, if you enable IDS on the WAN the packets will have been through NAT and all the alerts will appear to be from your internal network - the documentation is here: https://docs.opnsense.org/manual/ips.html#choosing-an-interface

I have a recollection that there was a recent post from Ad that said you should use in LAN interface for IDS but feel free to correct an amateur if you think I've got it wrong.

[EDIT]Sorry, I forgot to mention that if you use the internal interface that you should add the WAN address to your h'home network' in the Advanced settings, further info in the "Update (9/14/2019)"  section of this article: https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/

[hbc]

Then just geo-block Ukraine ips. But since suricata is run before filters, the alerts will continue.
The only way to stop alerts is to unplug your internet cable.
There are always port scans. You cannot prevent them. I have a Chinese ip that scans one of my ip6 segments (/48) since a week. But for this reason, I have a firewall that just allows specific ips to be accessed externally. This exactly is the reason you have firewalls.

And when you have a world wide open rdp port, then there will always be guys trying to get in.

[Supermule]

Is there a manual for geo blocking in Opnsense?

[hbc]

You just need an alias from type geoIP. Check Ukraine, save and set as source for block rules.
But instead of blocking, I would whitelist to the countries that are allowed if no world-wide access is necessary.

https://docs.opnsense.org/manual/aliases.html

[scyto]

As someone who used to be the product manager for RDP please never expose RDP ports (be it 3389 or random port) directly to the internet and NEVER turn off NLA option.

There are whole classes of DoS attacks possible with NLA turned off that cannot be mitigated.
And multiple theoretical attack surfaces. With NLA turned on things are several orders of magnitude more safe, that said i would recommend the use of either use RD Gateway to terminate RDP and offer outside as HTTPs.
Or a VPN or some other proxy solution like azure proxied apps where there is additional layer of MFA auth.

(and i am talking as someone who happily exposes HTTPS web UI's externally that one shouldn't (Unifi, Synology). so that should give you an idea of just how risky RDP is)

[hbc]

RDP - loved child of cybercrime scene https://www.heise.de/hintergrund/Remote-Desktop-RDP-Liebstes-Kind-der-Cybercrime-Szene-1-4-4700048.html

[l0rdraiden]

Usually you enable suricata on wan. And IPS is triggered before firewall. You will get these alerts even if you do not have any open rdp ports.

Unless I'm misunderstanding the documentation but I don't think that's correct, if you enable IDS on the WAN the packets will have been through NAT and all the alerts will appear to be from your internal network - the documentation is here: https://docs.opnsense.org/manual/ips.html#choosing-an-interface

I have a recollection that there was a recent post from Ad that said you should use in LAN interface for IDS but feel free to correct an amateur if you think I've got it wrong.

[EDIT]Sorry, I forgot to mention that if you use the internal interface that you should add the WAN address to your h'home network' in the Advanced settings, further info in the "Update (9/14/2019)"  section of this article: https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/

So in order to work correctly I have to add my public IP addess when I select WAN.
If my IP address I dynamic can I use a Dinamic DNS service? or what solution do I have?

I think most people is runnning WAN without adding the public IP