Blocking Port Scanners
Running a port scan on a network or server reveals which ports are open and listening (receiving information) and the presence of security devices such as firewalls between the sender and the target. This technique is known as fingerprinting. It is also valuable for testing network security and the strength of the system's firewall. Because of this, it is also a popular reconnaissance tool for attackers seeking a weak point of access for breaking into a computer.

The port can be either a well-known port (0-1023) or another port (1024-65535). Services may also be offered on ports above 1023, and some of those ports, if open, indicate an infected system because of their popularity with certain far-reaching Trojans and viruses. A port scan sends a carefully prepared packet to each destination port number. Scans designed so that the sender goes undetected by the receiving system's logs are known as stealth scans and are of particular interest to attackers.

It is therefore recommended to configure adaptive behaviour on the firewall, meaning that it blocks both open and closed ports against a suspect IP address that is probing them.
Change RDP/VNC port from the default
VNC is a protocol used to connect to remote systems with a GUI. It is especially popular in the Linux world but also supports other platforms such as Microsoft Windows and macOS. The default port numbering for multiple VNC services can be tricky; in general, the port depends on the number of VNC services running. The default port for the VNC server is TCP 5900. This port can be changed if needed, and especially if the VNC service is open to the internet or insecure networks, changing the default port will make the system more secure. Remote Desktop sessions also operate over an encrypted channel, preventing anyone from viewing your session by listening on the network. However, there is a vulnerability in the method used to encrypt sessions in earlier versions of RDP, which can allow unauthorized access to your session through a man-in-the-middle attack. Having RDP (port 3389) open to off-campus networks is highly discouraged and is a known vector for many attacks. There are various options for improving security while still allowing RDP access to the system, such as the following.
Using an RDP Gateway is strongly recommended. It provides a way to tightly restrict access to Remote Desktop ports while supporting remote connections through a single "Gateway" server. When using an RD Gateway server, all Remote Desktop services on your desktops and workstations should be restricted to allow access only from the RD Gateway. The RD Gateway server listens for Remote Desktop requests over HTTPS (port 443) and connects the client to the Remote Desktop service on the target machine. If using an RD Gateway is not feasible, you can add an extra layer of authentication and encryption by tunnelling your Remote Desktop sessions through IPsec or SSH.