Watching world events and wondering what, if anything, we should be doing to protect our home routers against potential hacker retaliation in case the US gets involved in the coming days. pfBlockerNG and pfSense SEEM to already deny inbound traffic, unless you’ve opened up ports or set up specific allow rules, the way I understand it. So setting up a MaxMind account and specifically blocking other continents/countries from inbound access should be completely unnecessary, right?
If you haven’t already, enable pfBlockerNG GeoIP blocking
Suricata with the ET rules would also be a good choice (and Snort rules); you’ll need to tune those rules a bunch at first, but it is constantly blocking attacks on our network. Any RDP on unexpected ports is immediately flagged and on my system blocked for a few hours. TOR connections get blocked. I will probably step up my blocking interval to like 8 hours before the block gets removed.
What I’d worry about is Amazon AWS and similar type attack vectors; so much stuff comes in from AWS that you need open that it is hard to globally block that service type. I hope Amazon is on their game when it comes to attackers using their services. I know for some little nuisance stuff they are letting things go (because I keep seeing it in my block list), but once it hits a major level I hope they step up to verify traffic.
I need to study up on Geo locking, I tried once and it wasn’t doing anything, Suricata was still doing the heavy lifting. Need to study up again and get ready, no one from China needs to get into my one server, same for really anything outside of the USA. But as mentioned, Geo blocking doesn’t stop VPN, TOR, or AWS conveyed attacks from an allowed IP range. Many layers will be needed.
Make certain all your servers are patched! And make sure they stay patched!
For home consumer routers… we are $c3wed!
I’m a home user running it. So I kinda feel that Suricata may be unnecessary for my situation based on what I’ve seen Tom say in his videos. I was thinking about using GeoIP blocking, but even pfSense says “don’t block the world”; just selectively let in what you need, because pfSense blocks all inbound activity by default. Just wondering then if additional actions are really needed and, if so, why.
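The two points being debated above (default deny already stops unsolicited inbound traffic, so GeoIP only matters on ports you have opened, and Suricata-style blocks that expire after an interval) can be made concrete with a small model. The following is an added example, not code from this thread, pfSense, pfBlockerNG or Suricata; the GeoIP table, IP addresses, country code "XX", rule names and EVE JSON alert lines are all constructed placeholders, and the first-match order (IDS block table, then GeoIP deny list, then explicit rules, then the implicit default deny) is an assumption that mirrors how these layers are usually stacked.

```python
"""Added example: model of layered inbound filtering on a home firewall.
Layers, in first-match order: IDS block table (with expiry), GeoIP deny list,
explicit allow rules, implicit default deny. All data below is constructed."""

import json
import ipaddress
from datetime import datetime, timedelta

# Constructed GeoIP table (placeholder data, not MaxMind): network -> country code
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "XX",  # "XX" stands in for a blocked country
}


def country_of(ip):
    """Look up the country code for an address; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


class BlockTable:
    """Temporary blocks driven by IDS alerts; each entry lapses after `interval`
    (the 'remove blocked hosts' interval the post above talks about raising)."""

    def __init__(self, interval):
        self.interval = interval
        self.entries = {}  # ip -> time the block was added

    def block(self, ip, when):
        self.entries[ip] = when

    def is_blocked(self, ip, now):
        added = self.entries.get(ip)
        if added is None:
            return False
        if now - added >= self.interval:
            del self.entries[ip]  # expired: host gets another chance
            return False
        return True


def ingest_alerts(block_table, eve_lines):
    """Add the source IP of every EVE 'alert' record to the block table.
    Returns the list of IPs blocked. Lines are constructed, not real Suricata output."""
    blocked = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow/dns/etc. records do not trigger blocks
        block_table.block(rec["src_ip"], datetime.fromisoformat(rec["timestamp"]))
        blocked.append(rec["src_ip"])
    return blocked


def evaluate(pkt, rules, block_table, blocked_countries, now):
    """First-match verdict for one inbound packet {'src': ip, 'dport': port}."""
    if block_table.is_blocked(pkt["src"], now):
        return "deny:ids-block"
    if country_of(pkt["src"]) in blocked_countries:
        return "deny:geoip"
    for rule in rules:
        if rule["dport"] == pkt["dport"]:
            return rule["action"] + ":" + rule["name"]
    return "deny:default"  # nothing matched: pfSense-style implicit inbound deny


def demo():
    """Run the scenarios from the thread and return the verdicts by name."""
    bt = BlockTable(timedelta(hours=4))
    # Constructed EVE JSON lines (one alert for RDP on an unexpected port, one flow record)
    eve_lines = [
        '{"timestamp": "2022-03-01T10:00:00", "event_type": "alert", "src_ip": "198.51.100.9", '
        '"dest_port": 3389, "alert": {"signature": "CONSTRUCTED RDP on unexpected port"}}',
        '{"timestamp": "2022-03-01T10:00:01", "event_type": "flow", "src_ip": "198.51.100.7"}',
    ]
    ingest_alerts(bt, eve_lines)
    web_rule = [{"name": "web", "dport": 443, "action": "allow"}]
    foreign = {"src": "203.0.113.5", "dport": 443}
    domestic = {"src": "198.51.100.7", "dport": 443}
    noisy = {"src": "198.51.100.9", "dport": 443}
    t_noon = datetime(2022, 3, 1, 12, 0, 0)   # 2 h after the alert
    t_later = datetime(2022, 3, 1, 15, 0, 0)  # 5 h after the alert
    return {
        # Nothing opened: default deny already stops the foreign host, GeoIP or not
        "closed_no_geo": evaluate(foreign, [], bt, set(), t_noon),
        # An opened port is where the GeoIP list actually changes the outcome
        "open_no_geo": evaluate(foreign, web_rule, bt, set(), t_noon),
        "open_with_geo": evaluate(foreign, web_rule, bt, {"XX"}, t_noon),
        "open_domestic": evaluate(domestic, web_rule, bt, {"XX"}, t_noon),
        # IDS block still in force 2 h after the alert, lapsed after 5 h
        "ids_block_active": evaluate(noisy, web_rule, bt, {"XX"}, t_noon),
        "ids_block_expired": evaluate(noisy, web_rule, bt, {"XX"}, t_later),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The "closed_no_geo" case is the answer to the original question: with no allow rules, the foreign host is dropped by the default deny whether or not a GeoIP list exists. The GeoIP layer only earns its keep on "open_with_geo", i.e. a port you have deliberately opened, and the two "ids_block" cases show why the expiry interval matters: once it lapses, the alerting host is evaluated like any other.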
Been wondering myself how homes and organisations will prepare. It’s very sad, all this effort for war and so forth. Imagine if the Covid-19 pandemic or climate change had a genuine global response.
I read in a tech article that if the UK gets “involved” the NHS is the target re cyber attacks.
Currently I’m on the Home license for Untangle, but will review etc. Re geo blocking again, so much comes via other sources and I’m sure they’ll proxy via other countries anyway.