match default rule, drop

stefanocps

n00b
Joined
Jul 18, 2021
Messages
6
Hello on my zyxel router log i have hundreds of these message, coming from all over. They all point to "routeripaddress:3389"
I use to have RDP enabled, for now i have disabled just to make sure nothing happen. I also have changed the router ip address (it is behind a main router from the provider) from xx xx xx xx 5 to xx xx xx 55

Now no more port attack on the address x.x.x. 5 because my router is on x.x.x.55

But i have a problem, the main router forward all the request to the adress x.x.x.5 so now i cannot use any service, expecially the remote desktop thai is what i need. I know i could call the provider and ask to change the ip address where all the request should be adressed form 5 to 55...but is there another way to do that?
 
Are you using remote desktop externally? Is that router IP the public(external) or the private(internal)?
 
3389 is default RDP port. I'd recommend changing the server you connect to a different port for RDP.
 
Any chance you could do RDP, etc, over a VPN? That would eliminate the need to forward ports from the public IP to your private IP.
 
You used to have RDP opened to the world... And you had a NAT/forward rule that would translate from public IP to an internal IP. Script kiddies and bad guys just probing for open vulnerable ports. Do not directly open RDP.... Very bad practice. Use Google chrome remote desktop or VPN and then RDP....
 
You used to have RDP opened to the world... And you had a NAT/forward rule that would translate from public IP to an internal IP. Script kiddies and bad guys just probing for open vulnerable ports. Do not directly open RDP.... Very bad practice. Use Google chrome remote desktop or VPN and then RDP....
I was trying to decipher if that was indeed the case.....if so....yeah very very bad practice, the port attacks most likely were from shodan scanners
 
this was the situation. i have a routee form provider at 10.10.10.1 that would readrress any kind of requests to 10.10.10.5 which is the address of my internal router where all the settings, nat ec.. are confiuured
I use to have rdp opened at port 3387, 3388,3389..and i found hundres of attempts to these ports..all dropped.
Now for the momen i have disbaled rdp, and put the router address from 5 to 50. No port scan now..but no possibility to use rdp or vpn or whatever. As soon as i set the router baCK to 10.10.10.5 i see again several port scanning to 3389 andclose port even i no nat rule is sonfigured.
So now my main worry is if i have to stop all these traffic as i concern it might slow down or block my wan traffic. But how to do that?changing the router ip address would do that but also would avoid any possibilities of rdp, vpn ecc
I can configure vpn and then rdp of course(mow i know...) once i set the proper ip address...but what about all that traffic?
 
Last edited:
If you indeed have two routers(the providers gateway router that you would have no control over), and than your own internal router(one you control) and the provider is setting routes to your internal router than if you change the IP address of your router they would need to update their routes, this is more common practice in business and if you are paying for a dedicated circuit.


However if by provider router you mean modem/router combo unit than thats different and something you can generally fix on your own

Also those are both private IPs and leads me to think they are internal,

Google "what is my ip" and does that IP match what you say your providers routers IP is?
 
Last edited:
the router wan ip does not much the whatismyip the internal ip of the provider router is 10.10.10.1. I already have asked them to change their rule to forward all the traffic from from 10.10.10.5 (the previous lan router ip ) to 10.10.10.50..but still lots fo port scanning coming
Btw, My lan has 192.168.1.0 subnet
so resume:
provider router has public ip that is different form the whatismyip, it also has internal ip 10.10.10.1
my router has now 10.10.10.55 to the wan port and 192.168.1.0 subnetting
At the moment the provider router route everythinh to 10.10.10.50...but i set my riuter to 10.10.10.55 to do not have all that scanning..for the moment. But like this cannot use any service. For that i should set it back to 10.10.10.50
 
If you have open ports, bots are going to scan them, bang on them, and try to get in. Changing your internal ip doesn't really do anything, because they're still banging on the same ports on the public IP address (you just can't see it because the router is telling them the ports are unreachable or closed, or silently dropping them).

As soon as those ports are forwarded to your new internal IP, you'll be assailed by packets from bots trying to gain access. You need to either use a more secure remote service that works through NAT, or (even better) use a VPN or similar tunneling technology to remote in without forwarding ports.
 
You really need a vpn if you want to rdp externally to your machines on the network, without it...it's like a bank asking how to keep criminals from climbing in the open window and robbing them, you tell them to close the window and they do, but they open another window and the criminals climb through that one, all you're doing by changing your IP is closing the window on one side and opening the window on the other side, thinking that the criminals won't look for another window, now if keeping the window open is necessary than you need to secure it, in the banks case guards, bars, etc....in your computers case you need a vpn
 
ok ok i already have set up my mind on use a vpnm and then rdp. But what about all the scanning..can i leave it there? no problem for my lan?
 
You can not stop the scanning. Period. Just ignore it and make sure you have everything blocked. as others noted NEVER open RDP to the internet. and if you do need to host any kind of service, say a web server, use VLAN's and isolate your network, otherwise you will be compromised one day and lose everything. So I hope you also have backups of al your data.

So, now question is what will you use as a VPN server for your network?
Who needs to connect into your network?
Is this a work network or personal home network?
 
Ok cannot sotp the scanning, this is what i wanted to know! my router support vpn, so i can use that!. I think is the best way to setup the whole thing
 
  • Like
Reactions: Nobu
like this
Be careful on setting up the VPN as well , if not done properly and securely, can also become a target people will try.

What model / brand is your router?
 
Back
Top