Risk of having these ports open to the public?

KapsZ28

This company set up two Server 2008 R2 servers in different locations. Both servers are set up with a public IP address, NOT through a firewall. They only use Windows Firewall. These are going to be used as file servers for another company. So DFS is enabled and replicating over the WAN. I would never in a million years set up a configuration like this without secure firewalls and VPN, but cheap companies seem to make dumb decisions. Below is a basic nmap scan of their public IP. Since you guys know security, how easy would it be to exploit their vulnerabilities?

PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
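A quick way to turn a scan like the one above into something a defender can act on. This is an added example, not from the thread: it parses the posted nmap table, sorts each open port into an exposure class, and emits Windows Firewall (netsh advfirewall) allow rules scoped to the only remote ranges that should reach them. The peer-site address and the admin/VPN range are placeholders.

```python
"""Audit the nmap listing from an internet-facing Windows domain controller.
Added example, not from the thread; peer-site and admin ranges are placeholders."""
import re

# Constructed input: the nmap table posted above (fields separated by spaces).
NMAP_OUTPUT = """\
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
"""

# Assumed classes: AD/SMB/RPC/LDAP serve domain members and the replication
# partner only; RDP is an admin path; DNS is public only if deliberately so.
DOMAIN_ONLY = {88, 135, 139, 445, 464, 593, 636, 3268, 3269}
ADMIN_ONLY = {3389}
PUBLIC_IF_INTENDED = {53}
PEER_SITE = "203.0.113.10"    # placeholder: the other site's DC
MGMT_NET = "198.51.100.0/24"  # placeholder: admin/VPN range allowed to RDP

def parse_nmap(text):
    """Yield (port, service) for each 'open' TCP row of nmap's port table."""
    for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M):
        yield int(m.group(1)), m.group(2)

def audit(text, peer_site=PEER_SITE, mgmt_net=MGMT_NET):
    """One finding per open port: (port, service, risk, remote scope to allow)."""
    findings = []
    for port, service in parse_nmap(text):
        if port in DOMAIN_ONLY:
            findings.append((port, service, "high", peer_site))
        elif port in ADMIN_ONLY:
            findings.append((port, service, "high", mgmt_net))
        elif port in PUBLIC_IF_INTENDED:
            findings.append((port, service, "review", "any"))
        else:
            findings.append((port, service, "unknown", "none"))
    return findings

def firewall_rules(findings):
    """netsh advfirewall allow rules, each scoped to the finding's remote range."""
    return [f'netsh advfirewall firewall add rule name="{svc}-scoped" dir=in '
            f"action=allow protocol=TCP localport={port} remoteip={scope}"
            for port, svc, _, scope in findings if scope not in ("any", "none")]
```

Scoped allow rules only help once the unscoped allow rules for the same ports are removed, since Windows Firewall evaluates any matching allow; the real fix the thread recommends is still a VPN between the two sites.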
 
Dear Lord yes. If they need to connect over the internet, use a VPN.
 
What I don't get is they use free pfSense firewalls, but didn't even bother to use those and set up a VPN connection. It's not like it is going to cost any more to use a free firewall with a VPN connection.
 
I would at minimum establish a site to site VPN between the two sites.

You mentioned DFS/File Sharing/WAN and it may even be better to get a small MPLS connection between the two so those files being replicated have a dedicated pipe.
 
I would at minimum establish a site to site VPN between the two sites.

You mentioned DFS/File Sharing/WAN and it may even be better to get a small MPLS connection between the two so those files being replicated have a dedicated pipe.

Well, one server is in NY and the other is in Germany. My guess is they are doing this as cheaply as possible. Doubt they would want a dedicated connection.
 
DFS over inter-continental internet pipes.

Replication issues in your future I see, yesss [/yoda]
 
This thread has to be trolling. There's no way anyone was ever stupid enough to do this.

OP, good one!

Right? RIGHT?
 
This is what ours looked like when the old firewall we had broke and Germany decided not to replace it for a while. The IT Admin said, "Oh, it'll be fine, and it's one less device to configure and add bandwidth!"

........

I convinced the American VP this was insane and got us set up with another firewall, even though I handle external tech support.. What a mess.. once I got into our AD/DNS setup, holy Christ.. nightmare..
 
Cheap in the short run almost always means expensive in the long run. Don't worry, you won't have to wait long. Some haxxor in Russia or China will soon come along with a port-scan and get to work.
 
What everyone else has said, there's really no reason for this, and if they are having trouble understanding why this is important, try to explain it like this:

1. It's free to set up and configure
2. If we don't, we could lose everything, expose income/financial data, and whatever other data is important, so do we want to lose X dollars, and be liable for leaked/stolen information?
3. The internet is not kind, and even a kid with crappy tools can exploit it
4. IT'S FREE TO FIX!

... seriously..
 
What kills me is it was one of the owners of our company that sold this to the client and then talked about upselling them a managed firewall after the fact to make additional money. In my opinion something like this should have never been sold to the client. The firewall should be included. I mean, what are they going to tell the client once it gets hacked? "Sorry, you didn't bother to purchase a firewall. Would you like to purchase a firewall now?"
 
That owner of your company needs to retire...

Sadly the co-owner that sold this is actually very technical. He and his friend built the company. I just don't understand why they do stuff like this. They also have port 3389 open on almost all servers they sell without even using NLA. Even the internal network doesn't seem very secure. I was able to use uTorrent internally without any problems. Even at my home all those ports are closed except on one VM that I use uTorrent. Maybe they just aren't very good with security.
 
It'll be hacked before they know it. If they are this lax with their server connections chances are there are other exploitable openings.
 
If you want to be cheap you could set up RRAS on one of them and have the other connect to it...no cost except the time to configure.

edit: reread and they use pfsense boxes...why...

This is like a place I ran across not too long ago. They had a "managed" Juniper through their ISP with 1:1 NAT for a few servers, however with allow-all traffic statements...anyway they have an ASA and site-to-site VPN now.
 
It'll be hacked before they know it. If they are this lax with their server connections chances are there are other exploitable openings.

I kind of hope so. Not because I want them to get hacked, but so they will learn. I've seen 3 successful hacks over the past year because of port 3389 being open without NLA enabled.
 
If you want to be cheap you could set up RRAS on one of them and have the other connect to it...no cost except the time to configure.

edit: reread and they use pfsense boxes...why...

This is like a place I ran across not too long ago. They had a "managed" Juniper through their ISP with 1:1 NAT for a few servers, however with allow-all traffic statements...anyway they have an ASA and site-to-site VPN now.

Don't like pfSense? I am not particularly a fan of a free firewall. I know we have some Juniper here and funny you mention ASA. Another part of this business, but technically separate as it is a different owner, very confusing, they set up all their clients with ASA site-to-site VPN. My previous company used SonicWall for everything. Probably because it was a lot easier to manage than Cisco.
 
Don't like pfSense? I am not particularly a fan of a free firewall. I know we have some Juniper here and funny you mention ASA. Another part of this business, but technically separate as it is a different owner, very confusing, they set up all their clients with ASA site-to-site VPN. My previous company used SonicWall for everything. Probably because it was a lot easier to manage than Cisco.

I think they meant why do they have it set up this way if they have pfSense...
 
I don't know much about how secure Linux is, but let me know what you think about this. Yesterday I had to build an Ubuntu Server 12.04 that is going to be used to store backups. The server has two NICs and I was told to set up one for the internal network and the other to be given a public IP. I asked if he was worried about security since we were putting it right on the Internet. He said, "Not really. I would just open the ports anyway if it was behind a firewall." There are no rules set up on the Ubuntu firewall either.

Is this something that can be easily hacked?
 
Depends on what services Ubuntu has running, whether they have been updated, strong passwords and/or ssh keys, etc. Personally I wouldn't put any device live to the Internet without some type of firewall. And then make sure it is updated frequently, etc.
 
People seem so surprised that companies are dumb enough to do crap like this.

They are, and they do. I work for an ISP and we sell internet services to lots of customers. I've seen some ridiculously insecure setups. Half the time you try to tell them about it though, you get pooh-poohed away.

I've had people tell me things like "we're not a bank, we don't have anything to worry about".

EVERY business has something to worry about. They have information that others want to steal, almost assuredly, whether it's information about the company, or its customers.

Or they will just come up on a port scan run by some 14-year-old who will get his kicks out of breaking into their network and causing havoc.
 
What kills me is it was one of the owners of our company that sold this to the client and then talked about upselling them a managed firewall after the fact to make additional money. In my opinion something like this should have never been sold to the client. The firewall should be included. I mean, what are they going to tell the client once it gets hacked? "Sorry, you didn't bother to purchase a firewall. Would you like to purchase a firewall now?"

An old company I used to work for did this. One of our lower revenue products got pwned, and then the salesweasels went *nuts* bringing in new revenue on higher tiered products; sold, in what at the time was 3 months worth of deals, in 3 days. To say that I felt slimy is a very big understatement.
 
Depends on what services Ubuntu has running, whether they have been updated, strong passwords and/or ssh keys, etc. Personally I wouldn't put any device live to the Internet without some type of firewall. And then make sure it is updated frequently, etc.

Server is fully updated. The username is only three letters and the password is not strong. Even Ubuntu said it was a weak password. It has SNMP and SSH running. Once the backup software is installed, clients will be able to access the webpage over port 80.
 
People seem so surprised that companies are dumb enough to do crap like this.

They are, and they do. I work for an ISP and we sell internet services to lots of customers. I've seen some ridiculously insecure setups. Half the time you try to tell them about it though, you get pooh-poohed away.

I've had people tell me things like "we're not a bank, we don't have anything to worry about".

EVERY business has something to worry about. They have information that others want to steal, almost assuredly, whether it's information about the company, or its customers.

Or they will just come up on a port scan run by some 14-year-old who will get his kicks out of breaking into their network and causing havoc.

Part of what we do is being an ISP provider.
 
Server is fully updated. The username is only three letters and the password is not strong. Even Ubuntu said it was a weak password. It has SNMP and SSH running. Once the backup software is installed, clients will be able to access the webpage over port 80.

Sounds ripe for script kiddies to take over the box. Check out CSF and see if that would work for you. Also change the port that SSH listens on to something else. Disable passwords and use RSA keys instead. SNMP enabled on a publicly facing server? May I ask why? Tighten your web server too. If using Apache, consider using mod_security, suphp, etc.
 
What kills me is it was one of the owners of our company that sold this to the client and then talked about upselling them a managed firewall after the fact to make additional money. In my opinion something like this should have never been sold to the client. The firewall should be included. I mean, what are they going to tell the client once it gets hacked? "Sorry, you didn't bother to purchase a firewall. Would you like to purchase a firewall now?"

I honestly don't feel that bad about crap like that. As I mentioned before, I work for an ISP, fortunately only with enterprise-class customers.

When our sales team sells the customer an internet circuit, naturally they try to sell them a managed firewall product (or, if they get an MPLS, a network-based firewall). There's hardly anything crooked about that. If you're an enterprise customer, you need protection. We can give you a wire and a static block of IPs for X number of dollars, but we're willing to take on the task of managing your firewall, opening and closing ports, setting up NATs and port forwards whenever you need them, for a charge of Y amount (which is usually pretty reasonable given that we handle everything from supplying the equipment to management to providing security consultations).

If the customer says that they're not interested, we assume, okay, no harm done, they'll manage their own firewall, no problem.

But if they're not smart enough to go and buy their own firewall and set it up, and they get attacked, tough shit. Sorry, but I have no sympathy at that point. Natural selection, IMO.

Sure, when they come to us in a panic because they've been compromised and need a solution, of course we'll offer them one of ours, if they don't have the knowledge to do it themselves.

I just can't see how anyone can run an enterprise business in this day and age without being responsible enough to protect their business assets, employees, and customers from those looking to steal, scam, and exploit.
 
Sounds ripe for script kiddies to take over the box. Check out CSF and see if that would work for you. Also change the port that SSH listens on to something else. Disable passwords and use RSA keys instead. SNMP enabled on a publicly facing server? May I ask why? Tighten your web server too. If using Apache, consider using mod_security, suphp, etc.

Ultimately my goal is to make sure all our servers are behind at least a pfSense firewall. If a client pays for a server and doesn't want a managed firewall, that is on them just so long as it is separated from our network. Unfortunately this backup server is used by our company and clients. To me this is really bad because our clients rely on our offsite backup that could easily be compromised.

SNMP is what we use for our monitoring system. So it is setup on all servers.

We also have a Windows server with vSphere installed and this server is part of our domain. It has a public IP address assigned to the NIC and is used by employees and clients to access VMware. On top of which it has access to ALL our internal VLANs for the production network. I am recommending a DMZ with two firewalls to better protect it.
 
Does the backup server have multiple network interfaces? If so, you can limit your exposure by setting SNMP to listen only on a private network interface. Could do the same with any services that don't need public accessibility.
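To check whether the split above actually holds on a two-NIC box, here is an added example (not from the thread) that reads `ss -lntu` output and flags every socket reachable on the public interface that is not one of the services meant to be public (SSH and the port-80 backup web UI, per the posts above). The addresses and the ss output are constructed; the snmpd.conf `agentAddress` directive it emits is the Net-SNMP way to pin the agent to the internal address.

```python
"""Audit listening sockets on a dual-NIC host against a bind policy.
Added example, not from the thread; addresses, ss output and the allowed-public
set are constructed to match the backup server described above."""

# Constructed `ss -lntu` output (real ss column layout; values invented).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
"""

PUBLIC_IP = "203.0.113.20"   # placeholder: address on the internet-facing NIC
PRIVATE_IP = "10.0.0.5"      # placeholder: address on the internal NIC
PUBLIC_OK = {("tcp", 22), ("tcp", 80)}  # only services meant to be reachable externally
WILDCARDS = {"0.0.0.0", "[::]", "*"}    # binds that answer on every interface

def parse_ss(text):
    """Yield (proto, local_addr, port) for each socket row of `ss -lntu` output."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue  # header line or something we do not understand
        addr, _, port = cols[4].rpartition(":")  # rpartition keeps [::] intact
        yield cols[0], addr, int(port)

def exposed(addr):
    """True if a socket bound to addr is reachable via the public interface."""
    return addr in WILDCARDS or addr == PUBLIC_IP

def audit(text):
    """Sockets reachable from the internet that the policy does not permit."""
    return sorted({(proto, addr, port) for proto, addr, port in parse_ss(text)
                   if exposed(addr) and (proto, port) not in PUBLIC_OK})

def snmpd_bind_directive(private_ip=PRIVATE_IP, port=161):
    """Net-SNMP snmpd.conf line that pins the agent to the internal address only."""
    return f"agentAddress udp:{private_ip}:{port}"
```

In the constructed data only SNMP on 0.0.0.0:161 is flagged; the MySQL socket on 127.0.0.1 is invisible from either NIC and SSH/HTTP are the intended public services.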
 
So now they are talking about removing a firewall for one of our clients and putting their Nginx load balancer as public facing. The current setup is public to pfSense firewall to Nginx load balancing to 8 web servers running Apache. The firewall is seeing up to 700 Mbps throughput. My suggestion was two firewalls load balanced so that if one fails the site keeps working. Their idea was to remove the firewall and go directly to the Nginx load balancer and then the web servers. Their goal is to try and increase performance by eliminating the firewall.

Is it me, or are they just asking to get hacked?
 
Stupid question, but shouldn't public DNS servers also be behind a firewall?
 
All machines that don't expressly require full exposure to the internet should be firewalled off, with only public facing services exposed. In your example, the DNS service would be exposed, but everything else would be protected.
 
All machines that don't expressly require full exposure to the internet should be firewalled off, with only public facing services exposed. In your example, the DNS service would be exposed, but everything else would be protected.

Kind of figured. Out of curiosity, what is an example of a server that may require full exposure to the Internet?
 
honey pot?

Interesting. Although from some research it seems to suggest having a honey pot behind a firewall so you can control the traffic that may be sent back out to the Internet. This way the hacker doesn't use it to attack other people or companies.
 