ARP Spoofing

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.
mattg
Moderator
Posts: 22101
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

ARP Spoofing

Post by mattg » 2022-09-09 05:03

I have a business grade multiWAN / firewall / router appliance.

If I 'Enable ARP spoofing defense' on this device, a whole lot of traffic to my Mailserver stops, and I get connection failures.
How can I troubleshoot this issue, as I'm on the never-ending quest to tighten security?

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

johang
Senior user
Posts: 888
Joined: 2008-09-01 09:20

Re: ARP Spoofing

Post by johang » 2022-09-09 09:07

mattg wrote:
2022-09-09 05:03
I have a business grade multiWAN / firewall / router appliance.

If I 'Enable ARP spoofing defense' on this device, a whole lot of traffic to my Mailserver stops, and I get connection failures.
How can I troubleshoot this issue, as I'm on the never-ending quest to tighten security?
What does the log in the appliance say (is it clients or the mailserver it says is the problem)? Have you contemplated using a static ARP table (should be possible in the appliance)?

Before enabling 'ARP spoofing defense', can you see alterations of MAC addresses in the ARP table in the mailserver, in the firewall, at clients?
Are clients "popping in and out" from different nets or 3G/4G/5G/wired/wifi getting new IP addresses? (Roaming between nets is a b*tch if you do automatic test/block.)

If you set up static ARP tables for static resources you (in my opinion) have won just above half the race.

Anything that gives you redundancy via ethernet, CARP, VRRP, Proxy ARP equipment or function, which rely upon switching or impersonating MAC addresses, will not work well with automatic "arp spoofing defense".

If I misinterpreted your post and it is not inside the network you get problems but rather connections through your appliance, I would check settings and look into multiWAN traffic (if you have that) to see if you have asymmetric traffic or load balancing over 2 providers (I am not talking about BGP) and see if I could "unenable" the spoofing defense for specific interfaces (like WAN) if possible ...

lets cheat darwin out of his legacy, find a cure for cancer...

SorenR
Senior user
Posts: 5591
Joined: 2006-08-21 15:38
Location: Denmark

Re: ARP Spoofing

Post by SorenR » 2022-09-09 13:19

mattg wrote:
2022-09-09 05:03
I have a business grade multiWAN / firewall / router appliance.

If I 'Enable ARP spoofing defense' on this device, a whole lot of traffic to my Mailserver stops, and I get connection failures.
How can I troubleshoot this issue, as I'm on the never-ending quest to tighten security?
This option? (I have a TL-R600VPN SafeStream Gigabit Multi-WAN VPN Router)
(attachment: arp.png)
Attack defence:
Flood Defense - all OFF
Packet Anomaly Defense - all ON

I connect to my LAN via VPN on this box from my Android phone. No problems accessing SMB, surveillance cams, video casting etc.
SørenR.

There are two types of people in this world:
1) Those who can extrapolate from incomplete data

SorenR
Senior user
Posts: 5591
Joined: 2006-08-21 15:38
Location: Denmark

Re: ARP Spoofing

Post by SorenR » 2022-09-09 14:16

https://www.imperva.com/learn/applicati ... -spoofing/

"arp -a" in a command window (works for windoze and linux)

Examine the list, compare MAC addresses.

Identify IPs with identical MACs; remove known IPs and you have your culprit ;-)
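A small checker for the comparison SorenR describes above (IPs that share one MAC in the `arp -a` table), added here as an example and not taken from the thread. The ARP output it parses is a constructed sample in both the Windows and Linux layouts, and `known_ips` is an assumed parameter for addresses you have already accounted for, such as a router that legitimately answers for several addresses.

```python
import re
from collections import defaultdict

# Constructed sample: a Windows "arp -a" table followed by Linux "arp -a" lines.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.25          aa-bb-cc-dd-ee-25     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-25     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
? (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.40) at aa:bb:cc:dd:ee:40 [ether] on eth0
"""

_IP = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
_MAC = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")


def parse_arp(text):
    """Return {ip: mac} from arp -a output; MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        ip_m, mac_m = _IP.search(line), _MAC.search(line)
        if not (ip_m and mac_m):
            continue  # header and "Interface:" lines carry no MAC
        table[ip_m.group(1)] = mac_m.group(1).lower().replace("-", ":")
    return table


def find_duplicate_macs(table, known_ips=()):
    """Group IPs by MAC and report, per MAC seen with more than one IP, the IPs
    that are not in known_ips. Broadcast and IPv4 multicast entries are skipped
    because they are never a host."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        by_mac[mac].add(ip)
    report = {}
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            suspects = sorted(ip for ip in ips if ip not in known_ips)
            if suspects:  # a MAC whose addresses are all known is expected (router, VRRP)
                report[mac] = suspects
    return report


if __name__ == "__main__":
    print(find_duplicate_macs(parse_arp(SAMPLE_ARP_OUTPUT), known_ips={"192.168.1.25"}))
```

Run it against the real table by piping `arp -a` into `parse_arp`; a MAC that also appears for your gateway belongs in `known_ips` before you read anything into the result.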

mattg
Moderator
Posts: 22101
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ARP Spoofing

Post by mattg » 2022-09-10 02:16

SorenR wrote:
2022-09-09 13:19
mattg wrote:
2022-09-09 05:03
I have a business grade multiWAN / firewall / router appliance.

If I 'Enable ARP spoofing defense' on this device, a whole lot of traffic to my Mailserver stops, and I get connection failures.
How can I troubleshoot this issue, as I'm on the never-ending quest to tighten security?
This option? (I have a TL-R600VPN SafeStream Gigabit Multi-WAN VPN Router)
Exactly that option.
I have the TL-ER6020 SafeStream Gigabit Multi-WAN VPN Router.

johang
Senior user
Posts: 888
Joined: 2008-09-01 09:20

Re: ARP Spoofing

Post by johang » 2022-09-13 10:19

curious cat

How are things going with the tighten-security mission?

mattg
Moderator
Posts: 22101
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ARP Spoofing

Post by mattg » 2022-09-14 05:06

Still playing.

I'm using IPv6 more (ARP is an IPv4 issue), and I'm setting DHCP clients with fixed IPv4 addresses for each MAC address.
Still haven't turned on the 'Anti ARP Spoofing', but knowing that SorenR can, I am working towards that.

That's the only option not enabled in my firewall settings.

SorenR
Senior user
Posts: 5591
Joined: 2006-08-21 15:38
Location: Denmark

Re: ARP Spoofing

Post by SorenR » 2022-09-15 01:26

mattg wrote:
2022-09-14 05:06
Still playing.

I'm using IPv6 more (ARP is an IPv4 issue), and I'm setting DHCP clients with fixed IPv4 addresses for each MAC address.
Still haven't turned on the 'Anti ARP Spoofing', but knowing that SorenR can, I am working towards that.

That's the only option not enabled in my firewall settings.
Oh I can do much worse than enabling Anti ARP Spoofing :mrgreen:

My son moved into a college room earlier this month - studying software design (BSc-??) - and unfortunately the WiFi router is mounted on the wall down the hall... WiFi signal sucks monkey balls in his room. Partly due to thick walls and partly due to several doors along the length of the hallway ...

Just got the final parts by mail today :twisted:

I am going to drill a small hole in his door frame for a CAT5 cable. I'm going to hang a TP-Link TL-WA1201 just outside his room (in line of sight) configured as a WiFi client, using passive PoE to power the unit. Run the CAT cable to a TP-Link WA10 WiFi router to enable WiFi (and a local firewall) but also his LAN-enabled gamer computer. All CAT5 segments are Gigabit and all WiFi segments are 5G (800+ Mbps).

I named his WiFi SSID: Asgard :mrgreen:

Oh, and he potentially got VPN access to my home LAN (SMB) like if he was here in the house. 8)

Cost: about 140 USD.

mattg
Moderator
Posts: 22101
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ARP Spoofing

Post by mattg » 2022-09-21 08:00

Well here is my tale of woe...

For one of the more than a dozen websites that I host on my LAN, I had lowered security for a graphic artist to update some of the singular web page. Just a small lowering of security: I allowed the graphic artist's IP address to access the WordPress admin.

This may not be related to that, but then it may also be ...

This website was attacked with an XML-RPC attack, and was seemingly compromised.
The attacker removed all WordPress security plugins for ALL hosted WordPress websites, added a command line plugin (remote access to the shell), and uploaded a heap of stuff including some trojans, and more, but only to the WordPress sites it would seem.

All easily fixed by restoring a backup, and closing the XML-RPC attack window. Restored all sites, even the non-WordPress ones.
I have an Ubuntu server running Nginx as my webserver.

Looking around my system, I noticed on my Windows 10 Professional machine used solely for hMailServer an installed product called 'Remote Utilities Server' or 'RU Server'. The log files for this product were empty, and I uninstalled it and blocked the port detailed in the Registry. I've had some unhelpful discussion with their support forum, but no-one has any ideas other than what I've checked and found.

I've been sniffing around my network internally, looking for holes to fill, and finding a few, like a non-standard port forwarding for Windows RDP that has been targeted by a dictionary attack today.

If anyone has some ideas of things for me to check, please let me know.

johang
Senior user
Posts: 888
Joined: 2008-09-01 09:20

Re: ARP Spoofing

Post by johang » 2022-09-21 11:18

mattg wrote:
2022-09-21 08:00
Well here is my tale of woe...

For one of the more than a dozen websites that I host on my LAN, I had lowered security for a graphic artist to update some of the singular web page. Just a small lowering of security: I allowed the graphic artist's IP address to access the WordPress admin.

This may not be related to that, but then it may also be ...

This website was attacked with an XML-RPC attack, and was seemingly compromised.
The attacker removed all WordPress security plugins for ALL hosted WordPress websites, added a command line plugin (remote access to the shell), and uploaded a heap of stuff including some trojans, and more, but only to the WordPress sites it would seem.

All easily fixed by restoring a backup, and closing the XML-RPC attack window. Restored all sites, even the non-WordPress ones.
I have an Ubuntu server running Nginx as my webserver.

Looking around my system, I noticed on my Windows 10 Professional machine used solely for hMailServer an installed product called 'Remote Utilities Server' or 'RU Server'. The log files for this product were empty, and I uninstalled it and blocked the port detailed in the Registry. I've had some unhelpful discussion with their support forum, but no-one has any ideas other than what I've checked and found.

I've been sniffing around my network internally, looking for holes to fill, and finding a few, like a non-standard port forwarding for Windows RDP that has been targeted by a dictionary attack today.

If anyone has some ideas of things for me to check, please let me know.

uuhhhhhhhhh BUMMER

Depending on the level of what you are facing .. (yes, I have had RDP accessed by the common world through the firewall ...) I would not rule out the possibility of being root-kitted .. have your Win10 or other machines restarted without you making them... ?
Block all unknown traffic out through the firewall (not just ports). Then again .. if you are targeted by a dictionary attack, they have not gained "root" access to that computer..

Worst case .. plan a reinstall of server/s (my sympathies :( )

SorenR
Senior user
Posts: 5591
Joined: 2006-08-21 15:38
Location: Denmark

Re: ARP Spoofing

Post by SorenR » 2022-09-21 15:09

I have run 2FA (Google) on my WordPress since 2015 ... I usually check in on it every 2 or 3 months. Apache on Synology NAS with some work done to the .htaccess file ;-)

Just went ahead with the additional (just-in-case):

Code:

# .htaccess
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
and

Code:

vim wp-config.php
define('DISABLE_WP_CRON', true);
Going through my logs (last cleaned in April) I see every request for xmlrpc.php results in a 301 8)
I only have a few plugins installed in my WordPress 1.5.4, yes old version but my NAS can't run PHP 7.
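A log check for what SorenR verifies above (that every xmlrpc.php request is answered by the block, a 301 in his case, and none reaches WordPress), added here as an example and not taken from the thread. The access-log lines are constructed in the combined format that Apache and Nginx write by default; `audit_xmlrpc` is an assumed name.

```python
import re
from collections import Counter

# Constructed sample access log in "combined" format.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [21/Sep/2022:07:55:01 +0000] "POST /xmlrpc.php HTTP/1.1" 301 178 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Sep/2022:07:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 301 178 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Sep/2022:08:01:13 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Sep/2022:08:03:44 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "curl/7.68.0"
198.51.100.9 - - [21/Sep/2022:08:03:45 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

# client ip, two ignored fields, [timestamp], "METHOD path PROTO", status
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def xmlrpc_requests(log_text):
    """Yield (ip, method, status) for every request whose path is xmlrpc.php."""
    for line in log_text.splitlines():
        m = _LOG.match(line)
        if not m:
            continue  # malformed or differently formatted line
        path = m.group("path").split("?", 1)[0]  # strip query string, e.g. ?rsd
        if path.endswith("/xmlrpc.php"):
            yield m.group("ip"), m.group("method"), int(m.group("status"))


def audit_xmlrpc(log_text):
    """Count xmlrpc.php hits per status code and list the client IPs that got a
    2xx answer, i.e. reached the endpoint despite the block being in place."""
    by_status, reached = Counter(), Counter()
    for ip, _method, status in xmlrpc_requests(log_text):
        by_status[status] += 1
        if 200 <= status < 300:
            reached[ip] += 1
    return {"by_status": dict(by_status), "reached": dict(reached)}


if __name__ == "__main__":
    print(audit_xmlrpc(SAMPLE_ACCESS_LOG))
```

An empty `reached` is the result to expect after the .htaccess rule above; anything else means a request path the rule did not cover.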
