How to secure my home network and computers?

For discussions about security.
Teh Agnostic Anarco
Posts: 34
Joined: Wed 17 Sep 2014, 21:27

How to secure my home network and computers?

#1 Post by Teh Agnostic Anarco »

Long story short, I've been attacked for years, even suspected hardware infections, and had to change all home computers two or three times. Now I suspect it's happening again, even with lin installed. Whoever is doing this is not some script kiddie looking for CC or SS info. They are toying with me; yesterday a typical attack happened where they open 10000000 browser windows in 2 sec, despite my hours-long work trying to harden the router and OS. They are getting through like swiss cheese and I really have no clue what's going on. I suspect hardware infection again, don't know what part; I did have secure boot off for a while with a few distro installs so I don't know, but it can be any piece of hardware.

I'm tired of this crap and fed up. All I can do is run Puppy live; I'm afraid to install anything on a HDD, whether it be lin or winbloze.

I traced some of the DST= destination IPs in the router log and most seem to be coming from west coast US, supposedly amazon and google servers or godaddy. I suspect they are either fake or botnets, I don't know.

I found a script yesterday on duckduckgo for iptables on the router and it worked for about a min, was dropping connections instead of accepting, but after that they must have changed vector and the log says they were ACCEPT again. I then tried to trace the new IPs; all of them were unknown or private..... Security is not my expertise, I'm pretty green at it and learning now, neither is linux, I'm just a hardware guy. So I need real lin gurus here to help me out.

Of course if I have a hardware rootkit it won't matter how hard I harden iptables, but I need to try.

I'll PM you the log if anyone wants to help.

gcmartin

Use RouterMaker as a tool to control LAN/WAN access

#2 Post by gcmartin »

You may want to entertain the idea of using this. Contact its author and follow his instructions. You will merely need to set up invasion reporting.

Only needs a manner of event capture (i.e. syslog) and reporting.

Could be a creation that many in this community would find of great use.

May be an enormous benefit to you.

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#3 Post by 8-bit »

If you have not done so, I would suggest changing your router's settings to not allow remote access, and also using a well thought out password for accessing the router/modem.
A lot of routers/modems have a default password, and if you do not change it, anyone can access it and change the settings to suit themselves.

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#4 Post by Barkin »

Shields-up is a legitimate website you can use to test the security of your network ... http://en.wikipedia.org/wiki/Shieldsup

Mr. Hughes
Posts: 31
Joined: Tue 23 Sep 2014, 20:12
Location: Washington State

#5 Post by Mr. Hughes »

Have you tried using a different router? It's possible that the router's been infected; I've had that happen once before. It drove me nuts until I figured out it was my router and not my computer.

darry1966

#6 Post by darry1966 »

Very true 8-bit, I have seen so many people not bother to change the router password or change from open WEP.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#7 Post by mikeb »

Teh Agnostic Anarco wrote:where they open in 2 sec 10000000 browser windows happened,
It may be assumed that you are running Puppy when this happens, but is it actually the case that this is happening on Windows/IE?

mike

Teh Agnostic Anarco
Posts: 34
Joined: Wed 17 Sep 2014, 21:27

#8 Post by Teh Agnostic Anarco »

First things first, WHO changed the title of this thread? I sure didn't; originally the title said I needed help with IP tables. Why was it changed? If it was done by an admin from here for some reason, ok. Unless it's my attackers doing this........


gcmartin wrote:You may want to entertain the idea of using this. Contact its author and follow his instructions. You will merely need to set up invasion reporting.

Only needs a manner of event capture (i.e. syslog) and reporting.

Could be a creation that many in this community would find of great use.

May be an enormous benefit to you.
Huh? The router is running Tomato firmware, man. Do I need that? Nor do I really understand what it really does. I'm not as much of a n00b as you guys think. I hardened this router the best I could; I will explain what I did below.
8-bit wrote:If you have not done so, I would suggest changing your router's settings to not allow remote access, and also using a well thought out password for accessing the router/modem.
A lot of routers/modems have a default password, and if you do not change it, anyone can access it and change the settings to suit themselves.
Like I said I'm not a total n00b, I know enough despite not being 1337. Like I said I'm running Tomato, always spend at least 30 min configuring a new Tomato flash OFFLINE with the modem disconnected before going back online.

As for remote access, yes, I disable telnet and SSH totally. Password? Not only do I change that, but I can put a passphrase and also change the username from the default with this firmware. These firmwares are lin based, period. Despite everything I do, from what you said, to changing MAC WAN port addresses almost every day to switch public IPs to try and evade them, disallowing any form of remote access period, etc... trust me, I hardened the router the best I could; they are still getting through like swiss cheese, which is why I suspect something is infected. Could be anything, which is why the best security in the world won't matter; any rootkit that resides in firmware is very hard to detect and loads before any OS's kernel loads during the boot sequence. First thing they do is "phone home", which in turn reveals whatever you changed and you are now targeted again. It's a never ending cycle.
Barkin wrote:Shields-up is a legitimate website you can use to test the security of your network ...
Already known about Shields Up; according to them my UPnP probe is all good. Doesn't matter anyway, I have UPnP off in the first place because I know having it on is a security risk, also have NAT off.


Mr. Hughes wrote:Have you tried using a different router? It's possible that the router's been infected; I've had that happen once before. It drove me nuts until I figured out it was my router and not my computer.
Different router? I have bought 2 new routers since this has happened over the years; it keeps on happening no matter what I do. Even changed computers. The ONLY things I didn't change were monitors; the forensics expert I talked to told me don't worry about the monitor since DVI connections will not be able to reinfect anything they are connected to unless they are touch screens with USB. Thing is I kept one thing, our printer we use for the work side we do,.... And that uses USB..... Maybe that was infected all along. But as far as every other piece of hardware you can think of, everything was new.
darry1966 wrote:have seen so many people not bother to change router password and change from open WEP.
Actually the wifi radio is OFF, period, after the 2nd time this happened and I got all new hardware and decided never to use pos shit wifi ever again. And I'll tell you why. The attacks before were coming in from both cable and wifi, someone in my neighborhood is involved, and no I didn't use WEP which can be cracked in 2 min. Was using WPA2 AES, which according to "geniuses" can not be cracked, well that's horse shit, a white hat forensics expert I talked to said ANYTHING can be cracked as long as enough packets are sniffed and captured. And that's exactly what happened; proof of this was that at night time, I would notice when the wifi work computer was turned off the wireless LED indicator on the router would still flash, which indicates activity..... Obviously they spoofed the MAC of my wifi rig client and were getting in, and they wreaked havoc on my personal ethernet rig through that; what I'm about to tell you is unbelievable. Was running winbloze at the time, was gaming a lot with 2 HDDs, one SSD and another regular one for storage. Was noticing weird issues with windows again, same symptoms as before, any game crashing with the same exception code, IE crashing as well as AV, ALL CRASHES with the same exception which was in the cx000005 range, which according to many is bad RAM? Horse shit, I am a hardware tech and know when RAM is bad, left memtest+ running for 24 hours, not one single error with memtest offline. I then read on stackexchange that that code is caused by a buffer overflow from illegal memory access. Typical signs of malware.....

At the time I was not very diligent, I thought everything was alright and it was just some baby virus, so I loaded parted magic, which as you all know is similar to Puppy and runs in RAM, but you can wipe the HDD internally to really get rid of any nasty malware that would even survive a format.

Well upon doing so I happened to open parted magic's file manager to see if I could see anything weird on the drives. AND WHAT DID I FIND?

On my secondary storage drive, I found FOUR partitions I never created that windows never saw; as far as I'm concerned I made one NTFS partition for that drive in windows, period, and parted magic found sdb1, sdb2, sdb3 and sdb4?!?!?!?!? I totally freaked out, tried to open them to see what the hell was on them and got an error and could not mount them..... Obviously they "planted" something. Which is why I'm telling you all these are not a bunch of kiddies or low lifes looking for my info or to steal from me, they are trying the opposite, not to take but to "give" me something, or as they say in slang "plant" something on me. And the rabbit hole goes deep with what happened to me outside the cyber world during this period. I can not reveal it, but what I can tell you is that "conspiracies" are real, but NOT the ones you see with 1 google search or let alone any well known so called conspiracy site.... all I can tell you is that 99% of these sites are run by the conspirators themselves. St. John the Baptist and Elijah his previous incarnation predicted all this, tricking the world with lies and deceptions to hide the ultimate truth before armageddon, and no I'm no religious nut, just look at my name, I'm an agnostic. I know for a fact this is being done to me by some sort of agency, I can't reveal much for personal reasons but I'm lucky to still be alive and what may happen in the future is beyond me. Who is behind this I'm not even exactly sure.


mikeb wrote:it may be assumed that you are running puppy when this happens but is it actually the case that this is happening on windows/IE?

mike
Actually mike, the first time I ever saw this kind of attack was when I was living in another country on a windows machine; the network was also being attacked by unknown forces, well I have my suspicions but not sure.... I had changed ISPs and to fiber optics, my ISP notified me at first that their modem had router mode disabled and I had to call them to activate it. At the time I did not know much about security, but I remember doing a fresh install of windows and as soon as it went online the attack happened. I then called the ISP and they let me know I needed router mode to have the firewall enabled.... I said ohh great, thanks for letting me know that now after this..... Long story, what happened to me over there during this period I would rather not say....

As for what distro I was running when this happened currently, nope not Puppy, in fact Puppy is the only thing I really can "trust" right now. The distro I was running happened to be installed to a HDD, was Mint, and this was after hours of hardening router and OS. As soon as I went online, installed all browser plugins for security INCLUDING NoScript, I simply went to my favorite news sites to just test viewing them and was not happy with performance, was losing too many frames. So I closed firefox and started looking for a blank DVD to burn another distro. And when I did this, not touching mouse or keyboard, all of a sudden it happened, a million firefox windows opened....... I was appalled, this was the smoking gun, they are obviously "toying" with me.

I then tried SUSE which I thought was great, but as soon as I went online, even with AppArmor ON and configured, the weirdest thing ever was happening: every 3 min my monitor would go blank as if it were going into sleep mode and then would come back on; finally it got to a point where I couldn't see the mouse cursor when it went back on and couldn't click on anything. Again I gave up.

The only distros where nothing weird seems to happen are those that do not install to a HDD, which are this Puppy and parted magic. But like I said I'm not even worried about the computer anymore. I'm worried about the router, which is the first link in the chain, and as I type this, the WAN activity light just blinks constantly, they are hammering away. I don't know what to do. I called my ISP yesterday, had to talk to a supervisor, he didn't know much, but they were busy and at first basically he told me that my security is not their responsibility, that all they do is provide me access. I got a little annoyed and started arguing with this person. I then opened the router log and called him back and was negotiating to just please tell me if so and so is the MAC of your company's modem, I need to identify this. Curiously, the repeated MAC that keeps showing up in the log at first he claimed he did not recognize. Then he's telling me it's related to a node on their network? Funny part is the router lists that MAC as the only other connected device on vlan2.... when in the past, if I'm not mistaken, the only other MAC listed should be one of the 3 MACs of the modem itself, not something "outside" the modem. He repeated to me yes you are probably infected but it's on your end; I said no, I suspect your modem or your equipment is being used as a vector. He claimed to me that no, they flash my modem firmware every day, and then lied and changed his story to that the firmware is flashed once a month, after he specifically told me to look in the log for IPs the ISP uses to flash your firmware. I then said to them, excuse me but hardware is my profession; when hardware is flashed it needs to be REBOOTED, how are you going to tell me you flash the modem every day? I don't see it rebooting every day..... That's when he then changed his story. He was insisting he highly doubts anything on the ISP's network is being used to attack.
I told him don't be naive, just cause your stuff is proprietary means nothing, in fact it's easier to hack than anything open source. I even told him I was using OpenDNS for example and he told me yeah but you're still routed through our own DNS servers.

I'm totally fed up with this, I don't even trust them. I suspect they are in on this, the rabbit hole goes deep, and I'm not sure "who" is doing this, but I don't think it's a bunch of kiddies or anyone looking to steal like I said, the complete opposite, they are trying to "plant" or use my router as an attack vector for something else. I told this to him and was furious this time and said if they come up to you saying I did so and so and I get in trouble when in reality I'm innocent, you will be able to prove I did nothing wrong considering you log all traffic that comes in and out of this network, correct? At first he said NO. I then said ohh yeah? There are many more factors than just an IP address that can identify someone and I think you know that... He then said ohh well yes, if we were to get a subpoena and in court we should be able to prove your innocence.

Like I said I don't trust them, I'm tired of this crap. They probably suspect me cause they see me change IP at least once a day with my own spoofed MACs, idiots; in fact he even asked me what's the real MAC on my ethernet card.......

gcmartin

#9 Post by gcmartin »

As you share, you have been invaded over the course of a large number of months. And, you have tried to resolve this by changing equipment on occasion. Further, you have mentioned that you have taken good steps in using the router menus to close off ports and manage passwords, to no avail.

It seems, based upon the concerns that you raise, that you feel the invaders are using your internal resources for their benefit at your expense.

3 questions that may help us help you
  • Have you any logs that you have reviewed which give any indication of what the threat is?
  • Have you had any firsthand accounts of anyone taking over your mouse/keyboard to make their presence known?
  • Have you considered a local networking professional to help you set traps which provide conclusive evidence of the threat?

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#10 Post by Flash »

Teh Agnostic Anarco wrote:First things first, WHO changed the title of this thread? I sure didn't; originally the title said I needed help with IP tables. Why was it changed? If it was done by an admin from here for some reason, ok. Unless it's my attackers doing this.....
It was I who changed the title of the thread. The original title seemed much too narrow. The discussion quickly indicated that your problem seemed to be about much more than IP tables. :)

Smithy
Posts: 1151
Joined: Mon 12 Dec 2011, 11:17

#11 Post by Smithy »

Yes don't sweat it.

I used to think I was dyslexically mad, when I'm sure my titles like "Knight takes Bishop, Puppy to King" were replaced with something sensible like "Puppy and UDF writing".

I don't think Flash is on your tail!

Teh Agnostic Anarco
Posts: 34
Joined: Wed 17 Sep 2014, 21:27

#12 Post by Teh Agnostic Anarco »

gcmartin wrote:As you share, you have been invaded over the course of a large number of months. And, you have tried to resolve this by changing equipment on occasion. Further, you have mentioned that you have taken good steps in using the router menus to close off ports and manage passwords, to no avail.

It seems, based upon the concerns that you raise, that you feel the invaders are using your internal resources for their benefit at your expense.

3 questions that may help us help you
  • Have you any logs that you have reviewed which give any indication of what the threat is?
  • Have you had any firsthand accounts of anyone taking over your mouse/keyboard to make their presence known?
  • Have you considered a local networking professional to help you set traps which provide conclusive evidence of the threat?
1) Yes, I do have logs, including HDD images of all previous infections for evidence.
2) As for taking over mouse and keyboard, not directly, but what I have noticed is, like I explained, 5000000 web browser windows opening when I wasn't even touching mouse or keyboard. Also threats in online games by unknown people who seemed to know me and even could listen in through my microphone, explicitly knew what I was offered to eat...
3) Yes, I even considered a local forensics expert but his price was too high for me to contract him. Which is why I'm looking for help online.

GCmartin, would you like to take a look at my logs? I haven't shut the router off since then and it should have every piece of info you need to see. I ran Zenmap on my router to see what ports are open; only two, 80 and 53 I think, which are DNS and HTTP. Most attacks seem to be coming through port 80; as soon as I put in the iptables script I mentioned above the attacks were dropped for about 60 seconds, then later were accepted again, only this time from unknown or private IP ranges. What kind of sorcery is this?!!?!?
Last edited by Teh Agnostic Anarco on Tue 28 Oct 2014, 02:02, edited 1 time in total.
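As an added illustration (not code from this thread, from Tomato, or from anyone in it), here is a small Python script for the kind of log reading the question above is about: it parses iptables-style firewall log lines of the kind Tomato writes to syslog, tallies ACCEPT/DROP verdicts, sorts the source addresses seen on the WAN interface into traceable public ranges and untraceable private ones (RFC 1918, loopback, link-local, CGNAT), and lists the inbound connections the router itself accepted, which is where entries for port 80 and 53 would show up. The sample log lines are constructed for this example using documentation address ranges, and the WAN interface name vlan2 is an assumption to adjust for your own router.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in the iptables LOG format, with the verdict prefix
# ("ACCEPT"/"DROP") that Tomato's firewall logging puts in front of the fields.
# All addresses are documentation or RFC 1918 ranges chosen for this example.
SAMPLE_LOG = """\
Oct 27 22:10:01 router kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 27 22:10:02 router kernel: ACCEPT IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 27 22:10:03 router kernel: ACCEPT IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.200 DST=198.51.100.20 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=48
Oct 27 22:10:04 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.10 DST=192.0.2.33 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=44321 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 27 22:10:05 router kernel: DROP IN=vlan2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

WAN_IF = "vlan2"  # Tomato's usual WAN interface name; an assumption, check your router

VERDICT_RE = re.compile(r"kernel:\s+(ACCEPT|DROP|REJECT)\b")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Ranges that cannot be traced with whois: RFC 1918, loopback, link-local
# and CGNAT (RFC 6598). Anything else is treated as public here.
UNTRACEABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def classify(addr):
    """Return 'private' for addresses in the untraceable ranges, else 'public'."""
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in UNTRACEABLE_NETS) else "public"


def parse_line(line):
    """Parse one iptables LOG line into a dict; return None for any other line."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "verdict": m.group(1),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dpt": fields.get("DPT", "-"),
    }


def summarize(log_text):
    """Tally verdicts, classify WAN-side sources, and list the new inbound
    connections the router itself accepted (IN=WAN with an empty OUT=)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_verdict = Counter(e["verdict"] for e in events)
    wan_src_classes = Counter()
    inbound_accepts = Counter()
    for e in events:
        if e["in"] != WAN_IF:
            continue  # LAN-originated traffic is not what we are checking here
        wan_src_classes[classify(e["src"])] += 1
        if e["verdict"] == "ACCEPT" and e["out"] == "":
            inbound_accepts[(e["src"], e["proto"], e["dpt"])] += 1
    return {
        "events": len(events),
        "by_verdict": dict(by_verdict),
        "wan_src_classes": dict(wan_src_classes),
        "inbound_accepts": dict(inbound_accepts),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("parsed events:", report["events"])
    print("verdicts:", report["by_verdict"])
    print("WAN-side source classes:", report["wan_src_classes"])
    print("inbound connections accepted by the router (src, proto, dport):")
    for (src, proto, dpt), n in sorted(report["inbound_accepts"].items()):
        print(f"  {src:16} {proto:4} {dpt:>5}  x{n}  [{classify(src)}]")
```

To run it on a real log, call `summarize(open("/path/to/your/log").read())` instead of the sample. An ACCEPT with IN=vlan2 and an empty OUT= means the router accepted a new connection to one of its own listening services, so those entries are the ones to compare against the services you meant to expose on the WAN side; a private source address arriving on the WAN interface cannot be looked up with whois and is usually either ISP-side addressing or a spoofed packet.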

Teh Agnostic Anarco
Posts: 34
Joined: Wed 17 Sep 2014, 21:27

#13 Post by Teh Agnostic Anarco »

Flash wrote:
Teh Agnostic Anarco wrote:First things first, WHO changed tht title of this thread? I sure didnt, originally said I needed help with IP tables in the title. Why was it changed? If it was done by an admin from here from some reason ok. Unless its my attackers doing this.....
It was I who changed the title of the thread. The original title seemed much too narrow. The discussion quickly indicated that your problem seemed to be about much more than IP tables. :)
Thx for letting me know that ;)

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

some thoughts.

#14 Post by purple379 »

I have seen some things that might resemble this. One is at our public library, which I guess comes in through the server and its search engine. Possibly from the network of computers in the library, running Ubuntu. I find it needs Java to run.

I must apologize for using my experiences as a possible solution. But: I once used a "Firefox youtube downloader" addon which came with a gift of opening many pages, on my Apple OS X, Lion. Likewise, it needs Java to run. To get rid of the pest I had to turn off Java in the browser. Change the settings to stop popups. Close all those browser windows. I uninstalled the version of Java that was in the computer, and found something else with Java in its name which I uninstalled. Blew away everything Firefox as well. I downloaded, installed, updated ClamAV. Turn off the internet connection before starting the ClamAV. As I found out later, this turkey is not always classified as malware, as you choose to install it. Some antiviruses do not identify it. ClamAV, not a resident scanner, will. However, running ClamAV and clobbering the thing there is still not enough, as it has created a proxy connection to some site which reinstalls it immediately. In my case I had to change my IP address, as well as turn off the proxy connection. I also had to reset my DNS (at that time, to Google DNS). With some restarts, I reinstalled Java and Firefox, without the downloading addon. All was well.

You might also look at using OpenDNS; they have a lot of info about these kinds of issues, and have a free version for your use. Also I suspect their tech guys are more hardware guys, who likely will talk to you for free about what to do as well.

If you have similar infected computers behind your firewall: I have a friend who has several teenagers, and finally installed his own separate connection so he did not have to chase through all their computers every time he wanted to use his banking website. However, you can verify the fix by using only one computer at a time.

There are also things like TorBrowser, which does not start with Java. Or White Hat Aviator Browser, not sure if there is a Linux version.

BTW. Which search engine do you use for your browsers, as some of them also come with these problems.

Once again, I apologize if none of this is relevant to your problem, seems like you might be at the point to consider the silly reasons this might happen. I can not offer a complete dissertation on hardening a router/computer.

There is also: https://tails.boum.org/ (905 MB iso!)

Teh Agnostic Anarco
Posts: 34
Joined: Wed 17 Sep 2014, 21:27

Re: some thoughts.

#15 Post by Teh Agnostic Anarco »

purple379 wrote:I have seen some things that might resemble this. One is at our public library, which I guess comes in through the server and its search engine. Possibly from the network of computers in the library, running Ubuntu. I find it needs Java to run.

I must apologize for using my experiences as a possible solution. But: I once used a "Firefox youtube downloader" addon which came with a gift of opening many pages, on my Apple OS X, Lion. Likewise, it needs Java to run. To get rid of the pest I had to turn off Java in the browser. Change the settings to stop popups. Close all those browser windows. I uninstalled the version of Java that was in the computer, and found something else with Java in its name which I uninstalled. Blew away everything Firefox as well. I downloaded, installed, updated ClamAV. Turn off the internet connection before starting the ClamAV. As I found out later, this turkey is not always classified as malware, as you choose to install it. Some antiviruses do not identify it. ClamAV, not a resident scanner, will. However, running ClamAV and clobbering the thing there is still not enough, as it has created a proxy connection to some site which reinstalls it immediately. In my case I had to change my IP address, as well as turn off the proxy connection. I also had to reset my DNS (at that time, to Google DNS). With some restarts, I reinstalled Java and Firefox, without the downloading addon. All was well.

You might also look at using OpenDNS; they have a lot of info about these kinds of issues, and have a free version for your use. Also I suspect their tech guys are more hardware guys, who likely will talk to you for free about what to do as well.

If you have similar infected computers behind your firewall: I have a friend who has several teenagers, and finally installed his own separate connection so he did not have to chase through all their computers every time he wanted to use his banking website. However, you can verify the fix by using only one computer at a time.

There are also things like TorBrowser, which does not start with Java. Or White Hat Aviator Browser, not sure if there is a Linux version.

BTW. Which search engine do you use for your browsers, as some of them also come with these problems.

Once again, I apologize if none of this is relevant to your problem, seems like you might be at the point to consider the silly reasons this might happen. I can not offer a complete dissertation on hardening a router/computer.

There is also: https://tails.boum.org/ (905 MB iso!)
Thx but this is pretty irrelevant. As for Tor, I'm afraid you're another that falls for its false sense of security. First of all it's not even meant for security, it's meant for anonymity, and I could really care less about anonymity, I have nothing to hide, I'm not Snowden or Assange with top secret info to pass around. Second, Tor and Tails were created by US naval intelligence and are nothing but a ruse; its exit nodes become unencrypted, where at that point either criminals or worse, western intel agencies, can see whatever you're transmitting. There are workarounds for this but I don't even bother to get into this; like I said I could give two shits about the Tor network. I'm more worried about securing my network from intrusion, not hiding anything.

It's ok, it will all end soon, the Russians are already making the next chess move, Putin said so the other day with his decisive speech, you don't F)*)( with the Russian bear. Billions of dollars of gas trade with the dragon. All this after for years they tried to offer murica an anti terrorist coalition, but no, Mr drug addict bush and idiot obama who ate hamburgers with Medvedev 6 years ago refused. Now they are going to label Russia as the bad guys again? Cold War 2.0? Are they stupid? And the western euros are even MORE stupid. Medvedev is ready to push the button but no, Putin is taking this very humbly as a nice game of chess and we all know they are the best chess players in the world. He turned his back on the west and went to the dragon. And now the west is fucked. Cause the dragon and the bear sit back and watch while these lunatic ISIL fuckers run around creating havoc, who were created by the west in the first place; they just watch. IF Joseph Stalin were alive he would not allow any of this to happen, he would have squashed the neo nazi Ukrainian nationalist revolt in a week and he would finish off the measly 30k troops ISIL has in about a week, and the US says it would take years to finish them? My ass, that's cause they WANT them there. The Russian army numbers almost a million, the Chinese army numbers in the millions and so does NK. What does the US have, a mere 400k? Please, and as for nukes, Russia alone can annihilate all of the US and NATO in hours, they have H bombs. Yet again do not FUCK WITH THE RUSSIAN BEAR. And it's already started, they already hacked the white house, what is next one will ask.

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

Re: some thoughts.

#16 Post by bark_bark_bark »

Teh Agnostic Anarco wrote:First of all its not even meant for security, its meant for anonimity, and I could really care less about anonimity I have nothing to hide Im not Snowden or Assange with top secret info to pass around.
just because you don't have anything to hide, doesn't mean you shouldn't be hiding things.
....

Teh Agnostic Anarco
Posts: 34
Joined: Wed 17 Sep 2014, 21:27

Re: some thoughts.

#17 Post by Teh Agnostic Anarco »

bark_bark_bark wrote:
Teh Agnostic Anarco wrote:First of all its not even meant for security, its meant for anonimity, and I could really care less about anonimity I have nothing to hide Im not Snowden or Assange with top secret info to pass around.
just because you don't have anything to hide, doesn't mean you shouldn't be hiding things.
I don't care, like I said keep on using TAILS, you're just using a US Naval intel tool....
