Exploits and other threats

I run my NS8 server at home behind a UniFi gateway. This has documented a series of intrusion attempts.

IPS Alert 1: Attempted Administrator Privilege Gain. Signature ET SCAN Mirai Variant User-Agent (Inbound). From: 122.97.212.133:5158, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: Web Application Attack. Signature ET SCAN JAWS Webserver Unauthenticated Shell Command Execution. From: 58.146.59.84:47946, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: Attempted Administrator Privilege Gain. Signature ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution. From: 117.194.24.98:53519, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: Potentially Bad Traffic. Signature ET WEB_SERVER WebShell Generic - wget http - POST. From: 130.61.176.83:39018, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: A Network Trojan was detected. Signature ET SCAN Internal Dummy Connection User-Agent Inbound. From: 188.166.230.249:54081, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: Attempted Administrator Privilege Gain. Signature ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution. From: 27.121.83.92:33282, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: A Network Trojan was detected. Signature ET WEB_SERVER PHP.//Input in HTTP POST. From: 87.121.84.209:56738, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: Web Application Attack. Signature ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016). From: 185.36.81.82:46674, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: Web Application Attack. Signature ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016). From: 185.36.81.82:43728, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: Web Application Attack. Signature ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit. From: 87.121.84.209:51260, to: 192.168.3.21:80, protocol: TCP

IPS Alert 1: A Network Trojan was detected. Signature ET SCAN Internal Dummy Connection User-Agent Inbound. From: 68.183.236.23:50797, to: 192.168.3.21:80, protocol: TCP

Now I have a number of other NS8 servers directly connected to the internet, i.e. without intrusion prevention.

Is a pure NS8-Server actually protected against such attempts?
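As an added example (not part of the original post, and not NS8 or UniFi code), here is a small parser that reads the UniFi IPS alert lines pasted above and produces a triage summary: which source IPs repeat, which signatures repeat, which CVE ids the signatures reference, and which alerts are probes for products an NS8 host does not run at all. The alert format is taken from the lines in the post; the keyword table used to mark "product-specific probe" signatures is an assumption made for illustration.

```python
"""Parse UniFi IPS alert lines and triage them.

Added example for the thread above; not part of NS8, UniFi or CrowdSec.
The line layout is taken from the alerts pasted in the post. The keyword
table used for triage (PRODUCT_PROBE_KEYWORDS) is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One alert per line, exactly as UniFi printed it in the post above.
ALERT_RE = re.compile(
    r"IPS Alert \d+: (?P<category>.+?)\. "
    r"Signature (?P<signature>.+?)\. "
    r"From: (?P<src_ip>[\d.]+):(?P<src_port>\d+), "
    r"to: (?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"protocol: (?P<proto>\w+)"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Assumption: signatures naming these products/botnets are mass scans for
# devices an NS8 host does not run; they are noise unless the host answers.
PRODUCT_PROBE_KEYWORDS = ("D-Link", "MVPower", "JAWS", "Mirai")


@dataclass(frozen=True)
class Alert:
    category: str
    signature: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    @property
    def cves(self):
        """CVE ids mentioned in the signature name, if any."""
        return tuple(CVE_RE.findall(self.signature))

    @property
    def kind(self):
        """Coarse triage bucket based on the signature name."""
        if any(k in self.signature for k in PRODUCT_PROBE_KEYWORDS):
            return "product-specific probe"
        return "generic web attack"


def parse_alert(line):
    """Return an Alert for a UniFi IPS line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Alert(g["category"], g["signature"], g["src_ip"], int(g["src_port"]),
                 g["dst_ip"], int(g["dst_port"]), g["proto"])


def parse_alerts(text):
    """Parse every matching line of a pasted alert dump."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]


def summarize(alerts):
    """Counts a practitioner wants before deciding whether to care."""
    return {
        "total": len(alerts),
        "by_source": Counter(a.src_ip for a in alerts),
        "by_signature": Counter(a.signature for a in alerts),
        "by_kind": Counter(a.kind for a in alerts),
        "cves": sorted({c for a in alerts for c in a.cves}),
        "dst_ports": sorted({a.dst_port for a in alerts}),
    }


# Sample input: the eleven alert lines from the post above, verbatim.
SAMPLE = """\
IPS Alert 1: Attempted Administrator Privilege Gain. Signature ET SCAN Mirai Variant User-Agent (Inbound). From: 122.97.212.133:5158, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: Web Application Attack. Signature ET SCAN JAWS Webserver Unauthenticated Shell Command Execution. From: 58.146.59.84:47946, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: Attempted Administrator Privilege Gain. Signature ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution. From: 117.194.24.98:53519, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: Potentially Bad Traffic. Signature ET WEB_SERVER WebShell Generic - wget http - POST. From: 130.61.176.83:39018, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: A Network Trojan was detected. Signature ET SCAN Internal Dummy Connection User-Agent Inbound. From: 188.166.230.249:54081, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: Attempted Administrator Privilege Gain. Signature ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution. From: 27.121.83.92:33282, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: A Network Trojan was detected. Signature ET WEB_SERVER PHP.//Input in HTTP POST. From: 87.121.84.209:56738, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: Web Application Attack. Signature ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016). From: 185.36.81.82:46674, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: Web Application Attack. Signature ET WEB_SPECIFIC_APPS MVPower CCTV DVR /shell JAWS Webserver Unauthenticated Remote Command Execution (CVE-2016-20016). From: 185.36.81.82:43728, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: Web Application Attack. Signature ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit. From: 87.121.84.209:51260, to: 192.168.3.21:80, protocol: TCP
IPS Alert 1: A Network Trojan was detected. Signature ET SCAN Internal Dummy Connection User-Agent Inbound. From: 68.183.236.23:50797, to: 192.168.3.21:80, protocol: TCP
"""

if __name__ == "__main__":
    report = summarize(parse_alerts(SAMPLE))
    print(f"{report['total']} alerts, all to ports {report['dst_ports']}")
    print("repeat sources:", {ip: n for ip, n in report["by_source"].items() if n > 1})
    print("by kind:", dict(report["by_kind"]))
    print("CVEs referenced:", report["cves"])
```

Run against the eleven lines in the post, the summary shows every hit aimed at port 80, only two repeat source IPs, and the majority of signatures being scans for D-Link, MVPower/JAWS and Mirai-infected gear rather than anything specific to the software on the target. That is the question worth asking about each alert before deciding whether an IPS in front of the host would have changed the outcome: does the host actually expose the thing being probed?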

Only if you’ve installed the Crowdsec modules and insofar as any Crowdsec rules are triggered by those connections.

I’m not sure if an IPS is really needed on a VPS. It’s good on a gateway to protect a whole network IMO. A blocking IPS combined with false positives leads to issues so it needs a good setup as we know from NS7.
I didn’t check all listed exploits but some are older (not working anymore on updated systems) and others are about specific apps or devices like D-Link or CCTV.

But CrowdSec seems to support Suricata, see also https://app.crowdsec.net/hub/author/crowdsecurity/collections/suricata
There’s a Suricata project that has instructions for Podman: GitHub - jasonish/docker-suricata: A Suricata Docker image.
So it could be possible to implement an IPS in NS8…

See also NethSecurity project milestone 8.4 - #7 by mrmarkuz about the difference between snort/suricata and crowdsec.


May I strongly suggest using a properly configured hardware firewall? Exposing a, whatever you want to call it, NS8 machine with an email solution or fileserver shares to the internet is IMVHO more than unprofessional. I’d say it’s negligent.


…and setting up a mail server and not exposing it to the Internet is just silly.

@danb35
Not quite sure I understand what you are talking about. I stated that a firewall is essential (in front of a server) in case you are exposing anything to the world wide web, even if (only) port 25 is talking to port 25. But - what’s your point? I don’t get it.

Of course a mail server without communication to other mail servers is silly. AFAIK all mail servers are protected in some way - usually at first with a firewall. Did I miss something?

@capote
I’d suggest pfsense or opnsense. As a hardware firewall. Read their forums. You’ll find anything you need to protect NS8. Personally I use OPNsense.

@danb35
What’s your suggestion for the question of the OP?

You have claimed that putting NS8 on the public Internet, without putting it behind a separate firewall[1], is “more than unprofessional. I’d say it’s negligent.” I believe you’re mistaken; I believe NS8 is adequately designed and hardened to be directly exposed to the public Internet.


  1. In one post you say a “hardware firewall”; in this one you mention pfSense and OPNsense, which are of course software.

O.k. Got it.

So - your suggestion to the OP is - do nothing. OP doesn’t have to care about anything. OP is totally safe. Nethesis protects you against any threat by design of NS8. All NS8 installations/applications are safe. No firewall needed.

Right?

IDK. For me, that’ll be something totally new in over 40 years IT.

Of course, that’s exactly what I said. /sarc

What I did say, and repeat, is that I understand NS8 (like NS7) to be adequately designed and hardened to be exposed to the public Internet. If you have reason to believe to the contrary, I (and I’m sure the others on this thread) would like to hear it. Otherwise, I’d appreciate if you’d cut the snark.

Really? In “over 40 years IT,” you’ve never encountered a server that’s designed to live on the public Internet? Because NS7 was. NS6 was. Every version of SME server (its ancestor) and e-smith Server & Gateway (its ancestor) was. Obviously all of them (and NS8) incorporate(d) firewalls to prevent outside access to services that shouldn’t be accessed. None of them have ever, in the 25-year span I’ve been using them, recommended, much less required, that they be placed behind a separate firewall.

Good that you understood. Really and honestly, I don’t have the time to explain why a separate machine always should take the first hits. No matter what hits. Cut.

Never had, still don’t have, and will never have a server without a hardware firewall. My point of view. You may help the OP while telling him there’s no need for a firewall. Good for me, I can live with that. Not my problem.

End.

Little personal - don’t you think?

Besides, the question is: what is NethSecurity good for? (Hopefully on a separate hardware machine with at least two NICs.)

My server is hosted by a hosting provider. It isn’t possible to install a firewall. If I could have a gigabit internet connection, I would operate the server from home, behind a firewall.
Currently, I have to trust that the architecture of NS8 is robust enough to run it without a dedicated firewall. That was basically the core of my initial question.


No, I really don’t. I simply don’t believe that in any time working professionally in IT, much less 40 years, that you’ve never encountered server software that was designed to live on the public Internet–because somehow I have encountered such software (quite a bit of it, actually, and gave several examples) without ever having worked professionally in that field. And in fact you undercut your own argument when you recommend software like pfSense or OPNsense to serve as that separate firewall you believe to be necessary–you clearly believe that software to be adequately designed to live on the public Internet.

But you apparently don’t believe NS8 is (sufficiently) so designed, and you’re refusing to say why. And that’s very unfortunate.

Now, as I review the last few posts, I see I (in quoting you) conflated file-sharing and mail services. Those are not the same thing, and SMB (which is what I’m taking you to mean by “fileserver shares”) should never be exposed to the public Internet. You don’t need a separate firewall to accomplish this, of course; you’d accomplish this by not running that service on a system that’s exposed to the public Internet.

It’s a router/firewall. Similar in principle to pfSense and OPNsense, and somewhat similar to what NS7 provided. But I think you know that already.

But I’m wondering if there’s just some confusion as to the use case. I don’t run NS8 on-prem; like Marko I’m running it in a VPS (provided by Contabo, in my case). I did the same with NS7. There isn’t going to be a separate firewall in front of it, whether I want one or not. And because that server isn’t on my LAN, I’m not going to do LAN-y things with it (like SMB file-sharing, which I don’t think I’d ever use NS for in any event).

If I were running NS8 on my LAN, it would be behind a separate firewall–not because I believe it needs one for security purposes, but because I have one public IP and a whole network full of devices that need to use it. I could use NS7 as that firewall/router (and “router” really is the more-relevant function there), but I can’t use NS8 for that (and, like you, I use OPNsense anyway).


I think danb35 is showing incredible patience here, I find it hard to believe someone who claims 40 years in the industry would not understand what all is involved in exposing services to the www.

I wish @Andy_Wismer could comment on this.

I adopted his concept of integrating SMB shares as external storage in NextCloud.

I’m not sure if these are already SMB shares in the sense mentioned above.

For me, they have the significant advantage that files stored in such shares always remain the property of the admin and not the respective user. They are also retained even after a user account is deleted. This is different from when they are stored in individual user folders.


SMB shares shouldn’t be exposed to the public internet, meaning to open the SMB port to the public so clients could directly connect.

When using a samba share in Nextcloud, it’s accessed internally.


@danb35

If you read all my posts you’ll find that I understand myself as a part-time admin in my own companies. We do not make money with IT. I never claimed to be a professional IT guy. All I do and recommend is based on my own experiences with my own IT. Always on hardware, never anything in a cloud. The one and only exception is a company homepage.

Firewall (at least two NICs) and server always (since SME 4.x) on separate hardware. I don’t want to start a flame war about the question of whether a firewall is necessary or not. I have simply always used a hardware firewall (today with OPNsense as OS).

my NS8 questions and reservations
my NS8 reservations

Obviously you don’t like and don’t accept my point of view. That’s o.k. for me.

FYI to my use cases/IT:

On a dedicated hardware firewall box, with more than two NICs, in front of my LAN there are only a few ports opened: 25 (email), 53 (DNS) and 123 (NTP). All DNS and NTP queries in the LAN (even hardcoded ones) are redirected to the firewall. Every needed port in the LAN is configured - any other port is denied.

Access to the LAN is granted with WireGuard or OpenVPN (several countries or hotels block traffic except on port 80 or 443; there are ways to configure a layer-4 proxy to OpenVPN 1194). Traffic from WAN to port 80 or 443 is directed to a reverse proxy with “access denied”. No WLAN active. Smartphone sync only via WireGuard.

On the FW are running Zenarmor, intrusion detection, CrowdSec, and (in Unbound) DNSBL is configured. Certs (Let’s Encrypt, DNS-01 challenge) are handled by the OPNsense and distributed to all machines where they are needed (also correctly with a bash script translated/modified for NS7). The box has enough power to handle all this flawlessly. It has always made sense to me to have this traffic separated from the LAN (a server). Additionally we are running two Pi-holes to restrict access to unwanted connections.

With the EOL of NS7 we separated email to Mailcow. NS7 is still running with AD. Only the services we need are enabled. A database for our ERP is running as a service on the server.

In the LAN we need SMB shares (very and most typical for SME) for very different OS partially very old ones. In the company we are running DOS, WINXP, WIN7, WIN10, WIN11, different APPLE OS, and a few other ones.

We have customers all over the world. Nearly 100% of the communication is data exchange with email. A lot of companies, probably not only German ones, had and have problems with ransomware or other nasty trojans. To date we’ve never been compromised.

Fair enough - I can’t tell whether this could have been also accomplished without a hardware firewall.

As NS8 was released I explicitly asked in this forum about the protection by design from ransomware for SAMBA shares.

For me ransomware still is the biggest threat I can imagine for a business. The result was freezing NS7 and splitting off email. Besides some other considerations not to walk the NS8 path. Still today with a hardware firewall in front of the server, as I have used all these years.

OP was telling:

then:

later:

I agree:

I was talking from my point of view while not knowing what Marko IT design and purpose of use is. Sorry for not asking Marko before posting.

At the time I migrated from SME to NS7 we had several contacts. He took a close look at my use case and confirmed that I don’t need his help. I appreciated his honesty very much.

No comment.

May I ask what considerations led to choosing Mailcow over NS8-Mail?

If it is about Firebird, you might be interested in @steve’s recent efforts:


Sure. As I am not willing to walk the NS8 path, my first step was to separate email from NS7. Mailcow was a coincidence and is as good as any other email server as long as it’s easy to set up and maintain.

Next step will be to migrate NS7 to an LTS Linux distro with AD support and SAMBA shares. Basically classical SME style. Easy to set up and maintain. Shoot and forget. I don’t need more. As NS7 is frozen, I have time to choose carefully. But probably it’ll be Debian or LTS Ubuntu. Still having a look at Koozali…

I read this already. AFAIK not working out of the box. Not willing to invest any time in something which has worked flawlessly since 2008 in a traditional (i.e. NS7, before that SME 7/8/9) Linux server distro. BTW it’s a database for our ERP - tax and legally relevant. Why should I play around?

I still need and want:

“The SME Server is oriented toward small and medium-sized enterprises (SME) and home users. It embrace the KISS principle (keep it simple and stupid) to allow a basic user to administer a server without an IT department.” Wikipedia SME server

You may also remember very old discussions from the beginning of Nethesis.

For NS8, in a link above in this thread, it is stated very early: no more SME. And as I’m still following this forum, I see proof - ONLY FOR ME - of my decision not to migrate to NS8.

This is my very personal point of view out of my needs and use cases - I don’t want to offend anybody. I’m sure it’ll develop in the right direction for people who have exactly the need of NS8.