9/24 port 502 attack

ganutenator (Lifetime Supporting Member; joined May 2002; Kansas; 1,440 posts)
Well, I'm not certain. 4 of our car washes got hit that had port 502 open.
I've heard of others.
Anyone else?
Apparently 0's got written to registers under 300.
Since then I've closed down all the port forwarding.
Currently researching how to allow port forwarding from a specific static IP address, to no avail.
 
Well, your router/firewall should allow you to limit traffic to/from a specific IP, but you should look at setting up a VPN or some other method of connecting to your PLC. In this day and age it is just too much of a risk and a very easy target for hackers to leave PLC devices out on the public internet.

How are you connecting to the PLC? Over the existing internet at the site, or cellular?
 
Why do you have an open port facing the internet with no restrictions? Sounds like Modbus TCP... a recipe for disaster.

As mentioned you should have this behind some sort of router/firewall/VPN.
 
Draytek do cheap ADSL routers that allow you to base port forwarding rules on source IP.

But even that's not very good security, nor very flexible.

You should seriously consider using VPN. Draytek and most other routers other than the telco "standard" ones will give you at least 10 VPN accounts.

You then either use their VPN tool or set up a VPN connection through windows networking.

I do not let a single control device go onto the net unless it is behind a VPN or protocol aware firewall.
 
Every router I've ever used allows at least some kind of whitelist for external IP address connections. Using a VPN is just as basic as insulating your wire connections.

What kind of controller are you using ? What kind of modem connection to the Internet ? What kind of router ?
 
I'd like to reiterate my big whoops. Only 4 sites were affected. No damage done, huge lesson learned.

Most of the routers I was given the password to didn't allow whitelist filtering (or maybe I didn't see it; found it under the packet filtering tab on some. We need to get a static IP address first). Someone said this wasn't safe. I would like to know how?

Schneider M340. Most car wash owners use DSL, some cable, some static, basically all different ISPs and modem/routers.

I never set up a VPN. Would like to educate myself on this. I know there are VPN solutions that I can throw money at, but can't.

My current solution is just to close the port, and move the default port from 502 to a user-defined port only when I need to upgrade and/or troubleshoot.
 
Use a VPN if you need some kind of remote access. Port forwarding is asking for trouble, IP addresses can be spoofed etc. When I say VPN I don't mean one that people use to avoid being caught downloading ****/torrents. You will want a proper VPN, where internet access is controlled and centralised. These need not be expensive, but do need to be set up by someone who knows what they are doing.

I'm mainly in IT, and I have seen this so many times, even in multinationals, where IT is not involved in these things because, territory, budgets, responsibility.

You can do this using about £250/$350'ish of Mikrotik routers and some setup time on the cheap if you have a decent broadband at your main office, and it would work well enough for things like remote PC access and so forth. Better performance can be had by having a decent VPN router in a datacenter where you will have a much higher speed connection, and so can do more with it, like manage everyone's internet access etc, file share between sites at higher speeds and so on.
 
We use TeamViewer for the HMI, but can't install Unity Pro on the customer's computer, so that is where port 502 comes in. Supposedly VPNs put your PC on the same network virtually (that is most of what I know about VPNs), but the customers won't want to spend the extra $350 and they aren't technical enough to even turn it off and back on again.

If I could do some sort of TeamViewer remote dongle thing like Ken did. Hmm...
 
How many of these sites do you have?

Nothing wrong with fixed IPs. In fact if you had one at your office, you could configure the remote site routers to initiate VPN connections to your HQ. Each end would have a unique subnet i.e. site 1 is 192.168.10.x, site 2 is 192.168.11.x etc.

For new systems you can include the VPN router in the cost.

For existing clients, well I don't know how you break it to them but it is definitely a security concern. With port 502 open, anyone with a copy of Unity could get in there and load a rogue program.

Security via obscurity is also not a good approach. There are port scanners available that can figure out what service is on the end of a port by the response it gets back from data sent to said port. Simply changing the port number doesn't protect you from anything other than a specific Modbus war-dialing attack.
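The thread makes three defensive points that fit one worked example: writes of zeros hit registers under 300 (the original incident), a "protocol aware firewall" is what should sit in front of a PLC, and moving Modbus off port 502 hides nothing because the protocol is recognisable from its frame structure. The Python below is an added example, not code from this thread or from Schneider/Unity: it parses the Modbus/TCP MBAP header and PDU, identifies Modbus by structure rather than port, then applies a source-IP allowlist and a read-only policy so that write function codes are blocked. The IP addresses, register addresses and sample frames are constructed for the example.

```python
"""Protocol-aware filtering of Modbus/TCP requests (added example, not code
from the thread).  A Modbus/TCP frame is an MBAP header (transaction id,
protocol id = 0, length, unit id) followed by a PDU whose first byte is the
function code.  The filter identifies Modbus by that structure, not by TCP
port, then applies a source-IP allowlist and a read-only policy.  All sample
frames and addresses below are constructed for this example."""
import struct
from dataclasses import dataclass, field

# Public function codes from the Modbus Application Protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int            # first coil/register addressed
    quantity: int                 # number of coils/registers
    values: list = field(default_factory=list)   # payload of write requests

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; raise ValueError for anything that is not
    a well-formed frame (which is how the filter recognises the protocol)."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol identifier is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in READ_FUNCTIONS or fc in (5, 6):
        if len(pdu) != 5:
            raise ValueError("PDU length wrong for function %d" % fc)
        addr, val = struct.unpack(">HH", pdu[1:5])
        # For reads the second field is a quantity; for single writes, the value.
        if fc in READ_FUNCTIONS:
            return ModbusRequest(tid, unit, fc, addr, val)
        return ModbusRequest(tid, unit, fc, addr, 1, [val])
    if fc in (15, 16):
        if len(pdu) < 6:
            raise ValueError("PDU too short for function %d" % fc)
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        expected = 2 * qty if fc == 16 else (qty + 7) // 8
        if nbytes != expected or len(pdu) != 6 + nbytes:
            raise ValueError("byte count inconsistent with quantity")
        if fc == 16:
            vals = list(struct.unpack(">%dH" % qty, pdu[6:]))
        else:
            vals = list(pdu[6:])
        return ModbusRequest(tid, unit, fc, addr, qty, vals)
    raise ValueError("function code %d not handled by this filter" % fc)


def filter_request(src_ip: str, frame: bytes, allowed_ips: set,
                   read_only: bool = True) -> tuple:
    """Return ("allow" | "deny", reason) for a request arriving from src_ip."""
    if src_ip not in allowed_ips:
        return ("deny", "source %s not in allowlist" % src_ip)
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("deny", "not a valid Modbus/TCP request: %s" % exc)
    if req.is_write:
        what = "%s at %d..%d" % (WRITE_FUNCTIONS[req.function_code],
                                 req.start_address,
                                 req.start_address + req.quantity - 1)
        if req.values and not any(req.values):
            what += " (all-zero payload)"     # the pattern seen in the thread
        if read_only:
            return ("deny", "write blocked: " + what)
        return ("allow", what)
    return ("allow", "%s at %d (x%d)" % (READ_FUNCTIONS[req.function_code],
                                         req.start_address, req.quantity))


def build_request(tid: int, unit: int, pdu: bytes) -> bytes:
    """Helper to construct sample frames: MBAP length covers unit id + PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed samples: an allowed engineering workstation and an unknown host.
ALLOWED = {"203.0.113.10"}
READ_10_REGS = build_request(1, 1, bytes([3]) + struct.pack(">HH", 0, 10))
ZERO_FILL = build_request(2, 1, bytes([16]) + struct.pack(">HHB", 100, 4, 8) + bytes(8))
NOT_MODBUS = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for ip, frame in [("203.0.113.10", READ_10_REGS), ("198.51.100.7", ZERO_FILL),
                      ("203.0.113.10", ZERO_FILL), ("203.0.113.10", NOT_MODBUS)]:
        print(ip, filter_request(ip, frame, ALLOWED))
```

Note that `filter_request` never looks at a port number: the same logic applies whether the PLC listens on 502 or a "user defined" port, which is the practical meaning of the obscurity point above. In a real deployment this logic belongs in a VPN concentrator or industrial firewall in front of the PLC, and the allowlist should be the only path from the public side at all.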
 
Just to clarify for you ganutenator, the figure I quoted above was for 4 client sites and an office/HQ type deal. The cost per client would only be about $40/$50 for a router, plus whatever you are charging on top. Peanuts really, and it would not only provide better security but also better access for your support services. I would argue that it is not something that should be optional even; it should be mandatory.
 
This forum needs like buttons. Why can't it work like FB?
 
Take a look at some VPN switches and what they offer. I know this is an older post but I just had to mention them. I used them for a number of years to get dedicated VPN connections to customers' PLC/HMI systems and they are not that expensive. They are easy to set up and the response time is really quick.

I have used the eWON switches in the past as well as Spectrum switches. They both would do what you need.

Just something to think about.
 