Cyber Stalking and IpFire

So I just built a fresh install of IpFire on a cartridge SSD of my x86/64 IpFire router after getting hacked last night and 2 other times in the past.

The reason I believe this is because in the first incident, my wife had 2k worth of her cryptocurrency stolen and the company told her it happened from our end. This is the very reason I decided I needed a firewall and chose IpFire FIRST to protect me. But this has been a long-term project because I simply don’t have the time and maybe not even the smarts needed to just put this up and expect to leverage it for perfect security, which probably doesn’t exist anyway.

However, I don’t believe this is a nation state or an organization doing this to me. I do believe this is either a single criminal or a group of criminals doing this to me… So I’ve been looking for help because, quite frankly, I have nowhere near the money to pay for help, so I’m trying my best to do this on my own…

The second incident (when I was using OpenWRT at the time, yes, even harder to learn) was when I went to a Discord Linux group, and the second I spoke up in the group, an endless loop of pop-up windows from Firefox kept appearing, demanding I give it permission to use my microphone and/or camera, and I had to restart everything. Unfortunately, I had to leave my home for 3 weeks that day, leaving my wife on her own, which scared me because I know cyber stalkers can turn into house break-ins, and let’s just say I’m from Florida, but it still scares me nonetheless.

And the third incident, which has brought me to you, was a few days ago on IPfire, and it is compelling me to ask you guys for suggestions today on what I can do with IpFire to help me collect evidence to report this and stop this hacker at the firewall before it becomes serious, as it already has…

What happened is my internet suddenly went out for no reason, and when I looked at the firewall logs, I saw pages of dropped packets from Hong Kong, China, Russia, Ukraine and the Netherlands and realized I had forgotten to turn on the location blocker. So I turned on the location blocker and blocked all these multiple repeating countries, and the logs slowed down significantly until the red line completely dropped and no longer worked long after the incident was over.

So when I took out my trusty Ubuntu USB to test my equipment and prepare the disk for a new install of IpFire, I noticed from the disk utility and GParted that there were 3 partitions on the disk, one of which I think was a hidden partition, because when I went to erase the entire thing, Linux kept telling me no, it wouldn’t erase the partition, but it eventually did it, and now things are working great (as there were strange slowdowns before this incident) on this new install, for now. So here’s why I’m telling you all this:

I’m not a computer science expert, nor do I have a degree of any kind in technology, but I now realize I have a serious need to collect evidence and report this to the FBI, so I need your help. I’ve read ALL the documentation for IpFire as best as I could, but what I need from you guys is suggestions on how I can harden IpFire AND use the reporting system on here to continue to collect evidence, as I already have some evidence of the stalking from Facebook and Telegram, which are apps everyone in my house uses.

I know screenshots and pcap files are admissible as evidence, and I do understand that MAYBE I can ask the local police for help, but only after I report it to the FBI’s website with the proper evidence, and I need your help collecting it if IpFire can do this.

I am trying to build a web server and a DMZ to learn how to build web pages for small businesses. This hacker has caused me to have to set down the back-end coding for 6 months of my life now, and now I’m learning how to build these firewalls as a result. It’s not what I want to do, but this is a serious problem in my life, and it’s already caused a lot of damage to my life, and because it’s not stopping, I feel like I need help and your suggestions on what I can do using this firewall, which could be a game changer for me and perhaps even for the criminal stalking and stealing from me, who simply needs to go to jail for doing this to me and my family.

Since no one has asked this question on these forums, maybe this is a good opportunity to not just help me, but to use my experience to help everyone who decides to use this firewall to protect their SOHO/Home networks so they don’t have to go through what I’m going through. Please help and Thank you if you do!!! All Love…


Hi
I read what happened to you, but the first question I ask myself is: are you sure that your devices are clean and are not, let’s say, infected?
Because if that were the case, there is no firewall that keeps you safe.


I agree with the first response. You can have the best firewall in the world, but if you (or your wife) click a malicious link, are tricked to visit a malicious site, or plug an infected USB drive into your systems, you will still get owned. Firewalls are much less effective when the bad guys already have a foot in the door. Traffic initiating from the inside is much less likely to be blocked than WAN traffic coming in.


I must agree with the answers above.
IPFire is not what you are looking for right now.
First of all, you need to make sure none of the devices are infected.
If you don’t know how to clean up 100%, I would advise you to just reinstall all
from scratch. Turn them all off and reinstall one by one.
And make sure to read up on common behaviour when using the internet, as mentioned above: no clicking weird links, downloading files from unknown, unreliable sources, etc.
Also make sure your wife or kids also know this.

The default in IPFire is that all incoming ports are closed, which is a must.
Location block I also use, and I’ve just ticked all countries, simply because I don’t
need any ports open. If you do, then open them explicitly when needed.

Good luck!

ps. English is not my native language and I apologize in advance


Those all sound like great ideas… Perhaps I will have to take on the monumental task of removing the malware on the computers as well. I have all Macs in the house, so virus removal has been pretty easy over the years. People have issues with Macs, but the internet has a few good, easy-to-find solutions, since Apple runs closed systems, which in my experience are a lot easier to maintain than Windows, but that’s my opinion. What else I wanted to know is:

How can I use the firewall to monitor the system, to see what’s coming in and out, so to speak, and do you guys have any good suggestions… The FBI’s website said pcap files are admissible on their site as evidence, as are screenshots and other such non-technical evidence, so the screenshots could help a lot if I know where on the firewall to look.

Thanks for your help, guys!

If you have all Macs then it might be a lot easier.
Not many viruses/malware are made for macOS still, so
from that point you are better off than having Windows, for example.

What do you mean by what is coming in and out of the system?
Nothing is coming in that you don’t explicitly allow in the firewall.
As I mentioned earlier, the default setting in IPFire is DROP for incoming traffic.


You may be being paranoid. Seeing lots of dropped packets in your firewall is situation normal. If you turn on Location Blocking without logging then your logging will reduce but the firewall is dropping the same amount of packets, just in a different bit of it.


Hi
I would operate in this way: I would block all outgoing traffic for all devices, then insert rules to authorize traffic to the various sites. From experience, malicious traffic usually travels on port 443 or dedicated ports, but about this I could also be wrong.
It’s a long and demanding job, but at least you realize where your traffic goes and which devices are involved.

Then, perhaps, you want something like pfSense running adam:ONE with DTTS (Don’t talk to strangers) enabled.

TBH, a restrictive outbound policy is very hard to operate when big players such as Google have such massive numbers of IP addresses that they actively use, so any exception you make one day may not work the next. A DNS solution would be better (like adam:ONE), but doing it yourself is tough.

Another DNS solution is the RPZ mechanism of unbound.
There are some implementation attempts, which function. But it isn’t ‘mainstream’ in IPFire at the moment.
The RPZ approach uses external lists. This means the maintenance is ‘outsourced’ to the list maintainer.

Hey guys! Thanks for the responses, you guys are the best, so here’s an update!! So of course I did consider whether indeed I’m being paranoid, until I woke up this morning and, of course, the internet connection dropped for no reason again (after a fresh install, backup restore, etc.), and I was able to get it up again, but an interesting packet came into the system and was dropped, according to the firewall logs, and tell me what you guys think of this…

A TELNET PACKET!!! Port 23, with a nice IP address to go with it, a Verizon Business address! Thanks to your built-in “whois” program, I even have an abuse line I can call, but before I call, what do you guys think?

Of course, I wrote firewall rules absolutely blocking telnet and that particular address, but what else can I do with it? Should I go to the FBI website and send them the evidence? I guess I can call the abuse line provided in the “whois” output?

Or am I reading this wrong?

PS: and an address!!! Ashburn, Va!!!

Telnet (and really many) packets are commonly sprayed around on the internet. I just checked Logs->FW-Logs (Port) on my system and I see 100-200 dropped port 23 packets per day.

When you say “the internet connection dropped for no reason”, you may be assigning more meaning to that event than is reasonable. Internet connections drop for all kinds of reasons. Poor wiring, ISP maintenance, failing modem, failing NIC on computer, buggy NIC driver, etc.
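A small parser to make that judgement from the log itself rather than by eye, added here as an example and not code from the thread or from IPFire: it assumes IPFire’s kernel log uses the iptables LOG field layout with DROP_* prefixes, and the sample lines are constructed with documentation addresses. It separates unsolicited drops on red0 (the background noise described above) from drops of traffic that a LAN device itself started, which is the kind worth looking into.

```python
import re
from collections import Counter

# iptables LOG layout as written to the kernel log: "<prefix> IN=... OUT=... SRC=... DPT=..."
LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines (no real hosts); the DROP_* prefixes are assumed, not taken from IPFire.
SAMPLE_LOG = """\
Mar  3 09:12:01 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=243 PROTO=TCP SPT=40211 DPT=23 SYN
Mar  3 09:12:05 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TTL=51 PROTO=TCP SPT=51234 DPT=23 SYN
Mar  3 09:12:40 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=243 PROTO=TCP SPT=40212 DPT=23 SYN
Mar  3 09:13:10 ipfire kernel: DROP_LOCATION IN=red0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 TTL=112 PROTO=TCP SPT=6000 DPT=445 SYN
Mar  3 09:14:00 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TTL=243 PROTO=TCP SPT=40213 DPT=2323 SYN
Mar  3 09:15:22 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=10.0.0.12 DST=192.0.2.80 LEN=60 TTL=63 PROTO=UDP SPT=53211 DPT=53
"""

def parse_line(line):
    """Return (log prefix, {field: value}) for one kernel log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("prefix"), dict(FIELD_RE.findall(m.group("fields")))

def summarize(log_text, wan_if="red0"):
    """Separate unsolicited drops on the WAN interface from drops of traffic a LAN device started."""
    wan_by_dport = Counter()   # "port/proto" -> count: background scanning noise on red0
    wan_by_src = Counter()     # source IP -> count: who is knocking, for whois/abuse lookups
    lan_drops = Counter()      # (src, dst, "port/proto") -> count: internal device blocked going out
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not parsed[0].startswith("DROP"):
            continue
        f = parsed[1]
        service = f"{f.get('DPT', '?')}/{f.get('PROTO', '?')}"
        if f.get("IN") == wan_if:
            wan_by_dport[service] += 1
            wan_by_src[f.get("SRC", "?")] += 1
        else:
            lan_drops[(f.get("SRC", "?"), f.get("DST", "?"), service)] += 1
    return {"wan_by_dport": wan_by_dport, "wan_by_src": wan_by_src, "lan_drops": lan_drops}

def report(summary):
    """Print the three counters; the LAN section is the one to read first."""
    print("Unsolicited drops on WAN by service:", summary["wan_by_dport"].most_common())
    print("Top external sources:", summary["wan_by_src"].most_common(3))
    for (src, dst, service), n in summary["lan_drops"].items():
        print(f"LAN device {src} tried {dst} {service} and was dropped {n}x - check this host")

if __name__ == "__main__":
    report(summarize(SAMPLE_LOG))
```

On a real box, feed it the kernel log lines instead of SAMPLE_LOG; a port 23 count in the hundreds per day on red0 is the noise level the post above describes, while any entry in the LAN section names a device on green0 that deserves a look.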


Once more, my ‘standard’ sentence about packets arriving at the red (WAN!) interface:
You cannot inhibit those packets. You can only drop them.
Another case is packets arriving as part of a connection initiated from the local net(s). These can be inhibited by not allowing connection establishment to these sites (desktop firewalls on the devices, URL filter, location block, DNS configs like RPZ).


Yes, these weird events all seem to be happening on the red0 line… I have the ipfire hardened as best as I can… I’m watching the connections, the outputs of Nmap, etc., the logs, and yes, I do have a very old Cisco, long unsupported switch running the green0 interface that can explain a lot, as it has seemed to start needing some extra work to keep the ports transmitting, and of course, I’m no cyber security person, although I seem to be learning now… I did reset the switch and that seems to have helped, and yes, I do have a tun0 running too… perhaps the switch is letting me know to start saving now, because switches are hella expensive these days to get the equivalent (it was an incredible deal at the time)… again, very grateful for your help… I’ll keep monitoring the situation, but I’d rather get back to my life, of course, and will be more than happy to do this so long as I can properly isolate the cause, and again, IpFire is helping a lot!

And I will check out Unbound… and this RPZ mechanism… hopefully it’s something I can understand…

Just to check, here’s a list of best practices I use:
Firewall
- well-known hostile networks (no configuration, it’s built into ipfire)
- IP Address Blocklists enabled (I have every option enabled)
- Intrusion Prevention System using rulesets from Talos, EmergingThreats, Abuse.ch, Etnetera, and ThreatFox Indicators of Compromise. Enabled on red, green and openvpn.
- Location Block enabled for all countries except my own.
- enable DNS over TLS with malware-blocking DNS services such as Quad9 or Cloudflare.
- Firewall rule that forces all outgoing DNS traffic through the firewall. No other DNS servers may be used; they will be redirected to the firewall’s DNS servers.
- OpenVPN for secure remote access.

Email
- use email providers with good spam filtering (Gmail, Outlook.com)
- do not whitelist any addresses
- be very cautious with any links in emails, even from trusted senders. If in doubt, paste the link destination into VirusTotal.

Local PCs
- use A/V software. Be very cautious about whitelisting/allowing any files.
- uBlock Origin browser extension installed on all browsers. Blocks ads and malware.
- outgoing DNS requests encrypted, filtered, and forced through the firewall (see under Firewall above)

WiFi
- use guest wifi for IoT devices, guests or any wireless device that does not need to communicate with other devices on the network.


My bet is this was the cause of your internet outage. Good unmanaged switches are cheap these days. Best to invest in one. No need to get a super expensive fancy one. Something like this would suffice:


I prefer to use DNS blocking on the IPFire device via RPZ (a feature not implemented in IPFire yet, but @jon is working on that).


Try to use a dedicated hardware wallet for trading, not your personal device.

To improve your network awareness,
you need to block outgoing DNS and force clients to use IPFire DNS.

To monitor outgoing DNS, you can set up a Pi-hole DNS until IPFire has an RPZ WUI.

Use your Pi-hole IP as “Primary DNS server”

and put the IPFire IP as “custom1” “Upstream DNS server” in Pi-hole.

Then monitor outgoing queries and, if you wish, block them or subscribe to a lot of adlists.


You should also upgrade the firmware on all your networked devices,

use a DPI deep packet encryption scanner, and block VPN servers.

Hi
I suggest looking at the bitcoin company in detail. My father was scammed out of his life savings by what appeared to be a legitimate bitcoin broker. He paid money for bitcoin, and the company gave him a bitcoin balance that kept rising as the value of the bitcoin increased, so he bought more bitcoin.

What was actually happening is that they took his money and pretended to buy bitcoin. The balance was bogus. They then installed malware on his computer (father probably clicked something on their website), and they started taking money directly from his bank account until he exceeded his overdraft limit. Somehow they also made cash withdrawals from his credit card. When he went to cash in his bitcoin, they simply ghosted him, but not before trying to extract a service/recovery fee and taxes-owed payments from him.

So if you have had bitcoin stolen via your PC, there is a good chance they left malware behind. As others have said above, you need to do a bare-bones reinstall to be confident that your network is clean.

It is good that you are making the effort to gather evidence and report the crime. You should keep doing that work. I can tell you from experience, you won’t get your bitcoin back (if it existed). Watch your bank accounts.

With ipFire, it is highly unlikely that anyone will gain access by direct attack on the firewall. It is more likely you (anyone) will invite the criminals in by clicking something on a website. Once they are “in”, it is very difficult to be assured that the system is cleaned.