Hey Guys,
Some background:
I have a VPS here at NFO running Windows server 2008
I love the VPS, gives me free rein to do whatever.
I've got: XAMPP and Two game servers running.
The other day, I noticed somebody was trying to Brute Force my FTP server. This means they were using a generic username like "Administrator" and using a hundred different password attempts.
This unsettled me, so I asked around, and found that I could check out a service called "Event Viewer" on my machine.
Sure enough, for the past MONTH there have been constant login attempts on my computer, like an insane amount, by various IPs.
I took the IPs to this site:
http://www.infobyip.com/
Found they were in totally obscure places, which led me to believe they were from a proxy.
The login attempts were almost all some variation of Admin and probably a thousand different passwords.
Occasionally they would have very strange domain names, including the same name as my VPS! These would be used as the Username instead of Admin sometimes too!
The attacks came from every port imaginable, and have begun seeping into my different applications such as FileZilla.
This whole experience is sort of scary.. but is a good lesson that this sort of stuff happens, and that your computer should be totally locked down in the areas it can be. Strong. Passwords.
I'm going to change any passwords I have now on certain applications. The one I'm worried about is Hamachi running, as it feels insecure.
Any more suggestions that I could do to watch for this or block things off?
Hope this info helps people keep their server safe!
-Minty
Server been attacked for a month now. (Info and Suggestions)
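Added example (editor's addition, not part of Minty's post or of any reply): the "constant login attempts" Event Viewer shows are Security-log events with ID 4625 on Windows Server 2008. The script below pulls a week of them and summarises who tried which account from where, which is the question the post is really asking. It assumes an elevated PowerShell prompt (reading the Security log needs administrator rights) and writes a list of the worst offenders to a text file on the Desktop; the 20-failure threshold is an arbitrary choice.

```powershell
# Added example, not part of the original post. Summarise failed logons recorded in the
# Security log (Event ID 4625 on Windows Server 2008 and later) for the last 7 days,
# grouped by source IP and by the account name that was tried. Run in an elevated
# PowerShell: reading the Security log needs administrator rights.
$since  = (Get-Date).AddDays(-7)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # The useful fields are in the event's XML payload, not in the free-text message.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']     # for local accounts this is the computer name
        SourceIp  = $data['IpAddress']            # '-' when the source is local or unknown
        LogonType = $data['LogonType']            # 3 = network (SMB, IIS...), 10 = Remote Desktop
        SubStatus = $data['SubStatus']            # 0xC000006A = wrong password, 0xC0000064 = no such user
    }
}
$rows = @($rows)

"Failed logons since $($since.ToString('yyyy-MM-dd')): $($rows.Count)"

"`nTop source IPs:"
$rows | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

"`nMost-tried account names:"
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# Sources with 20 or more failures in the window: candidates for a firewall block rule.
$threshold = 20
$rows | Group-Object SourceIp |
    Where-Object { $_.Count -ge $threshold -and $_.Name -ne '-' } |
    ForEach-Object { $_.Name } |
    Set-Content -Path "$env:USERPROFILE\Desktop\brute_force_ips.txt"
```

Note that FileZilla Server keeps its own user database and logs, so FTP password guessing does not show up as 4625; these events are the RDP/SMB side of the same campaign. The SubStatus column is the one that tells you whether an account name exists (a run of 0xC000006A against one name means a real account is being hammered).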
Re: Server been attacked for a month now. (Info and Suggestions)
I've seen this in Linux Administration for years. The only way to stop it is to either restrict the service they're trying to access via firewall or to make very sure you have very strong passwords.
EDIT: It's an automated script that "hackers/script kiddies (whatever you want to call them)" use to gain access to a multitude of machines with as little work as possible.
Re: Server been attacked for a month now. (Info and Suggestions)
germanKid has it right. These sorts of attacks occur everywhere, all the time. You can try to police them manually by blocking IPs in the application, but the best ways to go are using strong passwords, keeping current on updates, and firewalling off anything that doesn't need to be publicly accessed or might be insecure.
Re: Server been attacked for a month now. (Info and Suggestions)
Another option would be to enable encrypted FTP protocols (explicit FTP over TLS). It works as well for clients, is more secure and most scripts don't take encrypted FTPs into account, plus for the initial connection clients have to accept a certificate, which scripts usually don't do.
It is easy to set up under FileZilla Server.
For an FTP server I am using pure-ftpd (Linux FTP server), which has a few nice additional features that FileZilla does not offer (virtual users, etc.).
This should not absolve you though from using strong, complex passwords (12+ random characters).
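Added example (editor's addition, not from Caliban's post or from FileZilla): once "Force SSL connection" is ticked, the check a practitioner wants is to probe the server from outside and confirm that a plaintext login is refused and that AUTH TLS actually upgrades the connection. The script does that with .NET sockets from PowerShell and prints the certificate a client will be asked to accept on first connection. The host name is a placeholder; the certificate callback accepts anything because this probe only inspects the certificate, a real client must validate or pin it.

```powershell
# Added example, not from the thread. Probe an FTP server from the outside to confirm that
# explicit FTP over TLS is really enforced: a plaintext USER should be refused, and AUTH TLS
# should upgrade the control connection. Also shows the server certificate a client would
# be asked to accept on first connection. Host and port are placeholders.
$ftpHost = 'ftp.example.test'   # placeholder: your server's name or IP
$ftpPort = 21

function Read-FtpReply($reader) {
    # Read one FTP reply, including multi-line replies ("220-..." lines up to "220 ...").
    $lines = @()
    do {
        $line = $reader.ReadLine()
        if ($line -eq $null) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line -notmatch '^\d{3} ')
    New-Object PSObject -Property @{ Code = [int]$line.Substring(0, 3); Text = ($lines -join "`n") }
}

function Send-FtpCommand($writer, $reader, [string]$command) {
    $writer.WriteLine($command); $writer.Flush()
    Read-FtpReply $reader
}

function New-FtpSession($hostName, $port) {
    # Plain TCP control connection plus ASCII reader/writer using CRLF line endings.
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    $net = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($net, [System.Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($net, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"
    $banner = Read-FtpReply $reader
    New-Object PSObject -Property @{ Tcp = $tcp; Net = $net; Reader = $reader; Writer = $writer; Banner = $banner }
}

# 1. Plaintext login attempt. With "Force SSL connection" set for the user, the server
#    should answer USER with a 5xx reply instead of asking for a password.
$s = New-FtpSession $ftpHost $ftpPort
"Banner: $($s.Banner.Text)"
$plain = Send-FtpCommand $s.Writer $s.Reader 'USER anonymous'
if ($plain.Code -ge 500) { "OK: plaintext USER refused with $($plain.Code)" }
else { "WARNING: plaintext USER answered $($plain.Code); unencrypted logins are still possible" }
$s.Tcp.Close()

# 2. Fresh connection, upgrade to TLS before sending any credentials.
$s = New-FtpSession $ftpHost $ftpPort
$auth = Send-FtpCommand $s.Writer $s.Reader 'AUTH TLS'
if ($auth.Code -ne 234) { throw "AUTH TLS rejected: $($auth.Text)" }

# The callback accepts any certificate because this probe only wants to look at it;
# a real client must validate it (or pin the thumbprint) instead.
$ssl = New-Object System.Net.Security.SslStream($s.Net, $false, { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($ftpHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"TLS up: $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
"Server certificate: $($cert.Subject); expires $($cert.NotAfter); SHA-1 thumbprint $($cert.Thumbprint)"

$sReader = New-Object System.IO.StreamReader($ssl, [System.Text.Encoding]::ASCII)
$sWriter = New-Object System.IO.StreamWriter($ssl, [System.Text.Encoding]::ASCII)
$sWriter.NewLine = "`r`n"
# Real clients also protect the data channel: PBSZ 0 then PROT P (RFC 4217).
$pbsz = Send-FtpCommand $sWriter $sReader 'PBSZ 0'
$prot = Send-FtpCommand $sWriter $sReader 'PROT P'
"PBSZ 0 -> $($pbsz.Code), PROT P -> $($prot.Code) (200 means accepted)"
Send-FtpCommand $sWriter $sReader 'QUIT' | Out-Null
$s.Tcp.Close()
```

If the first half prints the WARNING, the "Force SSL connection" box is not set for that user (it is per user in FileZilla Server, not global), and a guessed password would still travel in the clear. Keep the printed thumbprint: comparing it against what the client shows on first connection is how you notice a man-in-the-middle.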
Re: Server been attacked for a month now. (Info and Suggestions)
@Caliban: Would this be a plugin for FileZilla? Or something built into the windows version?
Is there a way I can just totally block some of these IP's?
Re: Server been attacked for a month now. (Info and Suggestions)
You could totally block the IPs from contacting your server with a Windows firewall rule, yes. I wouldn't really recommend this over blocking them through your application, however, as the Windows firewall adds overhead and may reduce the performance of your VDS.
You shouldn't really have to worry about these attempts unless the FTP passwords are insecure. And even if they are simple passwords that are later compromised, a remote attack script wouldn't find anything of use when it gets in, if the contents of the FTP are not executable and not web-facing. These automated scripts are looking for ways of installing spamming and DDoSing software, and such software is useless if it's never run.
Re: Server been attacked for a month now. (Info and Suggestions)
I agree with John, the FTP connection attempts are not really that severe.
If you want to block the IP automatically, FileZilla Server has an autoban setting that you can use for this purpose. After N failed login attempts, that IP is banned for a previously defined time. You can find this under the "Settings" tab in the FileZilla Server menu. One step back though, you are using FileZilla Server (I just randomly guessed that, when you mentioned XAMPP, which comes with FileZilla Server)?
Under the settings, you will also find the option to enable encryption (SSL/TLS settings), you will have to enable them also under the User menu (checkbox Force SSL connection).
Attached are two screenshots for this.
Re: Server been attacked for a month now. (Info and Suggestions)
I have two comments about this.
With FileZilla, go to the IP filter, and put "*" in the first window which disables ALL IP addresses as to access. Then add your IP address or block into the exception window. That way most of the attackers just can't get in.
But your real issue is XAMPP. That software isn't made for production - they even say it on their site ("The default configuration is not good from a security point of view and it's not secure enough for a production environment - please don't use XAMPP in such environment.") - and has some massive security holes enabled. You are begging for trouble with that software, especially if you have the web server running. I found this out the hard way even after I closed the holes I was aware of, and now have the hacking tools I recovered from my site that they used to break in, create their own admin user IDs and effectively take over the server. They didn't count on some of the independent monitoring tools I had which logged what they did, so I was able to recover the main hacking tool they used, then tested it on another system. It was made specifically for the built-in security holes in XAMPP. They used a second tool to cover their tracks, and that one I wasn't able to recover, though I found evidence of it in the logs, including the name and a bit of what it did; pretty sophisticated stuff. I would highly recommend though that you either turn off the web server or read their site regarding security. I wouldn't have believed it if I didn't do it myself, but with the tool I recovered, it takes about 2 seconds max to break in, take over, dump any file on the hard drive, and do whatever including creating an admin user. Unbelievable, but it shows you the effort put into that product due to the predictable security holes.
What I ended up doing, as I was too lazy to install the pieces I needed and tighten security properly (for hlstats:ce) was turning off the web server (the biggest issue) and then limiting access to the SQL server to only a single IP address, that of another Apache web server hosted elsewhere. That fixed the holes. But I was also running with a hardware firewall, so there may be even more holes open than I found.
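Added example (editor's addition, not from any post in the thread): the two firewall measures discussed above, John's "block the IPs with a Windows firewall rule" and lemming's "let only one web host reach the SQL server", written as netsh advfirewall commands, which is what Windows Server 2008 has (the New-NetFirewallRule cmdlets only arrived with 2012). It also carries the caveat people trip over: in Windows Firewall a block rule beats an allow rule, so the restriction has to be done with the default inbound policy plus a narrow allow, not with an extra block rule. All IP addresses are placeholders from the RFC 5737 documentation ranges.

```powershell
# Added example, not from the thread. Windows Firewall rules with netsh advfirewall,
# which Windows Server 2008 ships with (the New-NetFirewallRule cmdlets need 2012+).
# All IP addresses below are placeholders from the RFC 5737 documentation ranges.
# Run from an elevated PowerShell prompt.

# --- 1. Block known brute-force sources outright (John's option) -----------------
# One rule can carry many addresses; keep a single rule and re-create it when the list changes.
$badIps = @('203.0.113.10', '203.0.113.44', '198.51.100.77')   # placeholders
$list   = $badIps -join ','
netsh advfirewall firewall delete rule name=BruteForceBlock | Out-Null   # "No rules match" on first run is fine
netsh advfirewall firewall add rule name=BruteForceBlock dir=in action=block remoteip=$list

# --- 2. Let only one remote host reach MySQL (what lemming did for hlstats) ------
# Caveat: a block rule always wins over an allow rule in Windows Firewall, so do NOT add
# "block 3306 from anyone" next to "allow 3306 from the web host"; that blocks the web host too.
# Instead make sure the default inbound action is block, then add the narrow allow rule.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
$webHost = '192.0.2.25'   # placeholder: the Apache host that is allowed to query MySQL
netsh advfirewall firewall delete rule name=MySQL_From_WebHost | Out-Null
netsh advfirewall firewall add rule name=MySQL_From_WebHost dir=in action=allow protocol=TCP localport=3306 remoteip=$webHost

# --- 3. Check for broader rules that would undo step 2 ----------------------------
# Clicking "Unblock" when XAMPP first started typically created an allow rule for mysqld.exe
# (or for port 3306) with no remote-address scope. Show every rule that touches 3306 or mysqld.
$rules = netsh advfirewall firewall show rule name=all verbose | Out-String
$rules -split '(?:\r?\n){2,}' | Where-Object { $_ -match 'LocalPort:\s+3306' -or $_ -match 'mysqld' }
```

Any rule the last step prints whose "RemoteIP" is "Any" should be deleted or scoped (`netsh advfirewall firewall set rule name=<that rule> new remoteip=192.0.2.25`), otherwise the narrow rule is decorative. The same pattern applies to the FTP port if you prefer the firewall to FileZilla's own IP filter: default block, one allow rule with `remoteip=` set to your own address range.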