#47086 by Jaymer
Wed May 09, 2018 9:38 pm
Skip to UPDATE April 2019

hey all
thought I'd share my experience with you concerning my new Upcloud server.

1) aware 8.1, MS SQL SERVER Express
Within a few days, started getting hammered by the attempted logins as "Administrator" and "sa" - that stuff just pisses me off

2) Upcloud has a firewall in front of the server - I have 37 rules to filter tons of IP ranges. mostly because of...

3) IPBAN - runs as a service on Windows server.
Analyses bad logins and adds them to banlist. Been around for a while ...
http://www.digitalruby.com/securing-you ... ed-server/


Once IPBAN alerted me, I researched the location on http://geoiplookup.net
If it was in a country other than US, buh-bye via an entry in the firewall.
Reduced this nonsense to a level where I'm not paranoid about it anymore.

Changed my port for RDP.
Disabled MS SQL Administrator and "sa" and now connect from Aware with a special account.

FYI
jaymer...

PS - I went with a 16 gig RAM server. Mark asked me why so big. I like to get on the server and run development locally. Also, I run SSMS locally. And now MS Excel has to be on there to handle outgoing Merge to .XLS files. I'm pushing 46-48% RAM usage sometimes - I'd be at +90% utilization if I only had 8gig. Would be perfect if I could get 12gig and save a few bucks. My Upcloud is costing $105/month.

--> jaymerTip
Last edited by Jaymer on Sun Nov 17, 2019 9:50 pm, edited 3 times in total.
#47165 by ACDC
Wed May 16, 2018 11:43 am
3) IPBAN - runs as a service on Windows server.


This is great for RDP and it's simple to install, thanks for sharing

I wonder if the developer would consider monitoring Tomcat ports 8080 and 443. That would really make it killer
(I am thinking along the lines of getting Tomcat to output events to Windows Events logs and then IPBAN work on the events in the same way)

In my tomcat logs, I get hundreds of foreign attempts trying to sniff the setup resulting in a 404 response. It would be great to IPBAN all the 404 responses
#47166 by Jaymer
Wed May 16, 2018 4:03 pm
yes, those assholes piss me off too... seeing if you've left a phpmyadmin file in place unprotected or just getting 404s testing for images.

i'll contact him and see if he can do something.
OR
a simple grep/awk sequence might be able to scour OUR logs, find those offenders (i.e. no one need look for a php item on my server) and add their IPs to HIS banlist. That wouldn't involve him at all.

jaymer...
#47174 by Jaymer
Wed May 16, 2018 7:50 pm
ACDC

I made a batch file:
findscum.bat
this is inside \aware\tomcat\logs

You can just drop a logfile on it and you're done.

inside it:
Code:
REM findscum.bat - run as "findscum.bat access_log" or drop a Tomcat log file onto it
REM 1) drop "valid" lines: favicon, robots.txt and anything under the R3 app directory
grep -v favicon %1 | grep -v robots.txt | grep -v R3 > a2
REM 2) keep only php / GET /img probes, take the client IP (field 1), sort, de-duplicate
grep -e "GET /img" -e "php" a2 | cut --fields=1 --delim=" " | sort -g | uniq > a3
REM 3) append a TAB and a timestamp in the format IPBan expects, then append to its banlog
sed s/$/\t2018-01-01T00:00:01.0000001Z/ a3 > a4
cat a4 >> c:\IPBan\banlog.txt


Of course this could be condensed, but it's clearer being a little wordy.
My AppDirectory was renamed to R3 (instead of AwareIM).
So the 1st 3 lines remove "valid" log lines for clarity, leaving only [possibly] troublesome lines to further examine.
2nd line is to examine only the "php" or "GET /img" lines - shouldn't be any of that on my system, so if you're doing this, you're a scumbag.
That finds lots of lines, which are then sorted, outputting only unique IPs.
Then we add a TAB and a timestamp for IPBan.
Then append that onto his file.

final result is this list of scumbags:
50.193.24.141 2018-01-01T00:00:01.0000001Z
50.196.171.161 2018-01-01T00:00:01.0000001Z
50.242.78.14 2018-01-01T00:00:01.0000001Z
54.198.50.92 2018-01-01T00:00:01.0000001Z
64.113.101.107 2018-01-01T00:00:01.0000001Z
added to the end of his banlist.

You'll need GnuWin32 utilities to run these unix commands.
I installed to "\Program Files\GnuWin"
then modified system PATH to include: c:\Program Files\GnuWin\bin;

I figure you only have to run this once a day and the next day, all prior-day scumbags will be banned.
His program runs every 30 seconds and you could do this more frequently, but people are already hammering the server and we're doing nothing about it - at least NOW they might only hit it that 1st day and then buh-bye!

jaymer...
#47185 by ACDC
Thu May 17, 2018 10:52 am
that solution will not help. especially if he sees that you are challenging him
he will change his ip every hour if he wants to.
your server will be affected. it will take the request load ...


That's fine, at least it's something, I have seen some real nasty attempts in my logs
#47244 by Jaymer
Mon May 21, 2018 11:14 pm
FYI - I've emailed him and received no reply.
It turns out that his file is rebuilt periodically... so any additions that we add to the end of the file are lost.
I think he is re-scanning the Event Logs - to rebuild the file each time.

I've blacklisted about 40 domains/domain ranges on the firewall in front of the Upcloud server - so all the foreign stuff has been blocked.
The remaining idiots trying to get into phpMyAdmin are US-based.

I cleared all my logs and restarted his service and my banlog.txt file only has 10 lines in it for 5 days. I'm still getting hammered by the idiots but at least the entire Asian continent is cut off !!!

He has a blacklist entry in his config file. It allows for a comma separated list of IPs to blacklist.
I wish it allowed to point to a file, but it would be easy enough to translate my uniq list of IPs into a CSV list and then insert it into his Config file... just wonder how long that string can be.


ACTUALLY, just remembered, his project is on GitHub - so we can modify it.
Also, just found a file there with this:
Code:
/// <summary>
/// Enumerate external blacklist
/// </summary>
/// <returns>Blacklist</returns>
IEnumerable<string> EnumerateBlackList();

ok, how to get to that external blacklist - that would be perfect

jaymer...
#47245 by Jaymer
Tue May 22, 2018 12:31 am
bah,
downloaded the project.
the "external blacklist" he refers to is the CSV list inside the config file.
if I knew visual C better I could change that, but I can't.
I think the best thing for us would be to maintain our own blacklist culled from Tomcat logs, and have his program read that CSV string in as if it was hardcoded in the config file.
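As an added example (not code from this thread or from IPBan), here is the same log-culling idea in Python: it applies the php / "GET /img" filter from findscum.bat above, adds ACDC's idea of flagging clients that rack up 404s, and emits the result either as the comma-separated blacklist string the config file takes or as the IP+TAB+timestamp lines the batch file appended to banlog.txt. The log lines are constructed, and the /R3/ app prefix, the 404 threshold of 3 and the "starts with /img" match (the same thing the grep matches) are assumptions.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample lines in Tomcat's default access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2018:10:01:22 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 1024
203.0.113.7 - - [16/May/2018:10:01:23 +0000] "GET /pma/index.php HTTP/1.1" 404 1024
198.51.100.9 - - [16/May/2018:10:02:01 +0000] "GET /R3/logon.aw HTTP/1.1" 200 5120
198.51.100.9 - - [16/May/2018:10:02:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0
192.0.2.55 - - [16/May/2018:10:03:10 +0000] "GET /img/banner.gif HTTP/1.1" 404 0
198.51.100.77 - - [16/May/2018:10:04:00 +0000] "GET /admin/ HTTP/1.1" 404 0
198.51.100.77 - - [16/May/2018:10:04:01 +0000] "GET /backup/ HTTP/1.1" 404 0
198.51.100.77 - - [16/May/2018:10:04:02 +0000] "GET /old/ HTTP/1.1" 404 0
this line is deliberately malformed and must be skipped, not banned
"""
# client-ip ident user [timestamp] "METHOD path ..." status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
APP_PREFIX = "/R3/"                      # assumed Aware IM app directory, as in the batch file
IGNORED = ("/favicon.ico", "/robots.txt")
SUSPECT = re.compile(r"php|^/img", re.IGNORECASE)   # the probes the batch file greps for

def suspect_ips(log_text, app_prefix=APP_PREFIX, max_404=3):
    """Unique client IPs that probed php/img paths or reached max_404 404s outside the app."""
    flagged, not_found = set(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # unparseable line: skip it
        ip, _method, path, status = m.groups()
        try:
            ipaddress.ip_address(ip)                  # refuse garbage in the first field
        except ValueError:
            continue
        if path.startswith(app_prefix) or path in IGNORED:
            continue                                  # "valid" traffic, as in the grep -v steps
        if SUSPECT.search(path):
            flagged.add(ip)
        if status == "404":
            not_found[ip] += 1
            if not_found[ip] >= max_404:
                flagged.add(ip)
    return sorted(flagged, key=lambda s: ipaddress.ip_address(s).packed)

def blacklist_csv(ips):
    """Comma-separated form for the blacklist entry in IPBan's config file."""
    return ",".join(ips)

def banlog_lines(ips, stamp="2018-01-01T00:00:01.0000001Z"):
    """IP<TAB>timestamp lines, the format the batch file appended to banlog.txt."""
    return [f"{ip}\t{stamp}" for ip in ips]
```

Run it over a real access log by reading the file into `suspect_ips()`; the 404 threshold is the knob to tune so that a visitor with a stale bookmark is not banned alongside the scanners.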
#50769 by Jaymer
Wed Apr 24, 2019 9:37 pm
UPDATE April 2019

d/l from https://www.digitalruby.com/download/ip ... -download/

he has a new version coming out which will work even better. no idea how much the Pro version will be, but it will be worth it.
Just added this to a customer's server (using the free version) and within 10 minutes it had added 90 IPs to the banlist.
WOW - being hammered by the bastards... but not anymore.

I also downloaded this so I could browse the SQLite table that contains the generated BanList.

jaymer...
#51428 by Jaymer
Fri Aug 23, 2019 6:30 pm
UPDATE AUGUST 2019

IPBanPro is in Beta.
https://ipban.com/

It can self-install in about 90 secs, then there is a web service for monitoring the traffic & bans.

pretty nice setup
jaymer...
#51432 by Jaymer
Sat Aug 24, 2019 3:45 pm
ACDC
I'm not sure what that means.

IPBan works by monitoring your Event Viewer logs - searching for patterns that indicate failed/hacking attempts.
It then automatically adds Windows Firewall rules for you.
Pro version now adds a nice web front end for viewing recent activity, AND has a Datacenter version for monitoring multiple servers - and the ban list gets shared amongst them.

So it doesn't interact with any specific web server or ports.
#51434 by ACDC
Sun Aug 25, 2019 10:34 am
So it doesn't interact with any specific web server or ports.


I thought so, I get hundreds of attempts to hack into Tomcat. I have resorted to banning the IP address by manually changing the rules in the Windows firewall on the Tomcat ports. But it's a challenge, as you can imagine

It would be great if IP BAN could monitor the Tomcat logs in the same way it monitors the Windows events and then, based on some perceived bad behaviour in the log record, set the firewall rules accordingly. It should be an easy plug-in feature upgrade.

I wonder if they would be open to adding this functionality.

It could even be a standalone utility that periodically imports the Tomcat logs, makes an assessment of the suspect entries and then updates the Windows firewall. A simple rule for me is to ban IP addresses by country; this would get rid of most of the bad guys
