OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Jaymer
Posts: 2430
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL
Contact:

OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

Skip to UPDATE April 2019

hey all
Thought I'd share my experience with you concerning my new Upcloud server.

1) aware 8.1, MS SQL SERVER Express
Within a few days, started getting hammered by the attempted logins as "Administrator" and "sa" - that stuff just pisses me off

2) Upcloud has a firewall in front of the server - I have 37 rules to filter tons of IP ranges. mostly because of...

3) IPBAN - runs as a service on Windows server.
Analyses bad logins and adds them to banlist. Been around for a while ...
http://www.digitalruby.com/securing-you ... ed-server/


Once IPBAN alerted me, I researched the location on http://geoiplookup.net
If it was in a country other than US, buh-bye via an entry in the firewall.
Reduced this nonsense to a level where I'm not paranoid about it anymore.

Changed my port for RDP.
Disabled MS SQL Administrator and "sa" and now connect from Aware with a special account.

FYI
jaymer...

PS _ I went with a 16 gig RAM server. Mark asked me why so big. I like to get on the server and run development locally. Also, I run SSMS locally. And now MS Excel has to be on there to handle outgoing Merge to .XLS files. I'm pushing 46-48% RAM usage sometimes - I'd be at +90% utilization if I only had 8gig. Would be perfect if I could get 12gig and save a few bucks. My Upcloud is costing $105/month.

--> jaymerTip
Last edited by Jaymer on Sun Nov 17, 2019 9:50 pm, edited 3 times in total.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by mrbdrm »

will using cloudflare minimize the issue?

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by ACDC »

3) IPBAN - runs as a service on Windows server.
This is great for RDP and it's simple to install, thanks for sharing

I wonder if the developer would consider monitoring Tomcat port 8080 and 443 . That would really make it killer
(I am thinking along the lines of getting Tomcat to output events to Windows Events logs and then IPBAN work on the events in the same way)

In my tomcat logs, I get hundreds of foreign attempts trying to sniff the setup resulting in a 404 response. It would be great to IPBAN all the 404 responses

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

yes, those assholes piss me off too... seeing if you've left a phpmyadmin file in place unprotected or just getting 404s testing for images.

i'll contact him and see if he can do something.
OR
a simple grep/awk sequence might be able to scour OUR logs, and find those offenders (ie. no one need look for a php item on my server) and add their IPs to HIS banlist. That wouldn't involve him at all.

jaymer...

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

ACDC

I made a batch file:
findscum.bat
this is inside \aware\tomcat\logs

You can just drop a logfile on it and you're done.

inside it:

REM findscum.bat <access log> - drop "valid" lines: favicon, robots.txt, app dir (R3)
grep -v favicon %1 | grep -v robots.txt | grep -v R3 > a2
REM keep only php / "GET /img" requests, take the client IP (field 1), sort, dedupe
grep -e "GET /img" -e "php" a2 | cut --fields=1 --delim=" " | sort -g | uniq > a3
REM append a TAB and a timestamp in the format IPBan's banlog expects
sed s/$/\t2018-01-01T00:00:01.0000001Z/ a3 > a4
REM append the result to IPBan's banlog
cat a4 >>  c:\IPBan\banlog.txt
Of course this could be condensed, but it's clearer being a little wordy.
My AppDirectory was renamed to R3 (instead of AwareIM).
So the 1st 3 lines remove "valid" log lines for clarity, leaving only [possibly] troublesome lines to further examine.
2nd line is to examine only the "php" or "GET /img" lines - shouldn't be any of that on my system, so if you're doing this, you're a scumbag.
That finds lots of lines, which are then sorted to output only unique IPs.
Then we add a TAB and a timestamp for IPBan.
Then append that onto his file.

final result is this list of scumbags:
50.193.24.141 2018-01-01T00:00:01.0000001Z
50.196.171.161 2018-01-01T00:00:01.0000001Z
50.242.78.14 2018-01-01T00:00:01.0000001Z
54.198.50.92 2018-01-01T00:00:01.0000001Z
64.113.101.107 2018-01-01T00:00:01.0000001Z
added to the end of his banlist.

You'll need GnuWin32 utilities to run these unix commands.
I installed to "\Program Files\GnuWin"
then modified system PATH to include: c:\Program Files\GnuWin\bin;

I figure you only have to run this once a day and the next day, all prior-day scumbags will be banned.
His program runs every 30 seconds and you could do this more frequently, but people are already hammering the server and we're doing nothing about it - at least NOW they might only hit it that 1st day and then buh-bye!

jaymer...
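The same log-scouring idea as findscum.bat above (and ACDC's wish earlier in the thread to ban the IPs behind 404 probes), written here as an added Python example that is not part of the original posts or of IPBan: it parses Tomcat common-format access-log lines, applies the batch file's exclusions and "php" / "GET /img" tests, optionally also flags 404 responses, and emits unique IPs in the TAB-plus-timestamp shape the batch file appends to banlog.txt. The log lines are constructed samples; the app directory name R3 and the timestamp are taken from the batch file.

```python
import ipaddress
import re

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b (client IP comes first).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Same exclusions as the batch file: favicon, robots.txt and the renamed app directory.
BENIGN = ("favicon", "robots.txt", "R3")
# Same "nobody legitimate asks for this here" tests: anything php, and GET /img.
SUSPECT = (re.compile(r"php"), re.compile(r"^GET /img"))
BAN_TS = "2018-01-01T00:00:01.0000001Z"  # placeholder timestamp used by the batch file

# Constructed sample lines (RFC 5737 documentation addresses, not real offenders).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2018:00:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 1034
198.51.100.9 - - [01/Jan/2018:00:00:02 +0000] "GET /R3/logon.aw HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2018:00:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0
203.0.113.7 - - [01/Jan/2018:00:00:04 +0000] "GET /img/logo.gif HTTP/1.1" 404 0
192.0.2.44 - - [01/Jan/2018:00:00:05 +0000] "GET /manager/html HTTP/1.1" 404 0
""".splitlines()


def suspect_ip(line, flag_404=False):
    """Return the client IP if the line looks like probing, else None."""
    m = LOG_RE.match(line)
    if m is None or any(b in line for b in BENIGN):
        return None          # unparsable, or one of the "valid" lines grep -v removes
    request = f"{m['method']} {m['path']}"
    probing = any(p.search(request) for p in SUSPECT)
    if flag_404 and m["status"] == "404":
        probing = True       # ACDC's stricter rule: every 404 is a probe
    return m["ip"] if probing else None


def suspect_ips(lines, flag_404=False):
    """Unique offending IPs, sorted numerically like the batch file's sort | uniq."""
    found = {ip for ip in (suspect_ip(l, flag_404) for l in lines) if ip}
    return sorted(found, key=lambda ip: ipaddress.ip_address(ip).packed)


def banlog_lines(lines, flag_404=False, ts=BAN_TS):
    """One 'IP<TAB>timestamp' line per offender, ready to append to banlog.txt."""
    return [f"{ip}\t{ts}" for ip in suspect_ips(lines, flag_404)]


if __name__ == "__main__":
    print("\n".join(banlog_lines(SAMPLE_LOG, flag_404=True)))
```

Run it against a real log with `banlog_lines(open(path).read().splitlines())`; the 404 rule is off by default because a single missing image from a legitimate user would otherwise ban them.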

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by mrbdrm »

that solution will not help, especially if he sees that you are challenging him.
he will change his IP every hour if he wants to.
your server will be affected. it will take the request load ...

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by ACDC »

I made a batch file:
findscum.bat
this is inside \aware\tomcat\logs
Thanks Jaymer, this is excellent - I will get working on it.
BTW, will this monitor port 8080 and 443 - How does IPBAN know about these ports?

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by ACDC »

that solution will not help, especially if he sees that you are challenging him.
he will change his IP every hour if he wants to.
your server will be affected. it will take the request load ...
That's fine, at least it's something. I have seen some real nasty attempts in my logs

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

FYI - I've emailed him and received no reply.
It turns out that his file is rebuilt periodically... so any additions that we add to the end of the file are lost.
I think he is re-scanning the Event Logs - to rebuild the file each time.

I've blacklisted about 40 domains/domain ranges on the firewall in front of the Upcloud server - so all the foreign stuff has been blocked.
The remaining idiots trying to get into phpMyAdmin are US-based.

I cleared all my logs and restarted his service and my banlog.txt file only has 10 lines in it for 5 days. I'm still getting hammered by the idiots but at least the entire Asian continent is cut off !!!

He has a blacklist entry in his config file. It allows for a comma separated list of IPs to blacklist.
I wish it allowed pointing to a file, but it would be easy enough to translate my unique list of IPs into a CSV list and then insert it into his config file... just wonder how long that string can be.


ACTUALLY, just remembered, his project is on GitHub - so we can modify it.
Also, just found a file there with this:

        /// <summary>
        /// Enumerate external blacklist
        /// </summary>
        /// <returns>Blacklist</returns>
        IEnumerable<string> EnumerateBlackList();
ok, how to get to that external blacklist - that would be perfect

jaymer...

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

bah,
downloaded the project.
the "external blacklist" he refers to is the CSV list inside the config file.
if I knew Visual C# better I could change that, but I can't.
I think the best thing for us would be to maintain our own blacklist culled from Tomcat logs, and have his program read that CSV string in as if it was hardcoded in the config file.

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

UPDATE April 2019

d/l from https://www.digitalruby.com/download/ip ... -download/

he has a new version coming out which will work even better. no idea how much the Pro version will be, but it will be worth it.
Just added this to a customer's server (using the free version) and within 10 minutes it had added 90 IPs to the banlist.
WOW - being hammered by the bastards... but not anymore.

I also downloaded this so I could browse the SQLite table that contains the generated BanList.

jaymer...

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

UPDATE AUGUST 2019

IPBanPro is in Beta.
https://ipban.com/

It can self-install in about 90 secs, then there is a web service for monitoring the traffic & bans.

pretty nice setup
jaymer...

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by ACDC »

Thanks for the update

Is it possible to get this working on the Tomcat ports ?

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by Jaymer »

ACDC
I'm not sure what that means.

IPBan works by monitoring your Event Viewer logs - searching for patterns that indicate failed/hacking attempts.
It then automatically adds Windows Firewall rules for you.
Pro version now adds a nice web front end for viewing recent activity, AND has a Datacenter version for monitoring multiple servers - and the ban list gets shared amongst them.

So it doesn't interact with any specific web server or ports.

Re: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud

Post by ACDC »

So it doesn't interact with any specific web server or ports.
I thought so. I get hundreds of attempts to hack into Tomcat. I have resorted to banning the IP addresses by manually changing the rules in the Windows firewall on the Tomcat ports. But it's a challenge, as you can imagine.

It would be great if IPBan could monitor the Tomcat logs in the same way it monitors the Windows events and then, based on some perceived bad behaviour in the log record, set the firewall rules accordingly. It should be an easy plug-in feature upgrade.

I wonder if they would be open to adding this functionality.

It could even be a standalone utility that periodically imports the Tomcat logs, makes an assessment of the suspect entries and then updates the Windows firewall. A simple rule for me is to ban IP addresses by country; this would get rid of most of the bad guys.