?

Log in

No account? Create an account

Previous Entry | Next Entry

Waiting for the crunch

Would it surprise you if I told you that my two web servers are under continuous attack? Some of you, probably. Some of you, probably not at all. Since they went on line in late January alpha and beta have been subject to round-the-clock probing from would-be attackers. No one has gotten through. Or, let me be precise no one has broken into these boxes in a way that I have detected. I spent some time and effort in building them to be secure.1 And, I spend a fair amount of time working with them and keeping an eye on them. Thus, I am reasonably confident in saying that no one has compromised them. Yet.

All of this probing is what Cheswick & Bellovin called knob-twisting. Back when they wrote the first edition of Firewalls and Internet Security2 attackers were humans trolling for easy targets. Today they're attack scripts executed by humans trolling for easy targets. They don't represent a concerted all-out attempt to crack the servers, but merely twisting the servers' electronic door knobs to see if any of them are unlocked.

In the month to now, alpha has gotten 33 bogus ftp connection attempts (mere noise) and 2,210 bogus ssh (secure shell) connection attempts. The footprints of an attack script (and the same attack script, executed from several different hosts) are clearly evident in the log. The script tries a litany of common names hoping to find one where the account actually exists on the machine and there is no password assigned.3 Beta has like numbers in its logs, and one of the external hosts I administer at work tells a similar tale as well.

Following the rule "if it isn't turned on, it can't be attacked," alpha and beta don't run any un-needed processes. That's why the attacks appear to concentrate on ssh; there isn't much else to attack. The scriptkiddies running the attacks are looking for an account with no password, not trying some complicated buffer overflow. So, there are no footprints showing attacks on sendmail, or bind. And, a quick look through the web server (Apache) logs shows only a couple of attempted attacks (aimed at Microsoft's IIS). All good news, for now.

The boxes have only been online for about six weeks -- I expect that more serious challenges to their security will be forthcoming. In a sense, it's only a matter of time. Time until some script kiddy comes along with an attack script that is looking for some vulnerability that alpha and beta have that I have not yet patched. Depending on how serious the vulnerability is, the consequences could range from defacement of the web sites hosted on those boxes, to their being owned by someone exploiting a serious breach. Till then, we watch, we patch, and we wait.




1 Building Bastion Hosts With HP-UX 11, even though it's for HP-UX, is an excellent resource for learning the methods and mindset required to construct an iron-clad server.

2 While the first edition is dated, it's freely available on-line and is still an excellent (and short) read on how firewalls work and how attacks are made over the 'net.

3 One recent attack run tried "jordan, michael, nicole, daniel, andrew, magic, lion, david, jason, carmen, justin, charlie, steven, brandon, brian, stephen, william, angel, emily, eric, joe, tom, billy, buddy, jeremy, vampire, betty, max, nicholas, robin, johnny, lucy, maria, rose, mail, god, barbara, larisa, jane..." It ran through ninety names in all over the course of four minutes and fifty one seconds.

Comments

( 3 comments — Leave a comment )
kriz1818
Mar. 1st, 2005 12:23 am (UTC)
My, how cheerful.

You just inspired me to check my Norton Personal Firewall logs, which don't show any unauthorized activities. Well, except for that mysterious svchost process that I set up a special firewall rule to block last year. Don't know how to get rid of it, but my computer is no longer contacting the DNS for a website called "Pretty Princess."

I'm not going to be taking up web servering any time soon, that's for sure. 8-D
netcurmudgeon
Mar. 1st, 2005 12:37 am (UTC)
Um, you might wanna yank that rule. Windows creates svchost.exe threads automatically to handle various functions; they're normal and they belong to the operating system.

WRT "Pretty Princess", chances are you visited there at some point and IE was looking for something from there when it loaded. IE's cached files and history can be a real cesspool of strange things.
kriz1818
Mar. 1st, 2005 02:47 pm (UTC)
Nope, it runs fine with that rule in place, and trust me, I've never visited that site. It doesn't have anything to do with ponies and princesses in poufy dresses.
( 3 comments — Leave a comment )

Latest Month

January 2017
S M T W T F S
1234567
891011121314
15161718192021
22232425262728
293031    

Tags

Page Summary

Powered by LiveJournal.com
Designed by Lilia Ahner