
Thread: Securing home server from outside attacks

  1. #1
    HEXUS.social member finlay666's Avatar
    Join Date
    Aug 2006
    Location
    Newcastle
    Posts
    8,546
    Thanks
    297
    Thanked
    894 times in 535 posts
    • finlay666's system
      • CPU:
      • 3570k
      • Memory:
      • 16gb
      • Graphics card(s):
      • 6950 2gb
      • Case:
      • Fractal R3
      • Operating System:
      • Windows 8
      • Monitor(s):
      • U2713HM and V222H
      • Internet:
      • cable

    Securing home server from outside attacks

    Just logged in to my home server this morning to see that someone else was signed in, on their xbox live account (should really have grabbed a screenshot tbh but didn't think) and on my home server, got kicked a few times until I managed to (I hope) shut the machine down from a remote connection

    I will be changing the admin password when I get home tonight, is there much else I can do to disable access from unwanted sources?

    I have a Windows Home Server 2011 machine and will be wanting to now lock this down as much as possible, the remoting in seems a little worrying, so I might actually just turn off the port forwarding on my router disabling all web access if I can't get this sorted out

    Saw that I can add in google analytics to the remote site to track where people are logging in from, I suspect that someone has been trying to hit every machine on the something.homeserver.com range and then tried to remote in using that knowing "Administrator" is a default account
    H3XU5 Social FAQ
    Quote Originally Posted by tiggerai View Post
    I do like a bit of hot crumpet

  2. #2
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    385 times in 314 posts

    Re: Securing home server from outside attacks

    I'd imagine it was a brute force attack - did you have a particularly complex Password ?
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  3. #3
    Senior Member oolon's Avatar
    Join Date
    Mar 2007
    Location
    London
    Posts
    2,294
    Thanks
    150
    Thanked
    302 times in 248 posts
    • oolon's system
      • Motherboard:
      • Asus P6T6
      • CPU:
      • Xeon w3680
      • Memory:
      • 3*4GB Kingston ECC
      • Storage:
      • 160GB Intel G2 SSD
      • Graphics card(s):
      • XFX HD6970 2GB
      • PSU:
      • Corsair HX850
      • Case:
      • Antec P183
      • Operating System:
      • Windows 7 Ultimate and Centos 5
      • Monitor(s):
      • Dell 2408WFP
      • Internet:
      • Be* Unlimied 6 down/1.2 up

    Re: Securing home server from outside attacks

    Well, that is your start: disable the default administrator and create your own named admin account. Getting a proper hardware firewall would be good, if you can't handle a *nix firewall box try pfsense, use that to restrict the IP address ranges that can connect in to your server.

    For example at home I have SSH for remote access, however only 4 IP addresses on the planet are allowed to access it. Boxes like servers you should restrict where they can connect to, so if someone does gain access they will not be able to transfer data from the machine easily or slip in a reverse telnet back door.
    (\__/) All I wanted in the end was world domination and a whole lot of money to spend. - NMA
    (='.*=)
    (")_(*)

  4. Received thanks from:

    finlay666 (27-07-2011)

  5. #4
    HEXUS.social member finlay666's Avatar

    Re: Securing home server from outside attacks

    Quote Originally Posted by Moby-Dick View Post
    I'd imagine it was a brute force attack - did you have a particularly complex Password ?
    didn't before, stupid really as I should have done being an admin account (and the only one with remote access)

    At least the machine doesn't have wake on lan enabled and is turned off, tempted to go home at lunch just to make sure

    Oolon, I'm not that keen on needing to get more hardware, but I was thinking of installing Windows Server 2008 r2 and run the home server as a virtual machine, could I run the firewall off another virtual machine?
    The thing is when I remote in I have to use {machine name\Administrator}, could I log in with just {\Administrator}? otherwise they would have had to guess the machine name too

    Going to see if there is a windows way to restrict access to ports, I know the IP of my machine at work (presumably a connection from LAN would be ok?) and it's static so can restrict it to just that, could I restrict this for Remote desktop specifically?

    I suspect they were trying to do more with the machine, I noticed something else was up as mIRC was installed on it as well as them being signed on to their XBL account (why they chose to do that on a machine that stores no personal info is beyond me unless they were using my machine to do dodgy business on their end)

    Will disable the default admin account though, thankfully working with it offline is as simple as unplugging the network cable while I work on it

    I need to find a decent anti virus scanner too now as well as search for spyware...

  6. #5
    Administrator Moby-Dick's Avatar

    Re: Securing home server from outside attacks

    I know the IP of my machine at work (presumably a connection from LAN would be ok?) and it's static so can restrict it to just that, could I restrict this for Remote desktop specifically?
    unless your work machine has a public IP (which I really doubt), this won't work m'afraid - you would need to know the external IPs your work would come from. I'd imagine if they are of some significant size they'll use a proxy for web access - browsing to www.whatismyip.com will probably show you that IP.

  7. Received thanks from:

    finlay666 (27-07-2011)

  8. #6
    HEXUS.social member finlay666's Avatar

    Re: Securing home server from outside attacks

    Quote Originally Posted by Moby-Dick View Post
    unless your work machine has a public IP (which I really doubt), this won't work m'afraid - you would need to know the external IPs your work would come from. I'd imagine if they are of some significant size they'll use a proxy for web access - browsing to www.whatismyip.com will probably show you that IP.
    I have to use a VPN client to remote in to it so I guess it's a no, the external IP I do have though from proxy

  9. #7
    Senior Member oolon's Avatar

    Re: Securing home server from outside attacks

    You could run a firewall off a VM, if you have a switch that does VLANs and trunk a nic this can be very effective. Personally I have a little solid state atom board for my firewall (11Watts), as it has dual nics etc... however due to current wiring its having to use vlans off a switch anyway so a separated box, can have very little advantage over a VM. I wish I had not bought it now!

  10. Received thanks from:

    finlay666 (27-07-2011)

  11. #8
    Super Nerd
    Join Date
    Jul 2008
    Location
    Cambridge
    Posts
    1,785
    Thanks
    22
    Thanked
    105 times in 72 posts

    Re: Securing home server from outside attacks

    LinITX.com sell MikroTik routers, they have proper router features, in a domestic router sized package.

    Very flexible, just a minor understanding of iptables required.

    http://linitx.com/product/13131

    I use the gigabit version of that one.

  12. #9
    HEXUS.social member finlay666's Avatar

    Re: Securing home server from outside attacks

    Well just booted the machine up with no network access.....

    Little bugger made their own windows account, installed "Fast Email Extractor" on their account (presumably read it as there is what appears to be a database file in the app data), just reset the password to see what else they did on that account

    Files seem untouched which is a bit weird, but guess they wouldn't want to raise suspicion

    Even weirder that they then went onto xbox.com, and had added points to an account when I logged back into it, but that was from a non private FF session, they did a lot in IE using the inprivate browsing

    Looks like there is a lot on there I don't know about, the account was made a month ago, 2 weeks after the machine went up and I hadn't noticed until now

    They were nice enough to include some other requests but to be on the safe side I'm going to install WS2008 and get some VMs running

  13. #10
    Senior Member
    Join Date
    Oct 2008
    Location
    Greater Manchester
    Posts
    280
    Thanks
    12
    Thanked
    16 times in 9 posts
    • cleaverlch's system
      • Motherboard:
      • Asus P6T
      • CPU:
      • i7 920
      • Memory:
      • 6GB DDR3 1333 GSkill
      • Storage:
      • Samsung 830 256GB, 3TB + 1TB + 650GB
      • Graphics card(s):
      • AMD HD6950
      • PSU:
      • Corsair tx 650w
      • Case:
      • antec p180b
      • Operating System:
      • Windows 8
      • Monitor(s):
      • Dell 27" 2713hm
      • Internet:
      • Cable

    Re: Securing home server from outside attacks

    Quote Originally Posted by finlay666 View Post
    Looks like there is a lot on there I don't know about, the account was made a month ago, 2 weeks after the machine went up and I hadn't noticed until now
    Event Viewer is your best friend.

    If you don't want to buy more hardware, you could always get an open source program that looks at your event log and bans any IPs attempting brute force attacks on your server.

  14. #11
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Join Date
    Aug 2005
    Location
    Looking down & checking on swearing
    Posts
    19,378
    Thanks
    2,892
    Thanked
    3,403 times in 2,693 posts

    Re: Securing home server from outside attacks

    At the risk of teaching you to suck eggs...

    First thing is to disable all services, and then open up the ones that you really need to access from the outside world. I guess you have a static IP address on your broadband and you are using NAT on the router. That should give you pretty good protection as you only need set up port forwarding for the services you need - 80 for web browsing, 25 for SMTP, 110 for POP and so on.

    DO NOT enable TELNET or FTP unless you really really have to!

    Once you have determined which holes you are opening up in your defenses, you need to think about making those applications and the OS secure. Usually it will be a question of configuration - again restricting access to the minimum. You will need to start reading the manuals/online guidance for the app. Apache and Postfix both have extensive online guidance about securing the system.

    Administration access. The holy grail of the hacker! Personally I use SSH with public key authentication. Only two computers in the world have the private key, and they themselves have password protection, and the key itself has another password. If I transport the key, it is in a truecrypt container so if I lose the USB stick with it on, the key is safe.

    My own set up is a Linux box running apache, postfix and dovecot as external services with SSH for admin. Internally it uses samba as a file server, but the ports for that are not forwarded. I rely on NAT as the primary defense, but I also use the Linux firewall and take care over configuration.

    SSH is potentially the biggest threat vector, on a good day the attacks are under 200, the record is 50,000 in one night! I get quite a few attacks on the apache server, but as far as I know, none have been successful, but I get logs e-mailed daily, so I can spot anything odd. I have just installed fail2ban which locks out an IP address for a pre-determined time after a predetermined number of errors/failed connections, and that has had a dramatic effect on the attack attempts.

    Not all the tools and applications will be available with Windows or be applicable to your situation, but the principles are:

    Defence in depth
    Block everything and only enable what you do need
    Be careful about configuration - the most secure system can be blown apart by poor app configuration
    Read the logs
    Keep OS and apps up to date
    Don't be complacent!
    Read app security advice - in a Linux system, check if they can have their own low privilege account and make sure it is not a shell account - same goes for Windows
    Only use an admin account for admin - if you have remote access, make sure it is a strong password, or preferably some form of PKI/token type of authentication.

    If you do run a mail server, be very careful not to make it an open relay. (I did once - in 26 hours I relayed 30,000+ spam e mails and had to grovel to my ISP) I now use SASL authentication but that doesn't prevent spammers trying!

    As you are using a windows OS, given that it has been attacked, I'd be tempted to nuke the installation and start again.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  15. Received thanks from:

    finlay666 (28-07-2011)
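
The ban-after-N-failures logic mentioned in the two posts above (an event-log watcher and fail2ban), as an added example that is not code from any poster or from fail2ban itself. The CSV layout, thresholds, allowlisted LAN range and sample lines are assumptions constructed for illustration; it also goes one step further and flags a successful logon that follows failures, which a slow guesser can reach without ever tripping the ban.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample export: timestamp, Security event ID, account, source IP.
# 4625 = failed logon, 4624 = successful logon (Windows Security log IDs).
SAMPLE_LOG = """\
2011-07-27T03:10:00,4625,Administrator,203.0.113.7
2011-07-27T03:10:10,4625,Administrator,203.0.113.7
2011-07-27T03:10:20,4625,Administrator,203.0.113.7
2011-07-27T03:10:30,4625,Administrator,203.0.113.7
2011-07-27T03:20:00,4625,Administrator,198.51.100.23
2011-07-27T03:26:00,4625,Administrator,198.51.100.23
2011-07-27T03:32:00,4625,Administrator,198.51.100.23
2011-07-27T03:33:00,4624,Administrator,198.51.100.23
2011-07-27T08:00:00,4625,owner,192.168.1.20
2011-07-27T08:00:05,4625,owner,192.168.1.20
2011-07-27T08:00:10,4625,owner,192.168.1.20
2011-07-27T08:00:15,4624,owner,192.168.1.20
"""

MAX_RETRY = 3                       # failures tolerated inside FIND_TIME
FIND_TIME = timedelta(minutes=10)   # sliding window for counting failures
BAN_TIME = timedelta(hours=1)       # how long a banned address stays blocked
SUSPECT_FAILS = 2                   # failures before a success looks like a guess
ALLOWLIST = [ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN, never banned


def parse(line):
    ts, event_id, user, ip = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), user, ipaddress.ip_address(ip)


def analyse(log_text):
    """Return (bans, alerts) for a chronologically ordered log export."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logons
    banned_until = {}               # ip -> time the ban expires
    bans, alerts = [], []
    for line in filter(str.strip, log_text.splitlines()):
        ts, event_id, user, ip = parse(line)
        if any(ip in net for net in ALLOWLIST):
            continue                # trusted range: never counted or banned
        if ts < banned_until.get(ip, datetime.min):
            continue                # a firewall block would have dropped this
        window = failures[ip]
        while window and ts - window[0] > FIND_TIME:
            window.popleft()        # forget failures older than the window
        if event_id == 4625:
            window.append(ts)
            if len(window) >= MAX_RETRY:
                banned_until[ip] = ts + BAN_TIME
                bans.append((ts, str(ip)))
                window.clear()
        elif event_id == 4624 and len(window) >= SUSPECT_FAILS:
            # Success right after repeated failures: the guess may have worked.
            alerts.append((ts, str(ip), user))
    return bans, alerts


if __name__ == "__main__":
    bans, alerts = analyse(SAMPLE_LOG)
    for ts, ip in bans:
        print(f"BAN   {ip} at {ts} for {BAN_TIME}")
    for ts, ip, user in alerts:
        print(f"ALERT {user} logged on from {ip} at {ts} after failed attempts")
```

In the sample, the fast guesser is banned on its third failure, while the second address spaces its attempts six minutes apart, never reaches three failures inside the window, and is only caught by the alert on its successful logon.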

  16. #12
    HEXUS.social member Agent's Avatar
    Join Date
    Jul 2003
    Location
    Internet
    Posts
    19,185
    Thanks
    739
    Thanked
    1,614 times in 1,050 posts

    Re: Securing home server from outside attacks

    I know they had a local account in this case, but to help against brute forces (which might be how they got in in the first place), set a maximum number of logins for the account:

    gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy

    And of course, change the username as that adds to the work an attacker needs to do.
    Quote Originally Posted by Saracen View Post
    And by trying to force me to like small pants, they've alienated me.

  17. Received thanks from:

    finlay666 (28-07-2011)

  18. #13
    HEXUS.social member finlay666's Avatar

    Re: Securing home server from outside attacks

    Quote Originally Posted by peterb View Post
    At the risk of teaching you to suck eggs...

    As you are using a windows OS, given that it has been attacked, I'd be tempted to nuke the installation and start again.
    Not at all, to be honest I was rather complacent and paid the price (and nearly soiled myself at the shock)

    (The only ports I had opened were 80 for http, 443 for ssl, the RDP port and another for streaming, luckily all other machines are off unless needed so the attack was localised as the server has no access to the other machines on the network without a different username and a different password)

    I planned to, the system had a flat WHS2011 install on but going to switch that out to a Server 2008 machine hosting a Hyper-V WHS2011 install this weekend, machine isn't going back online and none of the drives are going back in until I have scanned them, I think this will give me an opportunity to pop a firewall system on of some kind, or to just back it up easily

    Going to be making a proper system next time round and try to limit the potential issues to a minimum, like changing account names, rotating passwords etc

    How do I go about ensuring that only a machine with a key can connect to the server remotely? Would be very interested as the only machines I would connect in with would be my work machine (I have the IP), my laptop and my main pc (usually on the same network but may be external)

    I know in some areas of computing I know a reasonable amount (probably more dangerous tbh) but in things like administering a server I know I know very little and how generally insecure they are by default and the extra work needed to lock them down

  19. #14
    PHP Geek Flash477's Avatar
    Join Date
    Dec 2008
    Location
    Devon
    Posts
    822
    Thanks
    51
    Thanked
    72 times in 65 posts

    Re: Securing home server from outside attacks

    Quote Originally Posted by peterb View Post
    SSH is potentially the biggest threat vector, on a good day the attacks are under 200, the record is 50,000 in one night! I get quite a few attacks on the apache server, but as far as I know, none have been successful, but I get logs e-mailed daily, so I can spot anything odd. I have just installed fail2ban which locks out an IP address for a pre-determined time after a predetermined number of errors/failed connections, and that has had a dramatic effect on the attack attempts.
    An easy way to prevent SSH login attempts is to change the port (same with ftp) - I change mine on each installation - never get any login attempts as they just tend to search for an open default port.

  20. Received thanks from:

    finlay666 (28-07-2011)

  21. #15
    HEXUS.social member finlay666's Avatar

    Re: Securing home server from outside attacks

    Quote Originally Posted by Flash477 View Post
    An easy way to prevent SSH login attempts is to change the port (same with ftp) - I change mine on each installation - never get any login attempts as they just tend to search for an open default port.
    would I set this in IIS or some other section?

    Thanks for all the help, will be taking it onboard when I clean it out this weekend

  22. #16
    The late but legendary peterb - Onward and Upward peterb's Avatar

    Re: Securing home server from outside attacks

    Quote Originally Posted by Flash477 View Post
    An easy way to prevent SSH login attempts is to change the port (same with ftp) - I change mine on each installation - never get any login attempts as they just tend to search for an open default port.
    Yes - but... It is security by stealth, not really secure. It only takes a port scan and the subterfuge is revealed.

    SSH (Secure Shell) is available for windows - here is one (free) implementation

    http://mobassh.mobatek.net/ but I haven't tried it myself

    For information on using public/private keypairs with SSH

    http://www.openssh.org/manual.html

    You might want to read that first (lots of it) and quite a good introduction to public/private key pairs.

    If you want an SSH client to run under windows to connect to an SSH machine (Linux or Mac) then Putty is as good as anything.

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

  23. Received thanks from:

    finlay666 (28-07-2011)
