More server 2003 lockdown goodness
I was just setting up yet another fresh Windows 2003 VPS server and decided that I was going to go absolutely whole hog on protecting this one. It’s sort of backwards to lock your computer down as you see holes. If you know they’re going to be exploited at some point, you might as well do the work now rather than hoping breeches don’t adversely affect you.
Not that I had really the time to spend doing this, but I *sure* know I didn’t have the time to spend 2-3 hours every morning doing damage control. You can read my recommendations on the previous post, Securing a Windows 2003 VPS Server.
I started off by changing the RDS port and renaming the administrator. What their bots don’t ping and get a response to, they will ignore for a while is my thought – they’ll find it soon enough. That gave me some time to start going through the RRAS setup and entering all those Chinese addresses. Still looking for a way to load up all those IP ranges/subnets if anyone has a suggestion. Probably need to go poking around a bit – inevitably there IS a way to do it.
Went through the remainder of things including setting up Apache – remember, just say NO to WebDAV. I also recommend doing it the serious way. WAMP and XAMPP are both great when you have a protected setup, but with so much done on your behalf, it’s hard to know for sure what you’ve got going on – THAT is where my bad experience with WebDAV came from.
Download and install Apache, then PHP, MySQL – whatever you need. DO go through your httpd.conf / .htaccess files with a fine tooth comb. If you have multiple IPs, I also remember to close the IPs down that you are not using at the moment – modify your “listen” statement. Change the “listen *:80” to “listen xx.xx.xx.xx:80” specifically. KNOW what you are exposing.
Spent some quality time fighting with getting a connection to a remote MySQL server – that occupied most of the day – nothing SIMPLE is ever easy. After finally getting that working right, when I got back to looking over the server, I immediately discovered that yes, hackers had already been banging on it. Since no domain name had been assigned to the server at this point, it was easy to figure out that these were bots/hackers hitting IP addresses – no one had any reason to be hitting this server for honorable reasons.
So, added a few more subnets to the RRAS and continued on.
The one thing I really didn’t go into last time was the GeoIP mod. With the GeoIP mod on any flavor of Apache – Linux or Windows, you can specifically allow only certain countries through to your webserver. Here is a GREAT resource that will step you through that process – http://www.cocea.biz/blog1.php/2008/09/02/redirect-apache-geoip-country . It really doesn’t take but a few minutes to implement this. Once you have them locked out in the .htaccess file, I’m not really sure if it’s needed – BUT if you don’t feel like specifically locking out all those subnets, then this may be the answer. So, is it necessary to have both? Probably not, BUT, I would rather have some overkill rather than any underkill. In general, I am usually only interested in US/CA traffic – maybe our friends in the UK.
When you go to download the compiled win 32 GeoIP module, the most recent version that I found for the mod_geoip.so actually is from 2009. Seems old, but works as advertised. DO make sure you test it by locking out US at some point and then trying to hit it. I set mine to NOT show that they have been locked out, but just redirect them to Google. I thought about sending them to a known infected server, but decided I was PROBABLY overthinking this LOL. Would have taken a few more lines to just send the CH hits there, but, hey, what if they WEREN’T really trying to hack me. That would just be downright un-neighborly.
So, a few more ideas on locking down that 2003 VPS server (or any server really). Keep on servin’!