So how do you go about blocking hackers from your Windows 2003 web server or VPS?
If you really don’t need a Virtual Private Server (VPS) or dedicated server, I really suggest using shared hosting. That puts the responsibility on the actual hosting company – it DOESN’T mean that they’ll do a great job of protecting you, but at least you don’t have to worry about what you can’t do anything about. However, when the security is in YOUR hands, you can fritter away some serious hours protecting your stuff.
As I mentioned before, I always seem to be getting pounded on by hackers – particularly Chinese and Korean hackers. Let’s hit on a few topics that might make your life easier going forward.
- While it may be nice to do the “Chicken Little” thing and NOT see what is going on with your server, it’s a recipe for disaster. Enable auditing of failed logon attempts by going into “Local Security Policy” from your Administrative Tools. Go into Local Policies => Audit Policy. Change “Audit account logon events” to Success/Failure, and ditto for “Audit logon events”. At least now you’ll be able to SEE when you’re getting banged on by hackers. Go to Event Viewer to see what’s going on. It WILL be unnerving to see the activity if your server is anything like mine. Once you see the frequency of hacker probes and attacks, you’ll likely want to rush through the rest of these suggestions.
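Once auditing is on, the Security log fills up fast, so here is an added example (not from the original post) of turning an export of it into something readable: it flags source addresses that pile up event 529 logon failures within a short window, and counts which account names are being hammered. The log lines are constructed and deliberately simplified to the fields the detector needs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified export of Windows Server 2003 Security log
# entries as "date time event_id user source_address" (529 = logon failure).
SAMPLE_LOG = """\
2009-03-14 02:11:03 529 Administrator 203.0.113.45
2009-03-14 02:11:04 529 Administrator 203.0.113.45
2009-03-14 02:11:05 529 admin 203.0.113.45
2009-03-14 02:11:06 529 Administrator 203.0.113.45
2009-03-14 02:11:09 529 Admin 203.0.113.45
2009-03-14 02:30:00 529 tech 198.51.100.7
2009-03-14 03:05:12 528 jsmith 192.0.2.10
2009-03-14 03:06:40 529 jsmith 192.0.2.10
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (\S+)$")

def parse_events(text):
    """Turn the export into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, user, src = m.groups()
            events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "id": int(eid), "user": user, "src": src})
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """{source: total failures} for sources with >= threshold 529s in any window."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 529:          # successes (528) and other events are ignored
            failures[e["src"]].append(e["time"])
    flagged = {}
    for src, times in failures.items():
        times.sort()                 # exports are not guaranteed to be in order
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged

def targeted_accounts(events):
    """Failed logons per user name, case-folded (Admin and admin are one target)."""
    return Counter(e["user"].lower() for e in events if e["id"] == 529)
```

The flagged sources are exactly the addresses (or their surrounding subnets) worth feeding into the RRAS inbound filters discussed further down.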
- As everyone ALWAYS says – use strong, strong passwords – for every account. “Abc123” isn’t going to cut it. I see scripts running up against my server using the usernames “Admin” and “Administrator” continually, and I’m sure they have a number of common passwords preloaded. Since Administrator is the only account on the server that won’t be locked out automatically after x failed login attempts, it is the account to brute-force one’s way into a server with. I suggest using a nice long phrase that you remember – “iLikehamandeggsforbreakfastat8am”. Realistically, THAT kind of password is just NOT going to get hacked any time soon – and not by a dictionary attack either. Don’t use the pet names you have on Facebook either – unless maybe you’ve named your dog “horatiohornblowerthethird”, and even then throw in a number and/or some caps and maybe a punctuation character. “Fido” is NOT secure. Ditto for your kids’ names.
- Rename the Administrator account? Jiminy, I don’t know, I see people saying yes and no to it. It’s a known account with a particular UID associated, so any good hacker is going to know the deal. However, in MY mind, why provide a training resource for someone who DOESN’T know what they’re doing? I change mine.
- Get rid of unneeded services such as “File and Printer Sharing for Microsoft Networks”. Unless you are trying to map a drive out to a VPS, which I would say is a bad idea, get rid of it. It only gives a hacker an opportunity to bang up against THAT service for a while. Testing indicates that you can’t get rid of the “Client for Microsoft Networks” without getting an RPC error when you try to log on.
- Speaking of which – just say NO to WebDAV! Really, if you need WebDAV, I say you’re on your own. Unless you take the time to learn how to really lock it down (and I haven’t), just get rid of it. I discovered this particular security hole when I found a new user named “TECH” on my server one day – and then found, in the WebDAV folder, a pretty spiffy file called “temp.php” that likely enumerated every little thing about my server. VERY unnerving.
- BE OBSERVANT! As above, I never would have noticed if I hadn’t been rather vigilant on my services and such. Keep an eye on your Terminal Services Manager – make sure someone ELSE isn’t connected. Look for new files that you didn’t put there. Your server is NOT a toaster – at least not when it’s on the internet – and it requires monitoring.
- If you have a multiple IP address setup, disable listening on the addresses you are NOT using. Again, it all comes down to reducing your attack surface. If you have a few different things going on in your server, use the HttpConfig.exe tool from the Windows Server 2003 tools package to restrict which IP addresses your web server listens on.
- If you are using Apache on your setup, you can control web access via the .htaccess file. For example, a number of sites on one of my servers are dedicated to local businesses – I really doubt someone from China is going to be using a local dog groomer, or even needs to know that they are there. It would be nice to leave everything open so it could be seen by everybody, but why worry? Close it off. You can find some great information over on http://www.wizcrafts.net/ for limiting visitors by IP. Here’s another good resource using some of the Apache mod tools – GeoIP Apache API.
Remember that .htaccess files cascade. So if you have a fairly restrictive set of rules at the root of your document directory, you can continue to fine-tune them as you go down into subfolders. For my local sites, I keep a fairly restrictive setup in place at the top of the heap. Also remember that if your site is several layers deep, every request WILL look for an .htaccess file in every parent folder up to the root, which has the potential to really bog things down.
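To make the IP restriction and the cascade concrete, here is an added example (not from the original post or the resources it links) that evaluates Apache 2.2 mod_authz_host `Order`/`Allow from`/`Deny from` rules the way the Apache documentation describes them, across a constructed root .htaccess and one subfolder .htaccess. It assumes only the `all`, CIDR, full-address and leading-octet forms (no hostnames, no net/mask pairs, no `Mutual-failure`), and models the one caveat that bites in practice: mod_authz_host has no per-directory merge function, so the deepest .htaccess that sets any access directive replaces the parent rules rather than adding to them.

```python
from ipaddress import ip_address, ip_network

# Constructed .htaccess contents (Apache 2.2 mod_authz_host syntax): document root, then a subfolder.
ROOT_HTACCESS = """\
Order Deny,Allow
Deny from all
Allow from 198.51.100.0/24
Allow from 192.0.2.
"""
SUB_HTACCESS = """\
# a gallery folder somebody "opened up" later
Allow from all
"""

def parse_htaccess(text):
    """Collect Order/Allow from/Deny from; None if the file has no access rules."""
    rules, found = {"order": "deny,allow", "allow": [], "deny": []}, False
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        kw = parts[0].lower()
        if kw == "order":
            rules["order"], found = parts[1].lower(), True
        elif kw in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            rules[kw].extend(parts[2:]); found = True
    return rules if found else None

def matches(pattern, ip):
    """'all', a CIDR block, a full address, or a leading-octet prefix like 192.0.2."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ip_address(ip) in ip_network(pattern, strict=False)
    octets = pattern.rstrip(".").split(".")
    return ip.split(".")[:len(octets)] == octets

def allowed(rules, ip):
    """Deny,Allow: default allow, Allow wins a tie. Allow,Deny: default deny, Deny wins."""
    a = any(matches(p, ip) for p in rules["allow"])
    d = any(matches(p, ip) for p in rules["deny"])
    return (a or not d) if rules["order"] == "deny,allow" else (a and not d)

def access_for(htaccess_chain, ip):
    """Contents from the docroot down to the requested folder; mod_authz_host has no
    merge function, so the deepest file with any access directive replaces the rest."""
    effective = None
    for text in htaccess_chain:
        effective = parse_htaccess(text) or effective
    return True if effective is None else allowed(effective, ip)
```

The last assertion-style case worth trying yourself: a subfolder whose .htaccess contains only `Allow from all` is wide open even though the root denies everything, so a restrictive root is only as good as the most permissive file beneath it.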
- Live, learn, and LOVE RRAS. While Linux users have all grades of helpful tools for limiting access, Windows users – not so much – unless you learn what the Routing and Remote Access Service can do. If you take the time to set up RRAS, then you generally don’t even have to worry about the web access config. If your wannabe hacker doesn’t get any response at all, then they obviously can’t even get to potential security holes. VERY helpful. It is gratifying to be able to slam the door shut on them via RRAS. I had to go through several hours of research to find the necessary info to set that up properly. Start with a good Google search on setting up RRAS. If you’re trying to slam the door on a hacker banging on your server, look specifically for “inbound filter” information. If those packets just get dropped, there’s NO surface. Here’s a quick video of how to set up the RRAS component for Windows 2003 Server to block a particular IP. You can ALSO block entire subnets if desired. The video shows just a single IP, but if you want to block out a subnet or a number of them – such as all of China – just be prepared to click “New” a lot.