WebProWorld (part of WebProNews.com): Internet Security Discussion Forum

#1, posted 08-24-2007, 02:11 PM by wige (WebProWorld Moderator; joined Jun 2006; United States; 1,721 posts)
Your security questions

A few weeks ago, I got the brilliant idea to start a blog about security issues, posting different vulnerabilities and ways to correct these issues, essentially as a way for me to get information about security issues so I could learn how best to protect my own web sites, as well as spreading the information around so that other webmasters would be able to take that information and make their own sites more secure.

Unfortunately, I have been low on ideas after the first few posts. So, I come to you... Do any of you have webmaster or SEO-related security questions, concerns or issues that you have encountered? I will of course answer here, but this discussion will also hopefully give me some inspiration for future articles as well.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog

#2, posted 08-27-2007, 12:37 PM by jganders (WebProWorld Member; joined Jul 2007; California, USA; 26 posts)
Re: Your security questions

This question is about brute force server attacks. I'm amazed how much traffic out there is due to the kiddie-bots that ssh to your server and try to log in to unix/linux boxes as root and other common accounts by guessing passwords.
If your root password is a common word, like 'winter', you are going to be hacked very soon. On to the question. I found a cool script that is intelligent enough to look back to see how many times a given IP address has provided failed passwords. When the IP has had too many failed passwords in a given amount of time, the script issues an apf command that bans the IP address. Yay! The script is at R-fx Networks - Internet Security Solutions - Projects » BFD. However, the brute force attacks continue unabated from new attacking IPs (BFD sends me an email when an IP is banned). It seems like there is an endless number of zombie computers out there issuing brute force attacks.
So here is the question.
Why isn't there a 'service' somewhere that (a script like) BFD can send the details of the IP banning to? The service would figure out which ISP owns the IP and email the ISP's abuse account. In addition, site owners could subscribe to the list and proactively ban the IPs. It seems like the brute force attacker could easily be traced and dealt with quickly if there were central reporting.
Thanx,
Jim

#3, posted 08-27-2007, 01:01 PM by wige (WebProWorld Moderator; joined Jun 2006; United States; 1,721 posts)
Re: Your security questions

Unfortunately, with brute force attacks you encounter two problems. The first is that the system will never lock out the root account, because if the root account becomes locked out at a critical moment, a legitimate user cannot log in to fix the problem. The second is that the attacker can jump to a proxy server as soon as the IP address is banned and continue the attack.

Creating a list of the banned IP addresses is a good idea, as it could then be shared among clients; however, there are a few issues with a centralized solution. The first is paying for the bandwidth and server space to manage the list of banned IPs, which will constantly be growing. Then, all connection requests would have to be checked against the central database. A Denial of Service attack could knock out the central database and cause logins on all clients to fail. Finally, if I know your legit IP address, I could spoof that address, send however many bad passwords to the server, and cause your IP to be added to the ban list. Although I could do that to the current standalone script, you could recover fairly easily compared to getting your IP unbanned from a third-party database.

Typically, the best way to avoid this issue is to set your firewall to block all traffic to the service that does not originate from known and trusted IP addresses. Unfortunately, if you will be connecting from a dynamic IP address, this is not an easy option.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog
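The failed-login counting that BFD does (post #2), together with the lockout and spoofing caveat from post #3, as an added example. This is not BFD's code: the /var/log/secure lines are constructed, and the two-minute window, the five-failure threshold, the trusted admin network (192.0.2.0/24) and the apf deny command string are assumptions made for the example. The allowlist is what keeps a spoofed flood of bad passwords from your own address from locking you out of your own server.

```python
"""Sliding-window detector for SSH password guessing, modelled on the BFD idea
in post #2 with the allowlist caveat from post #3. Added example, not BFD's
code; log lines, thresholds, trusted network and apf command are assumptions."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/secure lines in sshd's syslog format.
# 203.0.113.5 fails five times in eight seconds, 198.51.100.9 fails three times
# spread over three minutes, and 192.0.2.10 (the admin's own address) fails
# five times before logging in successfully.
SAMPLE_LOG = """\
Aug 28 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Aug 28 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Aug 28 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Aug 28 10:00:07 host sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Aug 28 10:00:09 host sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Aug 28 10:00:10 host sshd[2006]: Failed password for root from 198.51.100.9 port 50001 ssh2
Aug 28 10:00:11 host sshd[2007]: Failed password for jim from 192.0.2.10 port 60001 ssh2
Aug 28 10:00:13 host sshd[2008]: Failed password for jim from 192.0.2.10 port 60002 ssh2
Aug 28 10:00:15 host sshd[2009]: Failed password for jim from 192.0.2.10 port 60003 ssh2
Aug 28 10:00:17 host sshd[2010]: Failed password for jim from 192.0.2.10 port 60004 ssh2
Aug 28 10:00:19 host sshd[2011]: Failed password for jim from 192.0.2.10 port 60005 ssh2
Aug 28 10:00:25 host sshd[2012]: Accepted password for jim from 192.0.2.10 port 60006 ssh2
Aug 28 10:01:40 host sshd[2013]: Failed password for root from 198.51.100.9 port 50002 ssh2
Aug 28 10:03:30 host sshd[2014]: Failed password for root from 198.51.100.9 port 50003 ssh2
"""

WINDOW_SECONDS = 120   # assumed: failures older than this no longer count
THRESHOLD = 5          # assumed: failures within the window that trigger a ban
# Assumed admin network that must never be banned, even if someone spoofs it
# with bad passwords (the lockout/spoofing problem raised in post #3).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text):
    """Yield (timestamp, source ip, username) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog lines carry no year; strptime defaults to 1900, which is
            # fine for time differences within one log
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]


def is_trusted(ip):
    """True when ip falls inside one of the never-ban networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def ban_command(ip):
    """The firewall action BFD issues; assumed to be apf's -d (deny) flag."""
    return f"apf -d {ip} ssh-brute-force"


def detect_bans(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (ips to ban, trusted ips that crossed the threshold but were spared)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = []
    spared = set()
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            if is_trusted(ip):
                spared.add(ip)
            else:
                banned.append(ip)
    return banned, sorted(spared)


if __name__ == "__main__":
    to_ban, spared = detect_bans(SAMPLE_LOG)
    for ip in to_ban:
        print(ban_command(ip))
    print("trusted sources over threshold (not banned):", spared)
```

Run against the sample, only 203.0.113.5 is banned: 198.51.100.9 never reaches five failures inside one window, and 192.0.2.10 crosses the threshold but is spared because it sits in the trusted network, which is exactly the case wige describes where your own spoofed address would otherwise end up on the ban list.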

#4, posted 08-27-2007, 04:43 PM by nottheusual1 (WebProWorld Pro; joined Jun 2004; The Barrens of NE Ohio; 234 posts)
Re: Your security questions

There are services available to let you block specific geographic regions and tools to determine where attacks are occurring from, with enough info to be able to block huge IP swaths in most of the world.

As an example, our beastliest E-comm server only does business in North America, so we did some things to reduce potential problems with the enormous spam, hack-attacks, etc.:

1. Blocked all Korean and Chinese IPs - many bad things were coming from over there and this server has no reason to need to communicate with that part of the world. So, we use the files available from

Okean - The Goods

which is a constantly updated list of those IPs; you can write a script that retrieves them, daily if you wish, and reloads your firewall. Solved one problem.

Second thing we noticed was that when a virus would hit the wild, we'd suddenly get hammered by "always on" home machines that were infected. To fight the problem, we'd watch for the inbound spam patterns and then go after entire CIDR blocks - eliminating huge chunks of India, Europe and the Middle East very easily. This link is to a great resource that will tell you country of origin and CIDR block info (lets you block thousands of addresses versus single IPs - use cautiously):

FREE Updated IP to Country Database

Once you identify problem IP blocks, just add them to your firewall.

Not a complete answer, but an idea (a spark?) from our experiences. A couple of years into it and we're having fewer and fewer issues as we adjust.
__________________
:not_the_usual1
[you decide]
________________
All in my opinion, which, when combined carefully with a $1 bill, gets you a cup of coffee at the corner store.

#5, posted 08-28-2007, 11:59 AM by jganders (WebProWorld Member; joined Jul 2007; California, USA; 26 posts)
Re: Your security questions

Quote (Originally Posted by wige):
A Denial of Service attack could knock out the central database, and cause logins on all clients to fail.
Quote (Originally Posted by wige):
if I know your legit IP address, I could spoof that address, send however many bad passwords to the server, and cause your IP to be added to the ban list
There are centralized servers now that perform this kind of service for SMTP traffic. I'm not sure what all the issues are, but I would think the issues you mentioned, and others, could be solvable if enough people discuss it.

Another thing I want to mention regards my analysis of the 'secure' log file (/var/log/secure) on my linux box. The thing that really scares me is that I consistently get the same number of simultaneous brute force attempts now as before I installed the bfd script. There are always new IPs to take the place of ones blocked by bfd. In visually scanning the 'secure' file I found that there were never more than 2 IP addresses trying to break in at a given point in time. When a given IP address stopped trying to break in, or was blocked by my bfd, a different IP would magically appear to take over the task. In other words, I think the attacks are centrally coordinated. (And I don't think my server is the only one being attacked.)
BTW: The last 5 ban actions were against IPs from Brazil, China, Guatemala, China, USA (harvard.edu). These are all probably zombiebots.

#6, posted 08-28-2007, 01:58 PM by wige (WebProWorld Moderator; joined Jun 2006; United States; 1,721 posts)
Re: Your security questions

With the centralized SMTP databases, an IP is added by nomination - several servers have to be hit with mail from the originating IP and typically even then entries are hand reviewed at least to some extent. If the SMTP database goes offline, it is not a major problem because e-mail can be delayed for some time without major problems, unlike with user logins to a system. I believe there are some IDS systems that will talk to a central database to assist in filtering, but I do not know much about how these systems are implemented.

It does sound like a coordinated attack. It is not hard to roll over IPs when one gets blocked. Most brute force software will simply move from one proxy to another. If the attack is focused on a specific service on your server, you may be able to configure the firewall to block all traffic to the port except from the network(s) where you will be connecting. This will at the very least severely limit the number of IP addresses the attacker can use.
__________________
The best way to learn anything, is to question everything.
Interestingly Average Security Blog

#7, posted 09-06-2007, 11:03 AM by kgun (WebProWorld 1,000+ Club; joined May 2005; Norway; 4,947 posts)
Re: Your security questions

Blocking individual and IP regions is easy if you are on an Apache server using .htaccess.

Take these as examples where the first part (xx.xxx.) is deleted:

# BLOCKING THE CORRESPONDING IP RANGES STARTS HERE 0/25 blocks 128 IPs while 0/24 blocks 256 IPs - Class C
deny from xx.xxx.254.0/25
deny from xx.xxx.148.0/24

There is no problem blocking the whole world, yourself included (and opening up the IPs you want traffic from, like only allowing emails from persons on your address list - I think it is possible, but I have not tried it. First disallow the whole world with one deny instruction and then allow the IPs (or regions) you want traffic from??). That is an informal way of setting up a customer extranet, though not as secure as a formal one.

You should use passwords more than 20 characters long if that is possible.

It should also be possible to write traps for bots that confuse them (e.g. let them into a joke portal that returns with the joke. That may be very effective. First it stops further attacks that day, then it takes time to interpret the message until the next attempt. Don't make the message too short, and include some randomly composed words etc. at random visits). Is it possible to digitally identify a bad bot and send an automatic message to the hoster where it came from?

KW search:

spider trap

bad bot trap

etc.

Filtering email spam is fairly easy, even by using Hotmail (there are holes if they are not filled) and Gmail. Now I receive fewer than 20 spam emails a day on my x accounts.

I had an email account that I got a lot of PayPal spam from. Then I redirected the emails to my Hotmail account with a 99% filter for a while, and now it has disappeared completely. Seemingly the MS Hotmail server has a fairly advanced method (better than Gmail's as far as I know) to filter and stop email spam. Great, Microsoft.

I think there are three countries in the world that could close their borders (but not prevent those within the borders or those who have access to servers with internet access within the borders) without large problems (maybe not China now with their large export to the rest of the world):

In alphabetic order:
China
Russia
USA

The potential for USA is there already

But please let me in or I must start pulling fish up from the ocean like many other Norwegians. In the end, that may be better for my health.

Last edited by kgun : 09-06-2007 at 11:52 AM.
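The CIDR handling behind post #4 (a downloaded country block list fed into the firewall, plus an IP-to-country lookup that yields CIDR blocks) and post #7 (the .htaccess deny rules and the deny-the-world, allow-the-few extranet), as one added example. It is not Okean's feed, the IP-to-Country database, or kgun's own .htaccess: both data sets are constructed from RFC 5737 documentation ranges, their line layouts are assumptions, and the country codes XA/XB are user-assigned ISO 3166 codes that name no real country. The generated directives are the Apache 2.2 mod_authz_host `Order`/`Allow from`/`Deny from` family that kgun's snippet uses; Apache 2.4 expresses the same policy with `Require ip` / `Require not ip`.

```python
"""CIDR block handling for the country block lists in post #4 and the
.htaccess rules in post #7. Added example; the feed, the country rows and the
trusted extranet range are constructed, not real data from the thread's links."""
import ipaddress

# Constructed block-list feed: one CIDR per line, '#' comments (layout assumed).
BLOCKLIST_FEED = """\
# constructed sample, not a real country feed
203.0.113.0/25     # 128 addresses, the same size as kgun's xx.xxx.254.0/25
198.51.100.0/24    # 256 addresses, a full class C
192.0.2.128/26     # 64 addresses
"""

# Constructed IP-to-country rows: first address, last address, country code.
COUNTRY_RANGES = """\
203.0.113.0,203.0.113.255,XA
198.51.100.0,198.51.100.127,XB
"""


def parse_feed(text):
    """Turn a block-list feed into ip_network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line))   # strict: host bits must be zero
    return nets


def addresses_covered(nets):
    """How many addresses a list of blocks denies; the collateral-damage number."""
    return sum(n.num_addresses for n in nets)


def blocking_network(ip, nets):
    """Return the block that covers ip, or None if the address is not blocked."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


def parse_country_ranges(text):
    """Parse first,last,country rows into (IPv4Address, IPv4Address, code)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            first, last, cc = line.strip().split(",")
            rows.append((ipaddress.ip_address(first), ipaddress.ip_address(last), cc))
    return rows


def country_of(ip, rows):
    """Country code for ip, or None when no row covers it."""
    addr = ipaddress.ip_address(ip)
    return next((cc for first, last, cc in rows if first <= addr <= last), None)


def cidrs_for_country(cc, rows):
    """Collapse a country's first..last ranges into CIDR blocks a firewall accepts."""
    nets = []
    for first, last, code in rows:
        if code == cc:
            nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def htaccess_deny_rules(nets):
    """Apache 2.2 block list: everyone allowed except the listed blocks."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {n}" for n in nets]
    return "\n".join(lines)


def htaccess_extranet(trusted_nets):
    """kgun's extranet idea: deny the whole world, then allow the trusted ranges."""
    lines = ["Order Deny,Allow", "Deny from all"]
    lines += [f"Allow from {n}" for n in trusted_nets]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_feed(BLOCKLIST_FEED)
    print(f"{len(nets)} blocks cover {addresses_covered(nets)} addresses")
    print("203.0.113.77 blocked by", blocking_network("203.0.113.77", nets))
    rows = parse_country_ranges(COUNTRY_RANGES)
    print("198.51.100.5 is in", country_of("198.51.100.5", rows))
    print(htaccess_deny_rules(cidrs_for_country("XA", rows)))
    print(htaccess_extranet(["192.0.2.0/24"]))
```

`addresses_covered` is the number to look at before loading a feed: three short lines here already deny 448 addresses, which is the "use cautiously" point in post #4. `ipaddress.ip_network` is left in strict mode on purpose so that a feed line with host bits set (a typo such as 203.0.113.1/25) raises instead of silently widening or narrowing the block.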