Protecting a VPS based on Windows 2008 R2
This is a free translation of my post from my company's blog, about how I cleaned up after a hacker attack on our server.
In a nutshell: my server was hacked. The attacker obtained a password to the FTP server and for almost 10 hours downloaded everything he could get his hands on. How the server was actually hacked is a separate story. In short, the hacker sent a fake support ticket to my hoster asking for help creating an FTP user, and the hoster basically fell for it. Not only did they create the user, they also gave it admin rights... I'll post the hacker's correspondence with the hoster (I managed to get a copy) separately if there is interest; it is entertaining in its own right. In the meantime, I'll just list the steps I took to protect my server and eliminate the consequences.
Let me say upfront: I'm not an admin, I'm a .NET programmer. To seasoned admins and security specialists my attempts will surely look like childish babbling, so I ask them not to take it to heart. But perhaps I'll help someone like me: a programmer who just keeps a small server with several applications. :)
So:
Configure a lockout policy. By default, a Windows server is not protected against brute-force password guessing. An attacker can open, say, a thousand RDP (“Remote Desktop”) connections trying different logins and passwords, or hammer your FTP server with endless connection attempts... That is why it is worth configuring a “lockout”: temporarily blocking an account after several unsuccessful attempts.
Go to “Start - Run - secpol.msc - Security Settings - Account Policies - Account Lockout Policy” and set, for example, “5 attempts” and “5 minutes”: this blocks the account for 5 minutes after 5 failed logon attempts.
Block the support user. If you rent a server, it almost certainly has a support account configured for your hoster, something like “Support User” or “support_user”. Disable it. Sometimes the danger comes from the hoster itself and its naive young support staff, who hand out access left and right. That is what happened to me.
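The two account steps above (lockout policy, then the hoster's support account) can be done from an elevated PowerShell prompt instead of the GUI, and checked afterwards against the Security log. This is an added example, not code from the original post; the account name "support_user" and the event IDs used for the check (4625 = failed logon, 4740 = account locked out) are my assumptions and the standard Windows IDs respectively.

```powershell
# Added example (not from the original post): apply the lockout policy from
# the text (5 attempts, 5 minutes) with net.exe, disable the hoster's support
# account, and see who still has admin rights and who is still knocking.
$supportUser = "support_user"   # assumed name of the hoster's account

# 1. Lockout policy. Windows requires duration >= reset window, so set all three
#    to the same value; threshold 5, duration 5 min, counter reset after 5 min.
net accounts /lockoutthreshold:5 /lockoutduration:5 /lockoutwindow:5 | Out-Null
net accounts | Select-String "Lockout"          # show the effective values

# 2. Disable (do not delete) the support account: a disabled account keeps its
#    SID, so old log entries and file ACLs still resolve to a name.
if (net user | Select-String -SimpleMatch $supportUser) {
    net user $supportUser /active:no
} else {
    Write-Warning "account '$supportUser' not found, check the name your hoster uses"
}

# 3. Everyone who is still a local administrator. Each line should be a name
#    you recognise; anything else is a finding.
net localgroup Administrators

# 4. Recent failed logons (4625) and lockouts (4740) from the Security log,
#    with the account name and source IP pulled from the event XML.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4625, 4740 } -MaxEvents 100 |
    ForEach-Object {
        $x    = [xml]$_.ToXml()
        $data = $x.Event.EventData.Data
        $acct = ($data | Where-Object { $_.Name -eq "TargetUserName" }).'#text'
        $ip   = ($data | Where-Object { $_.Name -eq "IpAddress" }).'#text'   # absent for 4740
        New-Object PSObject -Property @{ Time = $_.TimeCreated; Id = $_.Id; Account = $acct; Source = $ip }
    } |
    Group-Object Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = "Sources"; e = { ($_.Group | Select-Object -ExpandProperty Source -Unique) -join "," } } |
    Format-Table -AutoSize
```

The last step is the useful feedback loop: after the lockout policy is in place, a burst of 4625 events followed by a 4740 for the same account shows the policy working, while a steady stream of 4625 from one source IP against names that do not exist on the box is a signal to add that IP to a firewall block rule.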
Disable FTP if you don't need it. If your clients or applications do not need permanent FTP, turn it off and enable it only when you need to upload files, and allow access only from your own IP. Better still, put the server into “blind put” mode, i.e. an FTP server that allows only writing. In the IIS FTP server settings, check the “Write” checkbox and uncheck the “Read” checkbox.
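The same "write only, and only from my IP" setup for the IIS 7.5 FTP server, done with the WebAdministration module so it can be re-applied after a hoster "helpfully" changes something. This is an added example, not the post's own configuration; the site name "Default FTP Site", the upload account "ftpupload" and the admin IP 203.0.113.10 are assumptions, and the section names are the IIS FTP configuration sections (system.ftpServer/security/authorization and ipSecurity) as they appear in applicationHost.config.

```powershell
# Added example (not from the original post): put an IIS 7.5 FTP site into
# "blind put" mode (Write but no Read) and allow connections from one IP only.
Import-Module WebAdministration

$site    = "Default FTP Site"   # assumed FTP site name
$ftpUser = "ftpupload"          # assumed upload-only account
$adminIp = "203.0.113.10"       # assumed admin IP (documentation range)
$authSec = "system.ftpServer/security/authorization"
$ipSec   = "system.ftpServer/security/ipSecurity"

# 1. Authorization: drop every existing rule for the site and add exactly one,
#    giving the upload account Write only. With no Read rule nobody can list
#    or download what has been uploaded, even with a stolen password.
Clear-WebConfiguration -Filter $authSec -Location $site -PSPath "IIS:\"
Add-WebConfiguration   -Filter $authSec -Location $site -PSPath "IIS:\" -Value @{
    accessType  = "Allow"
    users       = $ftpUser
    permissions = "Write"
}

# 2. IP restriction: deny everything that is not listed, then list the admin IP.
Clear-WebConfiguration -Filter $ipSec -Location $site -PSPath "IIS:\"
Set-WebConfigurationProperty -Filter $ipSec -Location $site -PSPath "IIS:\" `
    -Name allowUnlisted -Value $false
Add-WebConfiguration -Filter $ipSec -Location $site -PSPath "IIS:\" -Value @{
    ipAddress = $adminIp
    allowed   = $true
}

# 3. Read back what is now in effect; anything beyond one Write rule and one
#    allowed IP means the change did not land where you expected.
Get-WebConfiguration -Filter "$authSec/add" -Location $site -PSPath "IIS:\" |
    Select-Object accessType, users, permissions
Get-WebConfiguration -Filter "$ipSec/add"   -Location $site -PSPath "IIS:\" |
    Select-Object ipAddress, allowed

# 4. When FTP is not needed at all, do not just stop it, make sure it stays down:
# Stop-Service ftpsvc
# Set-Service  ftpsvc -StartupType Disabled
```

Enabling FTP again for an upload window is then a matter of `Start-Service ftpsvc` and `Stop-Service ftpsvc` afterwards; the authorization and IP rules survive the restart, so the server never comes back up with the defaults.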
Install a password manager. A bunch of my friends (really, a bunch) use the “one complex password for everything” scheme. Even programmers, admins and designers I know... Stupid, frankly. Think again. Even for service accounts (database users and the like), use only complex generated passwords, and keep them in a password manager. I personally use “LastPass”: it's free, good, and available as a Chrome extension.
Backup! Back up everything, always and everywhere. Create daily jobs on the SQL server that save the databases locally and somewhere online. Even in the free MS SQL Server Express, which has no SQL Agent, you can create a kind of job via the Task Scheduler.
Personally, my backups work like this: a local copy of all databases is made twice a day, and a remote copy twice a week. For remote copies I use Microsoft SkyDrive, which gives 25 gigabytes of online storage for free. Not bad, huh? A folder-syncing tool is included (called Windows Live Mesh). If you dislike MS for religious reasons, use Dropbox or something else, but use something!
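Here is what such a Task Scheduler "job" can look like for SQL Server Express: one PowerShell script that backs up every user database with sqlcmd, verifies each file, prunes old local copies and drops the fresh set into a folder that a sync client (SkyDrive/Live Mesh, Dropbox, whatever) carries off the server. This is an added example, not the post's own script; the instance name, the folders and the task times are assumptions.

```powershell
# Added example (not from the original post): full backup of all user databases
# on a SQL Server Express instance, verified, pruned and copied to a synced folder.
$instance  = ".\SQLEXPRESS"                  # assumed instance name
$localDir  = "D:\Backups\sql"                # assumed local backup folder
$remoteDir = "C:\Users\admin\SkyDrive\sql"   # assumed folder watched by the sync client
$keepDays  = 7                               # local retention

New-Item -ItemType Directory -Force -Path $localDir, $remoteDir | Out-Null
$stamp = Get-Date -Format "yyyyMMdd_HHmm"

# 1. T-SQL that loops over the user databases (database_id > 4 skips master,
#    tempdb, model, msdb), backs each one up with a checksum and verifies the
#    file immediately. A backup that cannot be restored is not a backup.
$sql = @"
DECLARE @db sysname, @file nvarchar(260);
DECLARE dbs CURSOR FOR
    SELECT name FROM sys.databases
    WHERE database_id > 4 AND state_desc = 'ONLINE';
OPEN dbs; FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @file = N'$localDir\' + @db + N'_$stamp.bak';
    BACKUP DATABASE @db TO DISK = @file WITH INIT, CHECKSUM;
    RESTORE VERIFYONLY FROM DISK = @file WITH CHECKSUM;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;
"@
$sqlFile = Join-Path $env:TEMP "backup_$stamp.sql"
Set-Content -Path $sqlFile -Value $sql -Encoding ASCII

# -E: Windows auth (the scheduled task's account needs db_backupoperator or
# sysadmin); -b: make sqlcmd return a non-zero exit code on any T-SQL error.
sqlcmd -S $instance -E -b -i $sqlFile
if ($LASTEXITCODE -ne 0) { throw "SQL backup failed, sqlcmd exit code $LASTEXITCODE" }
Remove-Item $sqlFile

# 2. Prune local copies older than the retention window.
Get-ChildItem $localDir -Filter *.bak |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$keepDays) } |
    Remove-Item

# 3. Copy this run's files into the synced folder; the sync client does the rest.
Get-ChildItem $localDir -Filter "*_$stamp.bak" |
    Copy-Item -Destination $remoteDir -Force

# Register as scheduled tasks once, from an elevated prompt (script path assumed).
# Two tasks give the twice-a-day schedule from the text:
# schtasks /create /tn "SqlBackup-AM" /sc daily /st 03:00 /ru SYSTEM ^
#   /tr "powershell.exe -ExecutionPolicy Bypass -File C:\scripts\Backup-Sql.ps1"
# schtasks /create /tn "SqlBackup-PM" /sc daily /st 15:00 /ru SYSTEM ^
#   /tr "powershell.exe -ExecutionPolicy Bypass -File C:\scripts\Backup-Sql.ps1"
```

Because the script throws on any sqlcmd error, the task's "Last Run Result" in Task Scheduler is non-zero when a backup fails, which is the one thing worth glancing at each morning; a backup job that silently produces zero-byte files is the failure mode this is meant to catch.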
Firewall. Well, everything is clear here. The main rule is “block everything”. Windows 2008 R2 has a pretty good built-in firewall; you can start with it. Leave ports 80 and 443 open (and possibly 3389 for RDP), and that's it.
Do not use standard ports. If, besides the web server, you need to expose something else, for example a terminal server (for the same RDP) or SQL Server, use non-standard ports: any random value, like 15089.
The terminal service port (the same “Remote Desktop”) is changed in the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber (do not forget to open the new port on the firewall and restart the RDP service).
SQL Server ports are changed in the “SQL Server Configuration Manager” utility: “SQL Server Network Configuration” - “Protocols for [instance name]” - “TCP/IP” - right-click - “Properties”.
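The firewall baseline from the "Firewall" step and the RDP port change from this step fit into one script: block everything inbound, open 80 and 443 to the world, move RDP to the port 15089 used in the text and allow that port only from the admin workstation. This is an added example, not the post's own commands; the admin IP and the rule names are assumptions, and the SQL Server port is left to the Configuration Manager as the text describes.

```powershell
# Added example (not from the original post): Windows Firewall baseline plus
# RDP on a non-standard port, restricted to one source IP. Run elevated.
$rdpPort = 15089             # the value used in the text
$adminIp = "203.0.113.10"    # assumed admin workstation IP (documentation range)

# 1. "Block everything": firewall on for all profiles, inbound dropped by
#    default, outbound allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. The only ports the whole internet may reach: the web server.
netsh advfirewall firewall add rule "name=Web HTTP"  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule "name=Web HTTPS" dir=in action=allow protocol=TCP localport=443

# 3. Move RDP. Order matters: write the registry value and open the new port
#    BEFORE restarting the service, or you lock yourself out.
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $key -Name PortNumber -Value $rdpPort -Type DWord
netsh advfirewall firewall add rule "name=RDP custom port" dir=in action=allow `
    protocol=TCP "localport=$rdpPort" "remoteip=$adminIp"

# The built-in "Remote Desktop" rule group only covers 3389; switch it off so
# the old port is closed as well.
netsh advfirewall firewall set rule "group=Remote Desktop" new enable=no

# Restart Remote Desktop Services to pick up the new port (this drops the
# current RDP session; a reboot works just as well if the restart is refused).
Restart-Service TermService -Force

# 4. Verify: the service listens on the new port and the rules exist with the
#    expected LocalPort/RemoteIP values.
netstat -ano | Select-String ":$rdpPort "
netsh advfirewall firewall show rule name=all |
    Select-String "Rule Name|LocalPort|RemoteIP|Enabled"
```

A quick sanity check from the admin workstation afterwards is to connect with `mstsc /v:server:15089`; if that works and a connection to port 3389 is refused, both halves of the change are in place.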
No “/admin/” folder and other “standard” names.
Your site's CMS should not live in the site.com/admin/ folder.
The administrator account should not be called “administrator”.
Login pages should not be called “login.aspx”, “login.php” or “signin.py”.