I got hacked!



Ok... I have strong security... as far as I know :) .... Can someone give me tips on making the server more secure? I am using a server without a router... Any firewall that is very strong and secure? BlackICE can't watch over the proxy server... I use it to monitor the newbies only... :) My main server was not hacked... He/she only hacked the XP, though... The XP is the client... dunno how they managed to get to the client computer instead... all I know is he/she might have gained access to the Domain Controller account... The main server has been constantly under attack... BlackICE never noticed a thing. My log shows that someone was trying to gain access to the Domain...


Sorry, if you're running BlackICE, you know sh*t about security and deserve to be hacked.

Nothing wrong with MS server software, in the hands of someone with half a brain.

If you want to secure it, get another machine, attach the internet adapter to that machine, and set it up as a firewall ONLY, this means using either Linux or something like Checkpoint.

Then all internal machines will be behind NAT.

You will then need to set up correct port forwarding to allow people to access the IIS server.

Jon


man, BlackICE sucks... it's not as good as they are talking about. check out grc.com and read for yourself how good BlackICE is and how the company who did it is handling the security problems of it.....


Jon,

First of all, thanks for the help. It was nice getting the info you've given me. I appreciate it a lot.

Secondly, I feel offended when you also try to flame me in the process. I say in the post that I don't rely on BlackICE, I only use it to block "newbies" from trying to play with the server. Please read carefully before you try to rant on me like that. And I don't deserve to be hacked for just using a simple firewall to monitor little things, like inbound and outbound traffic. I already know BlackICE is useless. But it does a little for blocking some info from getting into the server and monitoring the traffic.

Not all dumb people deserve to be treated this way. If I was dumb enough, I would not care to ask questions. Asking questions and admitting your fault does not mean you need to be treated like an insane person. I was asking nicely enough and giving out my faults. It was not for the pure enjoyment of insults.

I will take your advice tho... Once again, thanks...


Anyway, back to the matter at hand.

If you put a machine in front of your webserver, acting as a firewall (which is effectively a router), the first rule you should create will be: Block : Adapter All : Source IP All : Destination IP : All.

Then add a rule for port 80 (webserver), FTP (21 + um 20 I think, maybe 22. there is session+data, I forget which is data), and personal apps such as POP3, ICQ and other IMs, IRC, Usenet, etc.

Because you've started with the first 'block all' rule, anything kiddies do won't hurt anyway.

Also make sure your antivirus is constantly updated, if you have lots of client machines, take a look into using KiXtart scripts to handle DAT updates + engine upgrades.

Make sure you've run lockdown (an MS util) on your IIS server, and have applied the latest security roll up patch.

IIS security is a hard thing to get right, if you want to look into it deeper, consider reading the American NSA's IIS security document (Google will find it).

I wouldn't be too worried about logging if I were you, be more concerned with prevention methods, as opposed to auditing.

If you want to test the security and patching, consider using eEye's 'Retina' security + vulnerability scanner, if you fill out a form, you can get a 15-day trial version which works.

I hope some of that is useful, again, sorry for the nasty comments. I hope this advice (albeit opinionated) will act as a kind of apology. :)

Good luck !

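The rule layout Jon describes (a catch-all block, with explicit entries only for the services the site actually offers, plus a port forward so the NATed IIS box stays reachable) is easy to get wrong in ordering. The toy packet filter below is an added example, not code from the thread or from any firewall product; the addresses, the `Packet`/`Rule` types and the first-match evaluation semantics are all assumptions constructed for illustration. FTP's control channel is TCP 21 and its active-mode data channel is TCP 20. The block also shows what happens under first-match evaluation if the "block all" entry is placed ahead of the allows instead of after them.

```python
"""Toy default-deny packet filter with port forwarding (constructed example).

Models a firewall in front of a web server: explicit allow rules for the
services offered, a catch-all block for everything else, and a port
forward that maps inbound TCP/80 on the public address to the IIS box
behind NAT. First matching rule wins (an assumption; semantics differ
between firewall products).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical addresses, constructed for this example (RFC 5737 / RFC 1918 ranges).
PUBLIC_IP = "203.0.113.10"   # firewall's internet-facing address
WEB_SERVER = "192.168.1.20"  # IIS box behind NAT


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any destination port
    forward_to: Optional[str] = None  # DNAT target for allowed inbound traffic

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and \
               (self.dport is None or self.dport == pkt.dport)


# Correct order: specific allows first, catch-all block last.
INBOUND_RULES = [
    Rule("allow", "tcp", 80, forward_to=WEB_SERVER),  # web server, forwarded to NATed host
    Rule("allow", "tcp", 21),                          # FTP control channel
    Rule("allow", "tcp", 20),                          # FTP data channel (active mode)
    Rule("block"),                                     # everything else
]

# Wrong order under first-match evaluation: the catch-all shadows every allow.
BLOCK_FIRST_RULES = [Rule("block")] + INBOUND_RULES[:-1]


def filter_inbound(pkt: Packet, rules=INBOUND_RULES):
    """Return ("allow", packet_after_dnat) or ("block", None)."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "block":
                return "block", None
            dst = rule.forward_to or pkt.dst
            return "allow", Packet(pkt.proto, pkt.src, dst, pkt.dport)
    return "block", None  # nothing matched: deny by default


# Constructed sample traffic: one legitimate web request, one FTP login,
# and three probes of services that should never be reachable from outside.
SAMPLE_TRAFFIC = [
    Packet("tcp", "198.51.100.7", PUBLIC_IP, 80),    # web request
    Packet("tcp", "198.51.100.7", PUBLIC_IP, 21),    # FTP control
    Packet("tcp", "198.51.100.9", PUBLIC_IP, 139),   # NetBIOS session probe
    Packet("tcp", "198.51.100.9", PUBLIC_IP, 3389),  # Terminal Services probe
    Packet("udp", "198.51.100.9", PUBLIC_IP, 1434),  # SQL Server resolution probe
]


def summarize(packets, rules=INBOUND_RULES) -> dict:
    """Count allow/block decisions over a batch of packets."""
    return dict(Counter(filter_inbound(p, rules)[0] for p in packets))


if __name__ == "__main__":
    for p in SAMPLE_TRAFFIC:
        action, out = filter_inbound(p)
        print(f"{p.proto}/{p.dport:<5} from {p.src:<14} -> {action}"
              + (f" (forwarded to {out.dst})" if out else ""))
    print("correct order:   ", summarize(SAMPLE_TRAFFIC))
    print("block-all first: ", summarize(SAMPLE_TRAFFIC, BLOCK_FIRST_RULES))
```

With the allows ahead of the catch-all, the two legitimate connections pass (the web request is rewritten to the internal server's address) and the three probes are dropped; with the catch-all first, every packet is dropped, including the web traffic the site exists to serve, which is the symptom to look for when a freshly configured firewall "works" but the site disappears.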

Originally posted by Jon

Sorry, if you're running BlackICE, you know sh*t about security and deserve to be hacked.

Nothing wrong with MS server software, in the hands of someone with half a brain. Jon

Well it is a shame everyone is not as smart as you :-)

I see no need to flame anyone


I've not actually used ISA, but had a good read of its help files, security guides etc.

It sounds to me like the firewall is pretty functional, it performs industry standard functions like stateful inspection etc.

I don't think you can go far wrong, there is a great support base for ISA as well.

The only 'issue' is the fact that it is essentially a proxy as well, which looks complicated to me, although that's probably because I know nothing about advanced web caching.

You can install it in firewall only mode.

It's probably a good bet :)

Jon


First of all, for those that say Linux is unhackable, go to hell! My Linux just got hacked this morning, and the university disconnected the machine because they said "this IP address blah blah participated in a denial of service attack against the campus network this morning". Very secure Linux, eh? Don't you dare say my password is weak! I have characters with upper and lower case (JKdA) plus numbers (35325) as well as symbols (!). Besides, what's the firewall software for Linux, eh? I do ssh to my machine, so I doubt that someone can use windump to capture my pass.

As for the Windows platform, I am not sure how people are able to get into your computer. It is a known fact that BlackICE is useless against trojan horses. You might as well just get a free copy of ZoneAlarm to defend yourself. Your best bet is to use ZoneAlarm to catch any programs that you suspect of being a virus. Also use Norton Antivirus to scan for any virus on your computer.


Thunder River, I disagree with almost everything you've said.

You're right in saying linux isn't unhackable.

You seem to have an issue with the fact that no personal firewalls exist for Linux. That's because Linux users recognise the futility of these programs, and rely on better firewalling, such as ipchains.

As for antivirus and trojans, both Norton AV and McAfee WILL and DO pick up trojans, test it. There is NO NEED to use zonealarm if you have a full firewall in place.

Hardware firewall + Antivirus = as good as it'll get for a home user.

Personal firewall = red herring.

If you want to argue the specifics of antivirus and trojan detection, I'm game.

Jon.


For the time being, you might want to try WinRoute 4 (www.winroute.com).

Or maybe Tiny Personal Firewall (same address), this also contains an active port monitor, including the bandwidth used by every application/service.

(btw: don't combine these 2 on 1 machine)


Security has to be taken seriously, as Jon has already stated, securing IIS is do-able in the hands of someone with "half a brain". You cannot go completely with the recommendations of Microsoft, dig around and see other avenues of approach, but the most important fact is that you don't want to run any "additional and unnecessary services" on this server, strip it bare, so that it's less of a target, and possibly most important, subscribe to a few security mailing lists and web sites, this will teach you tonnes and tonnes of stuff...

ThunderRiver, if your Linux box got hacked, then it obviously was not secure, or maybe not as secure as you thought.

  • Rule 6: There's always someone out there, smarter, more knowledgeable, or better-equipped than you.

Securing a box to be connected to the net takes time, patience and lots and lots of knowledge on what potential security holes there are, and plugging them with as much Polyfilla as you can muster.

I've had a Debian firewall box on my cable link for over two years, every script kiddie and their dog have had a go at some point. It's by no means ultra secure, but it's a work in progress. But... once someone gets in, boy oh boy, are they a pain to get out! It's basically a wipe and re-install, backing up any data that you feel is important.

My best advice, read, read and did I mention read. There are plenty of how-to's on the net in regards to securing both IIS and Linux boxes. Use tools that you can get, free trials, demos etc... to probe your box before it ever sees the light of a proper internet connection.


Jon,

I have a D-Link D-L704 behind my cablemodem. The manual describes it as a router and a firewall. I ran the port scan on DSLReports.com and it says I am well protected. Do you think this is sufficient?

This is my first week with the cablemodem. I just moved my office home and installed the cablemodem. Before that I was in an office with a T-1 line and ran ZoneAlarm. I felt safe with ZA, but about once a day it would start blocking my access to innocent web sites. I'd be happy to not have to run it.

Mark


Cube-x,

WinRoute is great, I used to use it on a Win2k box to perform NAT for a student house, but I ignored its packet filtering.

Tiny Personal Firewall is about the only 'personal firewall' I'd ever recommend.

Me-101 is dead right. There is a wealth of info about, whitepapers, FAQs, how-to's, and security documents to read. Read all you can, as you read come up with a bullet list of points to address, then do it.

The only one I'd say to avoid is SANS papers. Read like they were written by a child, and um the SANS site keeps getting hacked. Says a lot :)

Mark, it depends how the router is set up to be honest. I'm not overly familiar with hardware routers/firewalls.

I'd guess the traffic allowed in is pretty encompassing, because the engineer who configured the router (if one did) doesn't know what apps you will be using. In that case, I'd still feel safer running Tiny Personal Firewall. Spend a few days checking the logs every few hours, get to know what is getting in and what isn't, then make a judgement from that data. Tiny runs perfectly silently in the background of my home PC (need it coz it's a static IP).

However, you've said the machine is your office. Don't risk anything then. The data will be too valuable to risk just because some random guy on the net (me) has a grudge against ZoneAlarm and other personal firewalls!

Again, like me101 says, read a few FAQs etc.

I had a great site of home user guides, but I can't find the damn thing! God I'm an unorganised pr*ck ! :lick:


Wow... so many great suggestions... I like this...

cube-x, WinRoute does not look like a robust or a higher form of security and it's small... I need to share the internet and a firewall without sacrificing web hosting ability...

I have tried ZoneAlarm and it just forces my port to close when I don't want it to. At one time it disabled my internet altogether... Don't flame me when I say this. I like to have or work with a complex utility with robust functionality without sacrificing so much service. ZoneAlarm is excellent for a firewall if you only want to use it for just simple internet browsing but not for a server.

Going back to WinRoute... I don't think it has what ISA offer tho... Can someone tell me more about WinRoute?

Jon, once again thanks for all of your infos...

me101, I take security very seriously. I have played around with ISA for so long because of its complexity and functionality. It has many features which are hard to configure. If you set the security too high, your client computer may not have access to the internet at all. Any suggestions besides WinRoute and ZoneAlarm? What about eTrust Intrusion Detection from CA? Is that any good?


My suggestions:

ISA on server, AV on all machines, scripted DAT update.

WinRoute on server, AV on all machines, scripted DAT update.

WinRoute is deceptively small, it's a pretty damn powerful program, give it a look. I used it for a long time.

Jon


Krome, don't know if you are using it, but the MS hotfix checker should be run across your server to ensure it is up to date.

If you are going to use another machine for a firewall, I would just spend the money on a good hardware firewall, something like 501 or 506 Cisco PIX firewall.

As for IIS, make sure that you do a custom install and only install the components you need. Do not install the Help files or the Example site. There are a lot of problems and hacks for those two options in IIS. But do use the lockdown.

There are checklists for IIS servers on MS TechNet for securing them. Don't follow all the suggestions but look through it and the other resources that Jon mentioned and go from there.


Geronimo,

I generally don't suggest standalone firewalls for one reason, cost.

As far as I'm concerned, a 486 is fine for a home user firewall, slap Linux on it, et voila. Obviously a Win2k server will take a bit more power, but I've had one happily running on a 350MHz 64MB machine at work. A firewall isn't a CPU intensive role, so as long as it's used for nothing else, there are no problems.

You can pick up these machines for next to nothing nowadays, but more importantly, there is no need for a monitor etc, just use some variant of an ssh client to admin it from a NATed workstation.

Nice and cheap, and the box can sit in a cupboard somewhere.

How much are standalone hardware firewalls atm tho, entry level and average sorta level?
