Protecting a VPS Server Based on Windows 2008 R2

Original author: Alex Yumashev
This is a free translation of my post from my company's blog about how I cleaned up the consequences of a hacker attack on our server.

In a nutshell: my server was hacked. The attacker obtained the password for the FTP server and for almost 10 hours downloaded everything he could get his hands on. How exactly the server was hacked is a separate story. In short, the hacker sent a fake support ticket to my hoster asking for help creating an FTP user. And the hoster fell for it. Not only did he create the user, he even gave it admin rights... I managed to get hold of a copy of the correspondence between the hacker and the hoster; if Habr readers want it, I will post it, as it is hilarious in its own right. In the meantime, I'll just list the steps I took to protect my server and clean up the consequences:

I must say right away: I'm not an admin, I am a .NET programmer. To hardcore administrators and security experts my attempts will surely look like babbling, so I ask them in advance not to take all this to heart. But maybe I will help someone like me: a programmer who just runs his own small server with several applications.

So:

  1. Configure a lockout policy. By default, a Windows server is not protected from brute force, i.e. attacks by password guessing. A hacker can open, for example, a thousand RDP (Remote Desktop) connections trying different login/password pairs, or hammer your FTP server with endless connection attempts. That is why it is worth setting up a "lockout": temporary blocking of the account after several failed attempts.

    Go to "Start - Run - secpol.msc - Security Settings - Account Policies - Account Lockout Policy" and set, for example, "5 attempts" and "5 minutes": this will lock the account for 5 minutes after 5 failed logon attempts.

  2. Disable the support user. If you rent a server, your hoster almost certainly has a support account configured on it, something like "Support User" or "support_user". Disable it. Sometimes the danger comes from the hoster itself and its naive young support staff who hand out access left and right. That is what happened to me.

  3. Disable FTP if it is not needed. If your clients or applications do not need permanent FTP, shut it down and turn it on only when you need to upload files, and allow access only from your own IP. Better yet, put the server into "blind put" mode, which is what servers that allow write-only access are called. In the IIS FTP server settings, check "Write" and uncheck "Read".

  4. Install a password manager. A lot of my friends (really, a lot) use the scheme "one complex password for everything". Even programmers, admins and designers I know; not stupid people, in general. Think about it. Even for service accounts (such as database users) use only complex generated passwords, and keep them in the password manager. Personally, I use LastPass: it's free, good, and available as a Chrome extension.

  5. Back up! Back up everything, always and everywhere. Create daily jobs on the SQL server that save the databases both locally and somewhere online. Even the free MS SQL Server Express, which has no SQL Server Agent, lets you schedule a backup job of sorts via the Task Scheduler.

    Personally, my backup works like this: twice a day a local copy of all the databases is made, and twice a week a remote copy. For remote copies I use Microsoft SkyDrive, which is 25 gigabytes of online storage, for free. Not bad, huh? It comes with a folder synchronization tool (called Windows Live Mesh). If you dislike MS for religious reasons, use Dropbox or something else, but USE IT!

  6. Firewall. Well, everything is clear here. The main rule is "deny everything by default". Windows 2008 R2 has a pretty good built-in firewall; you can start with it. Leave ports 80 and 443 open (and possibly 3389 for RDP), and that's it.

  7. Do not use standard ports. If, besides the web server, you still need to expose something to the outside, for example a terminal server (for that same RDP) or SQL Server, use non-standard ports. Some random value like 15089.

    The terminal service port (that same "Remote Desktop") is changed in the registry here: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber" (do not forget to open this port in the firewall and restart the RDP service).

    SQL Server ports are changed in the "SQL Server Configuration Manager" utility: "SQL Server Network Configuration" - "Protocols for [server name]" - "TCP/IP" - right-click - "Properties".

  8. No "/admin/" folder or other "standard" names.
    • Your site's CMS should not live in the "site.com/admin/" folder.
    • The administrator account should not be called "administrator".
    • Login pages should not be called "login.aspx", "login.php" or "signin.py".
    • Etc., etc.; continue the list yourself.
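Steps 1, 2, 6 and 7 above as one script, an added example that is not from the original post. It assumes an elevated PowerShell 2.0 session on Windows Server 2008 R2, that the hoster's account is named support_user and that the new RDP port is 15089 (both placeholders).

```powershell
# Added example (not the post's own code). Assumed names: 'support_user', port 15089.
$SupportUser = 'support_user'
$RdpPort     = 15089
$RdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Step 1: lockout policy - 5 failed logons lock the account for 5 minutes.
# The observation window may not exceed the lockout duration, so both are 5.
net accounts /lockoutthreshold:5 /lockoutduration:5 /lockoutwindow:5

# Step 2: disable (do not delete) the hoster's support account, if it exists.
# Disabling keeps its SID, so earlier event-log entries still resolve to the name.
$acct = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=TRUE AND Name='$SupportUser'"
if ($acct) {
    net user $SupportUser /active:no
} else {
    Write-Host "No local account named $SupportUser; nothing to disable."
}

# Step 6: block all inbound traffic by default, then allow only what the post
# lists: HTTP, HTTPS and RDP on the non-standard port chosen in step 7.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Allow HTTP 80"   dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Allow HTTPS 443" dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="Allow RDP $RdpPort" dir=in action=allow protocol=TCP localport=$RdpPort

# Step 7: move RDP off 3389. The firewall rule above is created BEFORE the port
# changes, so the server is reachable on the new port as soon as the service restarts.
$oldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $RdpPort -Type DWord
Write-Host "RDP PortNumber changed from $oldPort to $RdpPort"

# Restarting TermService drops the current RDP session; reconnect as host:$RdpPort.
# Once the new port is confirmed working, disable the built-in 3389 rule:
#   netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
Restart-Service -Name TermService -Force

# Verify: the lockout policy and the RDP port as the system now reports them.
net accounts
(Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
```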
