
Posted on: August 14th, 2010 by Famous Phil

Today’s topic was sparked by a recent influx of worms attempting to take over one of the public servers that I manage.  Basically, I constantly get log notifications for the firewall (yes, I actually read logs!) saying that all these attack signatures are being detected against programs running on one of my servers.

These programs are IIS 7 (web server, Internet Information Services) and MSSQL Server 2008 R2 (Microsoft Standard Query Language Server). In the past, when I ran my own computers on an un-firewalled internet connection (public wi-fi, home DSL) with home security software installed (like Norton 360), I also noticed these types of log messages and popup warnings.

Most people (I’d estimate at least 50%) probably have some sort of broadband, un-firewalled connection in their home that is directly connected to their computer. Most people probably subscribe to some security solution like Norton 360, and they probably run some sort of firewall. Normally, these firewalls catch all the bad stuff that can harm your computer, but stuff still could potentially come through.

Although there will always be loopholes for these security vulnerabilities, there is another means of protection that most people would NEVER think of! If you’re thinking of a wireless router from the local Wally World (Wal-Mart), you read my thoughts. Yes, wireless routers don’t just share an internet connection wirelessly like most people think.

So what else does a wireless router do? A wireless router is simply a ROUTER with a wireless ability built into it. Routers are complex pieces of engineering that connect many computers together. Without getting into too much detail, routers connect two separate networks together to bring multiple endpoints together. The internet has many subnets that are connected to each other through routers. Think of the telephone system when I mention this, more specifically area codes and dialing prefixes. The area code for Matthouse is 716, the prefix is 584. So 1-716-584-xxxx gets routed to a particular telephone. In my example, when you dial the full number, 1 means connect to the main US router which knows all the US phone area codes. Next, 716 means connect to the router which handles the Western New York area prefixes, then finally that router sends the call to the router that handles the 584 prefix. That router is then practically directly connected to the xxxx number, which will ring a phone and help establish your connection. The internet is connected in a similar fashion.

Traffic is sent in internet packets that run on a certain port number. For simplicity, a port is required to connect to a computer. Computers listen on ports for connections, and there are 65535 possible ports. You might think of a port like a way to get to your house from the road at your address. Each driveway is a unique path in, and it accepts only a certain type of car. Hackers tend to send a car into that driveway that acts and looks like the car it accepts, but once it’s in, it can cause havoc in your home (computer).

So what am I getting to? Routers connect different networks, so they inherently have to forward all the traffic from one network to another, including all the ports. Since ports are easy ways to get into your computer (provided your computer is actively listening / accepting on that port), hackers tend to go for these ports. Some ports on web servers (like port 80) are absolutely necessary to leave open, but another port like 5109 (which happens to be the AOL Instant Messenger port) probably isn’t needed on that web server. For a home computer, blocking all the ports inbound to the computer is probably smart, while allowing all the outgoing ports from the computer to the internet.

NOTE: I probably should add that with outbound connections through firewalls, if you request something from an external source (say a web server) while having all incoming connections blocked, you will still get the response from that external source. Firewalls are smart about allowing replies back through while blocking all new connections that are probably hacker initiated.

BOTTOM LINE: All computers have different needs. A wireless router, when added to your network, will block all incoming ports by default and allow all outgoing connections on all ports. Therefore, by adding one of these cheap boxes, you’re not only gaining a wireless network access point, but you’re also protecting yourself from the nasty dangers of hackers that probe computers for open listening ports. Since many ISPs provide un-firewalled public IP addresses to residential customers, those customers would be wise to install one of these routers. Who knows, it might save their computer from a severe attack from a hacker some day! I’ve also found that when I run a firewall in the form of a router, I don’t need as much protection from Norton 360 on my computer, so I basically have a faster computer (it isn’t working on blocking bad stuff anymore).

Hopefully this helps you!

Posted in Technology

Posted on: February 28th, 2010 by Famous Phil

As of late, I’ve been focusing many of my efforts on Windows more than on Linux. I suppose my only reason is that my Windows administration knowledge is quickly becoming outdated, but it is also because I spend 99.9% of my time developing and administering Linux based machines. I am usually under the impression that Windows makes stuff so easy with the “next next next finish” principle, but Windows has just as many problems as Linux does; it just does not make them evident until you actually want to do something with Windows technology. The only great thing about Windows is that normally, the fix is 99 times easier than the same type of fix on a Linux based system.

Over the past couple of months, I’ve been wanting to put together a Windows based web server for myself. Its purpose was originally to keep my Outlook 2007 application on Exchange open (to update my website calendar / update my webmail RSS feed folder). I’m beginning to run other stuff on the server (e.g. my instant messenger) so that I can have a better online presence (let’s face reality, email isn’t as live as some of my friends would like). Since I chose to run Windows Server 2003, I decided that it might be worth my time to enable Internet Information Services and work on developing some ASP based web applications just for the fun of it. Of course, when the time is right, I will open up a few more accounts on the server through Matthouse for others who share my desire to learn ASP for fun. For those of you who are wondering, I’m waiting for a good billing system to come along; I have one, I’m simply waiting on the developer to make a few changes.

Anyways, today I was playing around with the server and I enabled FTP publishing so that I could easily upload a few files to the server from my local computer. Unfortunately for me, going to the Windows Components page under the Control Panel’s Add/Remove Programs section to add FTP Publishing wasn’t enough. Sure enough, the server did install FTP and made it available in the Internet Information Services Manager section of the Computer Management console.

After I deleted the default FTP site and made a new site with isolated user home directories, FTP didn’t work correctly. Note that this server does not connect to nor run Windows Active Directory, so all the accounts are local. Anyways, after some research, I found that under the FTP root, I needed to add a folder called “LocalUser” and then I had to add the username of the account as a folder under that directory. To ensure that other users could not read files / data in the directory, I changed permissions on the user folder to allow only that user and administrators access. At this point FTP began to sort of work!

I say sort of work because FTP only worked in active mode, meaning the Windows Firewall was getting in the way. After spending a few minutes looking for a solution, I figured that I would try adding the Internet Information Services executable to the exceptions list. Sure enough, this fixed the passive mode problem. The steps I took to fix the problem were:
1. Open the Windows Firewall console under the Windows Control Panel.
2. Go to the Exceptions tab and add a program.
3. Browse for additional programs and add “C:\WINDOWS\system32\inetsrv\inetinfo.exe” to the exceptions list.
After this was added, passive mode worked as expected.
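As an added illustration (not code from this site) of both the router behaviour described in the earlier post (outbound always allowed, replies let back in, unsolicited inbound dropped) and the passive-FTP problem above, here is a small Python model of a stateful firewall with program exceptions. The addresses, the client ports, and the passive data port 50001 are constructed assumptions; only inetinfo.exe and port 21 come from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port

class StatefulFirewall:
    """Constructed model: allow all outbound, let replies to tracked flows back in,
    drop unsolicited inbound unless a port rule or program exception permits it."""

    def __init__(self, inside, allowed_ports=(), listeners=None, exceptions=()):
        self.inside = inside                     # protected host's address
        self.allowed_ports = set(allowed_ports)  # ports opened by rule (80, 21, ...)
        self.listeners = dict(listeners or {})   # port -> program listening there
        self.exceptions = set(exceptions)        # programs on the exceptions list
        self.conntrack = set()                   # flows the inside host started

    def filter(self, pkt):
        if pkt.src == self.inside:               # outbound: always allowed, remember it
            self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ALLOW"
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack:
            return "ALLOW"                       # reply to a connection we initiated
        if pkt.dport in self.allowed_ports or self.listeners.get(pkt.dport) in self.exceptions:
            return "ALLOW"                       # opened port, or a program on the list
        return "DROP"                            # unsolicited inbound probe

def home_pc_scenario():
    """Home PC behind a router: browsing works, an inbound port probe is dropped."""
    pc, web, scanner = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed
    fw = StatefulFirewall(pc)
    return {"request": fw.filter(Packet(pc, 50000, web, 80)),
            "reply": fw.filter(Packet(web, 80, pc, 50000)),
            "probe": fw.filter(Packet(scanner, 44444, pc, 3389))}

def ftp_scenario(inetinfo_excepted):
    """IIS FTP: active-mode data is outbound from the server; passive mode needs a
    new inbound connection to a high port, allowed only once inetinfo.exe is excepted."""
    server, client = "203.0.113.9", "198.51.100.20"  # constructed addresses
    fw = StatefulFirewall(server, allowed_ports=[21],
                          listeners={21: "inetinfo.exe", 50001: "inetinfo.exe"},
                          exceptions=["inetinfo.exe"] if inetinfo_excepted else [])
    return {"control": fw.filter(Packet(client, 40000, server, 21)),
            "active": fw.filter(Packet(server, 20, client, 40001)),
            "passive": fw.filter(Packet(client, 40002, server, 50001))}
```

Running ftp_scenario(False) shows why only active mode worked: the control connection and the server-initiated active data connection pass, but the client-initiated passive data connection is dropped until the program exception is in place.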

Although Server 2003 is outdated by now, it is still a very stable system to do any experimental work on, which is why I choose to run it over a better and newer version of Windows. It is also much cheaper to run than a newer version of Windows like the current Exchange Server, which is running Windows Server 2008 R2 Datacenter.

Posted in Hosting / Server Administration