Drastic Measures - Blocking all Chinese requests
-
I like this idea. :thumbsup: Unfortunately, my IP address would be involved and homeland security might come knocking on my door! No thanks! I'd rather redirect them back to one of their own ghastly web sites. :laugh:
"Go forth into the source" - Neal Morse
-
Ever since that dreadful morning when I discovered the invisible iframes attached to most of the static web pages at both my web host, and an internal web/ftp server, I have been keeping close tabs on the ftp server logs, especially the internal server. The evidence is in the logs... relentless, brute force attacks and dictionary attacks, often lasting for half an hour or more. After a month and a half of tracing the offending IPs, I can report that about 80% trace back to China. I just retrieved a list of all (99.5% stated) Chinese IP addresses. A quick conversion to IP and subnet that IIS 7.5 can understand, paste into the ipsecurity section and they can go elephant off! :mad:
"Go forth into the source" - Neal Morse
I seem to get a fair bit of suspicious activity from Russia (and, strangely, Florida), though I haven't resorted to blocking large IP ranges yet.
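The conversion step the OP describes (a downloaded range list turned into something the IIS 7.5 ipSecurity section accepts) as an added example; this is not the poster's own script. It assumes a plain-text file with one IPv4 range per line, either CIDR ("203.0.113.0/24") or "start - end" form, and writes the `<ipSecurity>` fragment that belongs under `<system.webServer>/<security>` in web.config or applicationHost.config. The sample ranges are constructed from documentation address space, not a real country list.

```python
"""Turn a list of IPv4 ranges into IIS 7.5 <ipSecurity> deny entries.

Added example for this thread, not code from the original poster.
Assumptions: one range per line (CIDR or "start - end"), IPv4 only,
and a deny-list configuration (allowUnlisted="true").
"""
import ipaddress


def parse_ranges(text):
    """Return a sorted, merged list of IPv4Network objects.

    IIS ipSecurity entries are address + contiguous subnet mask, so a
    "start - end" range is split into the minimal set of CIDR blocks.
    Adjacent blocks are then merged so the config stays as short as possible.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        if "-" in line:
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            # A bare address such as 203.0.113.9 becomes a /32 host entry.
            nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def to_ipsecurity_xml(nets, allow_unlisted=True):
    """Render the networks as an <ipSecurity> block with one deny entry each."""
    lines = ['<ipSecurity allowUnlisted="%s">' % ("true" if allow_unlisted else "false")]
    for net in nets:
        lines.append('  <add ipAddress="%s" subnetMask="%s" allowed="false" />'
                     % (net.network_address, net.netmask))
    lines.append("</ipSecurity>")
    return "\n".join(lines)


# Constructed sample list: documentation ranges, not a real country list.
SAMPLE_LIST = """\
# constructed sample ranges
203.0.113.0/24
198.51.100.0 - 198.51.100.127
192.0.2.0/25
192.0.2.128/25
"""

if __name__ == "__main__":
    print(to_ipsecurity_xml(parse_ranges(SAMPLE_LIST)))
```

The two /25 blocks in the sample collapse into a single /24 entry, which matters in practice: IIS evaluates the deny list on every request, so a few thousand merged entries is far cheaper than tens of thousands of raw ones. `allowUnlisted="true"` keeps this a deny list; flipping it to `"false"` would turn the same entries into an allow list and lock out everyone not listed.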
-
Nasty. On a related note, my router shut down my Internet connection last night. I was doing completely legitimate stuff on a website, but I had manually opened up a lot of tabs with pages on the site. Bam!!! Hold the phone, my router said. You might be experiencing an attack. :~ There was no harm done, but nice to know it works in case something like that should happen some day. :) Soren Madsen
"When you don't know what you're doing it's best to do it quickly" - Jase #DuckDynasty
-
It had occurred to me to try and block the attacks at the router, but my device has no 'blacklist' config available. Where do you get such a 'smart' router?
"Go forth into the source" - Neal Morse
-
Or a real juicy russian porn site...
If your neighbours don't listen to The Ramones, turn it up real loud so they can. “We didn't have a positive song until we wrote 'Now I Wanna Sniff Some Glue!'” ― Dee Dee Ramone "The Democrats want my guns and the Republicans want my porno mags and I ain't giving up either" - Joey Ramone
-
Way to lose 1.3 billion customers, who, apparently, were happy.
I wanna be a eunuchs developer! Pass me a bread knife!
-
Ok, now you guys have me worried. I am not that familiar with all these techniques used to gain access. I have a Small Business Server in the home office open for remote access (File Sharing and RDP) and ports on my main machine open for RDP. What should I be monitoring to catch anyone trying to hack in? Can you point me to a good thread or resource with more information so I can rest a little easier? Thanks!
--- What I need is a really cool signature here! ---
-
The server logs are the biggest hint. Get into the habit of checking the FTP logs. You can tell by the size if it's been under attack. Best practices depend on the type of FTP server and version you are running, but definitely rename/disable the Administrator account on the server, and use strong passwords. (common sense) I noticed several times in my logs that they also try to use the 'Administrateur' account. :laugh:
"Go forth into the source" - Neal Morse
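One way to do the log checking recommended above, as an added example rather than anything posted in the thread: it reads an IIS FTP W3C log, counts `PASS` commands answered with status 530 per client address, flags any client that fails at least five times within ten minutes, and reports how many distinct usernames that client tried (which is what separates a dictionary attack from someone mistyping their own password). The log lines are constructed for this example; column names are taken from the `#Fields:` header, so a real log with a different field set still parses. Treating "PASS + 530" as a failed login is an assumption about the server's logging, noted in the code.

```python
"""Flag brute-force and dictionary logins in an IIS FTP W3C log.

Added example for this thread, not code from the posters.  Assumes the
W3C extended log format with a '#Fields:' header and treats a PASS
command answered with status 530 as one failed login.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue                      # other directives, or no header yet
        parts = line.split()
        if len(parts) != len(fields):
            continue                      # truncated or malformed row: skip, don't guess
        yield dict(zip(fields, parts))


def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {client_ip: (failed_logins, distinct_usernames)} for every client
    that produced at least `threshold` failed PASS attempts inside `window`."""
    recent = defaultdict(deque)           # ip -> timestamps of failures still in window
    users = defaultdict(set)              # ip -> usernames tried
    totals = defaultdict(int)             # ip -> failures over the whole log
    flagged = set()
    for row in parse_w3c(text):
        if row.get("cs-method") != "PASS" or row.get("sc-status") != "530":
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        totals[ip] += 1
        users[ip].add(row.get("cs-username", "-"))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: (totals[ip], len(users[ip])) for ip in flagged}


# Constructed sample log (documentation IP ranges, invented session ids).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-15 02:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2013-01-15 02:00:01 203.0.113.45 - 192.0.2.10 21 USER administrator 331 0 0 s1 -
2013-01-15 02:00:02 203.0.113.45 administrator 192.0.2.10 21 PASS *** 530 1326 41 s1 -
2013-01-15 02:00:05 203.0.113.45 administrateur 192.0.2.10 21 PASS *** 530 1326 41 s1 -
2013-01-15 02:00:09 203.0.113.45 admin 192.0.2.10 21 PASS *** 530 1326 41 s1 -
2013-01-15 02:00:14 203.0.113.45 root 192.0.2.10 21 PASS *** 530 1326 41 s1 -
2013-01-15 02:00:20 203.0.113.45 ftp 192.0.2.10 21 PASS *** 530 1326 41 s1 -
2013-01-15 02:00:27 203.0.113.45 test 192.0.2.10 21 PASS *** 530 1326 41 s1 -
2013-01-15 02:15:00 198.51.100.7 soren 192.0.2.10 21 PASS *** 530 1326 41 s2 -
2013-01-15 02:15:10 198.51.100.7 soren 192.0.2.10 21 PASS *** 230 0 0 s2 -
"""

if __name__ == "__main__":
    for ip, (fails, names) in find_bruteforce(SAMPLE_LOG).items():
        print("%s: %d failed logins across %d usernames" % (ip, fails, names))
```

Against the sample, only 203.0.113.45 is reported (six failures, six different usernames, including the 'Administrateur' variant mentioned above); the one mistyped password from 198.51.100.7 followed by a 230 success stays below the threshold. To run it on a real server, read the day's log file from the FTP log directory and pass its text to `find_bruteforce`. The sliding window is what makes this better than the file-size hint: a half-hour run of failures shows up as one clearly labelled client rather than as a vaguely large file, and the distinct-username count is the quickest way to see whether renaming the Administrator account is actually removing the attackers' target.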