
My father's office's server is under constant attack, suggestions?

TheSonicRetard Registered User regular
My dad runs a local business server from his office, and he has Bullguard anti-virus to help him detect various spyware. Recently, Bullguard has begun detecting hundreds of "attacks" each day. He uses remote desktop so he can access his server from home and he's getting very paranoid about what these attacks could be.

Here is a screencap of one such notice:

notice.png

Doing a reverse-DNS lookup of these "attacker IPs" (each attack has a different IP) reveals the following info:

dnslookup.png

The vast, vast majority of these "attacks" are reported to come from either China or Romania.

My dad called Bullguard and asked what they suggested, and they suggested he untick a box in the settings labeled "block unsolicited ARP packets." He did for a bit, but then got paranoid and rechecked it. Additionally, he went through and checked every box in the "attack detect list" without really knowing what they did. He said that once he checked everything on the list, the number of attacks per day increased from about 4 or 5 to well over 100. Here's a list of options he has checked:

options1.png

options2.png

My dad is very sensitive about the information on his server. If it got out, it could potentially ruin his business. I guess my questions are, first, what exactly are "unsolicited ARP packets," and why did they suggest unchecking the box to detect them? Second, are these legitimate attacks? Should he be concerned? How can I stop them? And finally, what would you guys suggest to ease his mind? He has a router in his office so I can fiddle with the firewall if necessary.

I'd really appreciate any help.

TheSonicRetard on

Posts

  • xzzy Registered User regular
    edited August 2010
    The most reasonable solution is to get a real firewall between his server and the internet. He makes this second piece of hardware (it can be another computer or a purpose-built firewall, really depends on budget) as secure as he can: no open ports, no software installed, nothing other than what he needs to do his job.

    Basically it sits as a buffer between his important stuff and the internet. He can set up port forwarding or maybe get a VPN solution so that he can get to his server, but no one else can. It needs to be limited to only accept connections from trusted IPs.

    In the purest sense, as long as his system is up to date on all the newest patches, these "attacks" aren't all that serious. They're mostly probing for vulnerabilities and he'd probably be fine. But if securing the data on that server really is "business critical", then he needs a firewall protecting it, and not one of those shitty software firewalls you can install in Windows. Let people hack the firewall, he can afford to lose that for a day or so.

    xzzy on
  • NailbunnyPD Registered User regular
    edited August 2010
    Without knowing many details about your father's network, it would appear there is no (or insufficient) firewall protection on the internet connection. According to their website, Bullguard is software antivirus, and typically, software isn't sufficient firewall protection for a business.

    NailbunnyPD on
    XBL: NailbunnyPD PSN: NailbunnyPD Origin: NailbunnyPD
    NintendoID: Nailbunny 3DS: 3909-8796-4685
  • DigitalSyn (Dr Digital, Cumming, GA) Registered User regular
    edited August 2010
    Looks like they are just doing port scans.

    As for the ARP (http://en.wikipedia.org/wiki/ARP_spoofing) the firewall can keep blocking it.

    Can't you just blacklist those IPs and block all traffic from them? Eventually they will give up. It looks like they are just scanning for stuff.

    DigitalSyn on
    Xbox360: D1G1T4LSYN ( Yes, those are numbers. )
    PSNID: DigitalX86
    Nintendo ID: digitalsyn
    3DS Friend Code: 5300 - 9726 - 6963
    Steam: http://steamcommunity.com/id/D1G1T4LSYN/
  • TheSonicRetard Registered User regular
    edited August 2010
    Thanks for the reply

    On another board someone suggested either buying one that costs about $1000, or building one using this: http://www.pfsense.com/

    I'm leaning towards the second option. All I'd need is a 100 MHz PC with 128 MB of RAM. A question, though: he is wirelessly connected to his router. I was telling him it'd be much easier and quicker to just run a cable to the router (which is in another room), but assuming he doesn't want to budge, can I do this with a wireless connection? Like put a wired NIC card in his server and the firewall box, and a wireless card on the firewall box?

    TheSonicRetard on
  • NailbunnyPD Registered User regular
    edited August 2010
    Blocking IPs is a worthless effort with how prevalent dynamic IPs are.

    You could do that, but you would typically place the firewall between the modem and the router. If these devices are combined into a single device, then that will likely be your only option. At that point, you are only protecting the server, not your entire network.

    NailbunnyPD on
    XBL: NailbunnyPD PSN: NailbunnyPD Origin: NailbunnyPD
    NintendoID: Nailbunny 3DS: 3909-8796-4685
  • TheSonicRetard Registered User regular
    edited August 2010
    NailbunnyPD wrote: »
    Blocking IPs is a worthless effort with how prevalent dynamic IPs are.

    Well someone on another site linked me to this: http://www.parkansky.com/china.htm

    It's a method for blocking all connections from a specific country.

    But yeah, I'm just gonna build the firewall. I got multiple boards suggesting it and it sounds like something I really should have set up in the first place. I figured the router alone was enough, but clearly I was wrong.

    TheSonicRetard on
  • DigitalSyn (Dr Digital, Cumming, GA) Registered User regular
    edited August 2010
    NailbunnyPD wrote: »
    Blocking IPs is a worthless effort with how prevalent dynamic IPs are.

    This is true, but it looks to me like it's just a bot network doing some scanning for open ports. Happens all the time, and a 24-hour block of the IP block usually quells the scans.

    DigitalSyn on
    Xbox360: D1G1T4LSYN ( Yes, those are numbers. )
    PSNID: DigitalX86
    Nintendo ID: digitalsyn
    3DS Friend Code: 5300 - 9726 - 6963
    Steam: http://steamcommunity.com/id/D1G1T4LSYN/
  • DigitalSyn (Dr Digital, Cumming, GA) Registered User regular
    edited August 2010
    TheSonicRetard wrote: »
    Blocking IPs is a worthless effort with how prevalent dynamic IPs are.

    Well someone on another site linked me to this: http://www.parkansky.com/china.htm

    It's a method for blocking all connections from a specific country.

    But yeah, I'm just gonna build the firewall. I got multiple boards suggesting it and it sounds like something I really should have set up in the first place. I figured the router alone was enough, but clearly I was wrong.

    I use monowall as my firewall/router.

    http://m0n0.ch/wall/

    It's in line with pfsense, but I prefer the GUI layout. Both are equally adequate as a firewall though.

    DigitalSyn on
    Xbox360: D1G1T4LSYN ( Yes, those are numbers. )
    PSNID: DigitalX86
    Nintendo ID: digitalsyn
    3DS Friend Code: 5300 - 9726 - 6963
    Steam: http://steamcommunity.com/id/D1G1T4LSYN/
  • TheSonicRetard Registered User regular
    edited August 2010
    DigitalSyn wrote: »
    Blocking IPs is a worthless effort with how prevalent dynamic IPs are.

    Well someone on another site linked me to this: http://www.parkansky.com/china.htm

    It's a method for blocking all connections from a specific country.

    But yeah, I'm just gonna build the firewall. I got multiple boards suggesting it and it sounds like something I really should have set up in the first place. I figured the router alone was enough, but clearly I was wrong.

    I use monowall as my firewall/router.

    http://m0n0.ch/wall/

    It's in line with pfsense, but I prefer the GUI layout. Both are equally adequate as a firewall though.

    Does monowall have a liveCD edition? I was looking to use pfsense and run it off of a USB drive to save on a HDD :lol:

    EDIT: Oh sweet it does, I might use this one instead because of the GUI. thanks!

    TheSonicRetard on
  • DigitalSyn (Dr Digital, Cumming, GA) Registered User regular
    edited August 2010
    DigitalSyn wrote: »
    Blocking IPs is a worthless effort with how prevalent dynamic IPs are.

    Well someone on another site linked me to this: http://www.parkansky.com/china.htm

    It's a method for blocking all connections from a specific country.

    But yeah, I'm just gonna build the firewall. I got multiple boards suggesting it and it sounds like something I really should have set up in the first place. I figured the router alone was enough, but clearly I was wrong.

    I use monowall as my firewall/router.

    http://m0n0.ch/wall/

    It's in line with pfsense, but I prefer the GUI layout. Both are equally adequate as a firewall though.

    Does monowall have a liveCD edition? I was looking to use pfsense and run it off of a USB drive to save on a HDD :lol:

    It does: http://m0n0.ch/wall/download.php?file=cdrom-1.32.iso

    Basically you can have it save the config to the USB drive and use that for reboots.

    Also pfSense is based on monowall, so they each have something a little different.

    DigitalSyn on
    Xbox360: D1G1T4LSYN ( Yes, those are numbers. )
    PSNID: DigitalX86
    Nintendo ID: digitalsyn
    3DS Friend Code: 5300 - 9726 - 6963
    Steam: http://steamcommunity.com/id/D1G1T4LSYN/
  • TheSonicRetard Registered User regular
    edited August 2010
    Thanks guys, I really appreciate the help. I might be posting again later as I'm setting this up. I've never been very good with networking stuff haha.

    TheSonicRetard on
  • SiliconStew Registered User regular
    edited August 2010
    Port scans are harmless in and of themselves. And anything connected to the internet will get constantly port-scanned by all sorts of random botnet/worm/script-kiddie activity. Since your program is already temp-blocking the IPs once they are detected, I would turn off the notifications just for port scans (but keep blocking them). You'll just get bombarded with useless info otherwise.

    Actually most of the stuff in that list is really, really common, so I don't think getting notified about it is really helping any as long as it is being blocked. And trying to do IP lookups is pointless because you'll wonder why half the internet is attacking you.

    But I second the recommendation for a proper hardware firewall if the server is that critical.

    SiliconStew on
    Just remember that half the people you meet are below average intelligence.
  • Dibbit Registered User, Transition Team regular
    edited August 2010
    NailbunnyPD wrote: »
    Without knowing many details about your father's network, it would appear there is no (or insufficient) firewall protection on the internet connection. According to their website, Bullguard is software antivirus, and typically, software isn't sufficient firewall protection for a business.

    Basically this.

    The internet is a wild place, and these kinds of scans and attacks are common.
    There are botnets, worms, viruses and scripts constantly trying to connect to any IP address they can find.
    The good news is that most of these attacks are untargeted and unlikely to actually exploit any vulnerability your dad's server might have. The bad news is that they only need to be lucky once, so eventually they might get in.

    While a software firewall is a first solution, in my opinion it is inadequate; get a real hardware firewall.

    I recommend anything by Cisco, but they have an extensive, hard-to-follow catalog.
    Searching for "Cisco for small businesses" might get you started (look for the "I want to... secure my business" tab).

    Or give them a call, their number should be on the website.

    While I'm sure you can figure it out, and correctly install any hardware firewall they deliver, it might give your dad some peace of mind that a professional was involved to give him the best option.

    For the telephone / in-person consulting, I don't know what (if anything) they will charge, or what they'll recommend, so it's hard for me to say what to be wary of. (Obviously, don't buy the hundred-thousand-dollar super server cluster option.)

    This page is their "Secure my small business page" that might help.

    I already mentioned this, but Cisco solutions range from very expensive, to pretty cheap, and without knowing what your dad needs, I can't really suggest anything.

    Also, there are many other companies that can do this; just make sure you have something that is marketed towards businesses. Routers + firewalls for residential or home use are not robust enough. (I personally don't even think they're robust enough for home use, but opinions differ on that one.)

    Dibbit on
  • Djeet Registered User regular
    edited August 2010
    Routers do not route ARP requests, so that ARP activity is originating from your dad's own LAN. It's not necessarily indicative of an attack, as ARP discovery is a normal part of communicating over an IP network.

    It's very unlikely anyone would be interested in his data (unless it's his banking or CC info, personal identity info, or a mountain of porn); they are more likely to be just interested in using his internet connection.

    Putting up a real firewall between his LAN and the Internet and publishing only the services needed should reduce his LAN's attack surface (concentrating it on the external interface of the firewall which is where you want it) so he'll get fewer of these notifications, unless people are stealing his wifi and they are the source of the activity.

    If he's getting these firewall notifications on the RDP host, which is behind a basic wifi router, I'd wonder how the RDP service is being published, or how traffic is being shaped to that host. Because even a cheap wifi router should be able to publish a service on a host while still screening it from port scan-type activity.

    Djeet on
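A triage pass over host-firewall alert lines of the kind the thread is discussing, as an added example (not code from the thread or from Bullguard): it applies Djeet's point that ARP alerts cannot have crossed the router and so come from the LAN, and SiliconStew's point that Internet port scans are block-and-ignore noise, and surfaces only the one thing worth a human look: a connection to the published RDP port from an address outside the trusted allowlist. The log line format, the LAN subnet, the trusted home address and the sample alerts are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed alert format (constructed, not Bullguard's real export):
#   "<timestamp> <rule name> src=<ip>[ dport=<port>]"
ALERT_RE = re.compile(r"^(\S+) (.+?) src=(\S+)(?: dport=(\d+))?$")

LAN = ipaddress.ip_network("192.168.1.0/24")              # assumed office LAN
PUBLISHED_PORTS = {3389}                                   # RDP is the only service published
TRUSTED_SOURCES = {ipaddress.ip_address("203.0.113.10")}   # assumed home IP (documentation range)

# Constructed sample alerts in the assumed format (addresses are documentation ranges).
SAMPLE = [
    "2010-08-01T09:00:01 TCP port scan src=198.51.100.7 dport=445",
    "2010-08-01T09:00:02 TCP port scan src=198.51.100.7 dport=139",
    "2010-08-01T09:00:05 Unsolicited ARP packet src=192.168.1.23",
    "2010-08-01T09:01:10 TCP connection attempt src=203.0.113.10 dport=3389",
    "2010-08-01T09:02:44 TCP connection attempt src=198.51.100.200 dport=3389",
    "2010-08-01T09:03:00 TCP port scan src=192.168.1.40 dport=80",
]


def classify(line):
    """Return (category, source) for one alert line."""
    m = ALERT_RE.match(line)
    if not m:
        return ("unparsed", "")
    _, rule, src_text, dport = m.groups()
    src = ipaddress.ip_address(src_text)
    if "ARP" in rule.upper():
        # ARP is link-layer and is not forwarded by the router, so the sender is on the LAN.
        return ("lan-arp", src_text)
    if src in LAN:
        return ("lan-noise", src_text)      # other chatter from a LAN host
    port = int(dport) if dport else None
    if port in PUBLISHED_PORTS:
        # The published RDP port is the one place an outside connection matters.
        return ("trusted-rdp" if src in TRUSTED_SOURCES else "review-rdp", src_text)
    # Anything else from the Internet is background scanning: block it, do not notify.
    return ("scan-noise", src_text)


def triage(lines):
    """Count alerts per category and list sources that deserve a human look."""
    counts = Counter()
    review = []
    for line in lines:
        category, src = classify(line)
        counts[category] += 1
        if category == "review-rdp":
            review.append(src)
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print(dict(counts))
    print("review these RDP sources:", review)
```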
  • bowen (Sup?) Registered User regular
    edited August 2010
    That's what I was wondering too Djeet.

    If it's anything like the few places I've seen before a real IT guy sets up business with them, it's probably plugged directly into the main server, and that server uses ICS or some other proxy bullshit forcing it to act as a router. I think Windows 2000 Server was notoriously used for this a lot back in the day.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • krush Registered User regular
    edited August 2010
    Djeet wrote: »
    Routers do not route ARP requests, so that ARP activity is originating from your dad's own LAN. It's not necessarily indicative of an attack, as ARP discovery is a normal part of communicating over an IP network.

    It's very unlikely anyone would be interested in his data (unless it's his banking or CC info, personal identity info, or a mountain of porn) and are more likely to be just interested in using his internet connection.

    Putting up a real firewall between his LAN and the Internet and publishing only the services needed should reduce his LAN's attack surface (concentrating it on the external interface of the firewall which is where you want it) so he'll get fewer of these notifications, unless people are stealing his wifi and they are the source of the activity.

    If he's getting these firewall notifications on the RDP host, which is behind a basic wifi router, I'd wonder how the RDP service is being published, or how traffic is being shaped to that host. Cause even a cheap wifi router should be able to publish a service on a host while still screening it from port scan-type activity.

    Maybe get a used PIX 506e or something like that on eBay. They're a bit under $100 right now.

    krush on
  • punk (Professional Network Nerd, Phoenix, AZ) Registered User regular
    edited August 2010
    A PIX or ASA firewall can be extremely complex, even with a tool like SDM, CP or ASDM. Unless you already have experience with configuring Cisco firewalls, I wouldn't recommend it. For a small business environment, I'd recommend a native GUI-based firewall from Cisco Small Business (like Dibbit suggested), WatchGuard, SonicWall, etc. or sticking with a free product like m0n0wall or pfSense.

    punk on
  • Pheezer Registered User, ClubPA regular
    edited August 2010
    This is the thing I never get. If you're a small business and you're never ever gonna do business with China or Romania, why don't you blacklist the entire block of potential addresses they could possibly be using? Just ask Tube, it's super easy. Even an Australian can do it.

    While you're at it, you can also block Russia and any country that used to be part of the USSR.

    Pheezer on
    IT'S GOT ME REACHING IN MY POCKET IT'S GOT ME FORKING OVER CASH
    CUZ THERE'S SOMETHING IN THE MIDDLE AND IT'S GIVING ME A RASH
  • TheSonicRetard Registered User regular
    edited August 2010
    Pheezer wrote: »
    This is the thing I never get. If you're a small business and you're never ever gonna do business with China or Romania, why don't you blacklist the entire block of potential addresses they could possibly be using? Just ask Tube, it's super easy. Even an Australian can do it.

    While you're at it, you can also block Russia and any country that used to be part of the USSR.

    My dad does a lot of contracting for the City of Houston so he actually does do business with China and Russia and several other foreign countries. I actually posted a method for blocking entire countries, but he can't really do that.

    Anywho, I built the firewall and things are looking good so far. Thanks guys.

    TheSonicRetard on