Mike van der Meulen's Blog about day-to-day, work-related "stuff", often technical, rarely exciting, just the everyday things that go on.
Well, at least someone is trying to hack this site. First off, let me describe the "infrastructure" of this site. This site (and a few others) is running on an ultra-cheap VPS somewhere in Colorado, a Windows Server 2008 R2 with 2 cores and 2 GB memory. It's mainly used for testing and development purposes. With web applications, it pays to test them on an underpowered server, as bottlenecks and problems become readily visible. So this server is my minimalist test-bed. It runs next to nothing other than IIS with a few web sites (including this site).
The only other application to speak of is the FTP server. When I set up the server I decided to disable Microsoft's FTP server and installed FileZilla Server instead. The intention was to enable the FTP server only when needed and otherwise disable it. Of course, that was just the theory; in practice I kept forgetting to disable it after I used it.
A few years ago, when I was still hosting some sites on shared UNIX servers, one of my sites was hacked via FTP. It was a simple brute-force hack, generating random logins until it found one, just to add a bit of JavaScript to the home page. After that, every visitor to that site got the home page (as expected). In addition, it popped up a second window, alerting the visitor that his/her computer was infected and that he/she needed to buy anti-virus software (conveniently offered in the popup window).
Of course, that was easily fixed and the whole thing quickly forgotten. On a side-note, I do wish there was some "authority" that could prosecute such hacking, as I managed to get sufficient information as to who did it.
Fast forward to today's problem. Again, some script kiddie was trying to log into my FTP server. Of course, this being a VPS, there is no one other than me "minding the store". But I immediately noticed the log entries, trying some common logon names with randomly generated passwords. It did, however, remind me of the fact that I'm not always monitoring this server and that there was a giant security hole. FTP is the lesser problem. The real problem is that the server is accessed by the administrator (me!) using Remote Desktop. Any script kiddie could generate random logins and get control of the server. Not good.
Of course, I figured this is such an unimportant server that I really didn't have to worry about it, as there is no content worth "stealing": no passwords, no credit card info. I forgot that the server itself is an asset that is worth hijacking for other nefarious purposes (like spamming others).
So I set out to make the server a bit more secure - "on the cheap" of course. No VPN, no extra software, just using the tools at hand. (I apologize to all IT server admins, for whom this surely is old news, but I documented the steps here for others who have to take care of a server because there is no full-time server admin).
First off, the FileZilla Server has a simple mechanism to prevent such scripted attacks. By accessing the server settings, you can implement the Autoban option. (I first didn't understand it as I was thinking of the German Autobahn ( = highway), but that confusion lasted just a few seconds).
Once enabled with these settings, a script can only try 10 login/password combinations per hour. This really makes it impossible to guess a login in this century (or even millennium).
Now I still have to worry about Remote Desktop logins, which can cause way more harm. Fortunately, Windows Server 2008 R2 has a very similar lockout (or autoban) mechanism hidden in the Local Group Policies. These can be modified using the Local Group Policy Editor, started by running gpedit.msc:
To change the account lockout settings, navigate to Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
In this case I allow 5 invalid logins, then the account is locked for 10 minutes. Again, it's not feasible to guess a login in a reasonable time.
Then I found one more setting that is quite helpful. Whenever I log in, it displays whether there were login attempts since my last login:
To enable this, again use the Local Group Policy Editor and navigate to Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options and enable "Display information about previous logons during user logon".
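The two Group Policy settings above can also be applied and verified from the command line, which is handy when you are already in a Remote Desktop session and want to check the result. The script below is an added example, not code from the original post: it sets the account lockout policy with `net accounts`, enables the previous-logon display through the registry value that the Group Policy setting writes (assumed here to be `DisplayLastLogonInfo` under the Policies\System key), and then summarises failed logon attempts (Security log, Event ID 4625) so you can see who has been knocking on the door. The 10-minute counter-reset window is my assumption; the post only states 5 attempts and a 10-minute lockout. Run it from an elevated PowerShell prompt on the server.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# prompt on the server itself. The 10 minute reset window is an assumption; the
# post states only 5 invalid logins and a 10 minute lockout.

# --- 1. Account lockout policy (same settings as Account Lockout Policy in gpedit.msc) ---
net accounts                                   # show the current policy first
net accounts /lockoutthreshold:5 /lockoutduration:10 /lockoutwindow:10
# threshold = invalid logins before lockout, duration = minutes locked,
# window = minutes after which the failure counter resets (must not exceed duration)

# --- 2. "Display information about previous logons during user logon" ---
# Assumption: this policy is backed by the DisplayLastLogonInfo DWORD below.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'DisplayLastLogonInfo' -Value 1 -Type DWord
Get-ItemProperty -Path $policyKey -Name 'DisplayLastLogonInfo'   # verify it took

# --- 3. Who tried to log in? Event 4625 = "An account failed to log on" ---
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue      # no events -> empty result, not an error

$rows = foreach ($e in $failed) {
    # Each 4625 event carries named fields in EventData\Data; pull them out of the XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        SourceIP  = $data['IpAddress']
        LogonType = $data['LogonType']   # 10 = RemoteInteractive, i.e. Remote Desktop
    }
}

"Failed logons since $since : $(@($rows).Count)"
$rows | Group-Object SourceIP | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
$rows | Group-Object User     | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

If step 3 reports nothing while the FTP log clearly shows attempts, check that failure auditing for logons is switched on (`auditpol /get /category:"Logon/Logoff"`); without it, 4625 events are never written and the lockout policy is working blind. One more caveat worth knowing: the built-in Administrator account is exempt from account lockout, so if that is the account used for Remote Desktop, the lockout policy does not protect it. A separately named administrative account, with the built-in one renamed or disabled, closes that gap.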
With the given tools and on a "shoe-string budget", this is probably the best you can do, yet it should be fairly safe as the server is not readily hackable.