Understanding how your network is at risk – Part 2

I have a single laptop on a commercial ISP right now. I decided to run an FTP server and open it to the world. Some of you Sys Admins might be saying right now that running an FTP server is nothing; your company most likely runs one or several.

Problem: I watched the FTP server logs in real time. Within 1 minute I had two attempts on the FTP server. Within 15 minutes I had 13 attempts on my FTP server. Each attacking IP made at least 3 attempts on the FTP server.

[Image: Attacking an FTP Server with a word list.]

Attackers are able to do this by running a script that scans every routable IP address in the world. Such a script could be optimized to scan the entire world for hosts in less than a day, or even faster. Once the attacker receives a response from an FTP server they can attack it with a brute force method: the scanning script can be designed to attack the FTP server using dictionary words for the user name and password. This is scary, and it happened within one minute of opening an FTP server to the world.

The same is true when you run a web server, an SSH server, a Remote Desktop server, and more. This simple example script scans a host and reports whether each port in a pre-defined list is open or closed:

#!/usr/bin/python

import socket
import sys

# Expect exactly one argument: the host to probe (IP address or FQDN)
if len(sys.argv) != 2:
    print("Usage: " + sys.argv[0] + " you must enter IP or FQDN as argument")
    sys.exit(1)

remote_host = sys.argv[1]

# Pre-defined list of commonly exposed service ports (FTP, SSH, Telnet, HTTP, SMB, LDAP, ...)
for remote_port in [21, 22, 23, 80, 139, 389, 443, 445, 3128, 3306, 3389]:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(20)  # give up on a port after 20 seconds without a TCP handshake
    try:
        sock.connect((remote_host, remote_port))
    except Exception:
        # connection refused, timed out or otherwise failed: treat the port as closed
        print("%d closed" % remote_port)
    else:
        print("%d open" % remote_port)
    sock.close()

Now if such a simple script is available I wonder how far I can take it to do damage…

Solution: Monitor your FTP, SSH, and VPN logs. If an IP is repeatedly failing to authenticate, block it. Run a tool like DenyHosts or Fail2Ban.

DenyHosts monitors your SSH, FTP, HTTP, and any other authentication log. It detects IPs that have failed to authenticate in those logs and blocks them permanently. It also works with a worldwide database and protects you from bad IPs that have attacked other people. Don’t be surprised if your DenyHosts log gets bigger than 1GB within a month like mine did. I have an in-depth tutorial on my Tech Page.

Also, have you considered not running the FTP or SSH server at all? Do you really need it? If so, can you implement a whitelist with a default deny-all policy that admits only the hosts on the whitelist? I recommend this in combination with DenyHosts.
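As an added example (not the author's script and not DenyHosts or Fail2Ban code), the following Python program implements the detection logic described above: it parses constructed sshd- and vsftpd-style authentication-failure lines, counts failures per source IP inside a sliding time window, and renders the offenders as hosts.deny entries of the kind DenyHosts maintains. The sample log lines, the threshold of 3 failures and the 10-minute window are assumptions chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the post), in the style of sshd and vsftpd syslog lines.
SAMPLE_LOG = """\
Jul  2 23:01:05 laptop sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
Jul  2 23:01:09 laptop sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 50212 ssh2
Jul  2 23:01:14 laptop sshd[2211]: Failed password for root from 198.51.100.7 port 50213 ssh2
Jul  2 23:02:30 laptop vsftpd[2300]: FAIL LOGIN: Client "203.0.113.44"
Jul  2 23:02:31 laptop vsftpd[2300]: FAIL LOGIN: Client "203.0.113.44"
Jul  2 23:03:00 laptop sshd[2215]: Failed password for tom from 192.0.2.10 port 40000 ssh2
Jul  2 23:04:00 laptop sshd[2215]: Accepted publickey for tom from 192.0.2.10 port 40001 ssh2
Jul  2 23:20:00 laptop vsftpd[2305]: FAIL LOGIN: Client "203.0.113.44"
"""

SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$')
FAILURE_RES = {  # one pattern per daemon; only matching lines count as a failed login
    'sshd': re.compile(r'^Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3})'),
    'vsftpd': re.compile(r'^FAIL LOGIN: Client "(?P<ip>\d+(?:\.\d+){3})"'),
}

def parse_failure(line):
    """Return (timestamp, source_ip) for an authentication-failure line, else None."""
    m = SYSLOG_RE.match(line)
    pat = FAILURE_RES.get(m.group('prog')) if m else None
    f = pat.match(m.group('msg')) if pat else None
    if f is None:
        return None
    # syslog timestamps carry no year; strptime's default year is fine for relative windows
    return datetime.strptime(m.group('ts'), '%b %d %H:%M:%S'), f.group('ip')

def find_offenders(log_text, threshold=3, window=timedelta(minutes=10)):
    """Map each IP that reaches `threshold` failures inside a sliding `window` to the time it did."""
    recent, blocked = defaultdict(list), {}   # ip -> failure timestamps still inside the window
    for ts, ip in filter(None, map(parse_failure, log_text.splitlines())):
        if ip in blocked:
            continue                          # already on the block list; nothing more to count
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            blocked[ip] = ts
    return blocked

def hosts_deny_lines(blocked):
    """Render the offenders as /etc/hosts.deny entries, the file DenyHosts maintains."""
    return ['ALL: %s' % ip for ip in sorted(blocked)]

if __name__ == '__main__':
    print('\n'.join(hosts_deny_lines(find_offenders(SAMPLE_LOG))))
```

On the sample log only 198.51.100.7 crosses the threshold; 203.0.113.44 never does because its third failure falls outside the 10-minute window, which is exactly the kind of slow, low-rate probing a pure count without a window would catch but a windowed rule lets through.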

Problem: Free WiFi is awesome; everyone should provide open WiFi everywhere. Your cell phone would never need a tower and you would always have access to the web wherever you go. On the other hand, when you have access to something, so does someone else. You can’t trust anyone in cyberspace.

[Image: Wireshark]

When you are on an open access point someone can sniff your packets and capture them. It is even possible to execute a man-in-the-middle attack to steal passwords and banking information. Your emails can be read and files stolen even when using SSL, because a man in the middle sees all.

Solution: So how can you stay safe in this scary world? Easy: tunneling. VPN to your corporate network, or even use dynamic port forwarding with SSH. Connecting to a VPN server creates a secure encrypted tunnel that connects you directly to the LAN in your office or home. It uses the internet connection on the other end to retrieve your web pages, bypassing the open WiFi. This is the most secure and easiest solution. I have set up an SSH server at my home to use whenever I am on the road in an airport, hotel, or Starbucks. To find out how to create a secure SSH server using certificates to authenticate, take a look at my Tech Page.


Next I will talk about how viruses propagate via removable storage and what Sys Admins can do to prevent it.


2 Comments

  1. Posted July 2, 2009 at 23:33 | Permalink

    I think your network is at risk because I just haXXored it!! hahah

    Good series man.

  2. Posted July 3, 2009 at 05:38 | Permalink

    What's up Jay. Glad to hear from you. Were you the one that left the Skull and Crossbones on my desktop? Take care.

  • Welcome to TomSchaefer.org