Help securing my server

firefoxx04

I have a home backup server that stores a mirror copy of all my files from my desktop. I have my router set up to allow me to gain remote access to my server from out of the home.

Last night I noticed an unknown IP trying to log into my FTP server (FileZilla) but it was trying the wrong username. I blocked the IP with FileZilla and then blocked it on my router.

It just happened again this morning with a different IP and again with a third that appears to be within the States. The first two appear to be bots from China.

123.108.111.191
119.37.196.121


Tonight I plan on getting my "website name" changed via my free DNS account and then keeping our modem off all night in hopes of getting a new IP.


My FTP server is set up to use port 990 (FTPS).

I am using Windows Server 2008 R2

I also have remote desktop available from outside my own network. (I use it all the time but it worries me sometimes)


Are there any more steps I should be taking to secure my server? Any help and suggestions are greatly appreciated.

Thanks
 
USAFRet

Titan
Moderator
If you have ports open through your router, yes, that is what will happen. Random scans, and if the bot (or human) sees something, it will try to connect.

A new IP address won't help. They just scan all within the range.
 
Solution

nuix0923



He is correct. Technology created for our convenience will always have a hole. lol
 

firefoxx04

I suppose that is the way of things. I cannot seem to find Windows software that will help filter these things out.

FileZilla is set to ban users after 10 login tries, but since the bot never actually gets to log in, it does not get blocked. They keep trying port 21 when port 990 is used to log in.
 

USAFRet

Titan
Moderator
Port 21 is the default FTP port.
You can't filter them out, only block when they try to access. If you can get to the server from outside, anyone can. The only thing actually stopping them is username/password.

If you want/need access from outside, and real security, you need a commercial grade router, with actual software to block such attempts.
 

firefoxx04



I do have an ASUS router running Tomato 1.28. I have blocked the two IPs that tried to get at me and it seems to keep them at bay. I'm not sure if there is a script or program that Tomato can run that will automate that process.

Changing the port from 21 to something else seems silly if I am vulnerable to a port scan.
 

USAFRet

Titan
Moderator


A port scan is just that. Try every available until something open is found. Blocking individual IP addresses is probably not the answer either. Those scans could be coming from any zombied machine on the net.
 

Lee-m

You won't ever be able to stop all the random incoming connections, that's just the way it is now. Just get used to the idea of protecting yourself against these random attacks and scans.
You just need to make sure your services are secure. It's the same for everyone, home servers and big business alike.

So:
a) use a very good password
b) it might be possible to have the services answer only to a known IP address or MAC address, sometimes your router can do this too.
c) keep software and your Windows server up to date to protect yourself against exploits.
d) keep an eye out for security alerts that might affect you.
e) don't worry so much :)
 
It depends on the purpose of the FTP server. If at all possible, a better design is to block all IPs and then whitelist any that are allowed to access the server. It depends if you can predict where your valid access will occur from.

Not sure if Tomato is strong enough to do it automatically. The way it is done with commercial equipment is a small session is opened with the firewall and the user is authenticated. After this the firewall dynamically adds rules with whatever permissions that user has, restricted to his current IP. When the session with the firewall is closed, all the rules are removed. I know there was discussion of this on the DD-WRT forums but I don't know if anything was ever implemented to allow dynamic firewall rules.

It might be possible to use IDP code that can detect a scan and after that block all traffic. Problem is IDPs tend to be susceptible to false alerts and block things they should not. And if a hacker knows you are running an IDP they can exploit it and use it as a denial of service attack by tricking it into blocking things it should not.
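
The automated blocking discussed in this thread, sketched as an added example that is not code from any poster, FileZilla or Tomato: it counts connection attempts per source in a sliding window, skips allowlisted addresses and lets blocks expire, which limits the false-alert and self-inflicted denial-of-service problem described above. The log format, thresholds and addresses (documentation ranges) are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample: "epoch-seconds source-ip destination-port" per refused
# or failed connection. The format is an assumption, not a real product's log.
SAMPLE_LOG = """\
1000 203.0.113.7 21
1005 203.0.113.7 21
1010 203.0.113.7 22
1012 198.51.100.20 990
1015 203.0.113.7 3389
1030 192.0.2.50 21
1031 192.0.2.50 21
1032 192.0.2.50 21
1033 192.0.2.50 21
2000 203.0.113.7 990
"""

ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # known-good range (assumed)
MAX_HITS = 4      # attempts tolerated inside one window
WINDOW = 60       # seconds
BLOCK_FOR = 600   # blocks expire, so a false positive heals itself

def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)

def decide_blocks(log_text):
    """Return {ip: (blocked_at, expires_at)} for sources over the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps inside the sliding window
    blocks = {}
    for line in log_text.splitlines():
        ts_str, ip, _port = line.split()
        ts = int(ts_str)
        if is_allowlisted(ip):
            continue             # never auto-block known-good sources
        if ip in blocks and ts < blocks[ip][1]:
            continue             # already blocked and not yet expired
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > WINDOW:
            hits.popleft()       # forget attempts older than the window
        if len(hits) >= MAX_HITS:
            blocks[ip] = (ts, ts + BLOCK_FOR)
            hits.clear()
    return blocks

def active_blocks(blocks, now):
    return sorted(ip for ip, (_, exp) in blocks.items() if now < exp)
```
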
 

firefoxx04





I'm not seeing anything like that in my router settings but thanks for the great info.




Yes I suppose to. I would limit it to accept only IPs that are known but I find myself accessing things from many different places so that would get old fast.


I guess I was taken off guard because this all happened recently. It was not always like this. I guess someone found me and put me in their little black book.