Had to pwn some h4xx0rs today.

Discussion in 'OT Technology' started by deusexaethera, Nov 13, 2009.

  1. deusexaethera

    I've been having trouble the past couple of days with one of my VM servers bogging down to the point that I've had to hard-reset it (and all the VMs on it, of course). I finally traced down the problem to the FTP server's resource usage; it was singlehandedly using so much of the VM server's resources that nothing else could get a thread in edgewise. This morning I was giving it a once-over and I discovered this:

    [image]

    Well, I knew my router wasn't trying to repeatedly log in using a nonexistent account name, but clearly what it was doing was performing NAT translation on the incoming traffic so I couldn't see the source IP address. That explains why the autoban feature built into FileZilla Server had always caused all traffic to come to a halt within a few hours of turning it on -- it was just autobanning everything coming through the router. Thanks IT guys back at HQ, good planning.

    So, having discovered all the pieces of the problem, I turned off NAT translation on all traffic going to/from servers with public IP addresses, and turned on the autoban feature on FZS, and then I saw this:

    [image]

    As it should be. :) That's one hackbot that won't be bothering me for a while.
     
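    An added example, not code from the thread, showing in Python what a FileZilla-style autoban counts and why it misfired behind NAT: failed logins are tallied per source address over constructed log lines (the format approximates FileZilla Server's; addresses and usernames are made up), and a check flags the case where every session, the legitimate one included, shares a single address, which is exactly when banning that address takes everyone down.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a FileZilla Server 0.9.x log
# (format approximated; not taken from the post's screenshots).
NATTED_LOG = """\
(000021)11/13/2009 06:01:02 - (not logged in) (10.0.0.1)> USER admin
(000021)11/13/2009 06:01:02 - (not logged in) (10.0.0.1)> 530 Login or password incorrect!
(000022)11/13/2009 06:01:03 - (not logged in) (10.0.0.1)> USER root
(000022)11/13/2009 06:01:03 - (not logged in) (10.0.0.1)> 530 Login or password incorrect!
(000023)11/13/2009 06:01:04 - (not logged in) (10.0.0.1)> USER test
(000023)11/13/2009 06:01:04 - (not logged in) (10.0.0.1)> 530 Login or password incorrect!
(000024)11/13/2009 06:02:10 - (not logged in) (10.0.0.1)> USER bob
(000024)11/13/2009 06:02:11 - bob (10.0.0.1)> 230 Logged on
"""
# The same traffic with NAT off: the bot and the real user bob show their own addresses.
lines = NATTED_LOG.replace("(10.0.0.1)", "(203.0.113.7)").splitlines()
lines[-2:] = [l.replace("203.0.113.7", "198.51.100.20") for l in lines[-2:]]
CLEAN_LOG = "\n".join(lines) + "\n"

# session id, who, source ip, message
LINE_RE = re.compile(r"^\((\d+)\)\S+ \S+ - (.+?) \(([\d.]+)\)> (.*)$")

def parse_failures(log_text):
    """Return (source_ip, username) per failed login. The USER command and the
    530 reply are separate lines, so the username is remembered per session."""
    last_user, failures = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        session, _who, ip, msg = m.groups()
        if msg.startswith("USER "):
            last_user[session] = msg[5:].strip()
        elif msg.startswith("530"):
            failures.append((ip, last_user.get(session, "?")))
    return failures

def offenders(failures, threshold=3):
    """Source IPs with at least `threshold` failed logins: autoban candidates."""
    counts = Counter(ip for ip, _ in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def nat_suspected(log_text):
    """True when several sessions all arrive from one address: the symptom in the
    post, where inbound NAT hid every client behind the router's address."""
    matches = [m for m in map(LINE_RE.match, log_text.splitlines()) if m]
    sessions = {m.group(1) for m in matches}
    ips = {m.group(3) for m in matches}
    return len(sessions) > 1 and len(ips) == 1
```

With NAT in place the only offender is the router's address, so an autoban would also cut off bob's successful session; with NAT off the same threshold bans only the bot's address.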
  2. Peyomp

    dude you shut down my bot wtf
     
  3. mobbarley

    this is normal when you expose services to the internet. same with sql, messenger, everything else.
     
  4. BlazinBlazer Guy

    :werd: You need some sort of BFD running whether on a firewall or a script on a server that uses something like netstat or wireshark to monitor incoming traffic on service ports.
     
  5. FormulaLS1

    Why was it NATing incoming traffic like that lol....
     
  6. SLED

    my first thought
     
  7. Vito_Corleone

    .

    makes no sense
     
  8. deusexaethera

    I have no idea why NAT was enabled on connections with public IP addresses. Obviously it was causing one problem, I dunno if it fixed any others, but nobody's complained about not being able to access the server since I shut NAT off. We hired an IT services company to install and manage our network back when I was still working on billable projects, but they got binned when my company realized they didn't know half what they claimed to know. This is one thing that I just got around to diagnosing because I finally had a reason to care.

    Sorry to spoil your fun Peyomp; the data isn't classified, so I wouldn't have to kill you if you saw what was on that server, but I'd have to at least waterboard you for a few hours until I felt better about the situation. :fawk:

    I'm probably going to feel stupid when I hear the answer, but what's a BFD?

    Also, does anyone know of a decent FOSS heartbeat monitor I can run so I can just look at a single screen to see if any machines have gone tits-up overnight?
     
  9. retorq

    What's Up Gold??
     
  10. 5Gen_Prelude

    I wanted something simple so I just created a batch script that pings a list of hosts (and their desired ping rate). Used blat to send out the results of the check to email addresses. It has since taken on more duties (a 3rd option to fire a script if the server is down - used to rekey VPN tunnels). I can post it if you want.

    Also use Spiceworks for monitoring as well - that would fit your bill quite nicely I would bet.
     
  11. Peyomp

    There are lots of options for open platforms, but not sure how they perform in a Win environment?

    1) Splunk. It's free. It's great. You'd have a ton of fun with this. Check out the crap the Splunk Ninja pulls.

    2) SNMP - however crudely or sophisticatedly setup, can do this.

    3) Nagios. Really cool. http://www.nagios.org/
     
  12. deusexaethera

    Thanks, I'll take a look at those.
     