Re: Multiple attempts daily on same ports.

Yes, and should you suffer a data breach the fine is 4% of annual turnover or a fine of up to €20 million, whichever is greater.

Re: Multiple attempts daily on same ports.

Are you joking or is that really true? I'm working at becoming compliant but hell, so don't see how someone a company just starting up could meet the deadline. You should see the stuff that's required. I can copy some of it and post it here if anyone's interested. It's insane

Re: Multiple attempts daily on same ports.

You're not saving any data currently are you ? No need to worry just yet. You need to be compliant by the time you are though.

Re: Multiple attempts daily on same ports.

Oh, I get it! So you don't have to be compliant until you're actually doing the business. That way, when you start up, you can spend the time making sure you're compliant and everything before you start, so we don't have another incident like the big credit bureau incident.

I figure we'll become compliant anyways. I mean, what's wrong with be a little more safe or taking proper measures to really tighten down the equipment? No harm in that I guess.

Using Windows 10 Enterprise E3 (CSP). The cloud thing is kinda cool, but if it was Linux, it'd be setup by now! Holy cow, does Microsoft have to make the smallest things overly complicated!

My wife, being a Windows user, seems a bit more comfortable with it than I do and knows her way around a bit more. You figure setting up a conference call should be as easy as sending an e-mail, right? Oh no. You gotta go through all these bells and whistles and then pray to whoever that it actually works. We log into our PCs with our corporate names, just like we would if we were connected to a domain. That connects us to our Microsoft on-line account.

We got control over a lot of stuff. For example, I can turn telemetry off with a click of a button for the entire organization, or I can prevent Skype users from talking to people outside of the organization. I can deploy software to their machines, or remove it, etc. That's kinda nice, but I can do the same stuff on my domain (which runs Linux) just by SSHing in and running a few commands.

Re: Multiple attempts daily on same ports.

I said that, because apparently, some folks in Europe, don't give a dang if revolutionary war II occurs, because of some folks in Europe forcing foreign law on the U.S.! Remember the late-1770s when studying history? A repeat of history could occur again!

Re: Multiple attempts daily on same ports.

I think it's a good thing. I've had the bank call me one too many times saying a website was compromised and my credit card info was stolen. I use PayPal mainly now.

They're not really doing anything different than our President is doing with the import / export laws. He raises the import taxes and says if you want to do business with us, either pay more money or don't do business.

Europe isn't forcing us do any business with them, they're just saying if we do, we have to make sure their citizens data is properly protected. I think it's good in a sense. To us, if we get fined something like 100,000$, that's a lot of money, and would ruin us. But with a company like Microsoft, for instance, that's a little slap on the wrist. 4% isn't though.

I remember when Equifax was hacked. My information was one of the ones that the hackers got. I received free credit monitoring for life, but they made a few mistakes after being hacked. And I think Yahoo took over a year to go public that they where hacked? One of those big companies did. If we all followed some stricter guidelines when it came to stuff like setting up servers that stored credit card numbers, social security numbers, etc, I think the world might be a little bit better of a place.

Re: Multiple attempts daily on same ports.

No, you don't have to block them, they will block you. Goodbye business. At least it's probably still better than china's policy...

And yes I get my fair share of hack attempts too. Even machines in my public ip subnet I don't have turned on for many days, weeks, months - as soon as I turn them back on, I get attacks.

Re: Multiple attempts daily on same ports.

Yeah.

We upgraded cPanel, and all of a sudden, the "attack" stopped. Just like that. But I don't think it was related the update or anything. I think the people just either gave up or ran out of IP addresses to use. I've never had one attack last this long, but every day, my servers are just like all of yours, and are under constant hacking attempts...

I like the ones where they're trying to brute force my SSH server. They're trying usernames and passwords on port 22, which is closed (my SSH server is on a much higher port), and keyboard authentication is disabled. Can only get in with a private key. But they'll run their attack for a good while, every time they get blocked, it'll come from a new IP address.

I wonder how they do that. They using some sort of proxy or do you think they just have control over many different machines around the world?

Re: Multiple attempts daily on same ports.

Yes, they appear to have that many computers around the world, don't let yours be another.

Re: Multiple attempts daily on same ports.

maybe you got Hillary's old server ip address ?

Re: Multiple attempts daily on same ports.

+1 f2b

Another option, highly recommended, download pfsense router and turn on “suricata” an IDS/ips. It will block those connection attempts at the ip level with rules you can turn on and off. It's a really sweet plugin for pfsense.

Re: Multiple attempts daily on same ports.

This is tangentially related to i'll just put it here.

Re: Multiple attempts daily on same ports.

https://en.wikipedia.org/wiki/Carna_botnet

Re: Multiple attempts daily on same ports.

My server is setup to automatically block attacking IP addresses. It also downloads, on a regular basis, a list of known bad IP addresses (and uploads to certain lists). It's also configured (although, I'm sure someone will make a valid and strong about against this) to pull in the abuse address from the whois database and automatically report the IP address.

The problem is it isn't one IP address. It's very many IP addresses. As soon as one got blocked, a new one would start. Now I have most of them blocked I do believe, but I'm occasionally getting an email from my server saying it blocked them again (maybe once every 3 or 4 days).

Sorry the delay in getting back to everyone. Was very busy, working very hard, configuring various things on my side for our new business. Almost there!

Re: Multiple attempts daily on same ports.

Do you block ICMP ping requests? I allow them through my firewall. I could whitelist them just for my site I various domains I guess, but I like having it open.

Granted, I guess someone could use them to against me as a DDoS attack.

Re: Multiple attempts daily on same ports.

eccerr0r, the way the article reads, it almost seems like a reverse DNS PTR record is a bad thing. Generally, without one, mail will tend to fail. Lot of mail servers use that to check if it's authentic. Right now, I can only have one and haven't properly finished setting up the DNS server on the new business domains, mainly DMARC.

I've attempted, but when we switched from Office 365 ProPlus to Office 365 Enterprise E3 (with the PSTN license), I think it broke Microsoft's portal and I have to delete the domains and readd them.

I like how I can hit a button and they'll call me in 5 minutes, 24x7. And even though at night, I get people from Eastern countries, so far, they seem to speak better English than me! They're knowledgeable as well.

Overall, this whole cloud service thing is a nice concept, but just like with any Microsoft product, it's bugger than shit.

Gonna try to see if I can setup an open-source (or free) Linux domain controller with that actively supports Microsoft Exchange and Active Directory, so it can sync with their shit, rather than having to log into their domain everything I want to use the PC.

Re: Multiple attempts daily on same ports.

Looks like the attack might have been from w00tw00t.at.blackhats.romanian.anti-sec.

Now that the attack stopped and I got a chance to setup my mail clients, I see a final message from modesc, showing them trying to access various url's.

So they where more than likely attempting to use multiple PCs to hack into my server. I noticed eventually, the ports started to change ever so slightly. They'd still try 7001, etc, but then in the end, they'd try a different port.

My hypothesis is they had a multiple list of exploits and with each attempt, they'd try them, and with port 8080 being used by so many programs, perhaps there where more exploits for port 8080, than there was for 7001.

If it where, which I wouldn't do, obviously, I'd use the first IP to see how many times I could connect before being banned. Then configure my auditing program to do a port scan. Try x amount of ports, where x is the number of times I could connect before being banned, switch IPs, then try another. I'd first build a list of ports. Then I'd try walking the zone.

If there was a webserver, I'd probably explore that a bit. But I definitely wouldn't spend weeks trying to crack a closed port, even if all I had to do was hit a button and stay back. Makes me think this person wasn't so much a hacker as he was a script kiddie.

Re: Multiple attempts daily on same ports.

Has anyone watched this video yet?

https://youtu.be/U3QXMMV-Srs

I was in the process of locking down our printer, but noticed it only supports RSA2 (2048 bit) and DSA (1024 bit). I contacted Brother because everytime I tried uploading my ecdsa-sha2-nistp521 private key, it'd say the key already existed. I reached a call center and what a joke that was! Holy cow! Guy kept on thinking it was a permission issue on the server that was running the SSH / SFTP server. I kept on saying we cannot setup the profile until the keys imported, so the printer doesn't know about any folders yet. He asked to speak to the IT department. I told him I was the IT department.

Finally, he tells me to contact my ISP! I said what? You want me to contact my ISP to have them fix your printer? This is ridiculous! They're just gonna tell me to go to hell and call you guys!

So I wrote to them, expecting a stupid sorry for the inconvenience, try again or something. They had a level 5 tech call me! And I told him what I wanted, and I also said I found some bugs in their firmware on the printer (the web interface, mainly), plus how it wasn't what I considered secure, and how their Linux driver scripts had some issues but I fixed them, and how they should consider setting up some Linux repo's so our package managers can automatically update the various packages.

He said he wants me to write it all in an email to him (he sent me his address) and include my changed script, with the documentation on what I changed, and he'll send everything over to the programming department.

I said if they don't implement it, perhaps I could sign an NDA and just get the part of the firmware that deals with the SSH client / server that's built into the printer, and modify it myself, send it back, and have them custom build me an image. He said mention that too and we'll go from there.