Thursday, 26 September 2013

Defending Against Web Server Denial of Service Attacks (Post attack)

Sample of DoS attack traffic (only 7 lines out of literally 4 million log lines in the past few days):
A,B,120.152 - - [21/Jul/2013:02:53:42 +0000] "POST /?CtrlFunc_DDDDDEEEEEEEFFFFFFFGGGGGGGHHHH HTTP/1.1" 404 9219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
C.D.3.168 - - [21/Jul/2013:02:53:43 +0000] "POST /?CtrlFunc_yyyzzzzzzzzzz00000000001111111 HTTP/1.1" 404 9213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
E.F.67.90 - - [21/Jul/2013:02:53:44 +0000] "POST /?CtrlFunc_FFFGGGGGGGGGGGGGGGGGGGGGGHHHHH HTTP/1.1" 404 9209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
G.H.76.206 - - [21/Jul/2013:02:53:45 +0000] "POST /?CtrlFunc_iOeOOkzUEV8cUMTiqhZZCwwQBvH9Ot HTTP/1.0" 404 9136 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
I.J.21.174 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34778 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
K.L.57.51 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34796 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
M.N.29.143 - - [21/Jul/2013:02:53:46 +0000] "POST /?CtrlFunc_ooppppppppppqqqqqqqqqqrrrrrrrr HTTP/1.1" 404 9213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"



This is a type of DDoS attack targeting a particular domain hosted on the server. Here the attacker appears to be using POST requests to consume all the bandwidth of the account. Normally a POST request means something is being uploaded to the site or data is being entered into a form, but here the attacker is somehow using it purely as a way to consume bandwidth. Note also that the requests do not target any specific link or file.
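Before writing a blocking rule it is worth measuring what a candidate signature would catch on the log itself. The script below is an added example, not code from the original post: it parses the seven sample lines above in Apache combined format, summarises the traffic shape (many distinct sources hitting the site within a few seconds), and scores three log-side equivalents of a mod_security rule against a labelled sample. The two "legitimate" lines, their source addresses and the signature names are constructed for the example; one of them deliberately carries the same IE6 User-Agent as the flood, since a User-Agent-only rule (the one used in the solution below) will also drop genuine visitors with that browser string.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format, the same layout as the sample lines in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The User-Agent string the post's mod_security rule keys on.
FLOOD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Labelled sample: (log line, is_attack). The first seven lines are the post's
# own sample; the last two are constructed legitimate visits, one from a real
# IE6 browser, included to show what a User-Agent-only rule also catches.
SAMPLE = [
    ('A,B,120.152 - - [21/Jul/2013:02:53:42 +0000] "POST /?CtrlFunc_DDDDDEEEEEEEFFFFFFFGGGGGGGHHHH HTTP/1.1" 404 9219 "-" "' + FLOOD_UA + '"', True),
    ('C.D.3.168 - - [21/Jul/2013:02:53:43 +0000] "POST /?CtrlFunc_yyyzzzzzzzzzz00000000001111111 HTTP/1.1" 404 9213 "-" "' + FLOOD_UA + '"', True),
    ('E.F.67.90 - - [21/Jul/2013:02:53:44 +0000] "POST /?CtrlFunc_FFFGGGGGGGGGGGGGGGGGGGGGGHHHHH HTTP/1.1" 404 9209 "-" "' + FLOOD_UA + '"', True),
    ('G.H.76.206 - - [21/Jul/2013:02:53:45 +0000] "POST /?CtrlFunc_iOeOOkzUEV8cUMTiqhZZCwwQBvH9Ot HTTP/1.0" 404 9136 "-" "' + FLOOD_UA + '"', True),
    ('I.J.21.174 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34778 "-" "' + FLOOD_UA + '"', True),
    ('K.L.57.51 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34796 "-" "' + FLOOD_UA + '"', True),
    ('M.N.29.143 - - [21/Jul/2013:02:53:46 +0000] "POST /?CtrlFunc_ooppppppppppqqqqqqqqqqrrrrrrrr HTTP/1.1" 404 9213 "-" "' + FLOOD_UA + '"', True),
    # constructed: a genuine IE6 visitor browsing the site
    ('X.Y.10.20 - - [21/Jul/2013:02:53:44 +0000] "GET /about.html HTTP/1.1" 200 5120 "http://example.com/" "' + FLOOD_UA + '"', False),
    # constructed: an ordinary visitor with a different browser
    ('X.Y.10.21 - - [21/Jul/2013:02:53:46 +0000] "GET /index.php HTTP/1.1" 200 34778 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"', False),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


# Candidate signatures; each is the log-side equivalent of a mod_security rule.
def sig_ua_only(rec):
    """What the post's rule does: match on REQUEST_HEADERS:User-Agent alone."""
    return rec["ua"] == FLOOD_UA


def sig_ua_and_ctrlfunc(rec):
    """Narrower: the User-Agent plus the junk "?CtrlFunc_" query string."""
    return rec["ua"] == FLOOD_UA and "?CtrlFunc_" in rec["target"]


def sig_ua_and_post(rec):
    """User-Agent plus a POST to "/" or to the junk query, which is all the flood sends."""
    return (rec["ua"] == FLOOD_UA and rec["method"] == "POST"
            and (rec["target"] == "/" or "?CtrlFunc_" in rec["target"]))


def evaluate(signature, labelled):
    """Return (caught, false_positives, missed) for a signature over labelled records."""
    caught = false_positives = missed = 0
    for rec, is_attack in labelled:
        hit = signature(rec)
        if hit and is_attack:
            caught += 1
        elif hit:
            false_positives += 1
        elif is_attack:
            missed += 1
    return caught, false_positives, missed


def summarize(records):
    """Traffic shape: many distinct sources inside a short window is the DDoS tell."""
    times = [r["time"] for r in records]
    return {
        "requests": len(records),
        "distinct_sources": len(Counter(r["ip"] for r in records)),
        "seconds": (max(times) - min(times)).total_seconds(),
        "share_404": sum(r["status"] == 404 for r in records) / len(records),
    }


LABELLED = [(parse_line(line), flag) for line, flag in SAMPLE]
ATTACK_RECORDS = [rec for rec, flag in LABELLED if flag]

if __name__ == "__main__":
    print(summarize(ATTACK_RECORDS))
    for sig in (sig_ua_only, sig_ua_and_ctrlfunc, sig_ua_and_post):
        print(sig.__name__, evaluate(sig, LABELLED))
```

On this sample the User-Agent-only signature catches all seven flood lines but also the genuine IE6 visitor, the query-string-only variant has no false positive but misses the two `POST /` lines, and the combined method-plus-target signature catches everything with no false positive. Feeding a day of real access logs through `evaluate` with the site's own legitimate traffic labelled as such is the quickest way to see how much collateral a given rule will cause before deploying it.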

Solution:

Add the mod_security rule below to the mod_security config file of the domain. If you are using a cPanel server, add the rule to the following file.

============================
1) Open file /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAIN/modsec.conf

2) Add the rule below to the file

# ModSecurity 2.7 and later refuse to load a rule without an id; 10001 is an
# example id from the range reserved for local rules, change it if it collides
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/4.0 \(compatible; MSIE 6.0; Windows NT 5.1; SV1\)$" "id:10001,log,drop,phase:1,msg:'Brute Force Attack Dropped'"

3) Make sure to run the following script after making the changes.

/scripts/ensure_vhost_includes --user=username

This script will uncomment the following line in the Apache configuration. It customises the virtual host to use that include file and then restarts Apache.

Include "/usr/local/apache/conf/userdata/std/2/username/domain.com/*.conf"


That's all!


Tuesday, 24 September 2013

Windows Server Hardening

BASIC LEVEL HARDENING

 

Steps to harden Windows Server 2003



Here I am listing some easy steps involved in Windows server hardening.

Step 1: Strong password


The first line of defense against unauthorized access is a strong password. The Microsoft Windows Server 2003 family has a new feature that checks the complexity of the password for the Administrator account during setup of the operating system. Choose a password of at least 15 alphanumeric characters; attackers cannot crack a stronger password as easily.

You can change the administrator password by following the simple steps shown below.

1. Click Start, and then click Run.
2. In the Open box, type "mmc" (without the quotation marks), and then click OK to start MMC.
3. Start the Local Users and Groups snap-in.
4. Under Console Root, expand "Local Users and Groups", and then click Users.
5. In the right pane, right-click Administrator, and then click Set Password.
6. Click Proceed in the message box that appears.
7. Type and confirm the new password in the appropriate boxes, and then click OK.

Step 2: Software restriction policies through Group Policy


You can prevent untrusted code from running by restricting it through Group Policy. The policy can apply to all of the computers or to a particular user.

Software restriction policies can perform the following tasks:

* Control which programs can run on the server.
* Allow only specific files to run on the server.

To start Software Restriction Policies:

* Click Start >> Programs >> Administrative Tools, and then click Local Security Policy.
* In the console tree, expand Security Settings, and then expand Software Restriction Policies.

Step 3: Enable Windows Firewall in the server


Windows Firewall is a line of defense that monitors and restricts the information travelling between the computer and the network. When the system receives an unsolicited request, Windows Firewall blocks the connection.

You can turn on Windows Firewall from Start >> Control Panel >> Windows Firewall.

You can also use IPsec to block or filter connections to the server.

Step 4: Strengthen TCP/IP stack


Denial of service (DoS) attacks are network attacks that are difficult to defend against. To reduce exposure to them, always keep the server updated with security patches, and also tune the TCP/IP stack to resist DoS attacks.

The following TCP/IP-related values can be used to harden the TCP/IP stack on the server. The values mentioned below should be created under the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

All values are in hexadecimal.

Key 1:
Value name: SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0,1
Default: 0

This value controls the retransmission of SYN-ACKs. A value of "0" means no SYN attack protection; set it to "1" for better protection against SYN attacks.

Key 2:
Value name: EnableDeadGWDetect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)

When EnableDeadGWDetect is "True", TCP may ask the Internet Protocol (IP) to change to a backup gateway. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in the Network tool in Control Panel.

Microsoft recommends that you set the EnableDeadGWDetect value to 0. If you do not set this value to 0, an attack may force the server to switch gateways and cause it to switch to an unintended gateway.

Key 3:
Value name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)

Microsoft recommends that you set EnablePMTUDiscovery to 0.

Key 4:
Value name: KeepAliveTime
Key: Tcpip\Parameters
Value Type: REG_DWORD (time in milliseconds)
Valid Range: 1-0xFFFFFFFF
Default: 7,200,000 (two hours)

This value controls how frequently TCP tries to verify that an idle connection is still intact by sending a keep-alive packet. The recommended value setting is 300,000 (5 minutes).

Key 5:
Value name: NoNameReleaseOnDemand
Key: Netbt\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 0 (False)

Microsoft recommends that you set the NoNameReleaseOnDemand value to 1.
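Checking five values by hand in regedit is error-prone, so here is an added example (not from the original post) that audits them from the text that `reg query` prints and renders the corrections as a `.reg` file. The baseline table carries exactly the defaults and recommended values listed above; the `SAMPLE_REG_QUERY` text, including the non-DWORD `DataBasePath` line, is a constructed stand-in for real `reg query` output, and the function names are mine. A value that is absent from the registry is treated as being at its Windows default, which is the case the manual check most often misses.

```python
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# (subkey under Services, value name): (Windows default, value the post recommends)
BASELINE = {
    (r"Tcpip\Parameters", "SynAttackProtect"):      (0, 1),
    (r"Tcpip\Parameters", "EnableDeadGWDetect"):    (1, 0),
    (r"Tcpip\Parameters", "EnablePMTUDiscovery"):   (1, 0),
    (r"Tcpip\Parameters", "KeepAliveTime"):         (7200000, 300000),
    (r"Netbt\Parameters", "NoNameReleaseOnDemand"): (0, 1),
}

# Constructed sample of what `reg query <key>` prints: an unindented key line
# followed by indented "name  type  data" lines, with DWORD data in hex.
# EnablePMTUDiscovery is deliberately missing, so its default applies.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    SynAttackProtect    REG_DWORD    0x0
    EnableDeadGWDetect    REG_DWORD    0x1
    KeepAliveTime    REG_DWORD    0x6ddd00
    DataBasePath    REG_EXPAND_SZ    %SystemRoot%\System32\drivers\etc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters
    NoNameReleaseOnDemand    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Return {(full key path, value name): int} for every REG_DWORD in reg query output."""
    values = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            key = raw.strip()            # unindented line: a registry key path
            continue
        parts = raw.split()
        if key is None or len(parts) < 3 or parts[1] != "REG_DWORD":
            continue                     # other value types are not in this baseline
        values[(key, parts[0])] = int(parts[2], 16)
    return values


def audit(values):
    """List (key, name, effective value, recommended, absent?) for each deviation.
    A value missing from the registry is in effect at its Windows default."""
    findings = []
    for (subkey, name), (default, recommended) in BASELINE.items():
        key = SERVICES + "\\" + subkey
        present = values.get((key, name))
        effective = default if present is None else present
        if effective != recommended:
            findings.append((key, name, effective, recommended, present is None))
    return findings


def to_reg_file(findings):
    """Render the corrections as a .reg file; DWORDs are written as 8 hex digits."""
    by_key = {}
    for key, name, _, recommended, _ in findings:
        by_key.setdefault(key, []).append((name, recommended))
    lines = ["Windows Registry Editor Version 5.00"]
    for key, items in by_key.items():
        lines += ["", "[%s]" % key]
        lines += ['"%s"=dword:%08x' % (name, val) for name, val in items]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = audit(parse_reg_query(SAMPLE_REG_QUERY))
    for key, name, have, want, absent in findings:
        note = " (absent, Windows default in effect)" if absent else ""
        print("%s\\%s = %d, recommended %d%s" % (key, name, have, want, note))
    print(to_reg_file(findings))
```

On the server, run `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` and the same for `Netbt\Parameters`, paste both outputs into one string in place of the sample, and import the generated file with regedit. The Tcpip parameters are read when the stack initialises, so the new values take effect after a reboot.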

Step 5: Disable or delete unnecessary accounts, ports and services


During the installation, three local user accounts, namely Administrator, Guest and HelpAssistant, are created automatically. The Administrator user has full privileges, so this account cannot be deleted from the server. To increase server security, you can disable the account and at the same time grant administrative privileges to another user. This makes it much harder for an attacker to identify which user has admin privileges. Also disable the other two accounts, Guest and HelpAssistant.

Open ports are a high-risk area. There are 65,535 ports available. The ports are divided into three ranges:

Well-known ports (0-1023)
Registered ports (1024-49151)
Dynamic/private ports (49152-65535)

The well-known ports are required for OS functions. The registered ports are used only by services. The rest are the wild west. You can block access to particular ports using Windows Firewall or IPsec rules.

The most effective way of securing the server is not to install applications that are not relevant to its function.

Step 6: Secure Internet Information Services

* Do not grant the IUSR account permission to any files or directories outside the web application directory. If an application runs into an error, use the FileMon utility, available from http://sysinternals.net, to check the file permissions.

* Set the NTFS permissions as follows:
  IUSR = Read and execute only
  WP User = Read and execute only
  System and Administrator = Full

* Enable logging in IIS. This can be done from IIS Manager >> Web Sites >> Properties >> Enable logging. The logs are written to the directory "C:\WINDOWS\system32\LogFiles".

* Enable Windows auditing on the machine. This helps trace an attacker's activity afterwards. The default location for the audit log is c:\winnt\system32\config\secevent.log.

* Finally, make sure that Windows updates are run regularly and the necessary patches are deployed.

Step 7: Secure FTP server

* Disable anonymous FTP. Anonymous access is enabled by default when you first install FTP services in Windows 2003. Anonymous access allows any user to gain FTP access without needing a user account. Anonymous access can be disabled from IIS Manager >> FTP Sites >> Properties >> Security Accounts >> uncheck "Allow Anonymous Connections".

* Enable logging. This can be done from IIS Manager >> FTP Sites >> Properties >> Enable Logging. You will then have an accurate record of which IP addresses and users accessed your site.

* Restrict access by IP address. You can restrict FTP access to particular IP addresses through Directory Security in the FTP site properties.

WINDOWS PHASE2 HARDENING


==> Protecting Windows Server against DoS attacks

Refer: http://www.informit.com/articles/article.aspx?p=371702

==> If you are using Windows Server 2008, you can harden the server using the document below.

Refer: http://blog.tevora.com/enterprise-applications/10-steps-to-harden-windows-server-2008-2/

==> SQL Server hardening

http://securityblog.gr/1936/hardening-a-sql-server/
http://www.greensql.com/content/sql-server-security-best-practices?goback=.gde_3779596_member_97204230#!

==> IIS hardening

http://www.md3v.com/hardening-a-microsoft-iis-web-server

==> PHP hardening

http://www.madirish.net/199

http://blog.up-link.ro/php-security-tips-securing-php-by-hardening-php-configuration/