Michael Log Log

From Open Source Ecology

Based on Michael Log

Fri Aug 30, 2019

Hey Marcin,

I just wanted to let you know that I just removed vsftpd from our server and added ipv6 firewall rules to end ongoing brute-force attacks against our server.

The forwarded email below is a decrypted alert sent from OSSEC on hetzner2. One of the first things I did after gaining ssh access to hetzner2 back in 2017 (after setting up backups) was to install OSSEC on our server. OSSEC (Open Source SECurity) is a HIDS (Host-Based Intrusion Detection System) and FIM (File Integrity Monitor). It's the Open-Source equivalent of Tripwire--an enterprise tool that detects changes to your server and alerts you about them.

As you've pointed out in the past, our OSSEC server has been flooding us with emails (from noreply@opensourceecology.org) for a long time. These alerts are real; any server on the Internet is under constant attack. But over the past month, I finally started adding "ignore" rules to stop the more common attacks from triggering email alerts. After doing this, I noticed an interesting alert in the forwarded email below: we had a brute-force attack against an ftp server.

First of all, I found no evidence that our server was compromised from these ftp attacks (which occurred nearly every other day in August alone). OSSEC has active-response rules configured to automatically (temporarily) ban clients that attack our server after it detects multiple failed login attempts from a given IP address. I also checked the logs from August and confirmed that these brute forcers never guessed a correct username (let alone the correct password) before OSSEC banned their IP addresses.

In any case, FTP (File Transfer Protocol) is an insecure protocol, and the alternative that we should be using is SCP (Secure CoPy). SCP works over ssh. Moreover, our ssh server is configured to only accept logins via private key files--a much more secure alternative to passwords. I went ahead and uninstalled the ftp server on hetzner2. I was unaware that it was installed & running in the first place.

Another issue was that the firewall I set up on hetzner2 was only ever configured for ipv4. As such, no attacks could take place on servers (like the ftp server that I was unaware of) that are not explicitly whitelisted by our firewall over ipv4. This attack took place over ipv6--where we had no such whitelist.

I also went ahead and added firewall rules for traffic on ipv6.

I continue to monitor our ossec alert emails, and I'll continue to filter them so that they only alert on important issues worth investigating. I highly recommend that you check them every now and then as well. Because these OSSEC alert emails often include the contents of logs or configuration files (which may contain passwords), they are encrypted.

Cheers,

Michael Altfield
Senior System Administrator
PGP Fingerprint: 8A4B 0AF8 162F 3B6A 79B7 70D2 AA3E DF71 60E2 D97B
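The two mechanisms the email relies on, a host IDS that counts failed ftp logins per client and then bans the client, and a firewall that has to cover ipv6 as well as ipv4, can be illustrated together in a small script. The following is an added example, not OSSEC's own rule logic and not code from the OSE server: it parses a few constructed log lines written in the style of vsftpd's `vsftpd.log` (`FAIL LOGIN: Client "..."`), flags any client that reaches an assumed threshold of five failures inside a ten-minute window (the threshold and window are assumptions, not OSSEC's defaults), records which usernames were tried so an admin can compare them against real accounts, and builds the ban rule with `ip6tables` for an ipv6 client and `iptables` for an ipv4 one. The rule is returned as an argv list rather than executed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in vsftpd.log style; not real traffic from the OSE server.
# One ipv4 client hammers five usernames in eight seconds; one ipv6 client makes three
# spread-out failures that never reach the threshold; one legitimate login succeeds.
SAMPLE_LOG = """\
Fri Aug 30 03:14:07 2019 [pid 8812] [admin] FAIL LOGIN: Client "203.0.113.7"
Fri Aug 30 03:14:09 2019 [pid 8813] [root] FAIL LOGIN: Client "203.0.113.7"
Fri Aug 30 03:14:11 2019 [pid 8814] [ftp] FAIL LOGIN: Client "203.0.113.7"
Fri Aug 30 03:14:13 2019 [pid 8815] [test] FAIL LOGIN: Client "203.0.113.7"
Fri Aug 30 03:14:15 2019 [pid 8816] [oracle] FAIL LOGIN: Client "203.0.113.7"
Fri Aug 30 03:20:00 2019 [pid 8820] [admin] FAIL LOGIN: Client "2001:db8::1"
Fri Aug 30 03:20:30 2019 [pid 8821] [admin] FAIL LOGIN: Client "2001:db8::1"
Fri Aug 30 04:25:00 2019 [pid 8830] [admin] FAIL LOGIN: Client "2001:db8::1"
Fri Aug 30 09:00:00 2019 [pid 9001] [michael] OK LOGIN: Client "198.51.100.4"
"""

# Matches only failed logins; successful "OK LOGIN" lines are ignored on purpose.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_failures(text):
    """Yield (timestamp, username, client_ip) for every FAIL LOGIN line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
        yield ts, m['user'], m['ip']


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {'first', 'last', 'usernames'}} for clients that reach
    `threshold` failed logins within a sliding `window` (assumed values)."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> every username the client attempted
    hits = {}
    for ts, user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        # Expire failures older than the window so slow, spread-out attempts don't add up.
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold and ip not in hits:
            hits[ip] = {'first': q[0], 'last': ts, 'usernames': sorted(tried[ip])}
    return hits


def ban_command(ip):
    """Build the firewall rule for a client, picking ip6tables or iptables by address
    family. A rule set that only covers ipv4 would silently miss an ipv6 attacker."""
    addr = ipaddress.ip_address(ip)
    tool = 'ip6tables' if addr.version == 6 else 'iptables'
    return [tool, '-I', 'INPUT', '-s', str(addr), '-j', 'DROP']


if __name__ == '__main__':
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['usernames'])} usernames tried between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}: {info['usernames']}")
        print('  ban rule:', ' '.join(ban_command(ip)))
```

With the sample lines, only `203.0.113.7` is flagged; the ipv6 client stays below the threshold because its third failure is more than ten minutes after the first two, which is the kind of slow attempt that an IDS threshold will not catch and that is worth a periodic look at the raw logs. The attempted-username list is what lets an admin confirm, as the email does, that none of the guesses matched a real account.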