This past week I’ve been busy battling 29 different IP addresses that have been attacking a server that I maintain.
In my effort to rid the world of this behaviour, I recorded the IP addresses, found out as much information as possible, and then blocked them.
Locations of the IP addresses:
12 – China
9 – United States
5 – Canada
1 – Netherlands
1 – Vietnam
1 – Japan
Compromised Operating System:
29 – Windows 2003
Compromised Web Server:
29 – IIS 6
Percentage without a Firewall:
Twelve of the IP addresses were associated with specific companies running their own dedicated server for email, ftp or a website. I decided to call or email each company to let them know their server was compromised. Most were grateful that someone took the time to notify them. By the end of the week, 8 of these servers were considerably more secure! One of the companies I called was a Canadian computer store. The person I talked to had mentioned their server was slow and bandwidth usage was high for about a week.
These servers were compromised through poor security practices. Many did not have a firewall due to co-location requirements, and others did not have a firewall due to email and ftp not working properly when it was enabled. Clearly they did not know how to properly configure a firewall to let DNS, SMTP, POP3 and Passive FTP in/out.
I find one of the biggest problems with Windows is that it is too easy to set up and administer at a basic level. Because of its ease of use, the technical knowledge of the person setting it up doesn’t need to exceed that of a typical desktop user. They fail to take into consideration items such as security, assuming the operating system takes care of it.
I recently moved iishacks.com to a dedicated server at a datacentre in Texas. I set it up without defining host headers – something I’ve always done because of a 1-to-1 site-to-IP ratio.
The site has been running on the server for a little over a week and my logs are roughly 17 times the size they were on the old server. Maybe iishacks.com got slashdotted? No. I’d have to say something really bad about Linux for that to happen.
When you provision a server from any datacentre they give you a block of IPs from their address pool – often IPs that have been used (and abused) in the past.
As it turns out, “spam bots” were attempting to login and/or post comments to various default WordPress, Movable Type, vBulletin and phpBB pages on my IP address. The IP address had once belonged to another site which garnered attention from “spam bots.” Since my site was responding to any host header on the IP address (by default since there are no defined host header values in IIS), it was responding to all these requests. It takes up processor cycles, memory and most importantly bandwidth, and it clutters your logs.
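The traffic described above leaves a clear fingerprint in the IIS logs: POSTs to default CMS login and comment URLs, and a Host header that is either the bare IP, a stale domain, or missing. The following is an added example (not code from the iishacks.com post) that scans an IIS W3C extended log for both signs and ranks client IPs by how much of that junk they sent. The log lines are constructed for the example; the list of spam target paths is an assumption based on the platforms named above, and the script assumes cs-host is switched on in the W3C field selection (it is not in the IIS6 default).

```python
import re
from collections import Counter, defaultdict

# Default CMS login/comment endpoints that spam bots probe blindly (assumed list,
# based on the platforms named in the post; extend it for your own site).
SPAM_TARGETS = re.compile(
    r"/(wp-login\.php|wp-comments-post\.php|wp-trackback\.php|xmlrpc\.php"
    r"|mt-comments\.cgi|mt-tb\.cgi"
    r"|posting\.php|ucp\.php|login\.php|register\.php)$",
    re.IGNORECASE,
)

# Constructed sample in IIS W3C extended format with cs-host logging enabled.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-06-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs-host sc-status
2008-06-02 00:00:01 192.0.2.10 GET /index.php - 80 198.51.100.7 Mozilla/4.0 www.iishacks.com 200
2008-06-02 00:00:02 192.0.2.10 POST /wp-comments-post.php - 80 203.0.113.5 Mozilla/4.0 192.0.2.10 404
2008-06-02 00:00:03 192.0.2.10 POST /wp-login.php - 80 203.0.113.5 Mozilla/4.0 www.old-site.example 404
2008-06-02 00:00:04 192.0.2.10 POST /posting.php - 80 203.0.113.9 Mozilla/4.0 www.iishacks.com 404
2008-06-02 00:00:05 192.0.2.10 GET /about/ - 80 198.51.100.7 Mozilla/4.0 iishacks.com 200
2008-06-02 00:00:06 192.0.2.10 POST /mt-comments.cgi - 80 203.0.113.5 Mozilla/4.0 - 404
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # field order can change between log files
            continue
        if fields is None:
            raise ValueError("request line before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_junk(records, our_hosts):
    """Count, per client IP, requests that hit a spam target or carry a Host we do not serve."""
    our = {h.lower() for h in our_hosts}
    counts, reasons = Counter(), defaultdict(set)
    for r in records:
        ip = r.get("c-ip", "-")
        host = r.get("cs-host", "-").lower().split(":")[0]   # strip any :port suffix
        path = r.get("cs-uri-stem", "")
        hits = []
        if host not in our:
            hits.append("host=" + host)     # bare IP, stale name, or no Host header at all
        if SPAM_TARGETS.search(path):
            hits.append(path)
        if hits:
            counts[ip] += 1
            reasons[ip].update(hits)
    return counts, reasons


def report(log_text, our_hosts=("www.iishacks.com", "iishacks.com")):
    """Return [(client_ip, junk_request_count, sorted reasons)], worst offender first."""
    counts, reasons = find_junk(parse_w3c(log_text.splitlines()), our_hosts)
    return [(ip, n, sorted(reasons[ip])) for ip, n in counts.most_common()]


if __name__ == "__main__":
    for ip, n, why in report(SAMPLE_LOG):
        print(f"{ip:15} {n:4} {', '.join(why)}")
```

Run it against a real log with `report(open(r"C:\WINDOWS\system32\LogFiles\W3SVC1\ex080602.log").read())`; the IPs at the top of the list are the ones worth blocking, and any reason of the form `host=...` that is not one of your names is traffic that host header bindings would have stopped before it reached the site.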
By adding Host Header values, even when you have a single website on an IP, IIS only answers requests whose Host header matches one of the names you bound. Requests addressed to the bare IP address, or to a previous domain that once pointed at it, get no page at all (HTTP.sys answers them with 400 Bad Request, Invalid Hostname), so that traffic stops costing processor cycles and bandwidth. Note that this does nothing against a client that sends your real host name; it only stops traffic that never knew your site existed. In the past, IIS6 using SSL and Host Headers would not get along: the SSL site had to be hosted on a different IP than the non-SSL site. Since Windows 2003 SP1 was released it is no longer a problem, although on IIS6 the secure binding must be set with adsutil.vbs (the SecureBindings property) rather than in the MMC. So sites with SSL can specify host headers as well.
How to setup Host Headers (bindings) on IIS6
Open Internet Information Services (IIS) Manager.
Expand the left-hand menu under Server Name and “Web Sites.”
Right-click on the website you wish to add a Host Header to and select “Properties.”
Under the “Web Site” tab there will be a “Web Site Identification” header, click on “Advanced.”
Under “Multiple Identities for this web site” click “Add.”
Add “www.yoursite.com” where it says “Host Header Value.”
Add another value with the same port number and IP address without the “www.”
How to setup Host Headers (bindings) on IIS7
Open Internet Information Services (IIS) Manager.
Expand the left-hand menu under the Server Name and “Sites.”
Right-click on the website you wish to add a Host Header to and select “Bindings.”
There will be a default binding on Port 80 with the IP address specified. Highlight it and click “Edit.” Add “www.yoursite.com” to the Host Name field.
Add another site binding without the “www” in the Host Name.
For SSL specify HTTPS under “type” and be sure to assign the correct certificate.
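Once the bindings are in place, check them from the outside rather than trusting the dialog. The following is an added example (not code from the iishacks.com post) that sends the same GET to the server's IP with several Host values: your real names, the bare IP, and a name that used to point at the address. Anything other than your own names that still gets a 2xx/3xx is a hole. HTTP.sys answers a Host that matches no binding with 400 Bad Request (Invalid Hostname); a site with no host header value answers everything. So the check runs offline, the block includes a small stand-in server that mimics both behaviours; the names, the stale domain and the loopback target are assumptions for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(ip, port, host_values, path="/", timeout=5):
    """GET `path` once per Host value, talking to the IP directly (no DNS involved).
    Returns {host_value: status code, or 'refused' if the server dropped us}."""
    results = {}
    for host in host_values:
        try:
            conn = http.client.HTTPConnection(ip, port, timeout=timeout)
            # an explicit Host entry suppresses http.client's automatic one
            conn.request("GET", path, headers={"Host": host})
            results[host] = conn.getresponse().status
            conn.close()
        except (OSError, http.client.HTTPException):
            results[host] = "refused"
    return results


def catch_all_hosts(results, our_names):
    """Host values that are not ours yet still got a page (2xx/3xx): each is a hole."""
    our = {n.lower() for n in our_names}
    return sorted(h for h, status in results.items()
                  if h.lower() not in our and isinstance(status, int) and status < 400)


class MockIIS(BaseHTTPRequestHandler):
    """Stand-in for IIS so the check runs offline.  With `bound` empty it behaves
    like a site with no host header value and serves every Host; otherwise it
    answers an unknown Host the way HTTP.sys does, with 400 Invalid Hostname."""
    bound = set()

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if self.bound and host not in self.bound:
            self.send_error(400, "Bad Request - Invalid Hostname")
            return
        body = b"welcome"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output clean
        pass


def run_check(bound_names, our_names=("www.iishacks.com", "iishacks.com")):
    """Bind the mock to `bound_names`, probe it as an outsider would, return the holes."""
    MockIIS.bound = {n.lower() for n in bound_names}
    srv = HTTPServer(("127.0.0.1", 0), MockIIS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        ip, port = srv.server_address
        # our real names, then what a bot would send: the bare IP and a name
        # that used to point here (assumed stale domain for the example)
        results = probe(ip, port, list(our_names) + [ip, "www.old-site.example"])
        return catch_all_hosts(results, our_names)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("no host header set:", run_check([]))
    print("host headers bound:", run_check(["www.iishacks.com", "iishacks.com"]))
```

Against a live server, call `probe` with the public IP and port and pass the result to `catch_all_hosts`, for example `catch_all_hosts(probe("203.0.113.1", 80, ["www.yoursite.com", "203.0.113.1", "old.example"]), ["www.yoursite.com", "yoursite.com"])`. For the SSL binding run the same idea over `http.client.HTTPSConnection`; the point is identical, only the port and the certificate check differ.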
Below are the steps required to move a website hosted on IIS6 to IIS7 (Internet Information Services 6 to 7). IIS7 replaces the aging metabase with a more convenient applicationHost.config which stores the configuration in XML.
You must have .NET Framework 2.0 SP1 or 3.5 installed on the server.
Download the MS Deploy installer and run it. Choose Setup Type: Typical. Be sure to use the x64 version if you have Windows 2003 x64. There is no entry in the Start Menu; you run the tool from a command prompt as C:\Program Files\Microsoft Web Deploy\msdeploy.exe followed by its arguments.
Installing MS Deploy on the Destination IIS7 Server
Same as above. Be sure to use the x64 version if you have Windows 2008 x64.
Create a Backup of the IIS7 configuration
It is important to create a backup of the IIS7 configuration before you start. You never know when you’ll make a mistake, and restoring IIS to the default configuration without a backup isn’t fun.
IIS7 comes with the appcmd.exe command line tool, which is new for IIS7 and simplifies configuration backups immensely. It lives in the %windir%\system32\inetsrv\ folder, which is not on the PATH, so you need to change to that folder at the command prompt first (or call it by its full path).
Click Start -> Run -> type “cmd” and press OK.
At the command prompt, change to the inetsrv folder: type “cd /d %windir%\system32\inetsrv” (the /d switch also changes drive if Windows is not on the current one).
Once in the target directory, type: appcmd add backup “BackupPreMigrate”
Press Enter. All done. The backup is a copy of the configuration files, written to %windir%\system32\inetsrv\backup\BackupPreMigrate.
To display a list of previous backups type: appcmd list backup
To restore a backup, type: appcmd restore backup “BackupPreMigrate”
Verify Dependencies on Source IIS6 Server
Below is a screenshot of all the variables supported by the migrate tool. All instructions below assume you are in the C:\Program Files\Microsoft Web Deploy\ directory at the command prompt.
At the command prompt (In the C:\Program Files\Microsoft Web Deploy\ directory), type:
The list that is returned is fairly comprehensive as to what components are installed and available for use on the particular website. It does not, however, distinguish which components are actually in use.
Installing Required Components on Destination IIS7 Server
From the dependency list you can determine which roles need to be installed on the destination IIS7 Server. Any dependencies listed in the XML file that is saved during the migration will need to be installed on the destination server or else the migration will not complete. You can remove dependencies beforehand or from within the XML file found in the backup directory after the sync command.
After the migration is complete, some elements will need to be re-configured. PHP, ASP.NET Ajax and others will need to be configured independently of the IIS migration to match the source server’s settings.
A few weeks ago someone had asked to purchase iishacks.com from me. When I declined, he became quite irate. Granted the price was good, but money really doesn’t do it for me. After all, Sysadmins aren’t in it for the money…
Immediately after I declined, I started getting hundreds of spam messages, then thousands, then millions. In the last few weeks I’ve gone from a couple spam messages to hundreds of thousands per day.
So the plan is to track where the messages are coming from, and then get him back. Hope he’s listening.
On a side note, I’m quite impressed WordPress and MySQL were able to handle the load. I mean, it is a Windows Server!
A few people have asked where to find the POP3 service in Windows 2008 for a simple mail server. The answer: nowhere.
While SMTP is alive and well in the Features section of the Windows 2008 Server Manager, POP3 has been removed from Windows 2008 altogether.
POP3 has been deprecated and will no longer be supplied as part of the Windows OS. Although POP3 was introduced with Windows Server 2003, Microsoft removed it after including it in just one generation of the OS. Organizations that use the email protocol will need to use an alternative such as Microsoft Exchange Server or Small Business Server (SBS).
POP3 isn’t a very “good” method of retrieving mail and I know very few organizations that still utilize it. IMAP and Exchange connectors are far more feature-rich and useful, especially in today’s multiple-device world. I do run a POP3 mail server for World’s Cutest Animals because it is quick, has minimal resource usage and is perfect for a mail server that only has a few mailboxes.
Before we all scream foul and ask Microsoft to add POP3 back into Windows 2008 SPx, I suggest you check out Hannes Preishuber’s POP3 connector for Windows 2008 x86 and x64.