Intrusion Prevention

We had just got the server running in its final configuration and had left it connected to the internet for testing when the first crude hacking attempts were made, almost certainly as a result of a port scanner running across the internet. When first seen, it was just an odd robot blindly guessing passwords, but after a couple of days this escalated into multiple bandwidth-hogging attacks. All of these were resisted by the Windows setup in that short space of time, but sooner or later real intelligence would be applied and we would be pwned.

The initial installation had renamed the default accounts and set complex passwords, and the connection to the internet had been arranged via port forwarding from the low-cost ISP router provided. A DNS entry had been created using a name not associated with the charity, for use in locating the server on the internet. It wasn't a name for public use, so association wasn't necessary.

The first measure was to switch off the router, effectively making the server only accessible from within the premises and immune to immediate further external attack. 

The RDP port on the server was changed to a five-digit port and the router's port forwarding was updated to reflect this.

An electronic power switch timer was attached to the router so that it was only powered during the hours when the charity needed to use the facility. This had two benefits.

  1. The window of opportunity for anyone to access the site remotely was reduced.
  2. The power cycling of the router caused it to obtain a new IP address from the ISP making any 'old' addresses immediately useless to an attacker.

A free piece of software was modified to:

  1. Detect and report audit failures. This was useful both to identify hostile activity and to alert charity workers to colleagues having problems.
  2. Record repeat offenders' IP addresses and block them.
  3. Record successful IP addresses to create emergency access lists.
  4. Block remote access when faced with detected and determined hostile activity.
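The logic those four points describe, written out as an added example; this is not the author's modified tool. The audit records are constructed to resemble Windows Security log events (4625 = logon failure, 4624 = successful logon), and the thresholds, the record layout and the rule that a source with a prior successful logon is a colleague rather than an attacker are all assumptions.

```python
from collections import Counter

FAIL_THRESHOLD = 5        # assumed: block a source after this many audit failures
LOCKDOWN_BLOCKED_IPS = 2  # assumed: this many blocked sources => suspend remote access

# Constructed sample audit records: (event_id, account_name, source_ip)
SAMPLE_EVENTS = [
    (4624, "jane", "10.0.0.5"),   # colleague logs in from the office LAN
    (4625, "jane", "10.0.0.5"),   # ... then mistypes her password twice
    (4625, "jane", "10.0.0.5"),
]
# Three unknown sources guessing common account names (constructed addresses)
SAMPLE_EVENTS += [(4625, name, "203.0.113.7")
                  for name in ("administrator", "admin", "test", "guest", "sql", "backup")]
SAMPLE_EVENTS += [(4625, "administrator", "198.51.100.9")] * 5
SAMPLE_EVENTS += [(4625, "admin", "192.0.2.22")] * 4   # below threshold: watched, not blocked


def analyse(events, fail_threshold=FAIL_THRESHOLD, lockdown_ips=LOCKDOWN_BLOCKED_IPS):
    """Return the block list, the emergency access list, colleague alerts
    and whether remote access should be suspended altogether."""
    # Pass 1: any source with a successful logon goes on the emergency access list
    known_good = {ip for eid, _, ip in events if eid == 4624}
    failures = Counter()          # audit failures per unknown source IP
    colleague_alerts = Counter()  # failures from known-good sources, per (account, ip)
    # Pass 2: count audit failures, separating colleagues from unknown sources
    for eid, account, ip in events:
        if eid != 4625:
            continue
        if ip in known_good:
            colleague_alerts[(account, ip)] += 1   # report to staff, don't block
        else:
            failures[ip] += 1
    blocked = {ip for ip, n in failures.items() if n >= fail_threshold}
    return {
        "blocked": blocked,
        "emergency_access": known_good,
        "colleague_alerts": dict(colleague_alerts),
        # determined hostile activity from several sources: suspend remote access
        "lockdown": len(blocked) >= lockdown_ips,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the sample data the two sources that reach the threshold are blocked, Jane's two failures are reported rather than blocked, and because two sources were blocked the lockdown flag is raised.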

Again, this isn't a commercial enterprise reliant on internet traffic for its income; the server is there to provide an internal service to help run the charity in an efficient and compliant manner. It doesn't store personal details and ultimately could be restored within a few hours.