I had contact with my first computer in the early 80’s at the local Radio Shack store. The first computer I owned was a Timex Sinclair ZX81 built from a kit. With 8k of ROM, 1k of RAM and a 2MHz processor it was the first and last computer I’ve really understood. (By that I mean reading and mostly understanding the assembly code for the ROM.) Computers have gotten much more complex since then but my fascination with them remains.
In a previous post http://www.wiseoldcat.com/?p=176 I wrote about how to block dictionary attacks with iptables and an adaptive blacklist. I’ve moved the script to several different hosts and it worked on all of them but one. It’s an aging CentOS 5.5 system (I know, I know, it should be updated.) For some reason it wasn’t picking up on the active BLACKLIST entries. It would do its thing just fine when run from the bash prompt but not when run from crontab. Turns out it has to do with the environment.
As anyone who has ever administered a server exposed to the web knows, the Internet is a hostile place. Our servers are continually bombarded with a never-ending stream of attempts to guess user ids and passwords. The source is countless botnets and is constantly changing. I’ve tried a number of approaches to counter these attacks and I think I have come up with a solution that seems to be working.
Recently our email servers have come under sustained brute-force attacks by script kiddies doing dictionary attacks. These go on 24 hours a day from a variety of sources, including pools of IP addresses that alternate probes from a common dictionary. These were flooding the maillog with authentication errors at a rate in excess of one every 10 seconds or so.
Iptables in the Linux network stack has the ability to look inside of a packet and match a string. We’ll use that feature to pick out authentication errors on the outbound side in order to block them on the inbound side.
The latest wave of blackmail scam emails is becoming a genuine PITA. Script-kiddies are harvesting email addys, username and password combinations from the released lists from hacked sites like LinkedIn or MySpace or via dictionary attacks on mail servers and then sending out blackmail emails. They are kinda comical unless you happen to be really stupid and are in the habit of going to pornhub for 10 minutes at a time. There must be enough of those kind of lusers to make it profitable… Here are some sample emails.
Restoring a Windows Server Backup to a Different Server
Something that is not very well documented is the process of recovering a backup created on one server to a different one using Windows Server Backup. When you browse a disk that was part of a scheduled backup the contents are protected by the security settings on the file system. We recently had to recover some files that were on a 2 TB hard drive that was part of a scheduled backup on a Server 2008 R2 system that had been subsequently virtualized and was running under Server 2012 R2 Hyper-V. Attaching the disk to the VM was not an option and the WSB utility in Server 2012 wouldn’t recognize any backups on the hard drive.
Windows Server Backup does a reasonably good job of backing up a Microsoft server. But like any backup, it’s good to have some sort of notification about the success or failure of the backup. I first started to use it with SBS Server 2011, and as part of that bundle the server emails a daily report summarizing the health of the server. When we virtualized and moved a number of SBS servers over to Hyper-V hosts, the backup chore moved to the host machine. The summaries still arrived but the backup status was no longer part of them. Besides, it would be nice to see the backup status in the subject of the email and not have to open the email if all is good.
SeeSatVB is in Alpha stage and is a work in progress. It is to the stage where it is semi functional and I would appreciate some feedback. You can send comments to maildrop (at) aspenhouse.ca or leave a comment here.