Heal Your Church WebSite


Teaching, rebuking, correcting & training in righteous web design.

‘Egermancy’ – the Russians are Coming!

One of my favorite movies of all time, and one which reveals I’ve been around for a long time, is the 1966 classic “The Russians Are Coming, the Russians Are Coming” with Carl Reiner, Jonathan Winters, and a few of the other World’s funniest people. Written near the apex of the Cold War, the movie tells the story of a U.S.S.R. submarine that runs aground near some bucolic beach somewhere off the coast of Massachusetts or Maine. Hilarity ensues as communists foraging for communications equipment run head-long into the local town folk.

One of my favorite scenes occurs just before the shore party departs from the stranded sub. Lieutenant Rozanov, played by Alan Arkin, is trying to teach the team just enough English to get the townspeople off the street without raising suspicion; as if their thick Slavic accents wouldn’t give it away as they parroted “Emergency, emergency, everyone to get from street.” What cracked me up as a 6-year-old, and even today, is one bit of ‘schtick’ where Rozanov vainly attempts to get one crew member to stop pronouncing the warning as:

“EGERMANCY!”

So why bring all this up on my techblog? Because it looks as if the Russians are indeed coming … after our server. So are the ‘ChiComs,’ the Koreans, and even an Austrailian!

What do I mean by this? Every night, our Linux/Apache-based server runs several scans on the usage logs, emailing me when suspicious activities occur; such as failed logins to the server. Last night, Logwatch reported:

… [snip] …
admin/password from 210.127.243.85: 16 Time(s)
admin/password from 210.205.6.157: 14 Time(s)
admin/password from 217.26.14.33: 12 Time(s)
guest/password from 203.30.170.12: 6 Time(s)
guest/password from 210.123.181.195: 4 Time(s)
guest/password from 210.127.243.85: 8 Time(s)
guest/password from 210.205.6.157: 7 Time(s)
guest/password from 210.52.213.6: 2 Time(s)
guest/password from 217.26.14.33: 6 Time(s)
root/password from 203.30.170.12: 18 Time(s)
root/password from 210.123.181.195: 12 Time(s)
root/password from 210.127.243.85: 24 Time(s)
… [snip] …

Obviously, someone is trying to gain access to the server with what is known as a “brute force” or “dictionary” attack. Think of it like a thief with a ring of skeleton keys, trying each one on my front door, then my side door, then my back door until they find one that fits. Only in my case the criminal tried each door several times, employing a different disguise (nationality) for each set of attacks.

Putting up Obstructions

This is why you should NEVER use an operating system’s default accounts; in fact, I suggest deleting accounts such as “guest” and “test” about 1 minute after you install your server software.

Moreover, you should NEVER, EVER, EVER allow console access (SSH or Telnet) to your system via your root account. Instead, set up an account that uses a nonsensical user name; that is, a username that can’t be found in Merriam-Webster’s Dictionary. After you armor this user/account with an even more random/nonsensical password, make it the only account that can reach the super user account (via su) with an even more random and nonsensical password.

It may not make your server bullet-proof, but it is certainly more secure against a dictionary attack than allowing direct shell access to your system with the username “root” and a password of “donuts.”

Barring the Door

Another thing you can do on your server is to deny any future attacks from known ne’er-do-wells by blocking all access from their IP address. This can be done in the Linux/Apache environment by modifying the file /etc/rc.d/rc.firewall to include the following directive:

/sbin/iptables -I INPUT -s 217.26.14.33 -j DROP

There is a better description on how this can be accomplished in an article entitled “IPTables, blocking multiple ip addresses.”

You can also go one step further and block access from an entire range of IP addresses via the file /etc/hosts.deny:

ALL:210.52.213.

As with anything Linux, adding these blocks to your existing security files can be automated, as demonstrated in the SecurityFocus.com post “route add to block IP’s.”
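Here is an added example (not code from the post) that ties the two halves of this article together: it parses sshd “Failed password” lines from a syslog-style /var/log/secure, rolls them up into the same “user/password from IP: N Time(s)” shape Logwatch prints, and then emits the iptables DROP lines and /etc/hosts.deny entries described above for any address that trips a threshold. The log lines, host name “web”, the addresses and the threshold are all constructed for the demonstration; the allowlist parameter is my addition so an admin cannot accidentally generate a rule that locks out their own address.

```python
import re
from collections import Counter

# Constructed sample log lines (syslog format written by sshd to /var/log/secure).
# Hostname "web" and the port numbers are made up for this example.
SAMPLE_LOG = """\
Mar  3 02:11:07 web sshd[4821]: Failed password for root from 210.127.243.85 port 51432 ssh2
Mar  3 02:11:09 web sshd[4823]: Failed password for invalid user admin from 210.127.243.85 port 51440 ssh2
Mar  3 02:11:12 web sshd[4825]: Failed password for invalid user guest from 217.26.14.33 port 40210 ssh2
Mar  3 02:11:15 web sshd[4827]: Failed password for root from 210.127.243.85 port 51452 ssh2
Mar  3 02:11:18 web sshd[4829]: Failed password for root from 210.127.243.85 port 51460 ssh2
Mar  3 02:14:02 web sshd[4833]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Mar  3 02:15:40 web sshd[4840]: Failed password for invalid user test from 217.26.14.33 port 40230 ssh2
"""

# "invalid user" appears when the username does not exist on the box (e.g. a deleted
# "guest" account); the optional group lets both forms fall through to the same counter.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Count failed password attempts keyed by (username, source IP)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("ip"))] += 1
    return counts


def logwatch_report(counts):
    """Render the counts in the same shape as the Logwatch excerpt in the post."""
    return [f"{user}/password from {ip}: {n} Time(s)"
            for (user, ip), n in sorted(counts.items())]


def offenders(counts, threshold, allowlist=()):
    """IPs whose failures, summed over every username tried, reach the threshold.

    Addresses in allowlist (your own office or home IP) are never returned, so a
    mistyped password from you does not turn into a firewall rule against you.
    """
    per_ip = Counter()
    for (_user, ip), n in counts.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items()
                  if n >= threshold and ip not in allowlist)


def iptables_rules(ips):
    """One DROP rule per address, in the form used in /etc/rc.d/rc.firewall."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def hosts_deny_entries(ips):
    """hosts.deny lines blocking the whole /24 of each offender, as 'ALL:210.52.213.' does.

    Note that hosts.deny only affects daemons built against tcp_wrappers (libwrap);
    the iptables rule is the one that stops packets for every service.
    """
    prefixes = sorted({ip.rsplit(".", 1)[0] + "." for ip in ips})
    return [f"ALL:{p}" for p in prefixes]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    print("\n".join(logwatch_report(counts)))
    bad = offenders(counts, threshold=3, allowlist=("192.0.2.10",))
    print("\n".join(iptables_rules(bad)))
    print("\n".join(hosts_deny_entries(bad)))
```

Run it against the real file with something like `count_failures(open("/var/log/secure").read())` and pipe the iptables lines into the firewall script only after eyeballing them; a threshold of a few dozen per night is a more realistic cut-off on a busy host than the 3 used here for the sample.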

Disclaimer:

As I’ve said before, I’m not a Linux/Security guru. In fact, I work under the premise that one day, a determined hacker will whack my server. Which is why I put so much emphasis on backups, restorations and contingency plans.

Still, it doesn’t hurt to lock the doors and windows before you go out for an evening of Perogies and Pickled Eggs.

5 Comments

  1. You amaze me!
    Jesus Junk one day, server security the next!

    Thanks for posting your amazing knowledge for us all to enjoy.
    Russ Weitz

  2. My web host uses cPanel. I know enough to check how many people have visited my website and at what times. How would I even check if attacks like this were going on to my website?

  3. Matthew – in a shared environment, the only interesting things I know of are the access and error logs for your domain.

    Off topic – from the previous article, I think the website exists just to sell junk and solicit money for his far flung web empire – he also has a web site design business. I’m scared.

    More off topic – Dean, is it time to re-review the Grace Christian and Missionary Alliance Church?

  4. Since I am in a shared environment, do you think my web host monitors their servers for activity like Dean described in this article?

    About last week’s article, I can’t really tell what the site is supposed to accomplish. When I returned and actually tried to navigate the site, I was presented with a mess that was almost impossible to navigate (not to mention that most links take you to an external site.)

  5. Stupid Australians. oh… wait no, that guy was an “austrailian”. we don’t got none of them round ‘ere!

    Anyway, Dean great post :) but do you have any other suggestions or tools to run through logs? I like Logwatch, looks good. I might have to grab it.