OK, you have your web site up and running, you have visitors and the bots are
coming to visit, so why fine tune your web server?
After finally getting this web site back online, with all the nitty-gritty
stuff done, I looked at the logs to see what the server and web sites were
doing. In a way I was shocked, and in another way I knew that my web sites
would be hacked (or at least someone would try) because I have a static IP and
it has been advertised for over fifteen years...
Fine tune your web server
You could leave it alone; however, have you looked at the web site logs?
Have you set up the logging yet?
In the log for today, how many entries have this word in them: bot
I use Notepad++; when I highlight "bot" I see loads of entries that are a
search engine bot come to index my site. Now that is great! Ahhhh, maybe, maybe
not...
Did you know there are bots from "search engines" that will copy your
content? Especially images, PDFs, or archive files such as zip, rar, gz.
When I see a bot stop by my site and the list is all images (.gif, .png, .jpg
and .avi) I become suspicious. I searched for and found an article or two that
explain why a bot is only searching for images or video... They are stealing the
content!
You may want to search for this term also: request filtering
Also look at your Logging module and change some of the parameters that are
logged; you especially want to log "User-Agent". If it isn't set, you may want
to roll the log daily rather than weekly; also un-check "Do not create new log
files" and then keep an eye on those logs.
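One way to pull the "bot that only fetches images" pattern out of an IIS log instead of eyeballing it in Notepad++. This is an added example, not the author's code: the log lines are constructed sample data in the IIS W3C format, and the IP addresses and user-agent strings are made up.

```python
"""Flag clients in an IIS W3C log whose requests are (almost) all for
images, PDFs or archives.  Added example; SAMPLE_LOG is constructed data."""
import os
from collections import defaultdict

# File types the post calls out as the ones content-grabbing bots go after.
GRAB_EXTENSIONS = {".gif", ".png", ".jpg", ".jpeg", ".avi", ".pdf",
                   ".zip", ".rar", ".gz"}

# Constructed sample in IIS W3C format (IIS writes spaces inside a field as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2024-01-01 10:00:01 203.0.113.5 GET /index.html 200 Mozilla/5.0+(compatible;+Examplebot/1.0)
2024-01-01 10:00:02 203.0.113.5 GET /about.html 200 Mozilla/5.0+(compatible;+Examplebot/1.0)
2024-01-01 10:00:03 203.0.113.5 GET /images/logo.png 200 Mozilla/5.0+(compatible;+Examplebot/1.0)
2024-01-01 10:01:00 198.51.100.7 GET /images/a.jpg 200 Mozilla/5.0+(compatible;+Grabber/2.1)
2024-01-01 10:01:01 198.51.100.7 GET /images/b.jpg 200 Mozilla/5.0+(compatible;+Grabber/2.1)
2024-01-01 10:01:02 198.51.100.7 GET /files/site.zip 200 Mozilla/5.0+(compatible;+Grabber/2.1)
2024-01-01 10:01:03 198.51.100.7 GET /docs/manual.pdf 200 Mozilla/5.0+(compatible;+Grabber/2.1)
2024-01-01 10:02:00 192.0.2.9 GET /images/a.jpg 200 Mozilla/5.0+(Windows+NT+10.0)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):    # skip truncated or malformed lines
                yield dict(zip(fields, values))


def content_only_clients(text, min_requests=3, min_ratio=1.0):
    """Return {(ip, user_agent): request_count} for clients that made at least
    min_requests requests and whose share of image/PDF/archive fetches is at
    least min_ratio (1.0 = every single request was for such a file)."""
    total, grabs = defaultdict(int), defaultdict(int)
    for rec in parse_w3c(text):
        key = (rec["c-ip"], rec["cs(User-Agent)"].replace("+", " "))
        total[key] += 1
        if os.path.splitext(rec["cs-uri-stem"].lower())[1] in GRAB_EXTENSIONS:
            grabs[key] += 1
    return {k: n for k, n in total.items()
            if n >= min_requests and grabs[k] / n >= min_ratio}


if __name__ == "__main__":
    for (ip, ua), n in content_only_clients(SAMPLE_LOG).items():
        print(f"{ip}  {n} requests, all for grab-able files  ({ua})")
```

Point it at a real log with `content_only_clients(open(path).read())`; the IP and user-agent that come back are what you would feed into a request filtering rule or a firewall scope.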
Fine tune your web server
How about your Server Event Log?
Specifically "Security". By that I mean filter the log for "Audit Fail"; if
you see a lot of failures, look at the text of the failure. When you look at the
text, do you see:
Account For Which Logon Failed:
Under that, Account Name: Administrator
Then under Failure Information you will see Failure Reason: Unknown user name
or bad password
At the time I discovered this there had been over 1500 entries, and the server
had been online and connected to the internet for under two hours!
Time to take action!
What did I do, besides disable the NIC for the router to stop the incessant
bombardment of the Administrator user ID? I proceeded to turn off all the open
ports that M$ opens to ANY connection!
I had done my "Best Practice" of renaming the Administrator account to
something else and setting a password with complexity, so that wasn't the
problem. The problem was that the web server was visible on any port, not
limited to the ones I would be using. Someone was running a dictionary attack
on that user ID; I counted twenty different IP addresses before I cleared the
log and went on to work on the firewall...
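The same "Audit Failure" check done in code: count failed logons per target account and per source address, so a dictionary attack like the one above (one account, many addresses) stands out. This is an added example, not the author's procedure; the event text is constructed in the shape of the Security log's "An account failed to log on" message, using the real field labels but made-up addresses, and the thresholds are assumptions.

```python
"""Summarize Security-log logon failures by account and source address.
Added example; SAMPLE is constructed text, the thresholds are assumptions."""
import re
from collections import Counter, defaultdict


def _event(account, reason, source):
    """Build one constructed event in the layout the Event Viewer shows."""
    return ("An account failed to log on.\n"
            "Account For Which Logon Failed:\n"
            f"\tAccount Name:\t\t{account}\n"
            "Failure Information:\n"
            f"\tFailure Reason:\t\t{reason}\n"
            "Network Information:\n"
            f"\tSource Network Address:\t{source}\n")


BAD_PW = "Unknown user name or bad password."
# Constructed: Administrator hit from 20 addresses (one of them 6 times), plus one stray failure.
SAMPLE = "\n".join([_event("Administrator", BAD_PW, f"203.0.113.{i}") for i in range(1, 21)]
                   + [_event("Administrator", BAD_PW, "203.0.113.3")] * 5
                   + [_event("backup", BAD_PW, "192.0.2.8")])

# Pull the target account, failure reason and source address out of one event body.
FAIL_RE = re.compile(
    r"Account For Which Logon Failed:.*?Account Name:\s*(?P<account>\S+)"
    r".*?Failure Reason:\s*(?P<reason>[^\n]+)"
    r".*?Source Network Address:\s*(?P<source>\S+)", re.S)


def summarize_failures(text):
    """Return {account: {"failures": n, "sources": {ip, ...}, "reasons": Counter}}."""
    summary = defaultdict(lambda: {"failures": 0, "sources": set(), "reasons": Counter()})
    for block in text.split("An account failed to log on."):
        m = FAIL_RE.search(block)
        if not m:                      # not a logon-failure event, or a truncated one
            continue
        entry = summary[m["account"]]
        entry["failures"] += 1
        entry["sources"].add(m["source"])
        entry["reasons"][m["reason"].strip()] += 1
    return dict(summary)


def suspected_dictionary_attacks(text, min_failures=10, min_sources=5):
    """Accounts with many failures spread over many source addresses."""
    return [acct for acct, e in summarize_failures(text).items()
            if e["failures"] >= min_failures and len(e["sources"]) >= min_sources]


if __name__ == "__main__":
    for acct, e in summarize_failures(SAMPLE).items():
        print(f"{acct}: {e['failures']} failures from {len(e['sources'])} addresses")
    print("suspected dictionary attack on:", suspected_dictionary_attacks(SAMPLE))
```

To run it on a real server, export the Security log's Audit Failure events as text and pass the file contents in place of SAMPLE.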
Fine tune your web server
A story of two failures:
In early twenty-nineteen my blog was hacked, more than likely by a young,
inexperienced hacker, because all that they did was put a bunch of nonsense
links in the content. However, it was so bad that using MySQL and a few queries
I couldn't clean it out. I could have deleted the web site from MySQL and used
my backup, but I was so disappointed in myself I shut it down.
After that I went through all pages on this web site and didn't see any
problems.
What I needed to do was find out where my failure was. It was not the server
or the firewall... It was the blog software that let a bogus user ID and
password through... even though I had the software set so that all users had to
be approved.
That was when I decided I needed to upgrade WordPress and, with it, PHP. My
problem was I was running Server 2003 and IIS 6. WordPress 5.4+ would not load
on IIS 6.
To keep my site I had to upgrade the server OS. Well, OK, I found Server 2008
R2 fairly cheap (by cheap, get cheap -- look familiar?). I backed up my web sites
and proceeded to install the newer OS. The computer I was using was a fairly old
ASUS laptop with a Core 2 Quad that ran at 2.5 GHz and has 8 GB of RAM. Server
2008 R2 loads and runs quite well; IIS 7.5 loads and runs... kinda. It is too
slow, so I decided to leave that OS in that laptop and install another 2008 R2 I
have (I bought 3 CDs with 5 CAL licenses) on another ASUS laptop with an i5
2.5 GHz processor and 8 GB of memory. I installed IIS 7.5 and copied both web
sites to the install; they run fine and the computer doesn't drag. OK, upgrade
PHP and WordPress, all working fine.
Then comes the proverbial curve ball: HTTP is dead, long live HTTPS! I
have had this web site since 2007, and with the ups and downs you experience
with a web site, well... you know (if you would like to read the history of
this web site, see the About Me page).
I went through the changeover to HTTPS; IIS 7.5 will not support more than one
web site and certificate on port 443! I found some workaround articles... none
worked for me, so I upgraded to Server 2016.
A little long-winded with the why; now to the cure:
I went to tune the Firewall settings and had a look around. All the "Default"
settings for inbound are set for ANY / ANY. That means that the rule might say
"Email Account", however instead of the inbound rule saying port 25 it was set
for ANY port! Same for the outbound.
So basically all ports were open!
From port 0 to port 64,848 were open to anyone who wanted to connect! Nice, a
hacker's dream come true.
Want to know what is open on your server before you do any work? Try this:
netstat /a /o /n
Quite a list, eh? (Hint: if a port is open but has no connection you will see
"LISTENING"; if it is connected you will see the IP of your NIC and the address
of the connecting computer/service and the port number.)
What I did on the inbound side was to "Disable", not delete, each rule. At
first I deleted a bunch of rules and then ran netstat: no change, those ports
were still open. I reloaded the default rules and then went through some and
disabled them. After running netstat again the list was shorter.
I had tuned about half the list just before my wife called time (time to
turn off the lights...) but --
When I opened up the firewall interface in the morning a lot of the rules I
disabled were back to enabled, and a couple I deleted (Xbox, etc.) were back!
The only thing I could think of that could have done that was an update from
M$, because the internet NIC was still disabled and the local network NIC goes
through a proxy to get to the internet.
Because this is a dual-homed computer I want to be able to ping it when it
restarts or if I think it is having problems, so the private network side will
get a few more open ports than the internet side.
Fine tune your web server firewall
After disabling all the rules I went back and did this with the rules I
wanted to open on the network side:
To use ping from my computer to the web server on the network side I had to
enable the "File and Printer Sharing (Echo Request - ICMPv4-In)" rule.

As you can see the port is wide open to anyone...

Fine tune: to keep the computer from replying to just anyone, I use the Scope
page to limit which IPs the service can listen on. You can use one IP or a
range for the block "These IP addresses".
(Note: I have the router set to ignore ping requests; however, that is
for the ISP address. This server is in a DMZ and will respond... well, it did,
now it won't! Now that is fine tune...)

Internet side:
Sample of a rule that is disabled:

As you can see, the port that is open on this rule is 2177, one of the few with
an actual port.

Because I don't use any of the rules on my network side, it will not affect
what I do from that side of the firewall.

Fine tune: this one I made for my email server; it only needs one
inbound port.

The port is 587...

The internet side open ports I have are:
Port 80 (I may close the inbound rule soon; you can only connect to my sites
with SSL, i.e. HTTPS)
Port 443
Port 587
Port 995
How did I solve the problem with the firewall rules reverting? On the
Firewall app Advanced page, in the right-hand column, are a few words: Export
Policy and Import Policy.
I have done the export after each batch of changes. I have not done an import
yet; however, the rules have not changed since the first time. (And I make
images frequently of the system and web drives...)
A short story:
My email server was having problems connecting, and saying it was connected,
when I was setting it up. I used telnet to connect; sometimes it connected and
then it stopped connecting. It was driving me crazy: it would connect all day
fine, then the next morning it would not connect. I fiddled with fine tuning
the firewall for three days: uninstall, reinstall, configure, reconfigure...
Then I decided to make an image of the System drive and the Web drive, and
when I was done I restarted the computer. The email was working before I shut
it down to do the images; now on restart it doesn't work. I was having another
problem with another service that wouldn't fine tune, and did a search on why
some network service applications with a service that starts on startup would
drop off.
I found out that some network apps with a service that starts on startup will
disconnect (and still be running!) if there isn't any network connectivity yet.
I stopped the email service, then started it, and I could telnet into the email
server...
So I did a little search on the delay time for autostarting a service. You can
set the delay in microseconds from 100 to as far as 60000, 100 microseconds to a
full minute (the article and some comments left me with the feeling it could be
a higher amount of time). So I set it for autostart delay; I will see in the
next day or two if it still drops off, and may have to do some more fine
tuning.
So if you are having difficulty with fine tuning an application, you may want
to look at using the startup autodelay.
Fine tune your web server, and don't want just any "search engine" indexing
your web site?
You may want to search for this term also: request filtering
You can turn this feature on with the Server Manager; however, it is limited
in its use unless you happen to know how to use PowerShell or VBScript. I
don't; however, I did find a nice article on using this feature to block
bad-neighborhood bots!
I followed the article and set up the request filtering, added the script
provided by the author, and added a bot whose only activity was searching
the images, and now when it stops by the log shows a 404 for it. Cool! Block
hackers, DoS attacks and bad bots... now that is a fine tune of my web sites!