frostfiretulsa
n00b
- Joined: Feb 12, 2012
- Messages: 14
Hiya all,
This is my first post on this forum... glad I found it though - seems to be really good for people like me.
I own a small web/VPS hosting company that currently provides service to about 500 clients, the majority of which are in the USA and EU. I have been in business for about 12 years, with my master server's IP and domains staying the same over that period (though the server has been upgraded twice).
Now... Over the last 6 months (and more so over the last 2 months) I have noticed a huge increase in hack attempts, the vast majority of which (99%+) are from China IP addresses. When I first started noticing this I wrote a small C# app that runs on my servers that monitors the event log for SQL login failures as well as Simple DNS notifications that an IP was blocked locally (inside the DNS software) for > 15 requests per second over 3 seconds. When detected, the IPs are added to a firewall rule that blocks them for 48 hours. The same app maintains that rule so that expired IPs are removed after 48 hours, etc. Works pretty good... but...
At last count I was getting hit between 10-50 times per second over both DNS and SQL... And while I have not noticed any negative effects on server performance or network traffic (I have quite a bit of bandwidth available), I am worried about this increasing to the point of blocking legitimate server traffic.
Now... I have grown slowly over the last decade, adding servers as needed here and there, and currently have 10 servers spread across 3 racks at my datacenter, and each server has its own network drop and relies on a software firewall for protection. I am thinking it's time to upgrade that a bit... Am going to have them move me to a new rack so all my servers can be together, and want a single gigabit network drop to a hardware firewall, which will then split traffic off to the servers with 10/100 cables (I don't need gigabit to the servers, but need more than 100mb across all 10, if that makes sense).
So... what I am looking for here are ideas on how to do this exactly... I think I have a good plan, but I confess that I am not a network security buff. I am an application developer and I learn quickly with either hardware or software, but I know my knowledge in this area is not up to snuff... so... ideas?
Oh - and another reason for the hardware firewall, as noted in my subject, is that I am considering just blocking all of China's IP addresses from accessing any of my servers over any port other than 80 and 443. Heck, I might even just block them altogether, even HTTP ports. I do not think I have any legitimate traffic from China.
Now, the tough part of that... if I do implement that, I would like to direct blocked HTTP traffic (port 80/443 only) to a website explaining that they are blocked from accessing my servers... possible? What kind of hardware would I need to do that?
If I am totally off base, please let me know that too... my goal here is to block these hack attempts while leaving access to the associated services open.
Thanks much,
Dave
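The monitor Dave describes (count SQL login failures and DNS query floods per source IP, put the offender on a 48-hour block, and drop expired entries again) is easy to get subtly wrong in the expiry and rate-window logic, so here is the same idea as an added example in Python. It is not the poster's C# tool and not Simple DNS or SQL Server code: the log line format is constructed to resemble a SQL Server "Login failed" message, the five-failure threshold and the never-block list are assumptions, and the DNS check uses the poster's stated limit of more than 15 requests per second sustained over 3 seconds (i.e. more than 45 queries inside any 3-second window). Rather than calling the Windows firewall, it keeps the block set in memory so the logic can be run and checked offline.

```python
"""Log-driven temporary blocklist with expiry (added example, not the poster's tool)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

BLOCK_TTL = timedelta(hours=48)     # poster's 48-hour block duration
SQL_FAIL_THRESHOLD = 5              # assumed: failures from one IP before it is blocked
DNS_RATE_PER_SEC = 15               # poster's limit: > 15 requests/second ...
DNS_WINDOW_SEC = 3                  # ... sustained over 3 seconds
NEVER_BLOCK = {"198.51.100.1"}      # assumed: own management host, must never be blocked

# Constructed to resemble SQL Server's "Login failed for user ... [CLIENT: x.x.x.x]" text.
SQL_FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]")


def parse_sql_failure(line):
    """Return (ip, user) for a login-failure line, or None for anything else."""
    m = SQL_FAIL_RE.search(line)
    return (m.group("ip"), m.group("user")) if m else None


class DnsRateTracker:
    """Sliding-window query counter: True once an IP exceeds rate*window in one window."""

    def __init__(self, per_sec=DNS_RATE_PER_SEC, window_sec=DNS_WINDOW_SEC):
        self.limit = per_sec * window_sec
        self.window = timedelta(seconds=window_sec)
        self.seen = defaultdict(deque)

    def record(self, ip, ts):
        q = self.seen[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.limit


class TempBlocklist:
    """IP -> expiry time; sweep() removes entries whose 48 hours are up."""

    def __init__(self, ttl=BLOCK_TTL, never_block=NEVER_BLOCK):
        self.ttl = ttl
        self.never_block = set(never_block)
        self.expiry = {}

    def block(self, ip, now):
        if ip in self.never_block:
            return False
        self.expiry[ip] = now + self.ttl       # re-offending refreshes the timer
        return True

    def is_blocked(self, ip, now):
        return ip in self.expiry and self.expiry[ip] > now

    def sweep(self, now):
        expired = sorted(ip for ip, t in self.expiry.items() if t <= now)
        for ip in expired:
            del self.expiry[ip]
        return expired


def process_sql_log(lines, blocklist, now, threshold=SQL_FAIL_THRESHOLD):
    """Count failures per IP and block any source reaching the threshold."""
    failures = defaultdict(int)
    for line in lines:
        hit = parse_sql_failure(line)
        if hit is None:
            continue
        failures[hit[0]] += 1
        if failures[hit[0]] >= threshold:
            blocklist.block(hit[0], now)
    return dict(failures)


# Constructed sample log: five failures from one IP, one from another, one from the
# management host, plus an unrelated line. TEST-NET addresses, not real sources.
SQL_LOG = [
    f"2012-02-12 03:14:0{i} Login failed for user 'sa'. Reason: Password did not match. "
    "[CLIENT: 203.0.113.7]" for i in range(5)
] + [
    "2012-02-12 03:14:09 Login failed for user 'web'. Reason: Password did not match. [CLIENT: 198.51.100.4]",
    "2012-02-12 03:14:10 Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 198.51.100.1]",
    "2012-02-12 03:14:11 Server resumed execution after being idle.",
]


def run_sample():
    now = datetime(2012, 2, 12, 3, 15, 0)
    bl = TempBlocklist()
    counts = process_sql_log(SQL_LOG, bl, now)
    tracker = DnsRateTracker()
    # 60 queries 50 ms apart from one IP (all inside 3 s) trips the limit; 10 do not.
    flood = any(tracker.record("203.0.113.9", now + timedelta(milliseconds=50 * i)) for i in range(60))
    quiet = any(tracker.record("203.0.113.10", now + timedelta(milliseconds=300 * i)) for i in range(10))
    if flood:
        bl.block("203.0.113.9", now)
    blocked_now = sorted(ip for ip in bl.expiry if bl.is_blocked(ip, now))
    expired = bl.sweep(now + BLOCK_TTL + timedelta(seconds=1))
    return {"counts": counts, "flood": flood, "quiet": quiet,
            "blocked_now": blocked_now, "expired": expired, "left": sorted(bl.expiry)}


if __name__ == "__main__":
    print(run_sample())
```

Two points worth noting for the poster's worry about blocking legitimate traffic: the never-block list keeps the management host out of the rule no matter how many failures it generates, and `sweep()` is driven by the clock rather than by new log events, so an IP that stops attacking still falls off the rule after 48 hours even if the log goes quiet.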