Pingable Cloud Server IP - Security Risk?

KapsZ28

I thought one of the biggest rules for servers on the Internet was that their IP address should not be pingable? We have a server set up using a company that offers cloud services. The server is only used for QuickBooks and we connect to it through RDP. Shouldn't the firewall be set up so that only RDP is accessible?

The server has only been up for just over a week and there are already 45,000 failed authentications from multiple IP addresses with quite a few different usernames that someone is trying to use.
 
Most "cloud" providers barely have any firewall in front of a server, if any at all. Generally it is up to you to run a software firewall on it (which Windows Firewall with Advanced Security does well enough).

And it's generally a rule of thumb that any server online will always have failed logins if you have ssh/rdp open.
 
Gotcha. I've been trying to get them to purchase AV with built-in firewall, but they have not done it yet. I just thought it would make more sense to have a real firewall up front to offer better security to your customers.
 
They are also using Internet Explorer on this server to browse the Internet. So protected mode is disabled in IE. How much of a risk is this?
 
You should never "browse the internet" on a server. Never. Tell them to use their own damn computer for that and the cloud server just for QB.
 
You should never "browse the internet" on a server. Never. Tell them to use their own damn computer for that and the cloud server just for QB.

Tried to. They don't listen. I wanted to use Server 2008 R2 with RDS over web and just publish QB. But they got 2008 R1. So I set it up so that QB launches automatically and you can't see the server desktop. Then I was asked to turn that off and let them log into the server with the full desktop environment. This whole project is stupid.
 
They are also using Internet Explorer on this server to browse the Internet. So protected mode is disabled in IE. How much of a risk is this?

lol, remote into server, browse internet... heh
 
Tried to. They don't listen. I wanted to use Server 2008 R2 with RDS over web and just publish QB. But they got 2008 R1. So I set it up so that QB launches automatically and you can't see the server desktop. Then I was asked to turn that off and let them log into the server with the full desktop environment. This whole project is stupid.

I would personally be working on my resume at this point, since it's obvious these people have no fucking idea what they're doing and you're going to get blamed when the shit hits the fan.
 
I thought one of the biggest rules for servers on the Internet was that their IP address should not be pingable?

It is called "security through obscurity". Just because a host isn't pingable doesn't mean it is not there. Tools such as Nmap can be easily scripted to just scan common ports and report if they respond.

While it may reduce some attempts by extremely new script kiddies, I wouldn't expect a significant drop in intrusion attempts.

We have a server set up using a company that offers cloud services. The server is only used for QuickBooks and we connect to it through RDP. Shouldn't the firewall be set up so that only RDP is accessible?

Generally that would be best practice. Close everything and only allow those ports which are necessary.

The server has only been up for just over a week and there are already 45,000 failed authentications from multiple IP addresses with quite a few different usernames that someone is trying to use.

Automated scripts. Best thing you can do is make sure the accounts on your server are not using weak or common passwords.


They are also using Internet Explorer on this server to browse the Internet. So protected mode is disabled in IE. How much of a risk is this?

Highly risky. Drive-by malware is commonplace, and while a majority of it can be cleaned using a combination of Malwarebytes, antivirus and ComboFix, it requires a great deal of time to run, monitor, and review the scans.

I've seen malware that hides itself so well, security software reports the system clean, yet if you pull the hard drive and scan from another system, it shows multiple infected files. You simply don't have the luxury of pulling the hard drive on a "cloud" server.

Can the business sustain an entire day of downtime without access to quickbooks so you can clean the server?

Is the business willing to take the risk of information in Quickbooks becoming compromised due to a malware infection?

Are you willing to put your job on the line declaring the server is 100% clean after a malware infection?

If I were you, I'd make sure you get everything in writing and that includes higher ups signing off that they are not going to hold you responsible for any security breaches.

On another note........ Why Quickbooks on a terminal server? Quickbooks online is available and web based.
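As an added example (not from the thread), here is one way to triage the failed-logon volume the question describes, grouping Security log event 4625 (logon failure) by source address and by account; many addresses each cycling many usernames is the automated-script pattern the reply refers to. The rows below are constructed sample data with documentation-range addresses; on the real server they would come from Get-WinEvent as shown in the trailing comment, assuming the default "Audit logon events" setting is on.

```powershell
# Added example, not the thread's own code: summarise event 4625 failures.
function Get-FailedLogonSummary {
    param([object[]]$Rows, [int]$Threshold = 20)
    # Source addresses with many failures: classic brute force from one origin.
    $noisySources = $Rows | Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } | Sort-Object Count -Descending
    # Accounts tried from many distinct addresses: distributed guessing / spraying.
    $sprayed = $Rows | Group-Object User | ForEach-Object {
        New-Object PSObject -Property @{
            User            = $_.Name
            Failures        = $_.Count
            DistinctSources = @($_.Group | ForEach-Object { $_.SourceIp } | Sort-Object -Unique).Count
        }
    } | Sort-Object DistinctSources -Descending
    New-Object PSObject -Property @{
        Total        = $Rows.Count
        NoisySources = $noisySources
        Sprayed      = $sprayed
        ByLogonType  = ($Rows | Group-Object LogonType)   # 10 = RDP, 3 = network (SMB/NTLM)
    }
}

# Constructed sample: three addresses (198.51.100.x / 203.0.113.x are documentation
# ranges) cycling common account names, plus one legitimate typo from the office.
$sample = @()
foreach ($ip in '198.51.100.7', '198.51.100.9', '203.0.113.20') {
    foreach ($u in 'administrator', 'admin', 'john', 'sales', 'backup') {
        1..8 | ForEach-Object {
            $sample += New-Object PSObject -Property @{ User = $u; SourceIp = $ip; LogonType = '10' }
        }
    }
}
$sample += New-Object PSObject -Property @{ User = 'dave'; SourceIp = '192.0.2.10'; LogonType = '10' }

$r = Get-FailedLogonSummary -Rows $sample -Threshold 20
"Failed logons: $($r.Total)"
$r.NoisySources | Select-Object Count, Name | Format-Table -AutoSize
$r.Sprayed | Select-Object User, Failures, DistinctSources | Format-Table -AutoSize

# On the server itself, build the rows from the Security log instead of $sample
# (PowerShell 2.0 on Server 2008 already has Get-WinEvent -FilterHashtable):
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-7) } |
#   ForEach-Object {
#     $x = [xml]$_.ToXml(); $d = @{}
#     $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     New-Object PSObject -Property @{ User = $d.TargetUserName; SourceIp = $d.IpAddress; LogonType = $d.LogonType }
#   }
```

Accounts that show up with a high DistinctSources count are the ones worth checking for weak passwords first, and the LogonType breakdown tells you whether the attempts are arriving over RDP or some other exposed service.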
 
I would personally be working on my resume at this point, since it's obvious these people have no fucking idea what they're doing and you're going to get blamed when the shit hits the fan.

It is 50% a family business. I have a full-time job. Just "trying" to help these guys out. I've told them more than once that I won't support them if they keep doing what they want. I just feel bad since my brother works there too, but the decisions come from our pain in the ass cousin.
 
It is called "security through obscurity". Just because a host isn't pingable doesn't mean it is not there. Tools such as Nmap can be easily scripted to just scan common ports and report if they respond.

While it may reduce some attempts by extremely new script kiddies, I wouldn't expect a significant drop in intrusion attempts.

Just thought it would be a "little bit" safer if it was not pingable.

Generally that would be best practice. Close everything and only allow those ports which are necessary.

Since I can't control the Internet-facing firewall, is using the built-in firewall with Server 2008 R1 adequate?

Automated scripts. Best thing you can do is make sure the accounts on your server are not using weak or common passwords.

Passwords are complex, but usernames are very simple. Last time I used a username other than just their first name, it ended up being an issue for them. :rolleyes:

Highly risky. Drive-by malware is commonplace, and while a majority of it can be cleaned using a combination of Malwarebytes, antivirus and ComboFix, it requires a great deal of time to run, monitor, and review the scans.

I've seen malware that hides itself so well, security software reports the system clean, yet if you pull the hard drive and scan from another system, it shows multiple infected files. You simply don't have the luxury of pulling the hard drive on a "cloud" server.

I told them that and said we MUST get AV software on the server if it is going to be used like this. Still hasn't happened yet. I want to use VIPRE Internet Security 2012. They mentioned using Kaspersky. Any suggestions on what would be best? I wanted something with additional Internet Security since they were planning on using IE.

Can the business sustain an entire day of downtime without access to quickbooks so you can clean the server?

Nope, they want ZERO downtime which is why they decided to move to the cloud instead of a local server in the store.

Is the business willing to take the risk of information in Quickbooks becoming compromised due to a malware infection?

I mentioned this as part of my reason to NOT have the entire desktop environment open. They want it their way.

Are you willing to put your job on the line declaring the server is 100% clean after a malware infection?

If I were you, I'd make sure you get everything in writing and that includes higher ups signing off that they are not going to hold you responsible for any security breaches.

As mentioned in a previous post. It is a small business, with a couple of family members also being involved. Our cousin is the primary decision maker.

On another note........ Why Quickbooks on a terminal server? Quickbooks online is available and web based.

They use a lot of customizations that are not available in the online version.
 
Just thought it would be a "little bit" safer if it was not pingable.

Since I can't control the Internet-facing firewall, is using the built-in firewall with Server 2008 R1 adequate?

Passwords are complex, but usernames are very simple. Last time I used a username other than just their first name, it ended up being an issue for them. :rolleyes:

I told them that and said we MUST get AV software on the server if it is going to be used like this. Still hasn't happened yet. I want to use VIPRE Internet Security 2012. They mentioned using Kaspersky. Any suggestions on what would be best? I wanted something with additional Internet Security since they were planning on using IE.

Nope, they want ZERO downtime which is why they decided to move to the cloud instead of a local server in the store.

I mentioned this as part of my reason to NOT have the entire desktop environment open. They want it their way.

As mentioned in a previous post. It is a small business, with a couple of family members also being involved. Our cousin is the primary decision maker.

They use a lot of customizations that are not available in the online version.


It doesn't hurt to turn off ping responses, but it doesn't help as much either, so if it makes you feel better having it turned off, then so be it. ;)

If you have the ability to use the built in firewall to control what ports are "listening" then I would take advantage of it, however, before doing so, check with the hosting company and find out what ports they already have open or closed.

Antivirus would be highly recommended. Kaspersky, NOD32, and Vipre are fine choices, you just need to figure out which one will be best for your environment. Take advantage of any 30 day trials the vendors may offer.

Zero downtime is unrealistic for any small business. It is disturbing how the masses of people automatically assume that anything "cloud" based is infallible.

Family businesses are much more difficult to deal with as I've been there and I have had to walk away when things they were requesting went against what is deemed sound and logical.

Just be sure that all the stakeholders in the business are aware of your recommendations along with any supporting information. That way when something does happen, you have something to fall back on.

CYA! :D
 
It is 50% a family business. I have a full-time job. Just "trying" to help these guys out. I've told them more than once that I won't support them if they keep doing what they want. I just feel bad since my brother works there too, but the decisions come from our pain in the ass cousin.

Ah, nepotism. I owe a significant portion of my income to nepotism; fixing shit that the family computer nerd "fixed".

Most recent issue I fixed: the business couldn't figure out where all their bandwidth was going. They have a 20/20 line going into the business, but it felt like you were on dialup when browsing websites. Turns out the family IT guy set up a very high-end firewall (an old workstation with a Linux distro), installed Apache and turned on reverse proxying without understanding what he was doing. Needless to say, for several months the business was an open proxy.

When I casually asked him why he did that, it was for security's sake; he was using Apache as a proxy for the business. He didn't firewall off the port to the outside world because otherwise "Apache couldn't see websites" (with a roll of the eyes).

I just smiled, and thanked them for the very large paycheck.
 
Zero down time is unrealistic for any small business. It is disturbing how the masses of people automatically assume that anything "cloud" based is infallible.

Tell that to my cousin. He is CEO of the cloud company we are using and their website says 100% uptime. I even told him that is impossible and they shouldn't be advertising it. But hey, I can only do so much. I am the little man here.
 
Tell that to my cousin. He is CEO of the cloud company we are using and their website says 100% uptime. I even told him that is impossible and they shouldn't be advertising it. But hey, I can only do so much. I am the little man here.

Netflix, Blackberry, Amazon EC2, NYSE, Bank of America, and Mastercard have all suffered outages this year. Granted it isn't an apples-to-apples comparison with a simple terminal server, however, it does highlight the fact that there is no such thing as 100% uptime.

I dare say they spend quite a bit more on their IT infrastructure than your cousin. ;)

Ah well... You can only do so much. :D Good luck!
 
I used Qualys to do a vulnerability scan. Below are the results. Is this bad?

[attached image: Vulnerabilities.jpg]
 
Any IP address is pingable....the key is if it allows replies or not.

I don't worry about hiding ICMP.

If someone wants to check out an IP range they'll use tools that find other available services anyway... poking around for ports or services. Cloud hosts/data centers constantly have their IP range thoroughly scanned... so worrying whether the IP(s) you have at that host reply or not shouldn't be a concern... you are going to get poked and prodded by more advanced tools anyway.

Kinda like wireless networks... and people thinking that hiding their SSID will keep them safe. Tools to bust into wireless will still see your wireless network even though you're hiding it.

Have a really good Administrator account password, and a really good user account(s) password. Then...who cares if they're trying to log in.

Also, I would get your host behind NAT. Only open/forward/expose the port you need for your services (i.e. 3389 for RDP). Depending on your co-lo host... they can NAT it for you, or... you may have to bring in (or ship them... pre-configured) your own NAT box. If this Windows server has been sitting on this public IP for a while... (like... more than a week)... I would seriously be considering wiping it and rebuilding fresh. If you can't... man, give it a THOROUGH cleaning with craploads of scanning tools. I've had to fix co-lo'd Windows servers before that sat on public IPs... they are usually infested pretty good. To have a Windows server be even remotely partially safe on a public IP... there is a LOT of stripping down/disabling of services involved to lock it down before you plop it out there on the internet on a public IP with it wide open. Make it easy on yourself... and safe for your clients, get it behind NAT!!!!!
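As an added example (not from the thread), this is what "only expose the port you need" looks like on the host itself when, as in the question, you cannot control the provider's edge firewall and the box is Server 2008 R1. It uses netsh advfirewall (the NetSecurity cmdlets such as New-NetFirewallRule only arrived with Server 2012), assumes RDP is on the default port 3389, and uses the documentation range 203.0.113.0/24 as a placeholder for the office's public address; run it from an elevated prompt.

```powershell
# Added example, not the thread's own commands: Windows Firewall with Advanced
# Security baseline for an Internet-facing Server 2008 host via netsh.
# Commas are quoted so PowerShell passes them to netsh as one argument.

# 1. Default posture for every profile: drop unsolicited inbound, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 2. Log dropped packets so scan and brute-force traffic is visible afterwards.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 16384

# 3. The only inbound service allowed: RDP on TCP 3389, and only from the office.
#    203.0.113.0/24 is a placeholder; use remoteip=any only if the source addresses
#    really cannot be pinned down.
netsh advfirewall firewall add rule name=AllowRDPFromOffice dir=in action=allow protocol=TCP localport=3389 remoteip=203.0.113.0/24

# 4. Optional: stop answering ICMP echo requests. As the thread says this is
#    obscurity rather than security, but it is harmless unless the provider
#    monitors the host with ping.
netsh advfirewall firewall add rule name=BlockICMPv4Echo dir=in action=block protocol="icmpv4:8,any"

# 5. Verify the effective policy and what is actually listening.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=in
netstat -ano | findstr LISTENING
```

Anything still listed by netstat that is not covered by an allow rule is blocked by the default inbound policy, which is the check to repeat after each change to the server.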
 
I used Qualys to do a vulnerability scan. Below are the results. Is this bad?

[attached image: Vulnerabilities.jpg]

As YeOldStonecat pointed out, the only ports that should be open are the ones that absolutely need to be open.

FYI - Check your Windows updates and make sure you've applied all the critical, security and high priority updates.
 
It is 50% a family business. I have a full-time job. Just "trying" to help these guys out. I've told them more than once that I won't support them if they keep doing what they want. I just feel bad since my brother works there too, but the decisions come from our pain in the ass cousin.

Ahh. Gotcha. Best of luck in that case. Been there, done that.
 
As YeOldStonecat pointed out, the only ports that should be open are the ones that absolutely need to be open.

FYI - Check your Windows updates and make sure you've applied all the critical, security and high priority updates.

Only the required inbound ports are open, but right now all outbound ports are open. Should the outbound ports be closed as well?
 
Tell that to my cousin. He is CEO of the cloud company we are using and their website says 100% uptime. I even told him that is impossible and they shouldn't be advertising it. But hey, I can only do so much. I am the little man here.

We boasted 100% uptime too... 11 years of it... And we finally got spanked in November.
 
Also, who can you get a decent cloud server from? Amazon doesn't really seem that cheap since no matter what you have to pay by the hour. Right now we are paying $80 a month for 1 CPU, 2 GB RAM, 40 GB hard drive, and 5 terminal services licenses. This is Windows Server 2008 Standard. NOT R2.
 
Helping those morons == lipstick on a pig.

Just let it go, do your normal job. If that is your normal job, start writing applications.
 