Installing vsftpd allows you to upload files to a server, the concept is comparable to that of Google Drive. When you invite specified users to your Google Drive they can create, delete, upload and download files all behind a secure login. Vsftpd is excellent for company’s looking for an alternative to Google Drive or for anyone who wants to create a robust server. This “Very Secure File Transfer Protocol Daemon” is favored for its security and speed and we’ll be showing you how to install vsftpd on an Ubuntu 16.04 LTS server. Continue reading “Install vsftpd on Ubuntu 16.04”
When connecting to a server, many aspects can cause your connection to not complete correctly. Here are some aspects to check before jumping to conclusions. Continue reading “Troubleshooting: Server Connection Errors”
One of the simplest goals of server security is keeping administrator credentials private. There is no better way to achieve this than through strict firewall rules that only allows specific IPs to authenticate. However, there are some situations where it is necessary to open a login prompt to the broader Internet. In this case, the only thing barring anonymous internet users from unauthorized access is your password. The stronger your password, the better off you are, but even the most cryptic passwords can be guessed given enough tries.
Malicious Activity Detector (MAD) helps protect you in these instances. It functions by monitoring login attempts to several services, and if it detects malicious activity, it applies a temporary block on that IP. If more attempts come in, the block continues to last longer. This method is exceptionally effective in preventing a successful brute-force attack while limiting the number of system resources expended.
Installation of MAD
Depending on the configuration and age of your server, you may already have it installed. Check the installation status by looking for an item in your Start Menu shown below.
The program path is C:\Program Files (x86)\Liquid Web\MAD\MADGUI.exe
You may also check if “MAD.exe” is running from your Task Manager. If you don’t see it there, please Contact Support so that we may get it up and running for you. Once running, we can move on to the configuration.
MAD’s default settings offer protection for the most vulnerable services, and extra configuration is not required. That said, you may find yourself wanting to change its behavior, and we’re happy to give you the tools you need.
Let’s start with the most common change you may want to make: whitelisting and blacklisting. Opening the MAD Configure utility will get you on the right page. From here, you only need to choose the radio button for the list you want to modify, enter the IP, and click the button. You can remove entries in either list by right-clicking. This page also allows you to start or restart the service, but you shouldn’t need to use those functions.
The next page is where most options are located. All of the service scanners list three choices for each: Enabled/Disabled, BlockThreshold, and Retention.
Enabled/Disabled -You may want to disable scanners for services that you do not have installed, but it is generally recommended to leave all options enabled due to minimal performance cost.
BlockThreshold – This setting controls how many ‘strikes’ it takes to be blocked. These are set fairly high by default to avoid affecting legitimate users, but you may want to lower the threshold to increase MAD’s sensitivity.
Retention -This refers to the size of the window that MAD looks at to determine if a user has met the BlockThreshold in seconds. By default, this is set to 300 (five minutes).
PermaBlock – Sometimes robots can’t take the hint after being temporarily blocked several times in a row. The PermaBlock list remedies this situation. By default the retention period is 2 hours, this scanner checks for IPs that have been temp blocked five times (or your custom BlockThreshold). If it gets a hit, it does as the name implies and adds it to your blacklist, where it is managed much like manual entries.
AuditPolicy – This setting determines if MAD is allowed to edit your login event auditing policy. Disabling AuditPolicy is not recommended and may prevent MAD from working as intended.
TempBlockTimeout -When a block is triggered on one of the scanners the offending IP address will be blocked for this amount of time. Measured in seconds with a default setting of 900 (15 minutes).
Reviewing MAD Logs
MAD creates logs of all of the actions that it takes. It is good practice to review them regularly to see what has been going on. For example, if a certain service seems to be getting attacked more often than others you may want to consider hardening your firewall rules or MAD’s configuration itself.
MAD also creates events in Windows Event Viewer under the ‘Applications and Services Logs’ folder. These events are most helpful for long-term investigation, as the folder will hold historical data for quite some time.
MAD for Windows is an excellent tool in your security arsenal, but a proactive plan is always better than a reactive one. We recommend utilizing Windows Firewall to ensure that only things that must be publicly accessible are. For further reading on security visit some of our other articles:
VNC (Virtual Network Computing) is a method for sharing a remote desktop environment. Allowing you to remote control another computer or server over the Internet or local network as if you were sitting in front of it. Keyboard and mouse strokes from your computer are relayed to the remote computer/server. There are many different kinds of VNC softwares available today. Several are cross-platform and add additional features, such as chat or file transfers. VNC is often used for remote technical support and remotely accessing files.
What is TeamViewer?
Remote Desktop Protocol (RDP) is the easiest and most common method for managing a Windows server. Included in all versions of Windows server and has a built-in client on all Windows desktops. There are also free applications available for Macintosh and Linux based desktops. Unfortunately, because it is so widely used, RDP is also the target of a large number of brute force attacks on the server. Malicious users will use compromised computers to attempt to connect to your server using RDP. Even if the attack is unsuccessful in guessing your administrator password, just the flood of attempted connections can cause instability and other performance issues on your server. Fortunately, there are some approaches you can use to minimize your exposure to these types of attacks. Continue reading “Improving Security for your Remote Desktop Connection”
Remote Desktop Protocol (or RDP) is the most common method of gaining administrative access to a Windows server. RDP is available on all versions of Windows server and a client (called Remote Desktop Connection) is included with all versions of Windows desktop operating systems. Clients are also available for Macintosh operating systems from Microsoft in the iTunes store and for Linux desktops with applications like FreeRDP. Connecting to your server via RDP allows you full control of the server desktop environment, just as if you were sitting in front of the server’s monitor and keyboard. Depending on your permissions and settings, you can copy and delete files, change file permissions or settings, and even print documents from the server.
Using Remote Desktop Protocol to manage a Windows server generally requires a few basic settings and information about the server.
- First, the Remote Desktop Service must be running on the server to which you would like to connect (RDP uses port 3389 by default).
- Second, you need to know the IP address of the server.
- Third, you must have a username and password that is allowed to connect to the server remotely (often, this is the primary administrator account, but can also be a secondary account set up specifically for remote access purposes).
- Finally, the Windows firewall (and any other hardware or software firewalls) needs to be configured to allow Remote Connections from your location.
Once you have all of the correct settings enabled, IP address and user account details, you can connect RDP to your server! Just launch the RDP client, enter the IP address of the server and the user credentials, and log in to the server using what looks like the standard Windows desktop environment.
As helpful as the Remote Desktop Protocol can be when it comes to managing your Windows server, there are also times when the connection fails, which can be very frustrating as the error message is generally not very helpful (often just the window shown below).
The error shown above means that for some reason, your client was unable to make a connection to the Windows server via the Remote Desktop Protocol. When you are experiencing connectivity issues, there are many items that you can check to try to resolve the problem.
- Ensure you can reach the server via ICMP (or Ping). Most desktop operating systems will allow you to send small bits of information to the computer to verify connectivity and connection speeds. Generally, you just need to open a terminal window (on a Windows desktop, press the Window key, then type cmd and press enter) and enter the following command: ping IP or ping domain.tld. Normally, you’ll receive an output that is similar:
- This output shows the pings were successful to the destination and took between 50 ms and 150 ms to complete. These pings indicate a successful connection to the server as desired (at least over ICMP). If the output for the command shows a failure to respond, we know there is some network interference.
- If the ping test fails (indicated by repeating asterisks), check your internet connectivity to guarantee that you can reach other resources on the internet. If not, you may need to contact your local service provider to restore your internet access.
- Reaching other internet sites but not your server indicates your server is refusing connections from your IP address (due to security software or firewall settings). You may need to contact your hosting company to verify there is not an IP address blocked by your server. You can find your current public IP address by going to https://ip.liquidweb.com.
- Can you ping your server, but still can’t connect over RDP? It is likely an issue with the RDP service or your firewall. You’ll need to contact your hosting company to get assistance with the service or firewall.
Best practices in configuring a firewall is to allow the least amount of access necessary for the various connections to the server. Limiting the connections to a particular service like RDP is called “scoping” the access for that service. If your configured Windows firewall scopes traffic on RDP, it’s possible that a user may not be able to connect due to their IP address not being included in the rule. Access to the server via RDP from one user but another user is not, check the firewall; their IP address may not be included in the allowed list of IPs for Remote Desktop Access.
- Log in to the server, click on the Windows icon, and type Windows Firewall into the search bar.
- Click on Windows Firewall with Advanced Security.
- Click on Inbound Rules
- Scroll down to find a rule labeled RDP (or using port 3389).
- Double-click on the rule, then click the Scope tab.
- Make sure the user’s current IP address is included in the list of allowed Remote IPs.
If you are unable to connect to the server from your location, contact your hosting company for help in checking the firewall rule for RDP access.
User Connectivity Problems
Can you connect to RDP using the administrator account, but one or more of the other accounts cannot? There may be a problem with the user account permissions.
- Make certain the user is a member of the Remote Desktop Users group. Log in to the server with the administrator account, then go to the Local Users and Groups control panel (Open Administrative Tools, then open Computer Management).
- Navigate to the Remote Desktop Users group and verify that the user is a member of the group. If they are not a member of the group, add them as a member of the group.
- Go to the username under the Users tab. Make sure that the user account is not locked out. Accounts can get locked out due to too many attempts to log in with an incorrect password (either by the user or by a brute force attack on the server).
- Double check the firewall for the IP address of the user and add to the scope of the RDP rule.
No Available Connections/Sessions
By default, Windows server only allows two users to connect via RDP simultaneously. If both sessions are already in use, you will receive an error indicating that no additional users are allowed to connect at this time.
To resolve this issue, you will need to wait until one of the other users logs out or you’ll require to purchase additional RDP user licenses from your hosting provider (assuming that you regularly need access for more than two users at a time).
Failed login attempts during a brute force attack can sometimes take up RDP licenses, even though the session isn’t connecting. If you are experiencing unavailable sessions even when no one is logged in to the server, it’s possibly the result of a malicious login. The best remedy for this situation is to scope the firewall rule to prevent access attempts from unauthorized IP addresses.
Data Encryption Errors
If you are using an out of date Remote Desktop Client or are connecting to an older Windows server, you may receive an error that there is a problem with the TLS settings for the connection. Generally, you can resolve this issue by updating your RDP client software on your workstation. It may also be possible to set the client to ignore these errors, but that could leave your workstation and your server vulnerable to malicious attacks.
If you are using RDP and suddenly lose the connection, the issue is almost always related to your internet connection. Check to make sure that you can stay connected to other services (like running a ping command in the background). If you are not losing internet connectivity, it’s possible that the server is running out of memory or the RDP service may be experiencing an active attacked in a brute force attack. If you’ve confirmed that your internet connection is stable, contact your hosting company to make sure that the server is not the cause of the lost connection.
Slow Connection Issues
If the connection between your location and your server is slow your Remote Desktop Session may not function as smoothly as you would like. However, you may be able to adjust the Desktop Environment settings of the connection before you connect to simplify and speed up the connection.
- Open the Remote Desktop Client application (these directions are for the Windows built-in client, but most RDP clients have similar settings available).
- Click on the Experience tab to see the various items you can choose to enable or disable to improve your connection speeds. Change the drop-down to select a specific connection speed or select/deselect the various items to optimize performance.
Windows 10 Update Issues
Oddly enough, Microsoft updates often cause problems with RDP connectivity. As recent as April 2018, an update on both the server operating system and the Windows 10 desktop operating system caused connectivity issues for many users. Generally, the best policy is to update both the server and workstation, as connectivity issues most often arise when the two systems are not on the same update cycle. You may be able to resolve a new connectivity issue by removing a recent Windows update (either on the server or the desktop). Many users also reported that disabling the Printer option from the local resources setting resolved the most recent connectivity issue.
While RDP is a great tool for managing your Windows server, connectivity issues can be frustrating. By working through the possible causes of the connection problem, you will generally be able to get reconnected and working again in no time!
A few configuration changes are needed as part of the basic setup with a new Ubuntu 16.04 LTS server. This article will provide a comprehensive list of those basic configurations and help to improve the security and usability of your server while creating a solid foundation to build on. Continue reading “Getting Started with Ubuntu 16.04 LTS”
Broken down into two parts our article’s first section hits on “how to whitelist IPs or URIs,” for people who are somewhat familiar with ModSecurity but want to know further about the process. Our second section examines why we configure ModSecurity and how to prevent the security of the server from getting in the way of our work. If you have a Fully Managed Liquid Web server reach out to our Heroic Support team for assistance with whitelisting! Continue reading “Whitelisting in ModSecurity”
Basic Firewall Rules
In a firewall rule, the action component decides if it will permit or block traffic. It has an action on match feature. For example, if the traffic matches the components of a rule, then it will be permitted to connect to the network. It is essential to consider the potential security risks when modifying a firewall rule to avoid future issues. Following best practices for configuring firewalls can help you maximize the effectiveness of your solution.
In network security, the first line of defense that should be used is a firewall. What is a firewall? It is a protective layer for your server that monitors and limits the incoming and outgoing network traffic. It uses a set of rules to determine to allow or block specific network traffic. Firewalls can prevent unauthorized use before reaching your servers. Firewalls can be hardware or software based.