
Need new antivirus/firewall

Status
Not open for further replies.

whythis

Technical User
Dec 26, 2002
48
US
I am tired of having to redo my 2K server because of Trojans, boot viruses, etc., that gain access through the router (Linksys), firewall (Zone Alarm Pro) and antivirus (Panda). I configured all very carefully, and sometimes it seems to me that the more ports you block in a firewall, the faster they get in. This time the problem hit the RAM and possibly the hard drive; possibly a boot virus from the symptoms.
At this moment I am writing zeros to my 2 drives on the server. It'll take all night, and then the configuring begins. Somebody should hang these jerks.
I would greatly appreciate tips on firewalls and antivirus that can really do the job for 2K Server, preferably companies that actually give access to themselves and respond to support problems. (Years ago, I swore by McAfee).
Thanks,
whythisagain
 
Have you tried to configure that server of yours with Routing and Remote Access (RRAS)? If by chance you did, you would be able to filter out the same ports, but as a backup for the Linksys router that you are using. I could bet that if by chance you did configure Routing and Remote Access and you looked at your TCP/UDP connections behind the firewall and your current version of firewall, you would be amazed at what you do see! Then filter out some of those ports within Win 2K Server. You could filter out ranges of IPs as well as everything a Linksys router would do.

Other than that, I also suggest getting rid of that default password for that router; it's "admin" on every one of them out of the box. And never log on to your Windows server as Administrator unless you have to, and as soon as you are done, log off and log on as a user with little or no permissions. Too many people use the Administrator account as an everything user (which they are), but if you stay as Administrator and leave the server running 24/7 and someone gets in, he's gonna have fun! And I can't stress this enough: DISABLE THE GUEST ACCOUNT!

I do believe that that Linksys router is something far beyond foolproof, and firewall programs are real nice, lol; they create very big log files of who and what, and have a nice GUI. I do believe that an OS-based router would be your best bet, and as a secondary firewall it's a good idea past the Linksys router.
Look under my threads; you will see FIREWALLS. You should see some interesting things!
Have fun! Anthony Cabanas (MCSE Win 2K)
Network admin / Infrastructure designer / Security consultant
Long Island Networking Technologies Inc acabanas@linettech.com
 
Here are some tips to consider, depending on the budget at hand:

1. set up a DMZ
2. set up NAT to hide your internal network IP addresses
3. use a Checkpoint firewall to close off ports you don't need, etc.; it includes stateful inspection (don't use a software-based one)
4. turn off ICMP reply on the firewall
5. use an email scanner to detect attachments and block viruses, etc.
6. use a proxy for internet access
7. use RAS if you have to, but seek a more secure option, e.g. tokens, where only the real user has one

This should help, especially no. 2.

Also rename the Administrator account to something else and create a fake Administrator account with access to nothing.

Take images of your server after it is built; at least you can rebuild quickly if all else fails.

"Work to live, don't live to work"

"The problem with troubleshooting is that sometimes it shoots back"
 
I use a Linksys router and I don't believe the NAT can hide the internal IP address. Also, if they know the standard private IPs of routers, they can just run through the possibilities, checking, I believe. I run web pages from this server, and don't have extra machines to use as a DMZ or proxy. I had my firewall (Zone Alarm Pro; I intend to change that and the antivirus, Panda, to something else) configured to block all ports I didn't need to use for the websites. As I use a recursion utility, I do not need or use port 80. I also have the incoming web requests rerouted to a different internal port for each site. Of course, I keep everything backed up religiously, but I still have to spend several days reconfiguring it all whenever one of these jerks gets in. Whenever someone accesses a website, they get the WAN IP address, and there's nothing I can do about that. I don't know how to use tokens in RAS. Any suggestions about how to do that, and will it work with a web server?
Thanks for all your help, kids.
whythisagain
 
LiNetTech:
I thought that in order for the web service to serve the websites, the computer needed to be on the Administrator's account? Not true? There's still a lot I don't know, and you don't get it from Microsoft, either, like every time you reboot it reshares all your folders, and even if you unshare the C: drive, the WINNT folder is still shared out! I disable the Guest account, but not the Guests group, as the IIS service uses that group. Thanks for your help.
whythisagain
 
Wow, man, oof! I would suggest as your best bet to try and save up a few bucks and get a few more boxes and run them for your individual needs. Granted, money doesn't grow on trees! Man alive, as fast as we can learn something to better ourselves and become IT pros, there is some 15-year-old kid in the boonies somewhere with nothing to do but read books and hack, hack and hack! You are 100% correct that someone should hang these jerks! But the lesson learned, to become better at what we do as well as get the practice we need... it's kind of strange how you and I hate hackers, but in some strange way I thank them for the practice we get to learn how to kill them and keep them out!


Your question: "I don't know how to use tokens in RAS. Any suggestions about how to do that, and will it work with a web server?"
I will give it some thought and get back to you soon. If possible, e-mail me with the question and I will reply to you as soon as I can!
Take care,
Anthony Cabanas (MCSE Win 2K)
Network admin / Infrastructure designer / Security consultant
Long Island Networking Technologies Inc acabanas@linettech.com
 
Yeah, I keep trying to catch them, but as the firewall ain't catching their intrusions, it's not giving me their IPs either, and even if you could pinpoint who they were, what can you do about it? (I mean legally.)
Thanks
whythisagain
 
Okay, did you try the netstat command in DOS? Go to DOS and type in "netstat ?", then you will be able to see all of the command's functions as well as see what's going on with TCP/UDP ports. Then get the DNS name and do a tracert on the name; "tracert ?" is also an option for help on the tracert command. If you are running BlackICE's firewall, you could go to the Advice tab at the bottom of your detection list, then look for "How do I report this hacker to my ISP". Normally they give you the whole subnet that the attacker is on. Just look for phone numbers to call, then call them up and specify to them that you are the president of a company and the attacker is getting in to do malicious attacks on your personal business computer/server. They will confront the person or sometimes have you personally speak to them!
Link on security
Have fun, good luck! Anthony Cabanas (MCSE Win 2K)
Network admin / Infrastructure designer / Security consultant
Long Island Networking Technologies Inc acabanas@linettech.com
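The netstat triage suggested in the reply above, as an added example that is not part of the original thread: a small Python script that reads a saved `netstat -an` dump and reduces it to what is worth looking at first. The allowlist of expected ports (443, two rerouted site ports and DNS), the private-range check and the netstat output itself are all constructed for illustration; run it against `netstat -an > ports.txt` from the real box instead of the embedded sample.

```python
"""Triage a Windows `netstat -an` dump against a port allowlist.

Added example, not code from the Tek-Tips thread. It assumes the admin keeps
a list of the ports the server is meant to expose (hypothetical here: 443,
two rerouted site ports and DNS). Everything else that is listening, and
every ESTABLISHED connection from a non-private address, is reported, so a
listener or peer that does not belong stands out instead of being lost in
the noise. The netstat output below is constructed, not a real capture.
"""
import ipaddress
from collections import Counter

# Constructed sample in the Windows 2000 `netstat -an` layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:8081      203.0.113.45:51234     ESTABLISHED
  TCP    192.168.1.10:31337     198.51.100.7:4444      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.5:1025       ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:1900           *:*
"""

# Hypothetical allowlist of (protocol, port) pairs this server must serve.
EXPECTED_LISTENERS = {("TCP", 443), ("TCP", 8081), ("TCP", 8082), ("UDP", 53)}

# Addresses treated as "inside": RFC 1918 ranges, loopback and the 0.0.0.0/8 net.
# Listed explicitly rather than via is_private so documentation ranges used in
# the sample (203.0.113.0/24, 198.51.100.0/24) count as outside peers.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "0.0.0.0/8")]


def _split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = _split_endpoint(parts[1])
        fhost, fport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def is_local(host):
    """True for private/loopback addresses and for non-address fields like '*'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in LOCAL_NETS)


def triage(rows, expected=EXPECTED_LISTENERS):
    """Split the table into the three things worth looking at first."""
    # TCP sockets in LISTENING plus every UDP socket (netstat shows no state for UDP).
    listeners = {(r["proto"], r["lport"]) for r in rows
                 if r["state"] == "LISTENING" or r["proto"] == "UDP"}
    external = [r for r in rows
                if r["state"] == "ESTABLISHED" and not is_local(r["fhost"])]
    return {
        # Open ports nobody put on the allowlist.
        "unexpected_listeners": sorted(listeners - set(expected)),
        # (remote host, remote port, local port) for every peer outside the LAN.
        "external_connections": [(r["fhost"], r["fport"], r["lport"]) for r in external],
        # Outside peers attached to a port that is not supposed to be open at all:
        # these are the addresses to feed to tracert/nslookup and the ISP report.
        "suspicious": [(r["fhost"], r["fport"], r["lport"]) for r in external
                       if (r["proto"], r["lport"]) not in expected],
        "remote_counts": Counter(r["fhost"] for r in external),
    }


if __name__ == "__main__":
    report = triage(parse_netstat(SAMPLE_NETSTAT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the script flags TCP 135, TCP 31337 and UDP 1900 as listeners that are not on the allowlist, and 198.51.100.7 as an outside peer attached to one of them; the connection from 203.0.113.45 to the rerouted site port 8081 is reported as external but not suspicious, since that port is expected. The point of keeping the allowlist short and explicit is that a new listener shows up as a one-line diff rather than being buried among the ports the ISP and the web sites legitimately use.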
 
I don't use BlackICE, but I do use netstat very well, and with all the ports being accessed it's hard to tell which ones the hackers are using, and they have to be using them right then, as well. I closed off nearly all ports in my firewall, and the more you close, it seems the faster they get in. I can't close off ports in the 2K Server TCP/IP utility, because my ISP uses quite a few different ports and they are always changing them. I also use trace route and nslookup to look up IPs identified by the firewall and/or the counter service on the website, which is down now. I'm having other problems. I got DHCP configured again (after putting it all back up), but now I can't get the IIS service to run. I've uninstalled and reinstalled it several times; no go. Can't restart it in Services if it AIN'T IN THERE! Thanks for your help.
whythisagain
 
Wow, man, Jesus, do you think someone was either running or trying to run a bogus website on your box? Man, I have seen this before. I got a weird website running on my box last year, and the site was all black with red letters saying:
F#ck USA Government
F#ck PoizonBox
Contact: sysadmin@yahoo.com.en
Now, it sounds like you are having some serious issues, and I am going to do the best I can to help you resolve it! If by chance I come across something helpful (which I hope I do), I will let you know ASAP. Anthony Cabanas (MCSE Win 2K)
Network admin / Infrastructure designer / Security consultant
Long Island Networking Technologies Inc acabanas@linettech.com
 
Hey, do you think it's a quick guess that someone has you locked down by MAC address on your NICs? I would change them! Quick fix and a cheap one! It's a long shot, but who knows! I am working on ideas for the IIS issue you are having!
Anthony Cabanas (MCSE Win 2K)
Network admin / Infrastructure designer / Security consultant
Long Island Networking Technologies Inc acabanas@linettech.com
 
You might have a good guess with the NICs. I can't configure anything in the BIOS, either. It freezes. Actually, I know of two (word beginning with "A", two syllables for part of the body) who got my IP and are into "messing with others", and especially me, according to info I've accumulated. I think this time they did serious damage. I am for the second time reinstalling 2K Server, as I could not get IIS to take, and when I tried to remove it and reinstall it, it froze the system. It didn't even show in Services at all. I've tried restarting it from the command prompt before with no luck. I was having quite a few problems with this install, so I started over. From my experience, 2K Server sometimes goes on great and sometimes it doesn't. It also might have been SP2 that caused problems. God knows: so much can mess up! Hopefully before Monday night I'll have a web server again. And I know what you mean about bogus sites using your server. Someone had a mail site running from my server last year. Shut it down several times; kept coming back. I believe the problem I have now is Trojan-related. Thanks for the input and have a good weekend. Tomorrow is Super Bowl Sunday, if you're interested. I didn't know, because I haven't had time to do anything but this stuff for a long time. Get some beer if you don't have any, any munchies and enjoy.
whythisagain
 
Raiders... Hey, I have heard of SP3 creating nightmares, but off to bed. Had a long night playing around with a Linux box. I am putting up a Linux router past a Linksys router, to a DMZ, then off to a Win2K router/DHCP/DNS server! Ah, the joys of new tricks for security!
It's a pain, but it might work!
Take care, Anthony Cabanas (MCSE Win 2K)
Network admin / Infrastructure designer / Security consultant
Long Island Networking Technologies Inc acabanas@linettech.com
 
Due to cost considerations, I am using a combination of BlackICE and Norton AV 2003. I have found BI to be very powerful and easy to configure due to the fact that you can block ranges of ports as well as individual ports and IPs. In combination with NAV, I have yet to experience any problems. As a side note, I have been using BI for about 4 years and have yet to be hacked on any machine that I have had it on. Just a suggestion.
 
I didn't think Norton AV worked on Server. I tried to get it last year, and it was only for 2K Pro. Will try again, and BlackICE as well. Thanks
whythisagain
 