2976 posts

Uber Geek


# 183725 27-Oct-2015 21:32

Hi All, hoping someone can shed some light on what I assumed would be a relatively easy task (but has so far proved anything but!).

I need to get some sort of logging of traffic/requests to a server we have set up. It just needs the IP address and time, nothing terribly fancy.

The server we've got set up is running on Amazon AWS in Sydney, an EC2 instance. Running on it is the server-side Java application for a uni project, a Tomcat server and a MySQL server. It's not a production server for a company or anything, so I'm not really concerned; it just obviously isn't great having random people trying to connect. We keep seeing login requests/attempts for the Tomcat server using root, tomcat, admin etc. as usernames, but it doesn't provide anything useful other than that.

Was hoping that if we could find the IPs trying to log in, I could add them to a rule in the Windows firewall and block them. My original idea was to do it via the EC2 console, but it has a default rule of block every port and IP, where you have to specify addresses/ports to allow. This wouldn't work as the 3 of us in our project team have dynamic IPs at home, so it would be really tricky to keep up with.

If there's another solution I'm missing I'd really appreciate it :)
This goes a little bit beyond what I was taught in my classes, so I'm kind of out of my depth but really want to learn. The only time we went into the firewall settings in class was to turn it off completely; that is not gonna happen, obviously.

Thanks in advance!
_Sam




2976 posts

Uber Geek


  # 1415158 28-Oct-2015 02:56

Whoah, what a night.

So, I figured out what I was doing wrong. I was setting up logging for traffic only on domain networks rather than public. And since it's not connected to a domain it wasn't generating any results. Problem solved!

Now for the juicy details about how I stuffed it all up :)

  • Left the server running and waited for a random to try to log in (figured it's automated because they did 20 attempts in the space of 4 seconds using just 3 usernames, none of which existed).
  • Checked the log, cross-referenced the timestamp and got their IP. RESULT!
  • Made a new firewall rule to block all traffic to that IP. Got super confident because I'd figured out my original problem and just skipped through the steps. Hit save, system locks up. Realised the second my mouse stopped moving that I'd never entered the IP address, and must have selected the wrong option and blocked ALL traffic on ANY port including RDP. Since this was hosted on AWS I didn't have access to the server physically, and locked my dumba$$ out.

For future reference, in case anyone is as dumb as I was (but highly likely tbh) or I repeat the same mistake tomorrow:

  1. Shut down instance 1 and detach root volume 1 (through the Management Console) or via the AWS CLI:
    1. http://docs.aws.amazon.com/cli/latest/userguide/installing.html
    2. Detach: http://docs.aws.amazon.com/cli/latest/reference/ec2/detach-volume.html?highlight=detach%20volume
    3. Attach: http://docs.aws.amazon.com/cli/latest/reference/ec2/attach-volume.html?highlight=attach%20volume
  2. Follow the instructions from here: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/troubleshooting-windows-instances.html#rdp-issues
    1. I found I had to disable the keys mentioned in the guide as well as "defaultoutboundrule" or something, which was set to 1 and wouldn't work until I changed it to 0.

Assuming everything went okay, once you reattach volume 1 to instance 1, everything should be good to go. Now go back to where we were before and set up the firewall rule properly!

Bachelor of Computing Systems (2015)

--

Late 2013 MacBook Pro with Retina Display (4GB/2.4GHz i5/128GB SSD) - HP DV6 (8GB/2.8GHz i7/120GB SSD + 750GB HDD)
iPhone 6S + (64GB/Gold/Vodafone NZ) - Xperia Z C6603 (16GB/White/Spark NZ)

Sam, Auckland
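The lockout above came from a block rule that was saved without a remote address, so it applied to every address on every port. The following is an added example (not code from the thread) that creates the same kind of inbound block rule only after checking the address; it assumes Windows Server 2012 or later (the NetSecurity cmdlets), an elevated PowerShell session, and a constructed address from the 203.0.113.0/24 documentation range.

```powershell
# Added example, not from the thread. Creates an inbound block rule for ONE
# remote address, refusing the two ways this can turn into "block everything":
# an empty/invalid address, or the address your own RDP session comes from.
function Add-SafeBlockRule {
    param(
        [Parameter(Mandatory)][string]$RemoteIp,
        [string]$RuleName = "Block scanner $RemoteIp"
    )
    # 1. The address must parse as IPv4/IPv6: blanks or "Any" never get through.
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($RemoteIp, [ref]$parsed)) {
        throw "Refusing to create rule: '$RemoteIp' is not a valid IP address."
    }
    $ip = $parsed.ToString()
    # 2. Never block the peer of an established RDP (3389) session, i.e. yourself.
    $rdpPeers = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty RemoteAddress
    if ($rdpPeers -contains $ip) {
        throw "Refusing to block ${ip}: an RDP session is currently open from it."
    }
    # 3. Scope the rule to that single address on ALL profiles; the server in the
    #    thread is not domain-joined, so a Domain-only rule would never match.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $ip -Profile Any -Enabled True | Out-Null
    # 4. Read the rule back and verify the address filter is what we intended;
    #    if it somehow ended up as "Any", remove it again immediately.
    $filter = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
    if ($filter.RemoteAddress -eq 'Any') {
        Remove-NetFirewallRule -DisplayName $RuleName
        throw "Rule '$RuleName' would have applied to every address; removed it."
    }
    return $filter.RemoteAddress
}

# Constructed sample address (TEST-NET-3); returns the address the rule applies to.
Add-SafeBlockRule -RemoteIp '203.0.113.45'
```

Running `Add-SafeBlockRule -RemoteIp ''` throws at step 1 instead of producing a rule, which is the failure the post describes.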


8035 posts

Uber Geek

Trusted

  # 1417062 30-Oct-2015 14:54

Generally on Linux servers you'd use fail2ban, and on Windows servers there are various commercial options (rdpguard, syspeace).

However, this free/open source project looks like it will do what you want: https://github.com/jjxtra/Windows-IP-Ban-Service, but you'd have to extend it to read Tomcat logs probably.
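The tools mentioned above work by reading a log and banning sources that exceed a threshold. As an added example (not code from the thread or from the project linked above), here is that detection step over the Windows Firewall log the original poster used, which on a default install lives at %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log in W3C format; the log lines are constructed sample data, and the port, threshold and window are assumptions you would tune.

```powershell
# Added example, not from the thread. Finds sources that hit the Tomcat port
# in a burst (the "20 attempts in 4 seconds" pattern) in a W3C-format
# Windows Firewall log. Note the default log records only dropped packets;
# enable "Log successful connections" on the Public profile to get ALLOW lines.
function Find-BurstySources {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$TargetPort = 8080,   # Tomcat's HTTP port (assumed)
        [int]$Threshold  = 10,     # this many connections ...
        [int]$WindowSec  = 5       # ... inside this many seconds flags a source
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $events = foreach ($line in $LogLines) {
        if ($line -match '^#' -or -not $line.Trim()) { continue }  # header/blank
        # Fields: date time action protocol src-ip dst-ip src-port dst-port ...
        $f = $line -split '\s+'
        if ($f[3] -ne 'TCP' -or [int]$f[7] -ne $TargetPort) { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $times = @($group.Group.Time | Sort-Object)
        # Sliding window: the Threshold-th hit after hit $i must fall within WindowSec.
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalSeconds -le $WindowSec) {
                [pscustomobject]@{ Src = $group.Name; Hits = $times.Count
                                   First = $times[0]; Last = $times[-1] }
                break   # report each source once
            }
        }
    }
}

# Constructed sample: 20 connections from one address inside 4 seconds, plus two
# ordinary connections from another address that must NOT be reported.
$header = '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
$burst  = 0..19 | ForEach-Object {
    '2015-10-28 02:41:{0:D2} ALLOW TCP 203.0.113.45 10.0.1.12 {1} 8080 0 - 0 0 0 - - - RECEIVE' -f (10 + [int][math]::Floor($_ / 5)), (51000 + $_)
}
$legit  = '2015-10-28 02:30:05 ALLOW TCP 198.51.100.7 10.0.1.12 49152 8080 0 - 0 0 0 - - - RECEIVE',
          '2015-10-28 02:55:41 ALLOW TCP 198.51.100.7 10.0.1.12 49180 8080 0 - 0 0 0 - - - RECEIVE'
Find-BurstySources -LogLines (@($header) + $burst + $legit) | Format-Table -AutoSize
```

On the sample data only 203.0.113.45 is reported; against the real file, replace the constructed lines with `Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log`.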

2976 posts

Uber Geek


  # 1417088 30-Oct-2015 15:24

Thanks for that, had a look around it and it seems like a good solution.

Had another bunch of these attempts yesterday and today, sat down and gave the firewall another go and got it working as I tried before (but this time I didn't block myself :P ). So far it's only been 1 IP, and they keep trying, but all the logs I can see show the connection was dropped properly, which is great.

Thanks for the suggestion tho!

Sam, Auckland 


956 posts

Ultimate Geek
Inactive user


  # 1417092 30-Oct-2015 15:32

You're probably fighting a losing battle for minimal gain.

These will just be automated bots trying to find vulnerabilities before being exploited.

The best way is to just use a tool like Ragnor has already suggested.
