What if you no longer had to worry about RDP and MSSQL attacks? What if you could avoid walking your customers through the process of a virtual private network connection? It would make the job of managing and leasing servers simpler and safer.
After enduring years of Windows machines constantly under attack, there is now a very satisfying solution called IPMuncher from Advanced Intellect, an experienced Microsoft solution provider. The reason this application had to be developed is that, amazingly, Microsoft has never provided the solution themselves. They have upgraded the server firewall with each generation and it is a good product; however, it does not have the capability to automatically add firewall rules when the server is under attack. That can only be done manually by the server administrator, which is not at all a practical solution. This is where IPMuncher fills a gaping hole in the design of the Windows firewall: it adds the intelligence to your servers to create the needed firewall rules without any intervention. In addition, IPMuncher can block comment spam, or even be used with other third-party tools that generate text files or Windows log files containing IP addresses that you want blocked. I suspect the RDP and MSSQL blocking will be the most popular use, and it comes with default rules to handle this need.
It is entirely possible to download, install and protect any given server in just a few minutes; it is just that easy and simple. I just went to IPMuncher.com and clicked on the download button. The program comes with a 21-day free license. I created a folder off the root of the drive at c:/ipmuncher/. Then I extracted the .zip file to that folder and simply double-clicked on “ipmuncher.exe”. Nothing could be easier.
IPMuncher installs as a service and has a compact GUI that enables the server administrator to change the default rules for adding a firewall filter. You could install it and forget it, knowing IPMuncher is on the job, but you will most likely want to configure the email notification and reporting. You may also, depending on how frequently your server is attacked, change the default setting for how long a firewall rule will remain in place.
There is not really a right or wrong value; it is simply that the longer you block an IP, the more rules will build up in your firewall. If you find your list of firewall rules is growing to an ungainly length, you can simply shorten the time the rules will be in place. By default they will be on the job for a day before being removed, which is a good place to start, and you may never feel the need to change it. IPMuncher flawlessly adds and removes each firewall rule. Once you complete your custom configuration, you can just forget about it and let IPMuncher protect your server.
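The add-a-rule-on-attack, remove-it-a-day-later cycle described above, as an added PowerShell example that is not IPMuncher's code: it counts failed logons (Security event 4625) per source address over a short window, blocks sources that exceed a threshold, and removes blocks once their expiry has passed. The rule-name prefix, threshold and window are assumptions; it also assumes logon-failure auditing is enabled so that 4625 carries the source IP.

```powershell
# Added example (not IPMuncher's code): temporary auto-block of brute-force sources.
# Assumes Security auditing logs event 4625 with the remote IpAddress field filled.
$Prefix     = 'AutoBlock-'   # constructed rule-name prefix
$Threshold  = 10             # failures in the window before a source is blocked
$WindowMin  = 10             # minutes of Security log to examine per pass
$BlockHours = 24             # the review's default: a rule lives for one day

function Get-FailedLogonSources {
    $since  = (Get-Date).AddMinutes(-$WindowMin)
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
                           -ErrorAction SilentlyContinue
    $counts = @{}
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        # '-' and loopback mean a local/console failure, not a remote source
        if ($ip -and $ip -notin @('-', '::1', '127.0.0.1')) {
            $counts[$ip] = 1 + [int]$counts[$ip]
        }
    }
    return $counts
}

function Add-TemporaryBlock([string]$Ip) {
    $name = "$Prefix$Ip"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    $expires = (Get-Date).AddHours($BlockHours).ToString('o')   # expiry kept in the rule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
        -RemoteAddress $Ip -Profile Any -Description "expires=$expires" | Out-Null
}

function Remove-ExpiredBlocks {
    $now = Get-Date
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Description -match '^expires=(.+)$' -and [datetime]::Parse($Matches[1]) -lt $now) {
            Remove-NetFirewallRule -Name $_.Name
        }
    }
}

# One pass; run this script from Task Scheduler every few minutes as an administrator.
Remove-ExpiredBlocks
$sources = Get-FailedLogonSources
foreach ($entry in $sources.GetEnumerator()) {
    if ($entry.Value -ge $Threshold) { Add-TemporaryBlock -Ip $entry.Key }
}
```

Inspect the result with `Get-NetFirewallRule -DisplayName 'AutoBlock-*'`; each rule's Description shows when it will be removed.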
MSSQL Database Protection
IPMuncher came to the rescue again for one of our MSSQL 2008 servers. We installed it on a small database server that currently has about 25 databases. It is not a large database machine, but it frequently gets attacked via RDP (Remote Desktop Protocol) and MSSQL several times per second, which can easily add up to thousands of brute force dictionary attacks each day.
Some organizations may wisely have their MSSQL database exposed to their application servers but not to the Internet. This is a luxury that hosting companies cannot always take advantage of. In a perfect world, developers who want to connect directly to the database server with Management Studio or another favorite SQL tool can do so without the complications of a VPN connection or some other password-driven firewall configuration.
For MSSQL, this intrusion detector goes a long way to keeping out those pesky attempts to login to the “sa” account. Every MSSQL server administrator that has a database server exposed on the Internet knows how brute force attacks on the database are relentless. This program offers a very affordable and elegant solution to these attacks.
After just a few hours of use, go into your firewall and look at the “Inbound Rules.” You will see the difference this program can make. In the case of this database server, there were about two dozen new firewall rules, each set to last for one day.
RDP protection alone makes the program worth every penny. Of course you want to do the obvious and use a unique username, not just leave it as the default “Administrator.” Assuming that you created a strong password, the issue is not that you believe someone will break into the server; it is rather the irritation of having your machines spend any resources responding to stupid brute force attempts to access the desktop. Even if you are not protecting SmarterMail and database servers, every Windows server typically gets hit with thousands of login attempts each week. Remote Desktop Protocol is required in most situations, and IPMuncher does an excellent job of stopping the attacking IPs from hammering on your machines. RDP attacks can reach a point where your server might reboot because of memory exhaustion, or respond a little slower to your own administrative chores. While you can change the MSSQL and RDP ports to non-standard ports or require a VPN, none of these solutions is as easy as installing IPMuncher, and we like simple and easy solutions whenever possible.
IP Address Lists
This is one of the features that allows you to enhance the protection your machine will gain from IPMuncher. Because IPs are allocated by country, it is possible to block entire countries, and this can be very useful. Currently IPMuncher comes populated with a number of IP ranges for some of the larger and more abusive countries such as China, Russia, Korea, etc. When IPMuncher searches a blacklist you have enabled and finds a match, it will block that attacking IP right away. It also lets you add your own ranges to one or more blacklists, which is a very nice feature that we take advantage of at SecureWebs. If you are curious which of the five regional IP authorities a country belongs to, ARIN has a complete list.
Most of us will let IPMuncher do the blocking, but in addition you can manually add your own custom rules to the Windows firewall that are permanent and will dramatically lower your server's profile to select parts of the world. Even if you have never added a custom firewall rule, you can take a look at a rule that IPMuncher has added as an example. If you allowed only ARIN IPs to contact your server, for example, you would be reducing your server's exposure by over 2.5 billion IPs. Most of the attacks on our Washington State network come from RIPE and APNIC, not from ARIN IPs. Here is the breakdown of IPs in use by region.
ARIN 1,700,059,392 (Canada, US, Caribbean and North Atlantic islands)
AFRINIC 850,612,480 (Africa, portions of the Indian Ocean)
APNIC 850,612,480 (Portions of Asia, portions of Oceania)
RIPE 764,735,576 (Europe, the Middle East, Central Asia)
LACNIC 164,664,576 (Latin America, portions of the Caribbean)
In our experience most server attacks come from two large overseas regional holders of IPv4 space, which are RIPE and APNIC. These two regions include Asia, Australia, New Zealand, the United Kingdom and Europe. If you choose not to expose your server to this part of the world, you could create about 20 rules that would block almost all of APNIC and RIPE, or perhaps thirty or more rules for all things not North American. This is not normally an option for mail and web servers, but it certainly is for an MSSQL server. Remember, if you permanently block a dedicated database server based on a custom rule that defines a range of IPs, it does not mean a website that uses a database on that server will not be accessible around the globe. Databases are therefore less problematic to secure than web servers and mail servers, because the only question you are asking is who should have access to that database machine. In the hosting business, if your customer base is confined to, for example, North America, then you can block everyone else. What makes this a simple proposition for SecureWebs is that all of our dedicated house servers just do one thing, be it web server hosting, database hosting or email services. So, for example, until we rent a database to someone in Africa, the server will not be available for connection from that area of the globe. IPMuncher will be on duty to make sure IPs from North America are not allowed to hammer on the server. Again, this strategy would require that you manually add ranges to a custom firewall filter.
If you are not sure where the clients are located, you can just leave it up to IPMuncher to take care of it for you. Or you can add to the IPMuncher blacklist so that at the first instance of abuse the IP in question is blocked. You can get an idea of the speed of the application by restarting the service. It is extremely fast to restart and takes only about one second. There is no detectable impact on server performance, which I have to assume means the code is “tight”. I have no expertise in coding, but a lifetime of installing and running software, so I tend to notice code bloat, and this application is only going to speed up your machines, not slow them down.
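The permanent "allow only these regions to reach the database server" rule set described above, as an added PowerShell example that is not IPMuncher's code and generalises the "allow only ARIN IPs" idea to any list of ranges. The ranges below are constructed placeholders (RFC 5737 documentation networks), to be replaced with the ranges published by the registries you want to admit; the rule name is an assumption.

```powershell
# Added example (not IPMuncher's code): restrict inbound MSSQL (TCP 1433) to an
# allowlist of address ranges. The ranges are CONSTRUCTED placeholders; substitute
# the current allocations published by the RIRs whose clients you serve.
$AllowedRanges = @('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24')
$Port = 1433

function Set-PortAllowlist([int]$LocalPort, [string[]]$Ranges) {
    # Windows Firewall evaluates explicit Block rules before Allow rules, so an
    # allowlist cannot be built by adding a "block everyone" rule next to the allow.
    # Instead, everything not matched by an Allow rule must fall through to the
    # profile's default inbound action, which this makes Block on all profiles.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # Disable any existing unrestricted Allow rules for this port (for example one
    # created during SQL Server setup); otherwise they would still admit anyone.
    # Rules whose LocalPort is 'Any' or a port range are not touched here.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$LocalPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule

    # (Re)create the single Allow rule scoped to the permitted ranges.
    $name = "Allowlist-TCP-$LocalPort"   # constructed rule name
    Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $LocalPort -RemoteAddress $Ranges -Profile Any |
        Out-Null
}

Set-PortAllowlist -LocalPort $Port -Ranges $AllowedRanges

# Verify which remote addresses the rule now admits.
Get-NetFirewallRule -DisplayName "Allowlist-TCP-$Port" | Get-NetFirewallAddressFilter
```

Run the same function with port 3389 to apply the identical policy to RDP; a source outside the listed ranges is then dropped before it can attempt a logon.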
IPMuncher is a nimble program that will become a favorite of server administrators who have the responsibility to monitor MSSQL database machines, SmarterMail and RDP from Windows Server 2008 and newer. For anyone who has been concerned with hundreds of Windows event viewer notices of attacks, this is an affordable solution that works very well and fills a niche in protecting servers and the network they are hosted on.