I’ve set up a logging system at my place to capture log files from various sources. One source of particular interest is of course my firewall: it is by far the most log-heavy machine here, and getting a clear picture of who is trying to hack what gives me some more strategies to defend myself online.
Graylog is an open-source tool that excels at collecting log files in one place and analysing them. It works with Elasticsearch, allows for live analysis and can notify you when weird things happen.
The first step was to set up this beast, which is quite complicated to get running. I’m using TLS termination on my front-end proxy here, which complicates the setup a bit. I’m also running dual-stack IPv4 and IPv6. After some searching and some tinkering I got it up and running.
I started to gather firewall logs and put an alert on a threshold of X blocked packets per minute. The next day I went out to eat with a couple of friends at a restaurant and I heard my phone say “beep”… a message from Graylog had arrived telling me that someone was attempting a brute-force RDP attack. Nice! We got our first hacker in less than a day 🙂
Still, a lot of dropped packets in a short time is not really a good measure of how big this problem really is. So I decided to go a step further and created some input extractors. In the meantime I connected more servers to Graylog, which was gathering more and more data.
The extractor I created allowed me to see how popular certain ports are. Telnet (surprise!) is still number 1 up to now, apparently because it is so darn easy to exploit using brute-force password attacks. I am seriously thinking about putting a honeypot on one of my IP addresses 🙂 Other popular ones are MS-SQL Server, SMB, RDP and SSH.
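The two things described above, the “X dropped packets per minute” alert and the extractor that counts which destination ports get hit, are simple enough to show end to end. The following is an added example, not code from this post or from Graylog: a small Python script that parses firewall DROP lines in the style of netfilter/iptables kernel logging (the sample lines are constructed for this example and use RFC 5737 documentation addresses, not real hosts), counts drops per minute and per service, and reports the minutes that cross a threshold. A Graylog extractor does the field-splitting part with a regex in much the same way; the aggregation and alert are what the stream rule and alert condition do for you.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed sample log (hypothetical): netfilter-style lines as a firewall
# would ship them to syslog. One ACCEPT and one ICMP line are included so the
# parser is exercised on lines that must be ignored or that carry no DPT.
SAMPLE_LOG = """\
Apr 12 10:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=23
Apr 12 10:01:07 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=23
Apr 12 10:01:09 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=3389
Apr 12 10:01:31 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=3389
Apr 12 10:01:44 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=3389
Apr 12 10:02:03 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=1433
Apr 12 10:02:15 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=33001 DPT=445
Apr 12 10:02:20 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.7 PROTO=ICMP TYPE=8
Apr 12 10:02:50 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=5555 DPT=22
Apr 12 10:03:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51236 DPT=23
"""

# Well-known ports for the services the post names; anything else is shown as "port N".
SERVICE_NAMES = {23: "Telnet", 1433: "MS-SQL", 445: "SMB", 3389: "RDP", 22: "SSH"}

# Timestamp (to the minute), host, verdict, then the KEY=VALUE tail.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):\d{2} "
    r"\S+ kernel: (?P<action>\w+) (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one firewall log line into fields; None for lines that are not firewall lines."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unrelated syslog line: skip it rather than crash the pipeline
    fields = dict(FIELD_RE.findall(m.group("fields")))
    dpt = fields.get("DPT")  # absent for ICMP and other port-less protocols
    return {
        "minute": f'{m.group("month")} {m.group("day")} {m.group("hh")}:{m.group("mm")}',
        "action": m.group("action"),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": int(dpt) if dpt is not None else None,
    }


def dropped(lines: Iterable[str]):
    """Yield only the parsed DROP records; ACCEPT and unparseable lines are ignored."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            yield rec


def port_popularity(lines: Iterable[str]) -> list:
    """Service name -> number of dropped packets, most popular first (the 'extractor' view)."""
    counts = Counter(
        SERVICE_NAMES.get(r["dpt"], f'port {r["dpt"]}')
        for r in dropped(lines)
        if r["dpt"] is not None
    )
    return counts.most_common()


def drops_per_minute(lines: Iterable[str]) -> dict:
    """Minute label -> number of dropped packets in that minute."""
    return dict(Counter(r["minute"] for r in dropped(lines)))


def alert_minutes(lines: Iterable[str], threshold: int) -> list:
    """Minutes whose DROP count reaches the threshold: the same idea as the Graylog alert."""
    return sorted(m for m, n in drops_per_minute(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for service, n in port_popularity(lines):
        print(f"{service:8} {n}")
    for minute in alert_minutes(lines, threshold=4):
        print(f"ALERT: {drops_per_minute(lines)[minute]} drops in minute {minute}")
```

Two details are worth copying into whatever extractor you build for real: ACCEPT lines are filtered out before counting, so a busy legitimate service does not trigger the alert, and a line without a destination port (ICMP here) still counts towards the per-minute total but is left out of the per-port ranking instead of raising an exception.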
I have a couple of servers which are reachable via SSH, 3 of them in fact. One of them is reachable via ssh.my.tld, so that’s a pretty obvious target. Those servers only allow connections using keys, not passwords. But that doesn’t stop hackers from trying. You get to see the funniest names when they try to connect: human names which look predominantly of Russian origin (eugenia, talita (could also be Spanish), freyna, etc.) or names like “tomcat” and “minecraft”. Kind of weird to think those kinds of usernames could actually work!
All in all I’m not surprised. My network is safe and I’m working every day to make it safer. Tools like this don’t prevent others from getting in, but they do let you analyse IF, and if so, WHEN and HOW a breach occurred. Obviously I’m not going to invite hackers in and say “bring it on”, because the question is not whether they are going to be able to hack their way in, but when that is eventually going to happen.
If you don’t have a good logging solution in place and you are running your own servers, it is time to invest in doing just that. Make sure you install your updates, keep that firewall on, make backups and safeguard your log files.