Monday, May 19, 2008

'taint Lorraine, 'taint Lisa

nor is it Beatrice!

I really try and avoid the role of 'system administrator' at work. It's not my field though the boss stubbornly refuses to believe it. He sees a software developer, ergo he sees a computer expert and all computer experts are expert at everything about computers, right? Uh huh.

Nonetheless, as the only 'computer expert' at work, I'm called upon to do many admin tasks. Thankfully I've managed to keep it simple though I will never understand why the guy who set our network up decided to call the fileshare 'data-drum_2003' (not the real name but syntactically indentical). Since it's the only fileshare everyone uses why not simply call it 'data'? Likewise with the single shared printer in the office. Why not call it 'printer1', thus allowing for the possibility of a second or perhaps even a third printer? But nope, he decided to call it 'KyoceraM'. From which you could guess that it's a Kyocera printer. Well and good but there's a reason Windows allows arbitrary names. And the reason isn't to be obscure!

As I say, I try to keep it simple. I could change the share name or the printer name but then I'd have to update everyones computers. And users being users I could email them about the change with complete confidence that I was wasting my time and theirs. So we live with it.

Recently, as I wrote[^] a couple of weeks ago, I had to change our source code server. That server also happened to be our FTP server. Fortunately we don't have a lot of FTP activity going on and it was, frankly, far more important to me that I get our source code and history migrated than to get FTP services going again.

Having finally got the new subversion server set up and convinced myself that all the old sourcesafe history was still, well, safe, it was time to put the new machine on the public side of the network. Fortunately it's a Windows 2003 server machine with all the latest patches applied and it seems to be pretty well secured. Now go read the second paragraph of this entry. I'm NOT a network administrator (some would say I'm not a network administrators arsehole and they'd be right) but I've done what I know. I've run port scans against the public internet address and the only ports it finds open are the ports I expect (FTP, HTTPS and Remote Desktop).

I'm sure you've heard anecdotally what happens to a new machine exposed on the internet. One of the stats I've seen (whether I believe it is another matter) is that an unpatched Windows XP SP1 machine is supposedly completely compromised within 20 minutes of first exposure. Considering that it takes at least an hour, even on broadband, to download and install all the patches, you can see the problem. Thus daily malware, trojan horse, virus and rootkit scans on my new server.

On the inside I check the logs daily (though how long I'll do that is another matter). So far the only log showing any activity is the FTP log. Fascinating stuff. There's one persistent bastard, based in Japan going by the whois results on his IP, who's been trying for about 2 days to break in. His attempts are neither regular or fast enough to indicate a software based attack; he seems to be sitting at his computer typing password after password. Poor bastard will never succeed until he realises that I've renamed the system admin account AND the FTP user name list does not include Administrator. I reckon he must have a dictionary of western girls names because that's what he's been trying.

USER Administrator
PASS Lorraine
530 Login or password incorrect!
Disconnected

USER Administrator
PASS Lisa
530 Login or password incorrect!
Disconnected


I almost feel sorry for the poor bastard. But only almost; I've turned on autoban - 10 failed attempts and the IP is ignored for an hour. We shall see if he returns.

1 comment:

Vadim Tabakman on MS said...

Hey Rob,
Vadim here. Still remember me? Back from the good old days of CF.

It's good to see your are still geeking it up. You were always good the computer. I'm doing the same, but atleast I'm really trying hard to stay clear of admin.

Anyway, send me an email (jubprawn@hotmail.com). It's been too long buddy.

cheers,
Vadim