WWW.Smythies.com Security Notes: 2002:10:08 Updated 2010.01.23
This site is intended to be safe for all, particularly children [actually, my children are grown up now, but I still want a safe site]. Please notify me, and whomever else you might deem appropriate, immediately of any objectionable material so that the site can be shut down and checked for a security breach.
I do watch all of my security-related logs closely. In the last few years hacker-related traffic has decreased dramatically.
I have been logging unsolicited internet probes, searches, scans, and hacking attempts since my emergency amateur radio interconnect router at hera.rfnet.sfu.ca was hacked into at 7:00 A.M. January 9th 1999 (local time). Internet activity that I place in the "suspicious" category was increasing exponentially for several years thereafter (I don't know if at a greater or lesser rate than internet use overall). Even experts in the field of internet security have expressed their concern as to the complexity of the issues. The experts do suggest that one keep the details of a site (i.e. which operating system, web server, host computer, ...) secret, because that knowledge just helps the hackers. However, I prefer to make my network configuration as public as possible. Maybe, and hopefully, someone can learn something.
I do have only port 80 (www) and the SSH (secure shell) port open. Telnet, FTP, and all those are normally closed (I do enable FTP sometimes). Currently, the IP address is not shared, i.e. there is no LAN on the other side of 209.121.28.192. However, the firewall is enabled and is filtering IP addresses. In particular, secure shell password attacks are identified and the source IP address is blocked in real time. By far, most of the traffic on www.smythies.com is web crawler (robot) related.
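The "identify SSH password attacks and block the source in real time" step above is the one piece of this setup worth showing in code. What follows is an added example, not code from this site or its author: it parses standard sshd "Failed password" lines from a syslog-style auth log, counts failures per source address inside a sliding time window, and emits the drop rule an operator would hand to the firewall once a source crosses the threshold. The log lines, the hostname "host", the threshold of 5 failures in 10 minutes, and the use of iptables for the block are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the classic sshd authentication failure line as written by syslog.
# Classic syslog timestamps carry no year, so the caller supplies one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_failure(line, year=2010):
    """Return (timestamp, source_ip, username) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_brute_force_sources(lines, threshold=5, window=timedelta(minutes=10), year=2010):
    """Sliding-window detector: return {ip: time_of_block} for every source
    that produced `threshold` or more failures within `window`.

    A source is blocked at the moment its threshold-th recent failure arrives,
    which is what "blocked in real time" means when this runs as a log tailer.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue                # accepted logins and unrelated lines are ignored
        ts, ip, _user = parsed
        if ip in blocked:
            continue                # already handled; firewall now drops this source
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # forget failures that have aged out of the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def iptables_rule(ip):
    """Drop rule for one source address (assumes an iptables-based firewall)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


# Constructed sample auth log: one address hammering the server with six
# failures in ten seconds, and one legitimate user who mistyped twice.
SAMPLE_LOG = [
    "Jan 23 06:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2",
    "Jan 23 06:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 40215 ssh2",
    "Jan 23 06:00:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40220 ssh2",
    "Jan 23 06:00:07 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 40231 ssh2",
    "Jan 23 06:00:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 40240 ssh2",
    "Jan 23 06:00:11 host sshd[1206]: Failed password for root from 203.0.113.5 port 40244 ssh2",
    "Jan 23 06:02:30 host sshd[1210]: Failed password for doug from 198.51.100.7 port 51000 ssh2",
    "Jan 23 06:02:45 host sshd[1211]: Accepted password for doug from 198.51.100.7 port 51001 ssh2",
    "Jan 23 06:30:00 host sshd[1300]: Failed password for doug from 198.51.100.7 port 51100 ssh2",
]

if __name__ == "__main__":
    for ip, when in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{when.isoformat()}  {iptables_rule(ip)}")
```

Run against the sample, only 203.0.113.5 is blocked, at its fifth failure (06:00:09); the legitimate user's two failures are 28 minutes apart and never reach the threshold. The sliding window is what keeps a real user who occasionally mistypes a password from being locked out, while a dictionary attack that fires many attempts a second is caught within seconds of starting.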
Every packet to/from this site is temporarily logged. Log files obtained during what later turns out to have been a security related event might be saved indefinitely.
On September 13th 2002, this site was penetrated by the Apache/mod-ssl worm. A vicious denial of service attack resulted. It was a matter of hours before I discovered it and disconnected the machine. I had to keep the server offline for several days due to saturation of my ADSL internet link with UDP packets on port 2002. Even with my firewall set to disable all port 2002 traffic both to and from smythies.com, my site was saturated with IP packets for port 2002. In the 5 hours that the bugtraq.c program was running on my server, smythies.com had probed 283,648 other sites for the Apache/mod-ssl worm (also known as the "Linux Slapper worm") (see CERT advisory: http://www.cert.org/advisories/CA-2002-27.html ) (see Red Hat: http://www.redhat.com/support/alerts/linux_slapper_worm.html ). If you are one of the sites my server probed, then sorry. Every hour, much less probing was done as traffic increased for the Distributed Denial of Service attack on port 2002. By the end of the 5 hours, when I accidentally discovered that the system had been compromised, there was almost no outgoing probing traffic. On September 13th, and a full day before the first notice of this worm was posted on CERT, I notified my ISP (Internet Service Provider) that I had an ongoing active DOS (Denial Of Service) attack against smythies.com. After about a week the rate of UDP port 22 packets to smythies.com was down to about 5 packets per minute.