FAO Pete

Mar 14, 2005
368
Hi,

We have several servers behind a load balancer. The main site is Netscape on Unix but we are increasingly using IIS.

Our fraud department has always had problems identifying machine IDs of people hitting us. We drop cookies on them but it doesn't take much for the dodgy people to delete them.

We do have a DOM-walking JavaScript that gets run at each page; could we use that?
 
Jul 12, 2005
1,896
Both IIS and Linux/UNIX have the ability to log every connection and what they try to do.

Sample to follow:

Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0

2004-12-09 17:55:17 10.0.0.254 GET /exchweb/img/pg-prev.gif - 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0

2004-12-09 17:55:17 10.0.0.254 GET /exchweb/img/pg-next.gif - 80 - 10.0.0.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322) 200 0 0

2004-12-09 17:55:19 10.0.0.254 GET /exchweb/img/pg-last.gif - 80 - 10.0.0.1

This is Date - Time - server IP - command used and on what - and the originator IP address.

This is true for all web servers I have seen. Once you have the address you can tell the server to block that IP address. In IIS this is under security on the properties of the server.

Better still, create a rule on the firewall to block the IP and log it there.

Steve
 
Jul 12, 2005
1,896
Here is the log from my own server showing Yahoo trying to index my server for its search engine.

................................................................

#Software: Microsoft Internet Information Services 6.0

#Version: 1.0

#Date: 2005-02-01 06:34:24

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status

2005-02-01 06:34:24 10.0.0.253 GET /robots.txt - 80 - 66.196.90.211 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) 404 0 2

2005-02-01 06:34:28 10.0.0.253 GET /Lists/caravan/MyItems.aspx - 80 - 66.196.90.251 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) 404 0 0

........................................................
 
Mar 14, 2005
368
The problem with that is the IP addresses returned are not always the machine. This can be innocently masked by NATting.

You can also easily spoof the IP address.

The only way we can get a handle on the machine being used is by a long term cookie.

We do use the web server logs coupled with the results of the DOM walking but we can't catch IP, it's been baffling us for a couple of years now.

Thanks for your help.
 
Jul 12, 2005
1,896
Pete

Do a reverse lookup on the IP address. Then send a complaint and the log to the ISP.

If it is in the private range of 192, or 10 or 172 then your people should have blocked that from external anyway.

What I have done for customers is to script the log file and do an instant block on the IP for 1 min via the IIS IP blocking capability. What this does is switch off the attack and then re-enable it for valid users.

The only other choice is to front-end the IIS servers in a DMZ and put all the processing inside the firewall. That way you can control what commands can be run and when. Even if someone tried to hack, they are doing it at the wrong place.

Steve
 
Mar 14, 2005
368
It's not the hackers we're after; we have a security team keeping tabs on them. We do have a DMZ with two sets of FWs at the front, one set behind, and all the computers in the private net zoned off with even more FWs. Even then, all PCs have personal FWs running.

What we're trying to catch is the identity thieves, so we want to watch for different account logons from the same PC. We don't want to punish them (yet); we want to gather evidence.
 
Mar 14, 2005
368
Yes, we have the account name, date and all the actions they took. We even know the screen size and how long they take to look at each page (amongst many other things).
 
Jul 12, 2005
1,896
OK, looks like you have covered all the bases.

Only 3 suggestions come to mind.

1. Use SSL client/server certificates.

2. Run a script against both logs looking for IP addresses that access more than one account and write it to a second log to look at later.

3. And this is probably the best, but also a costly one. Write a front end to the application that the user has to load to access it. I use one like this to check illegal files on game players' machines while playing MOHAA. Now, in the code for this, collect the MAC address of the posting machine and send this to the application server. This will identify the same machine every time.

Unfortunately, MACs cannot be accessed over the net unless you do it at the PC, as switches, routers etc. will only see the ARP call.
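Suggestion 2 above, as an added example that is not part of the thread: a small Python script that parses IIS 6 W3C extended logs using the #Fields directive (the same format as the log snippets earlier in the thread) and lists client IPs that have logged on to more than one account within a time window. The log text below is constructed for the example; the account is assumed to be in the cs-username column, which would be empty ("-") for anonymous hits or when the application keeps the logon in its own log instead. As Pete notes, a shared IP behind NAT will also trip this, so the output is an evidence lead to review, not proof of one machine.

```python
"""Correlate IIS 6 W3C extended log lines: report client IPs that used more
than one account (suggestion 2 in the thread).  Added example with a
constructed sample log, not code or data from any poster's server."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same W3C layout as the snippets in the thread.
# Assumption: the logged-on account appears in cs-username.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-02-01 06:34:24
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-02-01 06:34:24 10.0.0.253 GET /account/summary.aspx - 80 alice 203.0.113.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-02-01 06:40:01 10.0.0.253 GET /account/summary.aspx - 80 bob 203.0.113.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-02-01 06:41:15 10.0.0.253 GET /account/summary.aspx - 80 carol 203.0.113.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-02-01 07:02:33 10.0.0.253 GET /account/summary.aspx - 80 dave 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2005-02-01 07:05:10 10.0.0.253 GET /robots.txt - 80 - 198.51.100.9 Mozilla/5.0+(compatible;+Yahoo!+Slurp) 404 0 2
2005-02-01 18:30:00 10.0.0.253 GET /account/summary.aspx - 80 dave 203.0.113.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per log entry, using the #Fields directive for the
    column names.  W3C log fields are space-separated and never quoted (IIS
    replaces spaces inside a value with '+'), so a plain split is correct."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated lines rather than misalign columns
        yield dict(zip(fields, values))


def shared_ip_accounts(text, window=timedelta(hours=1), min_accounts=2):
    """Return {c-ip: sorted list of every account seen from that IP} for each
    IP that used at least `min_accounts` distinct accounts within any span of
    length `window`.  Anonymous hits (cs-username '-') are ignored."""
    by_ip = defaultdict(list)
    for entry in parse_w3c(text):
        user = entry.get("cs-username", "-")
        if user == "-":
            continue
        ts = datetime.strptime(entry["date"] + " " + entry["time"],
                               "%Y-%m-%d %H:%M:%S")
        by_ip[entry["c-ip"]].append((ts, user))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {u for t, u in events[i:] if t - start <= window}
            if len(in_window) >= min_accounts:
                hits[ip] = sorted({u for _, u in events})
                break
    return hits


if __name__ == "__main__":
    # Write the hits out as a second log for later review, as suggested.
    for ip, accounts in shared_ip_accounts(SAMPLE_LOG).items():
        print(f"{ip} {' '.join(accounts)}")
```

On the constructed data this reports 203.0.113.10 with alice, bob, carol and dave (three accounts inside one hour, a fourth later the same day); 198.51.100.7 is seen with a single account and the Yahoo crawler line has no account, so neither is reported. The window and threshold are parameters so the same script can be tightened once the fraud team knows what normal sharing (office proxies, NAT) looks like.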
 
Mar 14, 2005
368
Hmmm,

The certs are session based.

The log file method doesn't get around the NATting etc.

Our front end is the browser.

Looks like we're snookered then :-(

I can't go into what the company is, as security would go mad after divulging some of our security features. But we have to be browser only (along with Java/JavaScript).

Thanks for your time with this.
 
Jul 12, 2005
1,896
I presumed you have looked into persistent certificates at the machine level.

If it's any help, IIS 6 will soon be modifiable to accept personal certification that is persistent to the user and removes the whole server/client session certs.

If it gets desperate, give me a shout and I will put you in touch with someone who could help you into early adoption before it is released.

Steve
 
