JasonF (Author) Posted July 4, 2008

This is just my opinion, but I would recommend people:

(1) Create a new account with admin privileges, and make the password very hard to guess, as ECF suggested. Then make sure your user ADMIN does not own any game or voice servers. After that, disable the ADMIN account. Also update your billing software to reflect the new admin account for automated setups. This will basically make a person guess the user and password to gain access. With the admin account active, all they need to do is guess the password.

(2) Update your TCAdmin installs for the new Security plugin that allows permanent IP banning.

(3) Everyone should look in their TCAdmin Control Panel\Logs folder at the following 2 files:

Web.Login.txt
FTP.Login.txt

Look for any suspicious logins, etc.

(4) Restrict .asd files from being uploaded in both the file manager and FTP server.

(5) Limit the admin and subadmins to specific IP addresses.
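Added example, not part of the post above and not TCAdmin code: one way to carry out the log review in (3) while checking recommendations (1) and (5). The log line layout, the account names and the IP addresses are constructed assumptions, since the thread does not show what Web.Login.txt or FTP.Login.txt actually look like.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed stand-in layout: "<date> <time> <ip> <user> <OK|FAIL>".
# The thread does not show the real log layout; adapt LINE to your files.
LINE = re.compile(r"^\S+ \S+ (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (OK|FAIL)$")
DEFAULT_NAMES = {"admin", "administrator"}  # names an attacker need not guess

def review_logins(lines, admin_users, allowed_ips, max_failures=5):
    """Return sorted (ip, reason) findings for a login log."""
    failures, findings = Counter(), set()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, user, result = m.group(1), m.group(2).lower(), m.group(3)
        if result == "FAIL":
            failures[ip] += 1
            if user in DEFAULT_NAMES:
                findings.add((ip, "failed login to default admin name"))
        elif user in admin_users and not any(
                fnmatchcase(ip, pat) for pat in allowed_ips):
            # Recommendation (5): admins only from listed addresses.
            findings.add((ip, "admin login from unlisted IP"))
    for ip, count in failures.items():
        if count >= max_failures:
            findings.add((ip, "repeated failed logins"))
    return sorted(findings)

# Constructed sample data (documentation IP ranges, made-up account names).
ADMIN_USERS = {"gsp-owner"}
ALLOWED_IPS = ["203.0.113.*"]  # keep the dot before "*"; "10.1*" would also match 10.10.x.x
SAMPLE = [
    "2008-07-04 10:00:01 203.0.113.7 gsp-owner OK",
    "2008-07-04 10:02:10 198.51.100.23 Administrator FAIL",
    "2008-07-04 10:02:14 198.51.100.23 admin FAIL",
    "2008-07-04 10:02:19 198.51.100.23 admin FAIL",
    "2008-07-04 10:02:25 198.51.100.23 admin FAIL",
    "2008-07-04 10:02:31 198.51.100.23 admin FAIL",
    "2008-07-04 11:15:00 192.0.2.50 gsp-owner OK",
    "2008-07-04 11:20:00 203.0.113.9 player1 FAIL",
]

if __name__ == "__main__":
    for ip, reason in review_logins(SAMPLE, ADMIN_USERS, ALLOWED_IPS):
        print(ip, reason)
```

A successful admin login from an address outside the list is the finding to act on first, because it means the password is already known.
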
studeggle Posted July 4, 2008

Can you safely disable the admin account? I would love to do this. I have always used hard passwords with all types of characters and considerable length, but felt I was stuck with admin as the main administrator for TcAdmin.

JasonF (Author) Posted July 4, 2008

I have disabled mine with no issues. The hacker that has gained access to a few people's servers is using the admin account to gain access. By disabling it, the idiot needs to guess a user and password. If anyone has questions please email me through the forums.

ECF Posted July 4, 2008

There is a new update available. Please update.

JasonF (Author) Posted July 4, 2008

Included the information in the first post to keep things organized.

swish Posted July 4, 2008

I suppose the only downside to not using the ADMIN account is you wouldn't see the messages from tcadmin, correct?

JasonF (Author) Posted July 4, 2008

It does not show on the admin home page. If you click on News it shows it there for all admins.

JasonF (Author) Posted July 5, 2008

Bump

Brandon Posted July 5, 2008

Here's a suggestion, email everyone so they can check their systems. I only found out from another GSP who asked if I was affected. Otherwise I still wouldn't know. I'm not talking about through tcadmin either, as our mail server setting was changed by this person.

ECF Posted July 5, 2008

I posted a message in the announcement section about it. We will be sending an email out to all clients but we are collecting more information on this before we do.

Brandon Posted July 5, 2008

Well I'm sorry I don't look at tcadmin forum every day. Who knows what further damage could have been done. At the very least you should send out an email for people to look at that post.

ECF Posted July 5, 2008

At this point Brandon, we are not 100% sure that the person is getting in via our software. So to send out an email with incorrect information would not help the situation. Once we have collected all the information, and if it truly is an exploit in our software, then the email will go out with all information that we have available to us at the time.

DougK94 Posted July 5, 2008

I have not been able to find how he got in, been scouring all the TCA logs, IIS logs, event logs. In talking to another who has been affected, we are wondering what all similarities there are in the setups, but I do not really want to discuss that info in a public forum.

The person who has been hitting people, I have researched a little bit. He appears to be a script kiddie, and does not appear to have the skills to develop any tools. I have found numerous posts in different hacker forums claiming to have written something, and others have shot him down showing where the script originated. I have not found anywhere yet where anyone is claiming any TCA exploits.

ECF Posted July 5, 2008

Luis has just pushed out another update which further reinforces the security plugin. It allows you to set admin IPs which are the only ones that can access an admin account within TCA.

Brandon Posted July 5, 2008

> In talking to another who has been affected, we are wondering what all similarities there are in the setups, but I do not really want to discuss that info in a public forum.

Tcadmin perhaps? Regardless, if I wasn't informed by another GSP using TCADMIN then I still would not know that anything had happened. It would be in everyone's best interest if a simple precaution email was sent out so they can prevent further damages EVEN IF the source isn't Tcadmin.

studeggle Posted July 5, 2008

> Luis has just pushed out another update which further reinforces the security plugin. It allows you to set admin IPs which are the only ones that can access an admin account within TCA.

Question on the admin IP feature. Can wild cards be used? I have some admins that have very fluctuating IPs and entering about 60 IPs to ensure their access would be a pain, but I would love to restrict it to a batch of IPs with a wild card.

Brandon Posted July 5, 2008

Yes.

DougK94 Posted July 5, 2008

> Tcadmin perhaps? Regardless, if I wasn't informed by another GSP using TCADMIN then I still would not know that anything had happened. It would be in everyone's best interest if a simple precaution email was sent out so they can prevent further damages EVEN IF the source isn't Tcadmin.

We know TCAdmin is a common denominator, but wondering about other things.

NOTE: I found referer links from these forums and the dedicated.php page from this IP that has hit us. Also numerous google hits from the TCA version number displayed on the bottom of the TCA control page.

Brandon Posted July 5, 2008

Well I won't discuss further here. All I am saying is that since there is a chance that others may be affected they should be informed. Just point them to that post or tell them what to look for and where. If they weren't affected then great, if so then you have more evidence to make your case.

DougK94 Posted July 5, 2008

I agree, and I know Luis has been working his butt off, along with many other admins trying to see how this guy got in.

HIS-MOTHER Posted July 6, 2008

Funny stuff here now that we get alerts..

The IP 60.191.220.143 has been temporarily banned for 15 minutes.
Last login details:
UserId: Administrator
Password: 123456

LOL

The only weird thing is that it got banned 3 times, all 3 minutes apart. If that IP was banned how did it keep attempting to login?

Brandon Posted July 6, 2008

Yeah we have tons of alerts coming in now.. Wow. And I'm not messing around - 5 attempts and permanent ban. If a customer gets banned they can contact us. Otherwise it looks like we may have a pretty large ban list fairly soon.

DougK94 Posted July 6, 2008

I think that is one of the best new features since TCAdmin has been released. Thanks Luis for your hard work.

TheHeartSmasher Posted July 6, 2008

Can a password policy be setup for certain accounts/groups? So after x amount of days the user has to reset their password and it has to be a strong password with special characters. Then have certain accounts excluded if needed?

JasonF (Author) Posted July 6, 2008

If you login under an admin account, you DO see the news from TCAdmin on the bottom. I also updated my 1st post to include more information.

This topic is now archived and is closed to further replies.