
login attacks - need advice



Guest cactuscrust
Posted

I've got a problem with server security... and I know little on the subject and could use some advice.

Recently my server (Windows 2003, running IIS6) has been the victim of massive login attacks... by that I mean the event viewer shows a massive number of failed login attempts, often thousands at a time! Here is an example of one of those events:

Logon Failure:
Reason: Unknown user name or bad password
User Name: Admin
Domain: AXXXXXX
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: BXXXXXX
Caller User Name: BXXXXXX$
Caller Domain: AXXXXXX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1812
Transited Services: -
Source Network Address: -
Source Port: -

The user 'Admin' does not exist on my system, the user 'adam' (also non-existent) was tried about a thousand times before this one. My guess is that whatever is attacking my server is just going through the alphabet trying to find a user/password combination to get into the server. However, I have no idea what to do about it. I don't even know where it's coming from, as the event viewer doesn't show the IP address of the source (which it usually does). Are there other logs that I could look into that might give me more information? Are there ways to automatically block sources that make too many failed login attempts? Is there anything at all that I can do to fight this? I'm afraid they'll eventually get in (if they haven't already), and even if they don't get it... the barrage of login attempts is really slowing down my server.

Any advice would be appreciated.

 

 

--

cactuscrust

------------------------------------------------------------------------

cactuscrust's Profile: http://forums.techarena.in/members/cactuscrust.htm

View this thread: http://forums.techarena.in/windows-server-help/1016603.htm

 

http://forums.techarena.in


Guest Anthony [MVP]
Posted

Re: login attacks - need advice

 

If you put a server on the web and allow inbound connections this is normal.

To block inbound connections, or allow some and not others, you need to use a firewall. A firewall can be a filter on your internet connection; a specific hardware device; or a software firewall on the server (for very basic needs). It all depends what you are trying to do.

Anthony,

http://www.airdesk.com

 

 


Guest cactuscrust
Posted

Re: login attacks - need advice

 

 

Thanks for the reply. I've known for a while now that I really should have a firewall going on my server. I really didn't set this server up, and the guy before wasn't really security minded, but that's beside the point.

I understand that I can set a firewall to block all the ports except the ones I need, but how do I know which ones those are? Also, I imagine that if I wanted to block the connection that's attempting to break in to my server, I'd have to do that by IP address... the only problem is I don't know the IP address of where these attacks originate. Is there a way I can find out?

 

 

--

cactuscrust

------------------------------------------------------------------------

cactuscrust's Profile: http://forums.techarena.in/members/cactuscrust.htm

View this thread: http://forums.techarena.in/windows-server-help/1016603.htm

 

http://forums.techarena.in
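
Added example, not part of any post in this thread: the logon events quoted above show Logon Process IIS with no source address, and the IIS W3C log is a place that does record the client address (c-ip) for each request. Assuming the attempts arrive over HTTP, this sketch counts 401.1 responses (credentials rejected, as opposed to the 401.2 challenge every unauthenticated request gets) per client; the log lines, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format; addresses are from
# documentation ranges and do not come from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status sc-substatus sc-win32-status
2008-08-01 03:10:01 192.0.2.10 GET /secure/ 80 - 198.51.100.23 401 2 2148074254
2008-08-01 03:10:01 192.0.2.10 GET /secure/ 80 - 198.51.100.23 401 1 1326
2008-08-01 03:10:02 192.0.2.10 GET /secure/ 80 - 198.51.100.23 401 1 1326
2008-08-01 03:10:02 192.0.2.10 GET /secure/ 80 - 198.51.100.23 401 1 1326
2008-08-01 03:10:03 192.0.2.10 GET /secure/ 80 - 198.51.100.23 401 1 1326
2008-08-01 03:11:40 192.0.2.10 GET /secure/ 80 - 203.0.113.7 401 2 2148074254
2008-08-01 03:11:44 192.0.2.10 GET /secure/ 80 - 203.0.113.7 401 1 1326
2008-08-01 03:11:52 192.0.2.10 GET /secure/ 80 staff1 203.0.113.7 200 0 0
2008-08-01 03:12:00 192.0.2.10 GET /default.htm 80 - 192.0.2.55 200 0 0
2008-08-01 03:12:05 192.0.2.10 GET
"""


def failed_logons_by_ip(lines):
    """Count 401.1 (logon failed) responses per client IP."""
    fields = []
    counts = Counter()
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout is declared in the log and can change mid-file.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        # 401.2 is the normal challenge; 401.1 means credentials were rejected.
        if row.get("sc-status") == "401" and row.get("sc-substatus") == "1":
            counts[row.get("c-ip", "?")] += 1
    return counts


def sources_over_threshold(lines, threshold):
    """Client IPs with at least `threshold` rejected logons, sorted."""
    counts = failed_logons_by_ip(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failed_logons_by_ip(SAMPLE_LOG.splitlines()).most_common():
        print(ip, n)
```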

Guest Anthony [MVP]
Posted

Re: login attacks - need advice

 

Your inbound ports are generally well known services like http, imap, smtp etc.

If you want them to be secure then you run them with SSL, i.e. https, imaps and smtp -tls.

You don't need to block addresses and it would not work anyway,

Anthony,

http://www.airdesk.com

 

 

 


