Securing MS Server 2003 against unauthorized login attempts/attack

Posted on 2007-11-15
Last Modified: 2010-04-20
Hi!
I would like to ask what I can do against people who try to log in to our server (MS Server 2003) and do not have the permission - we have many times in our logs messages like this (with many different account names - in the below example it is 'php', but there are many others, such as 'info', 'student', 'admin', etc...):

**********************************
The server was unable to logon the Windows NT account 'php' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**********************************

It happens quite often and every second there are several attempts (there are thousands of queries) and I am afraid it takes too much time of our server work...

can it be avoided? how?

thanks!

Peter
Question by:pplan

Expert Comment

by:tlbrittain
ID: 20288695
A good start is to shut down any unnecessary services - this will close ports that are not needed for operation of the server.

Expert Comment

by:arunexp
ID: 20288719
Is FTP enabled for this server? If it is not FTP access, then it could be some attack. If you are not using FTP, stop FTP on the server and stop all unused services.

Expert Comment

by:tlbrittain
ID: 20288745

Author Comment

by:pplan
ID: 20288788
Thanks for your advice - it is certainly an attack on our server.

We can not stop FTP, as we need this service running on our server

my idea was for example how to limit number of unsuccessful attempts to login to our server from one IP address  - let's say after one IP address makes 3 unsuccessful attempts to login, then this IP address will have to wait for 30 minutes till next time it can try again to log in

is this possible in MS Server 2003 ? or any other idea?

thanks!

Peter

Expert Comment

by:cshepfam
ID: 20288841
For what you're asking, I have to use third party software for that.  You said you need FTP, so I suggest getting software to meet the needs of your request.


Titan FTP Server is a great selection.  With that, if someone tries to hack in, you can set the number of times they can try.  Afterwards, it will ban that IP address automatically and email you to let you know.  It will log the IP, date, time, and what username/password they attempted to use.


I don't believe Windows has that option.  You will just have to check the Security Events for successful and failure logins.

Expert Comment

by:tlbrittain
ID: 20288850
That is not possible. Have you thought about implementing a firewall?  Also, there is a program called Intruder Alert (I believe it is now known as Site Protector). It will let you know, based on the rules you set, of unsuccessful attempts, and has a plethora of other options including what action to take, but blocking an IP for a set amount of time is not one.

Expert Comment

by:tlbrittain
ID: 20288859
just curious what's the cost of Titan FTP?

Author Comment

by:pplan
ID: 20288946
I will try the FTP program, but it is not an attack on FTP - it is an attack to log in to our server as admin, I am afraid to get some privileges etc...

we have TINY Firewall, but I do not know how to prevent such actions using Tiny firewall...
(how to prevent unauthorized attempts to login)


Expert Comment

by:tlbrittain
ID: 20288971
does the firewall allow you to specifically allow and deny by IP?  If so you could set up an ACL to allow only the IPs needed for access to the server and Deny all else.

Author Comment

by:pplan
ID: 20289001
unfortunately we do not use static IP addresses for our computers, which we use to log into our server, that's why it would be problematic to set static IP address on the firewall to grant the access privilege only to certain IPs...

Expert Comment

by:tlbrittain
ID: 20289012
does the firewall allow you to specifically allow and deny by IP?  If so you could set up an ACL to allow only the IPs needed for access to the server and Deny all else.

Expert Comment

by:tlbrittain
ID: 20289032
sorry about the double post there...now your IPs are going to change but I'm pretty sure not the whole address, say just the last 2 octets change...

e.g. - 10.10.x.x

Expert Comment

by:tlbrittain
ID: 20289036
It is possible to allow specific IP ranges but not sure how your firewall works.

Author Comment

by:pplan
ID: 20289057
It might be a good idea! I will try it and let you know, thanks! It might take me a few hours, maybe the weekend, as I have to find out how to do it in Tiny firewall...

Expert Comment

by:arunexp
ID: 20289289
Or you can put a rule on your router to allow ftp access only from LAN

Expert Comment

by:cshepfam
ID: 20289347
here's the prices for Titan FTP Server

http://www.btsoftware.com/products/titan.htm

Accepted Solution

by:r-k
ID: 20294626
The most important thing you can do is to implement an account lockout policy, i.e. if the wrong password is guessed N times in a row, then the account is locked out for M minutes. Make N=10 and M=10, and you will foil just about any password guessing attack.
For how to implement this, see e.g.: http://www.visualwin.com/Log-in/lockout-durations.html
I typically set all three values to 10.
There is one exception, the Administrator account cannot be locked out, but if you set a relatively long (say 10 chars or more) password that is not a simple name, phrase or word, you will pretty much assure that no one can guess it for a very long time.
When you check the event logs, the logon type tells you what type of logon was attempted. A type of 8 indicates someone trying to connect to the FTP server.

The above is only one part of the solution. The others include: Firewall, Security patches, disabling unnecessary services, regular monitoring, etc.

I also recommend running a scan on your server with  MBSA:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
and following as many suggestions as reasonable.
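
The lockout behaviour described in the accepted answer, as an added example that is not part of the original thread: a simplified Python model of the three policy values (threshold, duration and counter reset, all set to 10 as in the answer) replayed over a constructed stream of failed logons. The account names, the one-guess-per-second rate and the `simulate` helper are assumptions for illustration, and the model simplifies how Windows tracks the counter.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 10            # N: bad passwords in a row before lockout
    duration_s: int = 10 * 60      # M: how long the account stays locked
    reset_after_s: int = 10 * 60   # quiet time after which the counter resets
    exempt: frozenset = frozenset({"administrator"})  # never locked (per the answer)

def simulate(policy, failures):
    """Replay (second, account) bad-password attempts given in time order.

    Simplified model, not Windows' exact bookkeeping. Returns per account:
    'evaluated' (password actually checked), 'refused' (account was locked),
    'lockouts' (times the threshold was reached).
    """
    state, stats = {}, {}
    for t, account in failures:
        name = account.lower()
        s = state.setdefault(name, {"bad": 0, "last": None, "until": None})
        st = stats.setdefault(name, {"evaluated": 0, "refused": 0, "lockouts": 0})
        if s["until"] is not None:
            if t < s["until"]:
                st["refused"] += 1           # locked: the guess is never tested
                continue
            s["bad"], s["until"] = 0, None   # lockout expired
        if s["last"] is not None and t - s["last"] >= policy.reset_after_s:
            s["bad"] = 0                     # counter reset after a quiet period
        st["evaluated"] += 1
        s["bad"] += 1
        s["last"] = t
        if name not in policy.exempt and s["bad"] >= policy.threshold:
            s["until"] = t + policy.duration_s
            st["lockouts"] += 1
    return stats

def constructed_attack(seconds=3600):
    # Constructed sample: one wrong guess per second, for one hour, against an
    # ordinary account assumed to exist ('student') and the built-in admin.
    return [(t, a) for t in range(seconds) for a in ("student", "Administrator")]

if __name__ == "__main__":
    for name, st in simulate(LockoutPolicy(), constructed_attack()).items():
        print(f"{name:14} {st}")
```

With the constructed input, the ordinary account has 60 guesses tested in the hour and 3,540 refused, while all 3,600 guesses against the exempt Administrator account are tested, which is why the answer pairs lockout with a long Administrator password.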

Expert Comment

by:r-k
ID: 20308611
Thanks. The following web page has a description of the various logon type codes:
http://www.windowsecurity.com/articles/Logon-Types.html