Solved

Securing MS Server 2003 against unauthorized login attempts/attack

Posted on 2007-11-15
18
338 Views
Last Modified: 2010-04-20
Hi!
I would like to ask what I can do against people who try to log in to our server (MS Server 2003) without having permission - our logs often contain messages like this (with many different account names - in the example below it is 'php', but there are many others, such as 'info', 'student', 'admin', etc.):

**********************************
The server was unable to logon the Windows NT account 'php' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**********************************

It happens quite often, and every second there are several attempts (there are thousands of queries), and I am afraid it takes up too much of our server's working time...

can it be avoided? how?

thanks!

Peter
0
Question by:pplan
18 Comments
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288695
A good start is to shut down any unnecessary services - this will close ports that are not needed for operation of the server.
0
 
LVL 6

Expert Comment

by:arunexp
ID: 20288719
Is FTP enabled for this server? If it is not FTP access, then it could be some attack. If you are not using FTP, stop FTP on the server and stop all unused services.
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288745
0

 

Author Comment

by:pplan
ID: 20288788
Thanks for your advice - it is certainly an attack on our server.

We cannot stop FTP, as we need this service running on our server.

My idea was, for example, how to limit the number of unsuccessful attempts to log in to our server from one IP address - let's say after one IP address makes 3 unsuccessful attempts to log in, then this IP address will have to wait for 30 minutes until the next time it can try to log in again.

is this possible in MS Server 2003 ? or any other idea?

thanks!

Peter
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20288841
For what you're asking, I have to use third party software for that.  You said you need FTP, so I suggest getting software to meet the needs of your request.


Titan FTP Server is a great selection.  With that, if someone tries to hack in, you can set the number of times they can try.  Afterwards, it will ban that IP address automatically and email you to let you know.  It will log the IP, date, time, and what username/password they attempted to use.


I don't believe Windows has that option.  You will just have to check the Security Events for successful and failure logins.
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288850
That is not possible. Have you thought about implementing a firewall?  Also, there is a program called Intruder Alert (I believe it is now known as site protector); it will let you know, based on the rules you set, of unsuccessful attempts, and it has a plethora of other options, including what action to take, but blocking an IP for a set amount of time is not one.
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288859
just curious what's the cost of Titan FTP?
0
 

Author Comment

by:pplan
ID: 20288946
I will try the FTP program, but it is not an attack on FTP - it is an attack to log in to our server as admin, I am afraid to get some privileges etc...

we have TINY Firewall, but I do not know how to prevent such actions using Tiny firewall...
(how to prevent unauthorized attempts to login)

0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288971
does the firewall allow you to specifically allow and deny by IP?  If so you could set up an ACL to allow only the IPs needed for access to the server and Deny all else.
0
 

Author Comment

by:pplan
ID: 20289001
unfortunately we do not use static IP addresses for our computers, which we use to log into our server, that's why it would be problematic to set static IP address on the firewall to grant the access privilege only to certain IPs...
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20289012
does the firewall allow you to specifically allow and deny by IP?  If so you could set up an ACL to allow only the IPs needed for access to the server and Deny all else.
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20289032
sorry about the double post there...now your IPs are going to change but I'm pretty sure not the whole address, say just the last 2 octets change...

e.g. - 10.10.x.x
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20289036
It is possible to allow specific IP ranges but not sure how your firewall works.
0
 

Author Comment

by:pplan
ID: 20289057
It might be a good idea! I will try it and let you know, thanks! It might take me a few hours, maybe the weekend, as I have to find out how to do it in Tiny firewall...
0
 
LVL 6

Expert Comment

by:arunexp
ID: 20289289
Or you can put a rule on your router to allow ftp access only from LAN
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20289347
here's the prices for Titan FTP Server

http://www.btsoftware.com/products/titan.htm
0
 
LVL 32

Accepted Solution

by:r-k (earned 500 total points)
ID: 20294626
The most important thing you can do is to implement an account lockout policy, i.e. if the wrong password is guessed N times in a row, then the account is locked out for M minutes. Make N=10 and M=10, and you will foil just about any password guessing attack.
For how to implement this, see e.g.: http://www.visualwin.com/Log-in/lockout-durations.html
I typically set all three values to 10.
There is one exception, the Administrator account cannot be locked out, but if you set a relatively long (say 10 chars or more) password that is not a simple name, phrase or word, you will pretty much assure that no one can guess it for a very long time.
When you check the event logs, the logon type tells you what type of logon was attempted. A type of 8 indicates someone trying to connect to the FTP server.

The above is only one part of the solution. The others include: Firewall, Security patches, disabling unnecessary services, regular monitoring, etc.

I also recommend running a scan on your server with  MBSA:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
and following as many suggestions as reasonable.
0
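To see what the lockout values discussed in the accepted answer do to a burst of guesses like the one in the question, the following added example (not part of the thread or any poster's code) parses failure lines and replays them through a simplified lockout model. The timestamp prefix on each line, the function names and the sample log are assumptions constructed for illustration; the model ignores the Administrator exception mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as quoted in the question; the timestamp prefix is an assumed export format.
FAIL_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*Windows NT account "
                     r"'([^']+)'.*Logon failure")

def parse_failures(lines):
    """Yield (timestamp, account) for each failed-logon line, skipping anything else."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def simulate_lockout(events, threshold=10, duration_min=10, reset_min=10):
    """Simplified model of lockout threshold / lockout duration / reset-counter-after."""
    duration, reset = timedelta(minutes=duration_min), timedelta(minutes=reset_min)
    state = defaultdict(lambda: {"count": 0, "last": None, "locked_until": None})
    stats = defaultdict(lambda: {"evaluated": 0, "blocked": 0, "lockouts": 0})
    for ts, account in sorted(events):
        s, out = state[account], stats[account]
        if s["locked_until"] and ts < s["locked_until"]:
            out["blocked"] += 1          # rejected without testing the password
            continue
        if s["locked_until"] or (s["last"] and ts - s["last"] > reset):
            s["count"], s["locked_until"] = 0, None   # lock expired or counter aged out
        s["count"] += 1
        s["last"] = ts
        out["evaluated"] += 1            # this guess was actually checked
        if s["count"] >= threshold:
            s["locked_until"] = ts + duration
            out["lockouts"] += 1
    return {a: dict(v) for a, v in stats.items()}

def constructed_log():
    """Constructed sample: 40 guesses at 'php' every 30 s, 3 at 'info', one unrelated line."""
    t0 = datetime(2007, 11, 15, 10, 0, 0)
    msg = ("The server was unable to logon the Windows NT account '{}' due to the "
           "following error: Logon failure: unknown user name or bad password.")
    lines = [f"{t0 + timedelta(seconds=30 * i)} {msg.format('php')}" for i in range(40)]
    lines += [f"{t0 + timedelta(minutes=i)} {msg.format('info')}" for i in range(3)]
    lines.append(f"{t0} Service started.")
    return lines

if __name__ == "__main__":
    for account, s in simulate_lockout(parse_failures(constructed_log())).items():
        print(account, s)
```

With all three values at 10, only 10 guesses per account are tested in each lockout cycle, however fast the attempts arrive; the rest are rejected while the account is locked.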
 
LVL 32

Expert Comment

by:r-k
ID: 20308611
Thanks. The following web page has a description of the various logon type codes:
http://www.windowsecurity.com/articles/Logon-Types.html
0
