Solved

Securing MS Server 2003 against unauthorized login attempts/attack

Posted on 2007-11-15
Last Modified: 2010-04-20
Hi!
I would like to ask what I can do against people who try to log in to our server (MS Server 2003) when they do not have permission - many times in our logs we have messages like this (with many different account names - in the example below it is 'php', but there are many others, such as 'info', 'student', 'admin', etc...):

**********************************
The server was unable to logon the Windows NT account 'php' due to the following error: Logon failure: unknown user name or bad password.  The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
**********************************

It happens quite often, and every second there are several attempts (there are thousands of queries), and I am afraid it takes up too much of our server's working time...

can it be avoided? how?

thanks!

Peter
Question by:pplan
18 Comments
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288695
A good start is to shut down any unnecessary services - this will close ports that are not needed for operation of the server.
0
 
LVL 6

Expert Comment

by:arunexp
ID: 20288719
Is FTP enabled for this server? If it is not FTP access, then it could be some attack. If you are not using FTP, stop FTP on the server and stop all unused services.
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288745
0
 

Author Comment

by:pplan
ID: 20288788
Thanks for your advice - it is certainly an attack on our server

We can not stop FTP, as we need this service running on our server

my idea was for example how to limit number of unsuccessful attempts to login to our server from one IP address  - let's say after one IP address makes 3 unsuccessful attempts to login, then this IP address will have to wait for 30 minutes till next time it can try again to log in

is this possible in MS Server 2003 ? or any other idea?

thanks!

Peter
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20288841
For what you're asking, I have to use third party software for that.  You said you need FTP, so I suggest getting software to meet the needs of your request.


Titan FTP Server is a great selection.  With that, if someone tries to hack in, you can set the number of times they can try.  Afterwards, it will ban that IP address automatically and email you to let you know.  It will log the IP, date, time, and what username/password they attempted to use.


I don't believe Windows has that option.  You will just have to check the Security Events for successful and failure logins.
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288850
That is not possible. Have you thought about implementing a firewall?  Also, there is a program called Intruder Alert (I believe it is now known as site protector); it will let you know, based on the rules you set, of unsuccessful attempts, and it has a plethora of other options including what action to take, but blocking an IP for a set amount of time is not one.
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288859
just curious what's the cost of Titan FTP?
0
 

Author Comment

by:pplan
ID: 20288946
I will try the FTP program, but it is not an attack on FTP - it is an attack to log in to our server as admin, I am afraid, to get some privileges etc...

we have TINY Firewall, but I do not know how to prevent such actions using Tiny firewall...
(how to prevent unauthorized attempts to login)

0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20288971
does the firewall allow you to specifically allow and deny by IP?  If so you could set up an ACL to allow only the IPs needed for access to the server and Deny all else.
0

 

Author Comment

by:pplan
ID: 20289001
unfortunately we do not use static IP addresses for our computers, which we use to log into our server, that's why it would be problematic to set static IP address on the firewall to grant the access privilege only to certain IPs...
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20289012
does the firewall allow you to specifically allow and deny by IP?  If so you could set up an ACL to allow only the IPs needed for access to the server and Deny all else.
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20289032
sorry about the double post there...now your IPs are going to change but I'm pretty sure not the whole address, say just the last 2 octets change...

e.g. - 10.10.x.x
0
 
LVL 5

Expert Comment

by:tlbrittain
ID: 20289036
It is possible to allow specific IP ranges but not sure how your firewall works.
0
 

Author Comment

by:pplan
ID: 20289057
It might be a good idea! I will try it and let you know, thanks! It might take me a few hours, maybe the weekend, as I have to find out how to do it in Tiny firewall...
0
 
LVL 6

Expert Comment

by:arunexp
ID: 20289289
Or you can put a rule on your router to allow ftp access only from LAN
0
 
LVL 13

Expert Comment

by:cshepfam
ID: 20289347
here's the prices for Titan FTP Server

http://www.btsoftware.com/products/titan.htm
0
 
LVL 32

Accepted Solution

by:
r-k earned 500 total points
ID: 20294626
The most important thing you can do is to implement an account lockout policy, i.e. if the wrong password is guessed N times in a row, then the account is locked out for M minutes. Make N=10 and M=10, and you will foil just about any password guessing attack.
For how to implement this, see e.g.: http://www.visualwin.com/Log-in/lockout-durations.html
I typically set all three values to 10.
There is one exception, the Administrator account cannot be locked out, but if you set a relatively long (say 10 chars or more) password that is not a simple name, phrase or word, you will pretty much assure that no one can guess it for a very long time.
When you check the event logs, the logon type tells you what type of logon was attempted. A type of 8 indicates someone trying to connect to the FTP server.

The above is only one part of the solution. The others include: Firewall, Security patches, disabling unnecessary services, regular monitoring, etc.

I also recommend running a scan on your server with  MBSA:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
and following as many suggestions as reasonable.
0
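The effect of the lockout settings in the accepted answer (N=10, M=10, Administrator never locked), shown as an added example that is not part of the original thread. It is a simplified Python model, not Windows' actual implementation, replaying constructed failed-logon records; the function names and record layout are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def simulate(events, threshold=10, duration_min=10, reset_min=10,
             exempt=("Administrator",)):
    """Replay failed logons (sorted by time) against a simplified lockout model.

    Returns {account: Counter(tested=..., blocked=..., lockouts=...)}:
    'tested' guesses were checked against the password, 'blocked' ones were
    rejected because the account was locked at the time.
    """
    duration, reset = timedelta(minutes=duration_min), timedelta(minutes=reset_min)
    stats = defaultdict(Counter)
    count, last_fail, locked_until = Counter(), {}, {}
    for ts, account, _logon_type in events:
        if account in exempt:                      # never locked: every guess counts
            stats[account]["tested"] += 1
            continue
        if account in locked_until:
            if ts < locked_until[account]:
                stats[account]["blocked"] += 1
                continue
            del locked_until[account]              # lockout expired
            count[account] = 0
        if account in last_fail and ts - last_fail[account] >= reset:
            count[account] = 0                     # quiet period resets the counter
        count[account] += 1
        last_fail[account] = ts
        stats[account]["tested"] += 1
        if count[account] >= threshold:
            locked_until[account] = ts + duration
            stats[account]["lockouts"] += 1
    return stats

def sample_events():
    """Constructed data: 4 failed FTP logons (type 8) per second for one hour."""
    start = datetime(2007, 11, 15, 9, 0, 0)
    step = timedelta(milliseconds=250)
    events = []
    for i in range(4 * 3600):
        events.append((start + i * step, "php", 8))
        events.append((start + i * step, "Administrator", 8))
    return events

if __name__ == "__main__":
    for account, s in sorted(simulate(sample_events()).items()):
        print(account, dict(s))
```

In this constructed hour, only 60 of the 14,400 guesses against 'php' are checked against the password, while every guess against the exempt Administrator account is checked, which is why the answer pairs the policy with a long password for that account.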
 
LVL 32

Expert Comment

by:r-k
ID: 20308611
Thanks. The following web page has a description of the various logon type codes:
http://www.windowsecurity.com/articles/Logon-Types.html
0
