jaseinatl

I want to be able to block Any IP Address on Any Port where someone tries unsuccessfully to login

Currently, at least 5 times a week for about 8 hours, my server is being pounded with login attempts that fail. The thing is that the logins are all from IP addresses in China (from which I have no users) and they are all generic names like "Sally" or "John" with failed passwords.

Sure, they haven't gotten into my server yet, but it has to be slowing down my server. Just the time it takes to write the number of events that have occurred in the event logs is going to slow down my server.

So, I want to be able to completely ignore any traffic on any port from any IP address from which more than one invalid user name attempts to log in. Is this a hardware thing or is there software to handle this? Or does such a thing exist?

Any help would be greatly appreciated. This is really important that I get this handled immediately.

Jase

8/22/2022 - Mon
mpfticom

Do you allow logins to your server from outside the company? Do you have a firewall? Is this through terminal services? If you don't allow people to log in to your servers from outside of the company then you can block the ports and/or IP at the firewall.
jaseinatl

ASKER
I have a firewall built in to my DSL modem and the SBS is supposed to have a firewall as well.

To answer your question, "Yes", I have several users that have to log in remotely using VPN, RDP, HTTP, FTP, SMTP, POP, etc.

I am just blown away that everyone's answer to this kind of thing is to cripple themselves to avoid attack. I mean, why is it an acceptable solution to block my ports to avoid attack, why can't I block IP addresses? Isn't there a piece of software or hardware that looks at the incoming IP address on ANY port and denies or drops the packets? I am sure that there is.

Next, all I need is a piece of software that says, two failed login attempts from the same IP using different usernames that are not valid, add the source IP to the list of blocked IP addresses.

This seems like the kind of thing that should have been handled when the first TCP/IP stack was written.

Currently the range of attacks that I have been receiving are from Port 25, Port 443, and Port 21. I am sure that it is a matter of time before they try every port available. And since it is coming from at most 4 IP addresses, why can't I stop them? I'm thinking about hiring a hacker to reverse the attack since apparently there is no legal recourse.

I suggested to my service provider that if someone were trying to steal my phone service, the phone company would press charges. If someone were trying to steal my electricity, the electrical company would do something about it. With any service I receive, if someone is trying to use it without my permission, the service provider does something about it...but not with internet service. What a racket!

So, I told my service provider that I would start port-forwarding all of the traffic I have been getting to their servers until it shut down their servers and they responded by saying, "oh, if you did that, we would block all traffic from your IP address". In other words, they have the technology to block their own customers but not to protect their customers? What a racket!
jase
mpfticom

You can stop it by IP address. But are you using a commercial firewall? The problem is that with most of those "residential gateways" you can't do this. If you use a commercial firewall then you can block just IPs. You can also use a free open source commercial firewall called iptables, run on Linux.

Writing a script to run on your server is not optimal. You need to stop the IP traffic at the gateway to your network. Running a script is going to put a load on the server as well.

4 IPs is not a lot. That is only going to grow the longer you have an internet connection. It will turn into hundreds per hour. You need a "real" firewall.
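
The rule the asker describes (failed logins from one source IP using two or more different usernames that are not valid accounts, on any service) can be expressed as log analysis that produces a block list for the gateway firewall. The following is an added Python example, not code from anyone in this thread; the key=value log format, the function name `find_sources_to_block`, the allowlist parameter and all sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value format (not a real product's log).
SAMPLE_LOG = """\
2022-08-22T03:14:07Z service=smtp src=203.0.113.7 user=sally result=FAIL
2022-08-22T03:14:09Z service=ftp src=203.0.113.7 user=john result=FAIL
2022-08-22T03:15:30Z service=https src=198.51.100.20 user=jase result=FAIL
2022-08-22T03:15:41Z service=https src=198.51.100.20 user=jase result=OK
2022-08-22T03:16:02Z service=smtp src=203.0.113.9 user=Sally result=FAIL
2022-08-22T03:16:05Z service=smtp src=203.0.113.9 user=sally result=FAIL
2022-08-22T03:17:00Z service=ftp src=192.0.2.10 user=admin result=FAIL
2022-08-22T03:17:03Z service=ftp src=192.0.2.10 user=guest result=FAIL
2022-08-22T03:18:00Z service=ftp src=not-an-ip user=a result=FAIL
"""

LINE_RE = re.compile(r"service=(\S+) src=(\S+) user=(\S+) result=(\S+)")

def find_sources_to_block(log_text, valid_users, allowlist=(), threshold=2):
    """Return sorted source IPs that failed logins for at least `threshold`
    distinct usernames that are not valid accounts, counted across all services."""
    valid = {u.lower() for u in valid_users}
    trusted = [ipaddress.ip_network(n) for n in allowlist]
    bad_names = defaultdict(set)  # source IP -> invalid usernames it tried
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(4) != "FAIL":
            continue  # unparseable line or successful login
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed source field: never feed it to a firewall
        user = m.group(3).lower()
        if user in valid:
            continue  # real user with a wrong password is not counted
        if any(src in net for net in trusted):
            continue  # never block ranges the remote users connect from
        bad_names[src].add(user)
    hits = [ip for ip, names in bad_names.items() if len(names) >= threshold]
    return [str(ip) for ip in sorted(hits)]

if __name__ == "__main__":
    for ip in find_sources_to_block(SAMPLE_LOG, ["jase"], ["192.0.2.0/24"]):
        print(ip)
```

The returned addresses are meant to be loaded into the deny list of whatever firewall sits at the network gateway, so the dropping happens there rather than on the server.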
jaseinatl

ASKER
Talk to me. Give me some suggestions for a "real firewall". We don't have a lot of money, so cost is important. Thanks for the reply.

Jase
ASKER CERTIFIED SOLUTION
mpfticom
