Any way to block hackers & their IP addresses?

Experts:
One of my managed SBS 2003 servers gets hackers attempting to break in every day!
Any way to block the hacker(s) and their IP address(es)?
Please reply,
thanks!
samntlam Asked:
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
SBS 2003 Premium with ISA will give you the ability to set up block lists.
Do you have ISA?
Otherwise, an intelligent firewall device that has the ability to establish connectivity rules would do.
 SonicWall
 Calyptix
 Untangle (Somewhat freeware)
Philip
0

 
samntlam (Author) Commented:
MPECSInc,
Thank you for the prompt reply.
No, I do not have ISA on this box.
The first two devices, I assume, are hardware?
The last one is software, right?
If I only have the choice of software and do not want anything "free" or freeware,
would you recommend legitimate software that does not have any conflict with Symantec antivirus (corporate edition) / antispam (Symantec Mail Security for Exchange) running on this Exchange server?
Please reply!
0
 
Andrew Davis, Manager, Commented:
IMHO hardware is always the best. I would talk to whoever manages your existing router/firewall and ask them to block it; if your router does not have this feature then get a new router. This feature is pretty basic and is standard on just about every router I have ever seen from $100 up.

Of course the problem is that the hacker will probably simply move to a new IP and continue attempting, in which case you could look at blocking a range from the originating country.

What are they trying to hack? Usually it is FTP services; for that reason I usually house my FTP on a standalone PC and then the attempts don't degrade the server performance. Or you could simply change the port that FTP is using, and as long as the clients know then life will be good; this will defeat most auto hackers that are simply looking for the open port and then trying random user/passwords.

0
 
samntlam (Author) Commented:
AndrewJDavis:
The router came from Verizon DSL.
It is too much to ask Verizon to switch/change, since the static IP they assigned has already been set up and delivered.

My question is, how do they know this box's static IP?
From the internet community, where & how does it show or tell these hateful hackers the server's IP address?

Does the server tell everybody once the software's been installed and built?

I can't seem to understand how they saw it, and the amazing thing was, they even knew which port (RDP) to try and connect to! That's the most unbelievable thing for me to even accept until this day!

(I've changed the port on RDP)
Sam
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
SonicWall is hardware based, and their more advanced lines will provide the functionality you are looking for. That would be the direction I would go in with no ISA in place.
The SonicWall is a stand-alone hardware product. Keep in mind that it, and products like it, require a fairly steep learning curve to "drive" them. An improperly configured firewall device, hardware or software, is practically the same as running none at all.
Philip
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
Changing the port for RDP is no good. Look up TSGrinder, which is probably what you are dealing with. It will sniff all 65K+ ports for a listening TS box and start grinding.

Close 3389 and use the Remote Web Workplace as your TS proxy. It is built-in and SSL secured! You are using Remote Web Workplace in SBS, are you not?

Philip
0
 
samntlam (Author) Commented:
Philip:
That's why my profile shows as "beginner",
but I am not afraid to ask, because I will read and study from all your expert comments,
and for me to do that is to try from my own box instead of from the client's.
That would be my last thing to do, to break anything, before I even consider myself not a beginner any more!

Anyway, I need to block these hackers but I am running short (on knowledge) and out of resources (small client & no more expense!).

Anything you can suggest and recommend in between (not) expensive - (not) free?
I am sorry if I give any hard time in my response!
Sam
0
 
samntlam (Author) Commented:
"Changing the port for RDP is no good. Look up TSGrinder, which is probably what you are dealing with. It will sniff all 65K+ ports for a listening TS box and start grinding."

I should have refreshed the page before I posted my reply! I will do that now...
Changing the port was because it got out of control from many hackers and hacking...
(when I read the daily server report). That's why I made the change.

"Close 3389 and use the Remote Web Workplace as your TS proxy. It is built-in and SSL secured! You are using Remote Web Workplace in SBS, are you not?"

Yes, the server was running RWW - but I disabled RWW because I thought that could be the problem!

So, could you please direct me on how to "close" port 3389? (I didn't know I could close it?)
Of course, I will try to see if I can remote in using RWW before I close that port!

Please reply,
thanks!


0
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
Yes, you need to run the CEICW: To Do --> Connect to the Internet to get things working right. There should be a check mark for Terminal Services there.

Turn off port forwarding for 3389 on your firewall device if you have one.

Philip
0
 
samntlam (Author) Commented:
Okay! I know that one. Just uncheck TS and check RWW.

But to turn off port forwarding on port 3389 - I don't have a firewall device, and if I do, does it only let you set up a port to enable but not disable? Or how do you disable it (port 3389) if there's no such port listed? Correct me if I am wrong.
Thanks!
Sam
0
 
samntlam (Author) Commented:
Philip:
I got RWW running and it is being tested now...

Quick question:
if I don't see a check mark in the process of running CEICW (why?),
how do I disable TS, if there's another way?
Please reply!

0
 
Andrew Davis, Manager, Commented:
Right-click on "My Computer" and go to Properties. Then go to the Remote tab and uncheck the option to allow connecting remotely.
However, I would be getting a router/firewall to provide some protection; a basic one will only cost about $100 and will allow you to block all but essential ports.
As for how they found it, they probably simply stumbled across it and then set to work trying to break in.

What country are you in?
That way I can look at what's available to you that is cheap.

Security costs money, and here $100 is about 1 hour's labour of a basic tech, so it wouldn't even be worth playing around with software fixes.
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
You will not be able to disable TS on the SBS box. It is used for remote admin via the RWW too.
Which check mark was missing?
Philip
0
 
samntlam (Author) Commented:
AndrewJDavis:
I am here in the U.S. (English is my 2nd language).
I just did that last night... (unchecked remote connection) but only temporarily, because I locked myself out of communicating with the server.

Verizon did provide this company a router (Westel), the latest one with wireless, but I forget the model # and will get that when I visit that office this Sat.

In terms of the firewall that came with that router, it does have some settings, but I can't find anything that allows me to block specific IP addresses (I am sure you know I wasn't referring to the router, but to me - lack of knowledge!).

I agree with your recommendation, except I am not ready to do so for now... need to find time to study - learn... and I don't have it!

-----

"MPECSInc:
Yes, you need to run the CEICW: To Do --> Connect to the Internet to get things working right. There should be a check mark for Terminal Services there."

I got the RWW working and tested.

"Turn off port forwarding for 3389 on your firewall device if you have one."

I can't seem to find anything in the modem/router provided by Verizon?

And, as you mentioned:
"Close 3389 and use the Remote Web Workplace as your TS proxy. It is built-in and SSL secured! You are using Remote Web Workplace in SBS, are you not?"
I had RWW running but wasn't sure when you referred to using RWW instead of RDP - TS
to log in to the server, as I thought there were ways to stop / disable / block an outside intruder attempting to RDP into the server, and for me to just use RWW instead of RDP - TS!

Again, you just told me that there's no way to disable RDP - TS.
I just need to get - find something else...
Sam
0
 
samntlam (Author) Commented:
Philip:
Sorry... the check mark that gives you an option to uncheck or check Terminal Server
wasn't there in CEICW? (SBS 2003 R1)
Sam
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
RDP-TS is used to manage the server.
In the CEICW steps:
http://www.sbs-rocks.com/sbs2k3/sbs2k3-n2.htm

Note Services Configuration!!!

It has a check mark or NOT beside Terminal Services. UNCHECK this option during the CEICW and the server will close 3389 to the world!

Philip
0
 
samntlam (Author) Commented:
Philip:
All noted.
I think I missed one step when I clicked & viewed the link you provided; I will double-check again! But I have to do this on the weekend, because I unchecked the remote connection on the server a day ago as I mentioned.

And guys, I bought a used PIX-501 on eBay (it came with power but no SW - manual - cables?). I really appreciate your suggestions or some direction, and will try googling myself.

I still have one more concern. Even though I stopped the remote connection in... there's still an attempted login (invalid login) onto the server. Why?

(Or, does this have to be another open question - ticket opened?)

-------
 Logon Failure:    Reason: Unknown user name or bad password    
User Name: administrator    
Domain: xx.xxx.xxx.xxx (IP address removed)    
Logon Type: 3    
Logon Process: NtLmSsp    
Authentication Package: NTLM    
Workstation Name: S15312629    
Caller User Name: -    
Caller Domain: -    
Caller Logon ID: -    
Caller Process ID: -    
Transited Services: -    
Source Network Address: xxx.xxx.xxx.xx (hacker IP address removed)    
Source Port: 2363
--------

Sam
0
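The event text Sam quoted is a Windows Server 2003 security-log "Logon Failure" record (Event ID 529). As an added example, not code from anyone in this thread, here is a small parser that tallies such records per source address and user name, keeping only Logon Type 3 (network logons) by default, so the daily report shows which addresses are doing the guessing. The sample entries and their addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Event ID 529 text quoted in the
# post above; the addresses and user names are made up for illustration.
SAMPLE_LOG = """\
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: administrator
    Logon Type: 3
    Authentication Package: NTLM
    Source Network Address: 203.0.113.7
    Source Port: 2363
Logon Failure:
    User Name: admin
    Logon Type: 3
    Source Network Address: 203.0.113.7
Logon Failure:
    User Name: jsmith
    Logon Type: 2
    Source Network Address: 192.0.2.10
"""

FIELD = re.compile(r"^\s*(User Name|Logon Type|Source Network Address):\s*(.*?)\s*$", re.M)

def parse_failures(text):
    """One dict of the interesting fields per 'Logon Failure:' block."""
    return [dict(FIELD.findall(block)) for block in text.split("Logon Failure:")[1:]]

def failures_by_source(events, network_only=True):
    """Map source address -> (attempt count, sorted user names tried).
    Logon Type 3 is a network logon (e.g. SMB/NTLM); type 2 is an interactive console logon."""
    out = defaultdict(lambda: [0, set()])
    for ev in events:
        if network_only and ev.get("Logon Type") != "3":
            continue  # console failures are not remote guessing; skip them
        src = ev.get("Source Network Address", "-")
        out[src][0] += 1
        out[src][1].add(ev.get("User Name", "?"))
    return {src: (n, sorted(users)) for src, (n, users) in out.items()}

def flag_sources(summary, threshold=2):
    """Addresses with at least `threshold` failures, most active first."""
    hits = [(n, src) for src, (n, _) in summary.items() if n >= threshold]
    return [src for n, src in sorted(hits, reverse=True)]

if __name__ == "__main__":
    summary = failures_by_source(parse_failures(SAMPLE_LOG))
    for src in flag_sources(summary):
        print(f"{src}: {summary[src][0]} failed network logons, users tried: {summary[src][1]}")
```

The addresses this flags are the ones worth putting in a firewall block list (and the user names tried show whether the built-in Administrator account is the target).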
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
From now on, you need to make sure that you have good password policies in place.

For our clients, their username is always FirstLast. A passphrase is required with complexity at a minimum 10 characters. The passwords rotate once every 45 to 75 days depending on the client.

Philip
0
 
Andrew Davis, Manager, Commented:
Another good policy is to change the Administrator username. It is easy to do at the time of setting up the domain, but if you want to do it now then you will have to be aware that any services or apps that run under this account may stop working until you reset them to use the new account name.
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
Better to create a new domain admin account with a new user name and disable the default 500 admin account as per Microsoft Security Best Practices.

SBS 2008 does this out of the box.

Philip
0
 
samntlam (Author) Commented:
Philip:
I don't have the "enable" firewall configuration, due to only one NIC adapter for this server!
Port (RDP) can't be closed and it looks like this is it!
Any suggestion?
Thanks!
0
 
intekra Commented:
You need to close port 3389 on that PIX 501!

0
 
samntlam (Author) Commented:
I just bought it (still need to do some study - plus there's no software or manual that came with it), but that's okay, because I need to work on that PIX-501, and maybe in a couple of months I will have a clue on how to...
Thanks!
0
 
Philip Elder, Technical Architect - HA/Compute/Storage, Commented:
The only way TS 3389 is coming in is via your router having a port forward rule in it. I have seen ADSL modems that have routers built in. You may have one of those. Open a web browser and type the IP of the router in the address bar, and I bet you get a logon screen.
If you don't know the password, there should be a little hidden recessed button on the modem/router to reset it. Keep in mind that resetting it will also kill your 443, 25, 1723 port forwarding.
So, make sure to have the manual available for your particular model. It will contain the way to log on with the default admin/password and how to set up port forwarding.
Use the Change IP wizard to change the server's IP. The port forwarding is set to the current server's IP. Changing it will eliminate that problem temporarily.
Reboot the clients after changing the IP so that they pick up the new settings.
Philip
0
 
samntlam (Author) Commented:
I have the router and I did set up those port forwardings (25, 443, 4125, etc...).
I only saw ports to be enabled in port forwarding but not disabled in this router (Westel),
and the firewall was completely unreliable! & there was no custom one for me to add/edit/modify.
For instance, I set the firewall to MAX (it still allowed me to run anything I want!!!).

That's why I couldn't perform - do the work I want...
And now I just got this PIX-501 (still need to order other accessories on eBay), waiting to go to the next level - in the meanwhile, getting attacked, attacked and attacked!

I thought I could take advantage of the method mentioned (close - shut down port 3389);
it turns out I must face and accept it for now... (more invalid login logs every day...)
Very frustrated.
0