Solved

Anyway to block hacker & their IP addresses?

Posted on 2008-10-07
Last Modified: 2008-10-12
Experts:
One of the managed SBS2003 servers gets a hacker attempting to hack in every day!
Is there any way to block the hacker(s) and their IP address(es)?
Please reply,
thanks!
Question by:samntlam
25 Comments

LVL 38

Accepted Solution

by:
Philip Elder earned 350 total points
ID: 22665685
SBS 2003 Premium with ISA will give you the ability to set up block lists.
Do you have ISA?
Otherwise, an intelligent firewall device that has the ability to establish connectivity rules would do:
SonicWall
Calyptix
Untangle (somewhat freeware)
Philip

Author Comment

by:samntlam
ID: 22665726
MPECSInc,
Thank you for the prompt reply.
No, I do not have ISA on this box.
The first two devices, I assume, are hardware?
The last one is software, right?
If I only have the choice of software and do not want anything "free" or freeware,
would you recommend legitimate software that does not have any conflict with Symantec antivirus (corporate edition) / antispam (Symantec Mail Security for Exchange) running on this Exchange server?
Please reply!

LVL 18

Assisted Solution

by:Andrew Davis
Andrew Davis earned 125 total points
ID: 22665793
IMHO hardware is always the best. I would talk to whoever manages your existing router/firewall and ask them to block it; if your router does not have this feature then get a new router. This feature is pretty basic and is standard on just about every router I have ever seen from $100 up.

Of course the problem is that the hacker will probably simply move to a new IP and continue attempting, in which case you could look at blocking a range from the originating country.

What are they trying to hack? Usually it is FTP services; for that reason I usually house my FTP on a standalone PC and then the attempts don't degrade the server performance. Or you could simply change the port that FTP is using, and as long as the clients know then life will be good. This will defeat most auto hackers that are simply looking for the open port and then trying random user/passwords.


Author Comment

by:samntlam
ID: 22665844
AndrewJDavis:
The router came from Verizon DSL.
It is too much to ask Verizon to switch/change, since the static IP they assigned has already been done and delivered.

My question is, how do they know this box's static IP?
From the internet community, where and how does it show or tell these hateful hackers the server's IP address?

Does the server tell everybody once the software has been installed and built?

I can't seem to understand how they saw it, and the amazing thing was, they even knew which port (RDP) to try and connect to! That's the most unbelievable thing for me to even accept until this day!

(I've changed the port on RDP.)
Sam

LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 350 total points
ID: 22665847
SonicWall is hardware based, and their more advanced lines will provide the functionality you are looking for. That would be the direction I would go in with no ISA in place.
The SonicWall is a stand-alone hardware product. Keep in mind that it, and products like it, require a fairly steep learning curve to "drive" them. An improperly configured firewall device, hardware or software, is practically the same as running none at all.
Philip

LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 350 total points
ID: 22665856
Changing the port for RDP is no good. Look up TSGrinder, which is probably what you are dealing with. It will sniff all 65K+ ports for a listening TS box and start grinding.

Close 3389 and use the Remote Web Workplace as your TS proxy. It is built-in and SSL secured! You are using Remote Web Workplace in SBS are you not?

Philip

Author Comment

by:samntlam
ID: 22665872
Philip:
That's why my profile shows as "beginner",
but I am not afraid to ask, because I will read and study from all your experts' comments,
and for me to do that is to try on my own box instead of the client's.
That would be my last thing to do, to break anything, before I even consider myself not a beginner any more!

Anyway, I need to block these hackers, but I am running short (on knowledge) and out of resources (small client and no more expense!).

Anything you can suggest and recommend in between (not) expensive and (not) free?
I am sorry if I give you any hard time in my response!
Sam

Author Comment

by:samntlam
ID: 22665994
"Changing the port for RDP is no good. Look up TSGrinder, which is probably what you are dealing with. It will sniff all 65K+ ports for a listening TS box and start grinding."

I should have refreshed the page before I posted my reply! I will do that now...
Changing the port was because it got out of control from many hackers and hacking
(when I read the daily server report); that's why I made the change.

"Close 3389 and use the Remote Web Workplace as your TS proxy. It is built-in and SSL secured! You are using Remote Web Workplace in SBS are you not?"

Yes, the server was running RWW, but I disabled RWW because I thought that could be the problem!

So, could you please direct me on how to "close" port 3389? (I didn't know I could close it.)
Of course, I will try to see if I can remote in using RWW before I close that port!

Please reply,
thanks!

LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 350 total points
ID: 22666042
Yes, you need to run the CEICW: To Do --> Connect to the Internet to get things working right. There should be a check mark for Terminal Services there.

Turn off port forwarding for 3389 on your firewall device if you have one.

Philip

Author Comment

by:samntlam
ID: 22666061
Okay! I know that one. Just uncheck TS and check RWW.

But to turn off port forwarding on port 3389: I don't have a firewall device, and if I did, does it only let you set up a port to enable but not disable? Or how do you disable it (port 3389) if there's no such port listed? Correct me if I am wrong.
Thanks!
Sam

Author Comment

by:samntlam
ID: 22666155
Philip:
I got RWW running and it is being tested now...

Quick question:
If I don't see a check mark in the process of running CEICW (why?),
how do I disable TS, if there's another way?
Please reply!

LVL 18

Assisted Solution

by:Andrew Davis
Andrew Davis earned 125 total points
ID: 22666861
Right-click on "My Computer" and go to Properties, then go to the Remote tab and uncheck the "allow to connect remotely" option.
However I would be getting a router/firewall to provide some protection. A basic one will only cost about $100 and will allow you to block all but essential ports.
As for how they found it: they probably simply stumbled across it and then set to work trying to break in.

What country are you in?
That way I can look at what's available to you that is cheap.

Security costs money, and here $100 is about 1 hour's labour of a basic tech, so it wouldn't even be worth playing around with software fixes.

LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 350 total points
ID: 22669844
You will not be able to disable TS on the SBS box. It is used for remote admin via the RWW too.
Which check mark was missing?
Philip

Author Comment

by:samntlam
ID: 22670740
AndrewJDavis:
I am here in the U.S. (English is my 2nd language).
I just did that last night (unchecked remote connection), but only temporarily, because I locked myself out of communicating with the server.

Verizon did provide this company a router (Westell), the latest one with wireless, but I forget the model # and will get that when I visit that office this Saturday.

In terms of the firewall that came with that router, it does have some settings, but I can't find anything that allows me to block specific IP addresses (I am sure you know I wasn't referring to the router, but to me, for lack of knowledge!).

I agree with your recommendation, except I am not ready to do so for now... I need to find time to study and learn, and I don't have it!

-----

"MPECSInc:
Yes, you need to run the CEICW: To Do --> Connect to the Internet to get things working right. There should be a check mark for Terminal Services there."

I got the RWW working and tested.

"Turn off port forwarding for 3389 on your firewall device if you have one."

I can't seem to find anything in the modem/router provided by Verizon.

And, as you mentioned:
"Close 3389 and use the Remote Web Workplace as your TS proxy. It is built-in and SSL secured! You are using Remote Web Workplace in SBS are you not?"
I had RWW running, but wasn't sure when you referred to using RWW instead of RDP/TS
to log in to the server, as I thought there were ways to stop / disable / block an outside intruder attempting to RDP into the server, and for me to just use RWW instead of RDP/TS!

Again, you just told me that there's no way to disable RDP/TS.
I just need to get and find something else...
Sam

Author Comment

by:samntlam
ID: 22670753
Philip:
Sorry... the check mark that gives you an option to check or uncheck Terminal Server
wasn't there in CEICW? (SBS2003 R1)
Sam

LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 350 total points
ID: 22673293
RDP-TS is used to manage the server.
In the CEICW steps:
http://www.sbs-rocks.com/sbs2k3/sbs2k3-n2.htm

Note Services Configuration!!!

It has a check mark or NOT beside Terminal Services. UNCHECK this option during the CEICW and the server will close 3389 to the world!

Philip

Author Comment

by:samntlam
ID: 22680853
Philip:
All noted.
I think I missed one step when I clicked and viewed the link you provided; I will double check again! But I have to do this on the weekend, because I unchecked the remote connection on the server a day ago, as I mentioned.

And guys, I bought a used PIX-501 on eBay (it came with power but no software, manual or cables?). I really appreciate your suggestions or some direction, and will try googling myself.

I still have one more concern. Even though I stopped the remote connection in... there's still an attempted login (invalid login) onto the server. Why?

(Or, if this has to be another open question / ticket?)

-------
Logon Failure:    Reason: Unknown user name or bad password
User Name: administrator
Domain: xx.xxx.xxx.xxx (IP address removed)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: S15312629
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: xxx.xxx.xxx.xx (hacker IP address removed)
Source Port: 2363
--------

Sam
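An added example (not from the thread or from any of its participants): a small Python script that parses failed-logon events in the layout Sam pasted above and groups the network failures (Logon Type 3, the type shown in his event) by Source Network Address, so a single address hammering the administrator account stands out in the daily report. The sample events, addresses and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the event pasted in the thread, cut
# down to the fields used here; the addresses and user names are made up.
SAMPLE_EVENTS = """\
Logon Failure: Reason: Unknown user name or bad password
User Name: administrator
Logon Type: 3
Source Network Address: 203.0.113.10
--------
Logon Failure: Reason: Unknown user name or bad password
User Name: admin
Logon Type: 3
Source Network Address: 203.0.113.10
--------
Logon Failure: Reason: Unknown user name or bad password
User Name: sam
Logon Type: 2
Source Network Address: 192.168.1.20
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split a pasted dump on '--------' separators; each block becomes a dict."""
    events = []
    for block in re.split(r"^-{4,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events

def suspicious_sources(text, threshold=2):
    """Group Logon Type 3 (network) failures, the type in the thread's event, by
    Source Network Address; return sources at/over threshold with users tried."""
    by_src = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ev in parse_events(text):
        if ev.get("Logon Type") != "3":
            continue  # local/interactive failures are not remote guessing
        entry = by_src[ev.get("Source Network Address", "-")]
        entry["attempts"] += 1
        entry["users"].add(ev.get("User Name", "?"))
    return {ip: {"attempts": e["attempts"], "users": sorted(e["users"])}
            for ip, e in by_src.items() if e["attempts"] >= threshold}
```

On the real server the same grouping can be run over the failed-logon entries exported from the Security event log; the source that keeps retrying the administrator account from one address is the one to block at the router or the PIX.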

LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 350 total points
ID: 22680965
From now on, you need to make sure that you have good password policies in place.

For our clients, their username is always FirstLast. A passphrase is required, with complexity and a minimum of 10 characters. The passwords rotate once every 45 to 75 days depending on the client.

Philip

LVL 18

Assisted Solution

by:Andrew Davis
Andrew Davis earned 125 total points
ID: 22683269
Another good policy is to change the Administrator username. It is easy to do at the time of setting up the domain, but if you want to do it now then you will have to be aware that any services or apps that run under this account may stop working until you reset them to use the new account name.

LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 350 total points
ID: 22683318
Better to create a new domain admin account with a new user name and disable the default 500 admin account as per Microsoft Security Best Practices.

SBS 2008 does this out of the box.

Philip

Author Comment

by:samntlam
ID: 22688040
Philip:
I don't have the "enable" firewall configuration, due to there being only one NIC adapter for this server!
Port (RDP) can't be closed, and it looks like this is it!
Any suggestion?
Thanks!

LVL 5

Assisted Solution

by:intekra
intekra earned 25 total points
ID: 22689033
You need to close port 3389 on that PIX 501!


Author Comment

by:samntlam
ID: 22689175
I just bought it (I still need to do some study, plus there's no software or manual that came with it), but that's okay, because I need to work on that PIX-501, and maybe in a couple of months I will have a clue on how to...
Thanks!

LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 350 total points
ID: 22692330
The only way TS 3389 is coming in is via your router having a port forward rule in it. I have seen ADSL modems that have routers built in. You may have one of those. Open a Web browser and type the IP of the router in the address bar and I bet you get a logon screen.
If you don't know the password, there should be a little hidden recessed button on the modem/router to reset it. Keep in mind that resetting it will also kill your 443, 25, 1723 port forwarding.
So, make sure to have the manual available for your particular model. It will contain the way to logon with the default admin/password and how to setup port forwarding.
Use the Change IP wizard to change the server's IP. The port forwarding is set to the current server's IP. Changing it will eliminate that problem temporarily.
Reboot the clients after changing the IP so that they pick up the new settings.
Philip

Author Comment

by:samntlam
ID: 22692631
I have the router and I did set up those port forwardings (25, 443, 4125, etc...).
I only saw ports to be enabled in port forwarding, but not disabled, in this router (Westell),
and the firewall was completely unreliable! And there was no custom one for me to add/edit/modify.
For instance, I set the firewall to MAX (and it still allowed me to run anything I want!!!).

That's why I couldn't perform/do the work I want...
And now I just got this PIX-501 (still need to order other accessories on eBay), waiting to go to the next level; in the meanwhile, I get attack, attack and attack!

I thought I could take advantage of the method mentioned (close/shut down port 3389);
it turns out I must face and accept it for now... (more invalid login logs every day...)
Very frustrated.