  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 889

Security Audit Failures - Brute Force Attack?

I get 1000's of these on my Citrix server daily:

The IPs change so rapidly and are never used twice.  I know this is a brute force attack but I wanted a second opinion from the Experts Exchange gurus.  Also, any suggestions on how to counter or defend this would be greatly appreciated. Thanks in advance...

hornet
--------------------------------start---------------------------
Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff 
Event ID:	539
Date:		4/12/2009
Time:		9:56:50 PM
User:		NT AUTHORITY\SYSTEM
Computer:	
Description:
Logon Failure:
 	Reason:		Account locked out
 	User Name:	ADMIN
 	Domain:	 
 	Logon Type:	3
 	Logon Process:	NtLmSsp 
 	Authentication Package:	NTLM
 	Workstation Name:	\\LOCALHOST
 	Caller User Name:	-
 	Caller Domain:	-
 	Caller Logon ID:	-
 	Caller Process ID: -
 	Transited Services: -
 	Source Network Address:	88.173.116.31
 	Source Port:	0
 
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------end-------------------------


Asked: whitehornet
Carl Webster commented:
What Citrix components are installed on your server?
What is sitting in front of the server?
 
whitehornet (Author) commented:
Citrix Presentation Server 4.5
License Server v11
Web Apps

Sonicwall 2040 is sitting in front of the server.  I have port 80 open on this server for Web Apps to be streamed to clients.

Thanks
 
Carl Webster commented:
That is a very insecure setup you have there.

Citrix recommends that the web interface be installed on a separate server and to use the free Citrix Secure Gateway software to protect the servers.  It will look like this:

Internet -> SW2040 -> port 443-> CSG/WI -> PS4.5 server

Don't use CSG 3.1 as it removed support for streamed apps.

I wrote a 3-part article on implementing CSG/WI and a wildcard SSL cert on a single server.

http://www.dabcc.com/article.aspx?id=10101 is Part 1.
 
whitehornet (Author) commented:
Thank you... I inherited this setup and am trying to convince the owners to purchase a new server, so this helps validate my recommendation.  I will review the article and then comment.  Thanks again...
 
scwoa commented:
In the log above, it states that

>>Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      \\LOCALHOST

NTLM usually means that someone is trying to map a drive.
You should double-check your firewall and make sure that ports 135, 137, 139, and 445 are NOT open to the internet.
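The record in the question and scwoa's reading of it (Logon Type 3, NtLmSsp/NTLM, a source address that changes on every attempt) can be checked mechanically instead of by eye. The following Python script is an added example, not code from this thread or from Citrix: it parses an Event Viewer text export in the same field layout as the posted record, counts failure audits by event ID, target account and source IP, and applies the heuristic the thread describes (many network NTLM failures against one account from many distinct addresses). The sample export it runs on is constructed here with documentation IP ranges and made-up times; Event 529 ("Unknown user name or bad password") is the companion to the 539 lockout event shown on the page. The thresholds in looks_like_brute_force are assumptions to tune for your own volume.

```python
"""Triage a Security-log text export for the lockout/brute-force pattern in the thread.
Added example; the export below is constructed, not a real capture."""
import re
from collections import Counter

# "Name:<whitespace>value" lines. The name is letters/spaces only, so the trailing
# "For more information, see ... http://..." line is never mistaken for a field.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)

# One record in the exact layout of the event posted in the question.
RECORD_TEMPLATE = """\
Event Type:\tFailure Audit
Event Source:\tSecurity
Event Category:\tLogon/Logoff
Event ID:\t{event_id}
Date:\t\t4/12/2009
Time:\t\t{time}
User:\t\tNT AUTHORITY\\SYSTEM
Computer:\tCTXSRV01
Description:
Logon Failure:
 \tReason:\t\t{reason}
 \tUser Name:\t{user}
 \tDomain:\t
 \tLogon Type:\t3
 \tLogon Process:\tNtLmSsp
 \tAuthentication Package:\tNTLM
 \tWorkstation Name:\t\\\\LOCALHOST
 \tCaller User Name:\t-
 \tCaller Process ID: -
 \tSource Network Address:\t{ip}
 \tSource Port:\t0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""


def build_sample_export():
    """Constructed export: 22 failures against ADMIN from 22 distinct IPs (every tenth
    one a 539 lockout, the rest 529 bad-password), plus 2 failures for another user."""
    chunks = []
    for i in range(22):
        event_id, reason = (("539", "Account locked out") if i % 10 == 9
                            else ("529", "Unknown user name or bad password"))
        chunks.append(RECORD_TEMPLATE.format(event_id=event_id, reason=reason, user="ADMIN",
                                             time=f"9:{i:02d}:00 PM", ip=f"203.0.113.{i + 1}"))
    for i in range(2):
        chunks.append(RECORD_TEMPLATE.format(event_id="529", reason="Unknown user name or bad password",
                                             user="jsmith", time=f"10:{i:02d}:00 PM", ip="198.51.100.7"))
    return "".join(chunks)


def parse_events(text):
    """Split an Event Viewer text export into records, one dict of fields per event."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):  # each record starts with Event Type:
        if not chunk.strip():
            continue
        fields = {}
        for name, value in FIELD_RE.findall(chunk):
            fields.setdefault(name.strip(), value)  # keep the first occurrence of a field
        records.append(fields)
    return records


def summarize(records):
    """Count failure audits by event ID, target account and source address."""
    failures = [r for r in records if r.get("Event Type") == "Failure Audit"]
    return {
        "failures": len(failures),
        "by_event": Counter(r.get("Event ID") for r in failures),
        "by_user": Counter(r.get("User Name", "").upper() for r in failures),
        "by_ip": Counter(r.get("Source Network Address", "-") for r in failures),
        # Type 3 = network logon; NTLM over the network is what scwoa's comment points at.
        "ntlm_network": sum(1 for r in failures
                            if r.get("Logon Type") == "3" and r.get("Authentication Package") == "NTLM"),
    }


def looks_like_brute_force(summary, min_failures=20, min_distinct_ips=5):
    """Heuristic (thresholds are assumptions): many network NTLM failures against a single
    account, spread over many distinct source addresses."""
    if summary["failures"] < min_failures or not summary["by_user"]:
        return False
    distinct_ips = [ip for ip in summary["by_ip"] if ip not in ("", "-")]
    _top_user, top_count = summary["by_user"].most_common(1)[0]
    return (len(distinct_ips) >= min_distinct_ips
            and summary["ntlm_network"] >= min_failures
            and top_count >= min_failures)


if __name__ == "__main__":
    s = summarize(parse_events(build_sample_export()))
    print(f"{s['failures']} failure audits, {len(s['by_ip'])} distinct source IPs")
    print("by event ID:", dict(s["by_event"]))
    print("by account :", dict(s["by_user"]))
    print("brute force pattern:", looks_like_brute_force(s))
```

To run it against a real export, save the Event Viewer log as text, read the file and pass its contents to parse_events in place of build_sample_export(); the by_ip counter is what you would feed to a firewall block list, and the 539 count per account tells you which accounts are being locked out.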
