Solved

Security Audit Failures - Brute Force Attack?

Posted on 2009-04-13
Last Modified: 2013-11-16
I get 1000's of these on my Citrix server daily:

The IPs change so rapidly and are never used twice.  I know this is a brute force attack but I wanted a second opinion from the Experts Exchange gurus.  Also, any suggestions on how to counter or defend this would be greatly appreciated. Thanks in advance...

hornet
--------------------------------start---------------------------
Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff
Event ID:	539
Date:		4/12/2009
Time:		9:56:50 PM
User:		NT AUTHORITY\SYSTEM
Computer:	
Description:
Logon Failure:
 	Reason:		Account locked out
 	User Name:	ADMIN
 	Domain:	 
 	Logon Type:	3
 	Logon Process:	NtLmSsp
 	Authentication Package:	NTLM
 	Workstation Name:	\\LOCALHOST
 	Caller User Name:	-
 	Caller Domain:	-
 	Caller Logon ID:	-
 	Caller Process ID: -
 	Transited Services: -
 	Source Network Address:	88.173.116.31
 	Source Port:	0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------end-------------------------

Question by:whitehornet
LVL 36

Expert Comment

by:Carl Webster
ID: 24130640
What Citrix components are installed on your server?
What is sitting in front of the server?
0
 

Author Comment

by:whitehornet
ID: 24130676
Citrix Presentation Server 4.5
License Server v11
Web Apps

Sonicwall 2040 is sitting in front of the server.  I have port 80 open on this server for Web Apps to be streamed to clients.

Thanks
0
 
LVL 36

Expert Comment

by:Carl Webster
ID: 24130733
That is a very unsecure setup you have there.

Citrix recommends that the web interface be installed on a separate server and to use the free Citrix Secure Gateway software to protect the servers.  It will look like this:

Internet -> SW2040 -> port 443-> CSG/WI -> PS4.5 server

Don't use CSG 3.1 as it removed support for streamed apps.

I wrote a 3-part article on implementing CSG/WI and a wildcard ssl cert on a single server.

http://www.dabcc.com/article.aspx?id=10101 is Part 1.
0
 

Author Comment

by:whitehornet
ID: 24130749
Thank you... I inherited this setup and am trying to convince the owners to purchase a new server so this helps validate my recommendation.  I will review the article and then comment.  Thanks again...
0
 
LVL 3

Accepted Solution

by:
scwoa earned 500 total points
ID: 24274499
In the log above, it states that

>>Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      \\LOCALHOST

NTLM usually means that someone is trying to map a drive.
You should double check your firewall and make sure that ports 135, 137, 139, and 445 are NOT open to the internet.
0
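
An added example, not part of the thread or written by any participant: a Python sketch that parses event text in the field layout shown in the question and tallies failed logons by account and source address, including how many Logon Type 3 failures come from non-private addresses. The sample records, the `jsmith` account and the inclusion of event 529 are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# 539 is the event in the post; 529 (bad user name/password) is an added assumption.
FAILURE_IDS = {"529", "539"}
# RFC 1918 and loopback ranges are treated as internal sources.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_events(text):
    events, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Event Type":   # first field of each record
            cur = {}
            events.append(cur)
        elif sep and cur is not None:
            cur[key.strip()] = value.strip()
    return events

def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None                                # empty or "-" field
    return any(ip in net for net in INTERNAL)

def summarize(events):
    """Count failures, targeted accounts, and how often each source recurs."""
    fails = [e for e in events if e.get("Event ID") in FAILURE_IDS]
    per_ip = Counter(e.get("Source Network Address", "") for e in fails)
    external = [e for e in fails if e.get("Logon Type") == "3"
                and is_internal(e.get("Source Network Address", "")) is False]
    return {"failures": len(fails),
            "accounts": Counter(e.get("User Name", "") for e in fails),
            "distinct_sources": len(per_ip),
            "single_use_sources": sum(1 for n in per_ip.values() if n == 1),
            "external_network_logons": len(external)}

# Constructed sample in the post's field layout (documentation-range addresses).
ROWS = [("539", "ADMIN", "203.0.113.10"), ("539", "ADMIN", "203.0.113.11"),
        ("539", "ADMIN", "198.51.100.7"), ("539", "ADMIN", "198.51.100.7"),
        ("529", "jsmith", "192.168.1.20")]
SAMPLE = "".join("Event Type:\tFailure Audit\nEvent ID:\t%s\n \tUser Name:\t%s\n"
                 " \tLogon Type:\t3\n \tSource Network Address:\t%s\n" % r
                 for r in ROWS)

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```

A high ratio of single-use sources to total failures against one account matches the pattern described in the question, and a non-zero external count means network logons are reaching the server from outside.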
