Solved

Security Audit Failures - Brute Force Attack?

Posted on 2009-04-13
860 Views
Last Modified: 2013-11-16
I get 1000s of these on my Citrix server daily:

The IPs change so rapidly and are never used twice.  I know this is a brute force attack but I wanted a second opinion from the Experts Exchange gurus.  Also, any suggestions on how to counter or defend against this would be greatly appreciated. Thanks in advance...

hornet
--------------------------------start---------------------------
Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff
Event ID:	539
Date:		4/12/2009
Time:		9:56:50 PM
User:		NT AUTHORITY\SYSTEM
Computer:	
Description:
Logon Failure:
 	Reason:		Account locked out
 	User Name:	ADMIN
 	Domain:	 
 	Logon Type:	3
 	Logon Process:	NtLmSsp 
 	Authentication Package:	NTLM
 	Workstation Name:	\\LOCALHOST
 	Caller User Name:	-
 	Caller Domain:	-
 	Caller Logon ID:	-
 	Caller Process ID: -
 	Transited Services: -
 	Source Network Address:	88.173.116.31
 	Source Port:	0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------end-------------------------

Question by:whitehornet
6 Comments
 
LVL 36

Expert Comment

by:Carl Webster
What Citrix components are installed on your server?
What is sitting in front of the server?
 

Author Comment

by:whitehornet
Citrix Presentation Server 4.5
License Server v11
Web Apps

Sonicwall 2040 is sitting in front of the server.  I have port 80 open on this server for Web Apps to be streamed to clients.

Thanks
 
LVL 36

Expert Comment

by:Carl Webster
That is a very insecure setup you have there.

Citrix recommends that the web interface be installed on a separate server and that the free Citrix Secure Gateway software be used to protect the servers.  It will look like this:

Internet -> SW2040 -> port 443 -> CSG/WI -> PS4.5 server

Don't use CSG 3.1 as it removed support for streamed apps.

I wrote a 3-part article on implementing CSG/WI and a wildcard SSL cert on a single server.

http://www.dabcc.com/article.aspx?id=10101 is Part 1.
 

Author Comment

by:whitehornet
Thank you... I inherited this setup and am trying to convince the owners to purchase a new server, so this helps validate my recommendation.  I will review the article and then comment.  Thanks again...
 
LVL 3

Accepted Solution

by: scwoa (earned 500 total points)
In the log above, it states that

>>Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      \\LOCALHOST

NTLM usually means that someone is trying to map a drive.
You should double check your firewall and make sure that ports 135, 137, 139, and 445 are NOT open to the internet.
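Added example, not code from the original thread: a Python script that parses Security-log records pasted in the same "Key:<tab>Value" layout as the Event ID 539 record in the question and summarises failures per target account, so a flood of lockouts from ever-changing addresses can be told apart from one LAN user mistyping a password, and so the point made in the accepted answer (NTLM network logons reaching the host from outside) can be checked directly from the Source Network Address field. The sample records, the internal-network list, the thresholds and the user "jsmith" are constructed for this example (documentation address ranges are used for the sources); the Event ID 529 "bad password" records are likewise constructed, not taken from the thread.

```python
"""Added example (not from the thread): summarise Windows Security
'Failure Audit' records per target account and flag guessing patterns."""
import ipaddress
import re
from collections import defaultdict

# Assumed: what counts as "inside" for this server. Anything else is
# treated as an external (Internet-side) source address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "Key:<tab>Value" lines as produced by an Event Viewer copy/paste.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")

LOCKED = "Account locked out"
BADPW = "Unknown user name or bad password"


def _record(event_id, reason, user, src, logon_type="3"):
    """Format one record in the same layout as the log in the question."""
    return (f"Event Type:\tFailure Audit\n"
            f"Event Source:\tSecurity\n"
            f"Event ID:\t{event_id}\n"
            f"Description:\nLogon Failure:\n"
            f" \tReason:\t\t{reason}\n"
            f" \tUser Name:\t{user}\n"
            f" \tLogon Type:\t{logon_type}\n"
            f" \tLogon Process:\tNtLmSsp \n"
            f" \tAuthentication Package:\tNTLM\n"
            f" \tWorkstation Name:\t\\\\LOCALHOST\n"
            f" \tSource Network Address:\t{src}\n"
            f" \tSource Port:\t0\n")


# Constructed sample: three lockouts against ADMIN from three different
# external addresses, one bad password against ADMIN from the LAN, and
# one bad password from a LAN user who simply mistyped.
SAMPLE_LOG = "".join([
    _record(539, LOCKED, "ADMIN", "192.0.2.10"),
    _record(539, LOCKED, "ADMIN", "198.51.100.7"),
    _record(539, LOCKED, "ADMIN", "203.0.113.44"),
    _record(529, BADPW, "ADMIN", "10.1.1.25"),
    _record(529, BADPW, "jsmith", "10.1.1.40"),
])


def parse_events(text):
    """Split pasted records on 'Event Type' and collect each one's fields."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Event Type":
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events


def is_external(ip):
    """True for a parseable address outside INTERNAL_NETS ('-' is not)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def summarize(events):
    """Per target account: failure count, distinct/external sources, reasons."""
    per_user = defaultdict(lambda: {"failures": 0, "sources": set(),
                                    "external": set(), "reasons": set()})
    for ev in events:
        if ev.get("Event Type") != "Failure Audit":
            continue
        s = per_user[ev.get("User Name", "?").upper()]
        src = ev.get("Source Network Address", "-")
        s["failures"] += 1
        s["sources"].add(src)
        s["reasons"].add(ev.get("Reason", "-"))
        if is_external(src):
            s["external"].add(src)
    return dict(per_user)


def assess(summary, min_failures=10, min_sources=5):
    """Findings per account; an empty list means nothing notable.
    The thresholds are assumed starting points, tune them to the site."""
    findings = {}
    for user, s in summary.items():
        notes = []
        if s["failures"] >= min_failures and len(s["sources"]) >= min_sources:
            notes.append("password guessing from many addresses")
        if s["external"]:
            notes.append("NTLM logon attempts arrive from outside the LAN")
        if LOCKED in s["reasons"]:
            notes.append("account is locked out; guessing now denies service")
        findings[user] = notes
    return findings


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for user, notes in assess(summary, min_failures=3, min_sources=3).items():
        s = summary[user]
        print(f"{user}: {s['failures']} failures from {len(s['sources'])} "
              f"addresses ({len(s['external'])} external)")
        for n in notes:
            print("  -", n)
```

To use it on real data, pass the exported records (the Event Viewer text, concatenated) to parse_events instead of SAMPLE_LOG and raise the thresholds to fit the daily volume. The "external" set is the practical check on the accepted answer: any Logon Type 3 NTLM failure whose Source Network Address is outside the LAN means some service that accepts NTLM authentication is reachable from that address, whatever the firewall rule for port 80 was meant to allow.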
