Solved

Security Audit Failures - Brute Force Attack?

Posted on 2009-04-13
867 Views
Last Modified: 2013-11-16
I get 1000's of these on my Citrix server daily:

The IPs change so rapidly and are never used twice.  I know this is a brute force attack but I wanted a second opinion from the Experts Exchange gurus.  Also, any suggestions on how to counter or defend against this would be greatly appreciated. Thanks in advance...

hornet
--------------------------------start---------------------------
Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff 
Event ID:	539
Date:		4/12/2009
Time:		9:56:50 PM
User:		NT AUTHORITY\SYSTEM
Computer:	
Description:
Logon Failure:
 	Reason:		Account locked out
 	User Name:	ADMIN
 	Domain:	 
 	Logon Type:	3
 	Logon Process:	NtLmSsp 
 	Authentication Package:	NTLM
 	Workstation Name:	\\LOCALHOST
 	Caller User Name:	-
 	Caller Domain:	-
 	Caller Logon ID:	-
 	Caller Process ID: -
 	Transited Services: -
 	Source Network Address:	88.173.116.31
 	Source Port:	0
 
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------------------------------end-------------------------

Question by:whitehornet
6 Comments
 
LVL 36

Expert Comment

by:Carl Webster
ID: 24130640
What Citrix components are installed on your server?
What is sitting in front of the server?
 

Author Comment

by:whitehornet
ID: 24130676
Citrix Presentation Server 4.5
License Server v11
Web Apps

Sonicwall 2040 is sitting in front of the server.  I have port 80 open on this server for Web Apps to be streamed to clients.

Thanks
 
LVL 36

Expert Comment

by:Carl Webster
ID: 24130733
That is a very insecure setup you have there.

Citrix recommends that the Web Interface be installed on a separate server and that you use the free Citrix Secure Gateway software to protect the servers.  It will look like this:

Internet -> SW2040 -> port 443-> CSG/WI -> PS4.5 server

Don't use CSG 3.1 as it removed support for streamed apps.

I wrote a 3-part article on implementing CSG/WI and a wildcard ssl cert on a single server.

http://www.dabcc.com/article.aspx?id=10101 is Part 1.
 

Author Comment

by:whitehornet
ID: 24130749
Thank you... I inherited this setup and am trying to convince the owners to purchase a new server, so this helps validate my recommendation.  I will review the article and then comment.  Thanks again...
 
LVL 3

Accepted Solution

by:scwoa
scwoa earned 500 total points
ID: 24274499
In the log above, it states that

>>Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      \\LOCALHOST

NTLM usually means that someone is trying to map a drive.
You should double check your firewall and make sure that ports 135, 137, 139, and 445 are NOT open to the internet.
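As an added example (not code from the thread or from Citrix), the following Python script does the triage the question and the accepted answer describe by hand: it parses Security-log text dumps in the layout posted above (events 529 "bad password" and 539 "account locked out"), groups failures by target account, and flags accounts that are being hit by Logon Type 3 (network) NTLM failures from many distinct source addresses, which is the password-guessing pattern described in the question. The sample log is constructed: the first event mirrors the one posted (88.173.116.31), the remaining addresses are from the RFC 5737 documentation ranges, and the account names, thresholds and the `triage` function name are assumptions for illustration.

```python
import re
from collections import defaultdict

# Fields pulled from each event as it appears in an Event Viewer text dump.
FIELD_RE = re.compile(
    r"^[ \t]*(Event ID|Reason|User Name|Logon Type|Authentication Package|"
    r"Source Network Address):[ \t]*(.*?)[ \t]*$",
    re.MULTILINE,
)
FAILURE_IDS = {"529", "539"}  # bad password / account locked out (pre-Vista event IDs)


def _event(event_id, user, reason, ip, logon_type="3", package="NTLM",
           event_type="Failure Audit"):
    """Build one event in the Event Viewer text layout (constructed sample data)."""
    return (
        f"Event Type:\t{event_type}\nEvent Source:\tSecurity\nEvent ID:\t{event_id}\n"
        f"Description:\nLogon Failure:\n \tReason:\t\t{reason}\n \tUser Name:\t{user}\n"
        f" \tLogon Type:\t{logon_type}\n \tLogon Process:\tNtLmSsp \n"
        f" \tAuthentication Package:\t{package}\n \tWorkstation Name:\t\\\\LOCALHOST\n"
        f" \tSource Network Address:\t{ip}\n \tSource Port:\t0\n\n"
    )


BAD_PW = "Unknown user name or bad password"
# Constructed sample: one locked-out event matching the post, four guesses at the
# same account from other addresses, one unrelated interactive failure, one success.
SAMPLE_LOG = "".join([
    _event("539", "ADMIN", "Account locked out", "88.173.116.31"),
    _event("529", "ADMIN", BAD_PW, "203.0.113.7"),
    _event("529", "ADMIN", BAD_PW, "198.51.100.42"),
    _event("529", "ADMIN", BAD_PW, "192.0.2.19"),
    _event("529", "Admin", BAD_PW, "203.0.113.88"),  # case differs; merged below
    _event("529", "jsmith", BAD_PW, "192.0.2.55", logon_type="2", package="Negotiate"),
    _event("540", "jsmith", "-", "192.0.2.55", event_type="Success Audit"),
])


def parse_events(text):
    """Split a text dump on 'Event Type:' headers and extract the fields in FIELD_RE."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        fields = dict(FIELD_RE.findall(chunk))
        if "Event ID" in fields:
            events.append(fields)
    return events


def summarize(events):
    """Per target account: failure count, distinct sources, logon types, packages, reasons."""
    summary = defaultdict(lambda: {"failures": 0, "sources": set(), "logon_types": set(),
                                   "packages": set(), "reasons": set()})
    for e in events:
        if e.get("Event ID") not in FAILURE_IDS:
            continue  # successes and unrelated audits are ignored
        s = summary[e.get("User Name", "").upper()]  # account names are case-insensitive
        s["failures"] += 1
        s["sources"].add(e.get("Source Network Address", "-"))
        s["logon_types"].add(e.get("Logon Type", "?"))
        s["packages"].add(e.get("Authentication Package", "?"))
        s["reasons"].add(e.get("Reason", "?"))
    return dict(summary)


def flag_password_guessing(summary, min_failures=5, min_sources=3):
    """Accounts hit by network (type 3) NTLM failures from many distinct addresses.

    The thresholds are assumptions chosen for the sample; tune them to real volume.
    """
    flagged = {}
    for acct, s in summary.items():
        if (s["failures"] >= min_failures and len(s["sources"]) >= min_sources
                and "3" in s["logon_types"] and "NTLM" in s["packages"]):
            flagged[acct] = {
                "failures": s["failures"],
                "distinct_sources": len(s["sources"]),
                "locked_out": "Account locked out" in s["reasons"],
            }
    return flagged


def triage(text):
    """Parse a dump and return the accounts that look brute-forced."""
    return flag_password_guessing(summarize(parse_events(text)))


if __name__ == "__main__":
    for acct, info in triage(SAMPLE_LOG).items():
        print(acct, info)
```

The point of aggregating by account rather than by address is the one the question raises: when every attempt comes from a different IP, per-source lockouts and address blocking do nothing, but the target account, logon type and authentication package stay constant and show what is exposed. Type 3 logons over NTLM with no Windows logon process of their own are what an SMB/RPC listener reachable from the Internet produces, which is why the accepted answer's check of ports 135, 137, 139 and 445 on the firewall is the right next step.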