Solved

Event ID 529 from AP domain despite firewall rule

Posted on 2009-07-06
Last Modified: 2013-12-07
We are seeing about 5 or 6 Event ID 529 messages every day, all from an Asia-Pacific IP address range.  The first 3 octets are always the same - 121.12.175.  To combat hacking attempts, we created a rule on our SonicWall TZ-180 appliance to block all traffic from 121.0.0.0 - 121.255.255.255.  In spite of this rule, we continually see these hacking attempts.  What I don't understand is why SonicWall is allowing the traffic to be passed on to the Windows 2003 SBS.  What is more disturbing is the fact that source port 4564 is known to be a worm with DDoS capabilities.  Any suggestions?
Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	administrator
 	Domain:		64.190.70.66
 	Logon Type:	3
 	Logon Process:	NtLmSsp 
 	Authentication Package:	NTLM
 	Workstation Name:	ZZWLINE
 	Caller User Name:	-
 	Caller Domain:	-
 	Caller Logon ID:	-
 	Caller Process ID:	-
 	Transited Services:	-
 	Source Network Address:	121.12.175.194
 	Source Port:	4564

Question by:DavidMCook
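As an added example (not from the thread), a small Python parser for the Event ID 529 body pasted above: it maps the tab-separated fields to a dict, counts failed logons per source /24 and per user name, and lists the sources that fall inside the range the firewall rule was meant to drop. The sample events are constructed; the first mirrors the posted event, the other two are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample 529 bodies in the tab-separated format pasted in the
# question; the first mirrors the posted event, the other two are made up.
SAMPLE_529 = [
    "Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\tadministrator\n\tDomain:\t\t64.190.70.66\n\tLogon Type:\t3\n"
    "\tAuthentication Package:\tNTLM\n\tWorkstation Name:\tZZWLINE\n"
    "\tSource Network Address:\t121.12.175.194\n\tSource Port:\t4564",
    "Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\tadministrator\n\tLogon Type:\t3\n"
    "\tSource Network Address:\t121.12.175.201\n\tSource Port:\t4580",
    "Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
    "\tUser Name:\tjsmith\n\tLogon Type:\t3\n"
    "\tSource Network Address:\t192.168.1.50\n\tSource Port:\t1033",
]

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")

def parse_529(body):
    """Map each 'Field:<tab>value' line of a 529 body to a dict entry."""
    fields = {}
    for line in body.splitlines()[1:]:      # skip the 'Logon Failure:' header
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def summarize(bodies, blocked_net):
    """Count failures per source /24 and per user name, and list the sources
    that lie inside blocked_net, i.e. traffic the firewall rule should have
    dropped before it reached the server."""
    blocked = ipaddress.ip_network(blocked_net)
    per_net, users, leaked = Counter(), Counter(), Counter()
    for body in bodies:
        ev = parse_529(body)
        src = ipaddress.ip_address(ev["Source Network Address"])
        per_net[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
        users[ev.get("User Name", "?")] += 1
        if src in blocked:
            leaked[str(src)] += 1
    return {"per_net": dict(per_net), "users": dict(users), "leaked": dict(leaked)}

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_529, "121.0.0.0/8").items():
        print(key, val)
```

A non-empty "leaked" list is the check worth running after adding a firewall rule: every entry there arrived at the server despite the rule, which is exactly the symptom reported in the question.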

Expert Comment

by:awawada
ID: 24785980
event source please
 

Author Comment

by:DavidMCook
ID: 24786071
Oops.

Source = Security
Category = Logon/Logoff
Type = Failure Aud
Event ID = 529
User = NT AUTHORITY\SYSTEM



Expert Comment

by:awawada
ID: 24786175

Author Comment

by:DavidMCook
ID: 24786518
Is SonicWall not capable of blocking all traffic from the source IP?  That is my preference, that their packets be stopped at the firewall.

Expert Comment

by:c01000100
ID: 24792367
I'm not sure about SonicWall configs, but in most cases, troubleshooting firewalls that let packets through that you don't want can be done in this order:

- check for a failover pass-through mode
- check that the rule/policy/acl that stops the undesired traffic comes before other rules/policies/acls that apply to the same range for permits (most firewalls use the top-down method to process rules/policies/acls)
- check that the source address/range is correct as well as the destination
- check that the protocol/protocol suites is/are correct
- check that the destination port(s) are correct

As for that source port, most source ports are generated randomly.  The important part is the destination port.
 

Author Comment

by:DavidMCook
ID: 24795753
c01000100's suggestion to check the order of the firewall rules may have hit on the reason.  Unfortunately, SonicWall seems to put all of the ALLOW rules first followed by the DENY rules, and I haven't been able to figure out how to change them.  Any other suggestions?
 

Author Comment

by:DavidMCook
ID: 24855461
I downloaded the latest firmware from SonicWall.  Hopefully that will resolve my problem.
 

Accepted Solution

by:DavidMCook
ID: 24869179
The firmware did not solve my problem.  However, I finally found the solution.  SonicWall does not let you change the order of the rules, by default.  I'm told that if you get Enhanced OS that you can, but I'm not quite sure what that is.  SonicWall sorts the most specific rule first, then ends with the most general.  To stop this intruder, I needed a rule that would float to the top.  Here's what I did:

* I first determined from the logs that the hacker was coming in on port 135, RPC for Exchange.
* Next, I determined the IP address (I know by heart after all this time) - 121.12.175.194, which is an Asia Pacific address.  Since we don't get visitors from that part of the world, we can block the entire address range.
* Next, I created a rule that blocks all traffic from 121.0.0.0 through 121.255.255.255 on port 135 when the traffic is destined for my mail server.

When I clicked Save, the rule floated right to the top of the list.  Problem is now solved.  Whew!
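An added example (not from the thread, and not SonicWall's actual rule engine) modelling the ordering behaviour that c01000100's checklist asks about and that the accepted solution relies on: rules auto-sort most specific first, and the first match wins. The specificity score, the mail server address and the pre-existing allow rule for port 135 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source range in CIDR ("0.0.0.0/0" = any)
    dst: str                # destination range in CIDR
    dport: Optional[int] = None   # destination port, None = any

    def specificity(self):
        # Assumed scoring: narrower address ranges and a named port rank
        # higher. A simplification of "most specific rule first".
        return (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen
                + (1 if self.dport is not None else 0))

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

def order_rules(rules):
    """Auto-sort as the thread describes: most specific first, general last."""
    return sorted(rules, key=Rule.specificity, reverse=True)

def decide(rules, src_ip, dst_ip, dport, default="deny"):
    """First matching rule in sorted order wins."""
    for rule in order_rules(rules):
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default

MAIL = "203.0.113.10/32"   # assumed mail server address (RFC 5737 documentation range)
ATTEMPT = ("121.12.175.194", "203.0.113.10", 135)   # source and port from the thread

# Original configuration (assumed): an allow for port 135 to the mail server
# scores higher than the broad /8 deny, so the deny is never reached.
ORIGINAL = [Rule("allow", "0.0.0.0/0", MAIL, 135),
            Rule("deny", "121.0.0.0/8", "0.0.0.0/0")]

# Accepted solution: a deny naming source range, destination and port outranks
# the allow and "floats to the top" of the list.
FIXED = ORIGINAL + [Rule("deny", "121.0.0.0/8", MAIL, 135)]

if __name__ == "__main__":
    print("original:", decide(ORIGINAL, *ATTEMPT))   # allow
    print("fixed:   ", decide(FIXED, *ATTEMPT))      # deny
```

The floated rule only covers what it names, so the same check should be repeated for every other service exposed to the range rather than assuming one specific deny closes it.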