Solved

How to block a hacker

Posted on 2010-11-28
Last Modified: 2012-08-14
My SBS 2003 server has been logging failed login attempts at the rate of 5 per second for 2 days now. I have a lockout policy in place, so the hacker is unlikely to succeed. Is there anything I can do to determine his IP address and block him? In fact I would like to block all access attempts which originate from outside the UK.

Ian
Question by:TownTalk
16 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34226711
I am fighting the same battle with a customer's server and using the logs on their hardware firewall I can determine the IP addresses of the hackers.

Make sure you expose only the ports you need exposed and log on your firewall all activity so you know what is coming in and out.

Please also have a read of my blog article about the increase of this type of attack:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34226716
I have blocked port 80 access to the server as it was not used, made sure the default website was redirected to /exchange virtual directory, restricted port 443 access to the IP of the customer's Mobile Service Provider and regularly add IP address blocks on their firewall.

It is a continual game of cat and mouse!
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34226723
I assume those are type 10 logon attempts? If so they are almost guaranteed to be using port 3389 to attempt to gain access. SBS has a very unique feature called Remote Web Workplace which uses 443 and 4125, which is much more secure than 3389 and will pretty well eliminate the thousands of 3389 attempts most anyone gets.

Best place to block IPs or ranges is with your router, but hard to allow only the UK.
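Rob's question about the logon type is the fastest way to tell which service is being attacked, because Windows Server 2003 records it in every Event 529 failure audit alongside the source network address. The script below is an added example, not code from the thread or from either expert: it groups the failures in a Security log text export by source address and logon type and flags any source hammering at a high per-second rate. The export layout (an `Event 529 at <timestamp>` header followed by the indented fields), the `BLOCK?` threshold, and every address, user name and timestamp in `SAMPLE_EXPORT` are constructed for the example; the logon type codes are Microsoft's documented ones.

```python
"""
Group failed logons from a Windows Server 2003 Security log export by
source address and logon type, and flag sources with a high attempt rate.

Event ID 529 (Logon Failure: unknown user name or bad password) is the
pre-Vista failure audit.  The record header shape and all data in
SAMPLE_EXPORT are constructed for this example, not real log data.
"""
from collections import defaultdict
from datetime import datetime
import re

# Microsoft's documented logon type codes.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample: blank-line separated records, trimmed to the fields
# this script reads.  TEST-NET addresses, invented users and times.
SAMPLE_EXPORT = """\
Event 529 at 2010-11-28 09:15:01
    Reason:                 Unknown user name or bad password
    User Name:              administrator
    Domain:                 TOWNTALK
    Logon Type:             10
    Source Network Address: 203.0.113.45
    Source Port:            51234

Event 529 at 2010-11-28 09:15:01
    User Name:              administrator
    Logon Type:             10
    Source Network Address: 203.0.113.45

Event 529 at 2010-11-28 09:15:02
    User Name:              admin
    Logon Type:             10
    Source Network Address: 203.0.113.45

Event 529 at 2010-11-28 09:15:02
    User Name:              sales
    Logon Type:             8
    Source Network Address: 198.51.100.7

Event 529 at 2010-11-28 09:16:40
    User Name:              ian
    Logon Type:             2
    Source Network Address: -
"""

HEADER_RE = re.compile(r"^Event (\d+) at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")


def _field(chunk, name, default="-"):
    """Value of an indented 'Name: value' line inside one record."""
    m = re.search(rf"^\s*{name}:\s*(\S+)", chunk, re.M)
    return m.group(1) if m else default


def parse_failures(text):
    """One dict per Event 529 record: time, user, logon type, source."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        head = HEADER_RE.match(chunk.splitlines()[0])
        if not head or head.group(1) != "529":
            continue  # other event IDs (e.g. 528 success audits) are skipped
        records.append({
            "time": datetime.strptime(head.group(2), "%Y-%m-%d %H:%M:%S"),
            "user": _field(chunk, "User Name").lower(),
            "type": int(_field(chunk, "Logon Type", "0")),
            "source": _field(chunk, "Source Network Address"),
        })
    return records


def summarize(records):
    """Failure count per (source, logon type) and the user names each source tried."""
    by_source = defaultdict(int)
    users = defaultdict(set)
    for r in records:
        by_source[(r["source"], r["type"])] += 1
        users[r["source"]].add(r["user"])
    return dict(by_source), {k: sorted(v) for k, v in users.items()}


def peak_rate(records, source):
    """Highest number of failures from `source` within any single second."""
    per_second = defaultdict(int)
    for r in records:
        if r["source"] == source:
            per_second[r["time"]] += 1
    return max(per_second.values(), default=0)


def report(text, threshold=3):
    """Report lines, busiest source first; `threshold` (per second) is an assumed cut-off."""
    recs = parse_failures(text)
    counts, users = summarize(recs)
    lines = []
    for (src, ltype), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        rate = peak_rate(recs, src)
        flag = "BLOCK?" if rate >= threshold else ""
        lines.append(f"{src:<16} {LOGON_TYPES.get(ltype, str(ltype)):<18} "
                     f"{n:>4} peak {rate}/s users={','.join(users[src])} {flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT, threshold=2)))
```

Type 10 confirms RDP on 3389; a cleartext-password service such as FTP or SMTP AUTH typically shows as type 8. A source of `-` means that logon path did not record a network address, and for those the router or firewall log, as Alan describes, is the only place the IP will appear.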
 

Author Comment

by:TownTalk
ID: 34226740
Actually I just took a look at the router logs, the attempts are coming from multiple addresses, but by far the majority are coming from one IP address and it is attempting to get into our FTP site. So I can shut that down. It seems that all the other attempts are on port 25. I haven't seen any attempts yet on 3389, which I am relieved about.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34226749
I have seen the same with port 25, trying to log in to your server with usernames / passwords.

Make sure your security is tight and force regular password changes with strong passwords.

Block IPs that keep trying access regularly if from countries you don't communicate with.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34226750
Very insecure to be running FTP, or a port 80 web server, on a domain controller. I would recommend hosting elsewhere or even on a PC if you have to have one. I am assuming this is enabled on the SBS?
 

Author Comment

by:TownTalk
ID: 34226752
Blocking IPs is exactly what I want to do. But I don't know how to do it.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34226757
I use www.dnsstuff.com to determine the IP address range and then block ALL access to your server from that IP address range on the firewall / router.

 
LVL 77

Expert Comment

by:Rob Williams
ID: 34226759
If it is possible you are best on the router to allow only specified IPs, but I appreciate that is not always a possibility. Avoid common account names like administrator, admin, sales, POS, backup, manager, and as Alan said make sure you have strong passwords (enforce complexity through GP) and account lockout policies enabled.
 

Author Comment

by:TownTalk
ID: 34226766
I've got strong passwords. So I think I'm covered there. I was just looking in the router. It's only a Netgear DG834. I can't see any way to block traffic from a specific address though.
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 34226799
On that Netgear by default it allows "any". You can set an IP range to allow, but you cannot set ranges to block. If you can narrow down your UK users to a specific IP range, no matter how big, you could specify that, but it only allows one subnet.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34226801
Click on the Firewall Menu on the left and then on the Inbound Section Add a new rule - add the Ports (All) and then add the IP Range to the From section and click Add.

You will have to create a new rule per IP range to block - which makes the list very long if you block loads.
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 34226829
Sorry - that should be Firewall Rules Section.

The Default for Inbound is Block and Default for Outbound is Allow.

You can happily add a new Firewall Rule for each IP Port Range to block all access.
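Alan's procedure (look up the attacker's range, then add one inbound block rule per range on the DG834) has two practical snags the thread touches on: the rule list grows with every range, and a block range can quietly cover an address you need to keep reachable, such as the mobile service provider Alan limits port 443 to. The script below is an added example, not from the thread or either expert: it takes the ranges as whois or dnsstuff report them (either CIDR or `start - end` form), merges overlapping and adjacent ranges into the fewest rules, prints them as the `from` start and end addresses the firewall rule form asks for, and checks them against a list of addresses that must stay allowed. Every range and address in `WHOIS_RANGES` and `MUST_ALLOW` is constructed from documentation (TEST-NET) prefixes.

```python
"""
Turn whois address ranges into merged "start - end" pairs for inbound
block rules, and check that no rule also cuts off an address you need.

The ranges and addresses below are constructed for this example from the
TEST-NET documentation prefixes; they are not from the thread.
"""
import ipaddress

# Constructed: what three whois lookups might return.  Registries report
# either CIDR or "start - end", so both forms are accepted.
WHOIS_RANGES = [
    "203.0.113.0/24",
    "203.0.113.0 - 203.0.113.127",      # overlaps the /24 above
    "198.51.100.0/25",
    "198.51.100.128 - 198.51.100.255",  # adjacent: merges into one /24
]

# Constructed: addresses that must remain reachable (e.g. the mobile
# service provider that talks to port 443, a home worker's static IP).
MUST_ALLOW = ["198.51.100.200", "192.0.2.10"]


def parse_range(text):
    """Parse 'a.b.c.d/nn' or 'a.b.c.d - w.x.y.z' into a list of networks."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(text, strict=False)]


def _merged(range_texts):
    """All ranges parsed, then collapsed to the fewest non-overlapping networks."""
    nets = [n for t in range_texts for n in parse_range(t)]
    return list(ipaddress.collapse_addresses(nets))


def block_rules(range_texts):
    """(start, end) pairs, one per merged range, as the rule form wants them."""
    return [(str(n.network_address), str(n.broadcast_address))
            for n in _merged(range_texts)]


def collateral(range_texts, must_allow):
    """Protected addresses that the proposed block rules would also hit."""
    nets = _merged(range_texts)
    return [a for a in must_allow
            if any(ipaddress.ip_address(a) in n for n in nets)]


if __name__ == "__main__":
    for start, end in block_rules(WHOIS_RANGES):
        print(f"Inbound rule: service ANY, action BLOCK, from {start} - {end}")
    hit = collateral(WHOIS_RANGES, MUST_ALLOW)
    if hit:
        print("WARNING: needed addresses fall inside a block range:", hit)
```

Run against the constructed input the four lookups collapse to two rules, and the check reports that 198.51.100.200 would be blocked by the second one, which is exactly the case to narrow the range or add a more specific allow rule before saving.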
 

Author Comment

by:TownTalk
ID: 34226832
Thanks Alan, I can see that now. I didn't realise it could be done. I'm going to split the points though because you both talked a lot of sense.

Thanks guys.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34226859
No problems - that's very fair.

Keep an eye on the router logs.  I get them emailed to me daily and monitor what is going on and make additional rules as necessary.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 34226866
Thanks TownTalk, good luck with it.
Cheers!
--rOB


Question has a verified solution.
