itnetsecure

asked on

Brute force attack - Getting thousands of errors in security log - Event ID 529 - How to block this IP

I have a SBS 2003 with a Netgear Router using port forward for Ports 80, 443, 1723, 3389; With a static IP;
In the last few days the server has been reporting some Critical Errors in the Event Log of someone trying to hack the system;  

Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      admin
       Domain:      IGLESIARENUEVO
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Domain:      IGLESIARENUEVO
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      2996
       Transited Services:      -
       Source Network Address:      61.37.139.25
       Source Port:      1108

Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      administrator
       Domain:      IGLESIARENUEVO
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      HPSERVER
       Caller User Name:      HPSERVER$
       Caller Domain:      IGLESIARENUEVO
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5548
       Transited Services:      -
       Source Network Address:      217.20.117.59
       Source Port:      2407

Logs like this, I have hundreds...
 
What would be the best way to prevent this from happening and protect my server?  I've tracked the IPs and most of them are from Germany and Korea, but some from the US as well.  Should I file an investigation with the proper ISPs to block those IPs?  I don't have ISA because the server is not Premium.  Can someone recommend a good firewall (software or hardware) that won't cost much? (<= $300)...
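The events quoted above are the raw material for triage, so here is an added example (not code from the original post or from any of the respondents) that parses that text layout, counts failed logons per source address, and flags accounts that would hit the lockout policy the asker later describes (5 failures within 15 minutes). The records, the leading timestamp on each one, and the addresses are constructed for the example; the question's events carry no timestamps.

```python
"""Triage of Windows Security Event ID 529 (logon failure) records.

Added example for this thread, not code from the original post: it parses
the text layout of the 529 events quoted in the question, counts failures
per source address, and flags accounts that would trip the asker's lockout
policy (5 failures within 15 minutes).  Sample records and timestamps are
constructed here; the question's events carry no timestamps.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Same field layout as the question's events; the leading timestamp is an
# assumption so that the time-window check has something to work with.
EVENT_TEMPLATE = """{ts} Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      {user}
       Domain:      EXAMPLEDOM
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      HPSERVER
       Source Network Address:      {src}
       Source Port:      {port}
"""

# Constructed sample: one source hammers 'administrator' five times in under a
# minute after one try at 'admin'; a second source makes a single attempt.
SAMPLE_ATTEMPTS = [
    ("2009-01-10 03:14:01", "admin",         "203.0.113.25", 1108),
    ("2009-01-10 03:14:09", "administrator", "203.0.113.25", 1109),
    ("2009-01-10 03:14:17", "administrator", "203.0.113.25", 1110),
    ("2009-01-10 03:14:25", "administrator", "203.0.113.25", 1111),
    ("2009-01-10 03:14:33", "administrator", "203.0.113.25", 1112),
    ("2009-01-10 03:14:41", "administrator", "203.0.113.25", 1113),
    ("2009-01-10 11:02:55", "guest",         "198.51.100.7", 2407),
]
SAMPLE_LOG = "\n".join(EVENT_TEMPLATE.format(ts=t, user=u, src=s, port=p)
                       for t, u, s, p in SAMPLE_ATTEMPTS)

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Logon Failure:")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$", re.MULTILINE)


def parse_events(text):
    """Turn the text dump into a list of dicts with typed fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        header = HEADER_RE.match(block)
        if not header:
            continue  # not a 529 body in the expected layout; skip it
        fields = {k.strip(): v for k, v in FIELD_RE.findall(block)}
        events.append({
            "time": datetime.strptime(header.group(1), "%Y-%m-%d %H:%M:%S"),
            "user": fields.get("User Name", "?"),
            "logon_type": int(fields.get("Logon Type", "0")),
            "source": fields.get("Source Network Address", "?"),
        })
    return events


def remote_interactive(events):
    """Keep only Logon Type 10 (Terminal Services / RDP), the type in the question."""
    return [e for e in events if e["logon_type"] == 10]


def count_by_source(events):
    """Failed logons per source address, most active first via most_common()."""
    return Counter(e["source"] for e in events)


def accounts_hitting_lockout(events, threshold=5, window=timedelta(minutes=15)):
    """Accounts with `threshold` failures inside any `window`-long span (sliding window)."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["user"].lower()].append(e["time"])
    flagged = set()
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(account)
                break
    return flagged


if __name__ == "__main__":
    evts = remote_interactive(parse_events(SAMPLE_LOG))
    for src, n in count_by_source(evts).most_common():
        print(f"{src:>15}  {n} failed RDP logons")
    print("accounts at lockout threshold:", sorted(accounts_hitting_lockout(evts)))
```

Run against a real export, the per-source counts tell you which addresses to restrict at the router and the lockout set tells you which accounts the 15-minute lockout is already protecting; an account name that appears only once per source (password spraying) will not show up in the second list, so keep both views.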
SOLUTION
Alan Hardisty

Also - port 3389 may well be a target too.  Can you limit the access from remote IP Addresses to only the specific ones you need to use it from?  The smaller the target, the fewer problems you will have.
In terms of a firewall, I would suggest something like the following from Netgear:

http://www.netgear.com/business/products/security/wireless-VPN-firewalls/DGFV338.aspx

http://www.netgear.com/business/products/security/wireless-VPN-firewalls/FVG318.aspx

The latter is the cheaper model and does not come with built-in ADSL modem.
What Netgear router do you currently have - it should be capable of blocking remote IP Address Ranges already?
itnetsecure

ASKER

I have a WPN824 Netgear Router;  In the router Port 25 is not open...  Did a netstat on the server and Port 25 is not listed either; I don't have FTP Services running on the server; I guess the problem could be port 3389 for RDP...  I forgot to mention that I enabled the account lockout after 5 failed attempts for 15 minutes;
ASKER CERTIFIED SOLUTION
SOLUTION
You guys are awesome...

Now as far as notifying the ISPs or any abuse control person at the ISP...  At least notify the ISPs within the US...  Is that possible, or should I just worry about protecting my server and forget about the rest?
I would not worry too much about reporting them - it is probably a remotely controlled computer doing the attack on your computer, but it won't hurt to try.

Once the hacker has stopped using one server / computer to abuse others, they will have plenty of others to use and abuse, so it is an uphill struggle.
We do not notify the abuse@ due to the huge number of subnets and ISPs that we see. Because of this, we do not block inbound subnets (IPs) on the Internet gateway as it would almost be another full-time job.

It's much simpler to whitelist (allow IPs for certain ports) than it is to blacklist (block IPs for certain ports).

There are other ways to protect the SMTP port such as using a third party e-mail sanitation and continuity provider.

Philip
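Alan's advice to limit port 3389 to the specific remote addresses that need it, and Philip's point that allow-listing is simpler than block-listing, amount to the same default-deny policy. The following is an added example (not code from the thread or from any Netgear product) that expresses that policy for the four forwarded ports named in the question and evaluates a batch of connections against it. The trusted networks and the connection sample are constructed placeholders.

```python
"""Port-scoped allow-list evaluation.

Added example, not code from the thread or from any Netgear product: it
expresses Alan's advice (limit 3389 to the specific remote addresses that
need it) and Philip's point (allow-listing beats block-listing) as a small
default-deny policy.  The forwarded ports come from the question; the
trusted networks and the connection sample are constructed placeholders.
"""
import ipaddress

ANYWHERE = [ipaddress.ip_network("0.0.0.0/0")]
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),  # assumed: branch office range
    ipaddress.ip_network("192.0.2.10/32"),    # assumed: administrator's fixed home IP
]

# Ports the question says are forwarded.  80/443 serve the public and stay
# open; the remote-access ports (PPTP 1723, RDP 3389) get a source list.
# Anything not listed here (e.g. 25, which the asker confirmed is closed)
# is denied without needing a rule of its own.
ALLOW_RULES = {
    80: ANYWHERE,
    443: ANYWHERE,
    1723: TRUSTED_ADMIN_NETS,
    3389: TRUSTED_ADMIN_NETS,
}


def is_allowed(src_ip, dst_port, rules=ALLOW_RULES):
    """Default deny: unknown ports are closed, listed ports admit only listed sources."""
    nets = rules.get(dst_port)
    if not nets:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in nets)


def evaluate(connections, rules=ALLOW_RULES):
    """Split (src_ip, dst_port) pairs into allowed and denied lists, order preserved."""
    allowed, denied = [], []
    for src, port in connections:
        (allowed if is_allowed(src, port, rules) else denied).append((src, port))
    return allowed, denied


# Constructed sample: RDP from unknown addresses (the pattern in the question),
# legitimate RDP and PPTP from trusted ranges, public HTTPS, and an SMTP probe.
SAMPLE_CONNECTIONS = [
    ("203.0.113.25", 3389),   # unknown source -> RDP: denied
    ("203.0.113.99", 3389),   # unknown source -> RDP: denied
    ("192.0.2.10", 3389),     # admin's fixed IP -> RDP: allowed
    ("198.51.100.42", 1723),  # branch office -> PPTP: allowed
    ("203.0.113.25", 443),    # anyone -> HTTPS: allowed
    ("203.0.113.25", 25),     # port not forwarded -> denied
]

if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE_CONNECTIONS)
    for src, port in ok:
        print(f"ALLOW {src:>15} -> {port}")
    for src, port in blocked:
        print(f"DENY  {src:>15} -> {port}")
```

The point of the structure is that the attacker addresses never need to be enumerated: a new source attacking 3389 is denied by the absence of a rule, which is what keeps this from becoming the "full-time job" Philip describes for inbound block-lists. The same four rules are what you would enter in a router that supports source-restricted port forwarding.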