Solved

Excessive Login Failures

Posted on 2011-02-21
Last Modified: 2012-05-11
Hello,

We are running SBS 2003 with Service Pack 2. Lately we have been getting hammered by people trying to gain access. Last night there were over 9,000 failed attempts. Is there a way to counter this by locking out an IP address after a certain number of failures? Or any other ideas? We've increased our password complexity but I would like to cut off the excessive attempts if possible.

Thanks,
Steve

[Attachment: Security Log screenshot]
Question by:SteveB2515
 
LVL 12

Expert Comment

by:Sommerblink
ID: 34948037
Why are you allowing unauthenticated connections to a domain controller, from the internet?

Disable that and your problem is solved.

If you have to have people log in from the outside, then have them go through a VPN of some sort, then allow them access to the server.
 

Author Comment

by:SteveB2515
ID: 34948283
So I own a small company and wear many hats including IT guy. My IT knowledge is a bit limited.  Your solution sounds good but you didn't say how to do it. Details?
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34949289
Please have a read of my two blogs:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

You need to figure out what process PID 1600 is on your server and that will help you figure out how the hackers are trying to access your systems.  I have removed Basic & Integrated SMTP authentication from ALL of my SBS 2003 servers that I manage and it has massively lowered the number of hacking attempts on each server.
 

Author Comment

by:SteveB2515
ID: 34966421
Thanks both of you for the help. I read both of the links above. There is a lot of good information there on the steps I should be taking. Unfortunately for me there wasn't much information on "how" to take them.

Maybe if I explain a little more about how we access our server, you can point me in the appropriate direction.

Aside from the client computers accessing from within the LAN at the office, our 5 employees can access the server in the following ways:
1. via VPN.
2. via Outlook Web Access (rarely)
3. via iPhone (Exchange)

Our inbound email is directed to a Barracuda Networks Spam & Virus Firewall. The Barracuda then sends the email to our SBS 2003 Exchange server.

Our outbound email is sent from our SBS 2003 Exchange server straight to our ISP (Qwest).

Does that help? Any ideas? Thanks in advance.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34968002
Have you worked out what Process ID 1600 is?  If so - please advise.

To reveal this, bring up Task Manager, Add in the PID column and then sort on the process ID column, then you can advise what the process is that is running on Process ID 1600.

OWA can be a target.  SMTP can be a target. Remote Desktop can be a target.
 

Author Comment

by:SteveB2515
ID: 34972637
This is strange. The server has been running for 14 days 6 hours, so no restarts since my first post. I brought up Task Manager and sorted the PID column. There isn't a 1600 listed. The PID ranges in value from 4306 to 9140.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34974307
The PID may have been and gone by now (are you showing all processes from all users?).  Keep an eye on the logs and then marry up the service to the event log entry and then advise what the process is please.
 

Author Comment

by:SteveB2515
ID: 34981029
Yesterday afternoon I was thinking about the different ways someone could be trying to log into our server. I decided to shut off as many avenues as possible to see if it made any difference. I went into the SBS 2003 firewall settings and turned off Outlook Web Access, Remote Web Workplace and Business Web Site (wwwroot). The only services running are E-mail, VPN and Outlook Mobile Access.

I also changed the account lockout feature to only allow 5 attempts before locking out the account for 10 minutes. I also found that our server was responding to pings. I turned that off as well.

Last night there were over 8,000 failed logon attempts. Below is a screen shot of my Server Performance Report. On a good note I was able to determine that PID=inetinfo.exe

Any more ideas?

Thanks,
Steve

[Attachment: Server Performance Report screenshot]
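The two defensive steps discussed in the thread, tying each failed logon to the calling process (Alan's advice to "marry up the service to the event log entry") and judging what a 5-attempt / 10-minute lockout policy does against a burst of failures (Steve's new setting), can both be checked offline from an exported security log. The script below is an added example, not code from the thread or from any of the products mentioned. It assumes the log has been exported as text in the field layout Windows Server 2003 uses for event 529 (Logon Failure), with a constructed one-line header carrying the timestamp; the sample records, the PID-to-image table (`PROCESS_TABLE`) and all account names are constructed for the example. Lockout is modelled as a sliding window, which is a simplification of the Windows observation-window rules.

```python
"""Added example: summarise event 529 (Logon Failure) records from an exported
Windows Server 2003 security log, attribute them to the calling process and
evaluate a 5-failures-in-10-minutes lockout policy. All sample data is constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed failures: (timestamp, user name, Caller Process ID, logon type).
# Logon type 8 (NetworkCleartext) is what basic authentication typically produces.
# PID 1600 is used only because the thread maps it to inetinfo.exe.
SAMPLE_FAILURES = [
    ("2011-02-21 02:14:07", "administrator", 1600, 8),
    ("2011-02-21 02:14:09", "administrator", 1600, 8),
    ("2011-02-21 02:14:12", "administrator", 1600, 8),
    ("2011-02-21 02:14:15", "administrator", 1600, 8),
    ("2011-02-21 02:14:18", "administrator", 1600, 8),
    ("2011-02-21 02:14:21", "administrator", 1600, 8),
    ("2011-02-21 02:20:00", "steve", 1600, 8),
    ("2011-02-21 02:55:00", "steve", 1600, 8),
    ("2011-02-21 03:10:00", "administrator", 512, 3),
]

# Event 529 field layout as seen in the 2003 security log; the header line with
# the timestamp is an assumption about how the export was written.
RECORD = """{ts} Event 529
 Logon Failure:
 \tReason:\tUnknown user name or bad password
 \tUser Name:\t{user}
 \tDomain:\tSERVER
 \tLogon Type:\t{ltype}
 \tLogon Process:\tAdvapi
 \tCaller Process ID:\t{pid}
 \tSource Network Address:\t-
"""
SAMPLE_LOG = "\n".join(RECORD.format(ts=t, user=u, pid=p, ltype=l)
                       for t, u, p, l in SAMPLE_FAILURES)

# Constructed PID table, as read from Task Manager's PID column. PIDs are only
# valid for the boot during which the log was written.
PROCESS_TABLE = {1600: "inetinfo.exe"}

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Event (\d+)$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")


def parse_events(text):
    """Turn the exported text into a list of dicts: time, event_id, then one
    key per 'Field:\\tValue' line of the record body."""
    events, current = [], None
    for line in text.splitlines():
        head = HEADER_RE.match(line.strip())
        if head:
            current = {"time": datetime.strptime(head.group(1), "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(head.group(2))}
            events.append(current)
            continue
        field = FIELD_RE.match(line)
        if current is not None and field:
            current[field.group(1).strip()] = field.group(2)
    return events


def failed_logons(events):
    return [e for e in events if e["event_id"] == 529]


def failures_by_process(events, process_table):
    """Count failures per Caller Process ID, naming the image where the PID is
    known; an unknown PID is reported as unresolved rather than guessed."""
    counts = Counter()
    for e in failed_logons(events):
        pid = int(e.get("Caller Process ID", "0"))
        counts[(pid, process_table.get(pid, "unresolved"))] += 1
    return counts


def failures_by_account(events):
    return Counter(e.get("User Name", "?") for e in failed_logons(events))


def lockouts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {account: time of the failure at which a sliding-window policy of
    `threshold` failures within `window` would lock the account}. Later
    failures for a locked account are ignored (Windows logs those as a
    different event once the account is locked)."""
    recent, locked = defaultdict(deque), {}
    for e in sorted(failed_logons(events), key=lambda ev: ev["time"]):
        user = e.get("User Name", "?")
        if user in locked:
            continue
        q = recent[user]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked[user] = e["time"]
    return locked


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (pid, name), n in failures_by_process(evs, PROCESS_TABLE).most_common():
        print(f"PID {pid:>5} {name:<12} {n} failures")
    for user, n in failures_by_account(evs).most_common():
        print(f"{user:<14} {n} failures")
    for user, when in lockouts(evs).items():
        print(f"{user} would be locked out at {when:%H:%M:%S}")
```

On the constructed sample, eight of the nine failures resolve to PID 1600 (inetinfo.exe, the IIS process that also hosts the SMTP service on SBS 2003), and the `administrator` account reaches the lockout threshold on its fifth failure within a few seconds of the burst starting. That second figure is the caveat a practitioner wants from this check: a lockout policy stops password guessing against an account, but a noisy source can also lock out a legitimate account repeatedly, so the process attribution and the source restriction are what actually reduce the noise.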
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34981048
And still no Process ID 1600 showing on your server?
 

Author Comment

by:SteveB2515
ID: 34984270
Yes. I mentioned in my previous post that PID 1600=inetinfo.exe

Thanks
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 34984448
Sorry - I missed that.  Been on holiday - so maybe too much Sangria!

Inetinfo suggests that the abusers are using port 25 to try and crack your username / passwords, which is exactly what my 2nd blog page is about (http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/)

Do you have users who send mail to your server externally from your offices using SMTP?
 

Author Comment

by:SteveB2515
ID: 34984614
I'm jealous. I want to go on holiday :)

Your blog was very good. I just disabled Basic & Integrated Windows Authentication on our server.

After doing a little more reading this morning on the internet blogs, I learned of one more thing I could do. I didn’t mention before that we were running a Barracuda Networks Spam & Virus Firewall. I have our DNS MX record pointing all incoming email there, and then after it is processed, the Barracuda sends it to our server. After digging around in the server I found that the virtual smtp server was still set to accept mail from any IP address. I changed that to only accept mail from the Barracuda IP and IP addresses within our LAN.

I’ll give it a few days to see if all that works, but I’m feeling pretty good about it.

Thanks for all your help!
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34984721
Sorry - over in England with all our Grey weather - we need some sunshine!!

The Barracuda is a good Ace to have had up your sleeve ; )

The Authentication would have cut down the problem, but having a Barracuda to play with and restricting the IPs would be the final nail in the coffin (with that particular method of hacking).

Your Reports should be much happier now.

Alan