Solved

Need To Block IP Address

Posted on 2011-03-23
1,496 Views
Last Modified: 2012-06-27
I just received my Server Performance Report to find that a certain unknown
IP address has attempted to log in as Administrator some 849 times. I am
pretty certain that they did not succeed but how do I block that IP address
from being served anything from my server?

I am using Small Business Server 2003 Premium with all current security
updates.

Thank you.

Question by:csk2512
17 Comments
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35197827
You can block them on your Router / Firewall assuming you have the option to do so, but it may be worth working out why or what process they are trying to access.

What ports do you have open on your firewall?

Do you have RDP (TCP Port 3389) open?  You shouldn't have - it is very dangerous.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35197840
0
 

Author Comment

by:csk2512
ID: 35198042
We don't have a hardware firewall. We are using ISA 2004. How do I check what Ports are open? Is there a way to just add addresses to block in ISA as I see them on the Performance report? And if so how? We have (2) NIC setup with DSL modem for internet.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35198180
I don't know ISA as a product, so can't advise you specifically.  I have added the question to the ISA zone, so hopefully an ISA expert can assist you with the specifics.

You can check what ports are open on www.canyouseeme.org - type in a port number e.g., 3389 and see if you get SUCCESS as a response.
0
 

Author Comment

by:csk2512
ID: 35198214
I did get success as a response using www.canyouseeme.org for port 3389.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35198301
Okay - that is not a good idea to have open unless it is restricted.  Hackers will be probing the internet for computers that respond on that port and will latch onto it and try to hack your server.
0
 

Author Comment

by:csk2512
ID: 35198390
We are using the SBS 2003 remote desktop connection to allow certain users to access from home. If blocking port 3389 will not cause a problem, then how do we block that port?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35198433
Remote Web Workplace uses a different port (TCP Port 4125) and should allow remote desktop access.

Port 3389 usually goes direct to the server and is Very Dangerous.  Ideally it should be closed off or restricted to the IT Admin's home IPs.
0
 

Author Comment

by:csk2512
ID: 35198497
We also use Outlook Web Access. How do you close off Port 3389?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35198552
OWA uses TCP Port 443.

You would need to check the ISA rules and either disable the RDP (TCP Port 3389) rule or delete it.
0
 
LVL 22

Assisted Solution

by:Larry Struckmeyer MVP
Larry Struckmeyer MVP earned 45 total points
ID: 35199900
ISA does not enable 3389 automatically.  Someone, probably a remote support or previous admin has opened 3389 by creating a rule.  From the ISA management console, found in Start - programs, open the ISA firewall rules and see if you can ID that rule.  If so, you can restrict it to the IP of the remote support person, or you can disable it.  This should not affect any other service on the SBS.

Oh, and I can't do this from memory, so run through the CEICW again and see if RDP or Remote Access or 3389 is ticked in any of the services to be allowed screens.  Do this first.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 181 total points
ID: 35208026
Dudes! Look!
If you don't go out of your way to allow something on ISA,....it is already denied!!!

ISA does not "allow everything" until you tell it not to,...the opposite is true.  However, yes, SBS does have a lot of Allow Rules, but even then you can simply read what they are and know what they do.

Go back to the beginning here. Look at the entries that were denied.  What are they really? You cannot just "log in" with an Admin account to "nothing",...you have to login to "something".   So,..Denied connection attempts?  Failed OWA Logins?  Failed RWW Attempts?  Failed what?

You also cannot make hackers disappear,...you cannot make them stop trying,...you cannot keep blocking meaningless IP#s that do not belong to, nor identify a hacker, due to spoofing, hijacking, or even simple NATing,..all of which make focusing on the source IP to be meaningless.   All you can really do is make their attempts fail,...and from what I can see,...you already are.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 181 total points
ID: 35208069
If I was really wanting to break into your system I would do it through an infection on one of your internal machines that phoned home to momma.  It would be outbound initiated traffic from the inside of your LAN coming outbound to me and none of your inbound blocking attempts would mean anything.
0
 

Author Comment

by:csk2512
ID: 35208126
This is a copy of the error:
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      Administrator
       Domain:      XXXXXXXXXXXXXX
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      XXXXXXXXXXXXXXX
       Caller User Name:      XXXXXXXXXXXXXX$
       Caller Domain:      XXXXXXXXXXXXX
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      10676
       Transited Services:      -
       Source Network Address:      175.136.242.102
       Source Port:      2042
0
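Added example, not code from the thread: a small Python script that parses Windows Server 2003 "Logon Failure" event text in the layout quoted above, counts failed Administrator logons per source address, and decodes Logon Type 10 as RemoteInteractive (Terminal Services/RDP), which is what ties this event to port 3389. The sample events and their addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample: three 2003-style "Logon Failure" events in the same
# text layout as the event quoted in the thread (addresses are made up).
SAMPLE_EVENTS = """\
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      Administrator
       Logon Type:      10
       Source Network Address:      198.51.100.7
       Source Port:      2042
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      Administrator
       Logon Type:      10
       Source Network Address:      198.51.100.7
       Source Port:      2043
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      jsmith
       Logon Type:      3
       Source Network Address:      192.168.1.20
       Source Port:      1055
"""

# Windows logon type codes: 10 = RemoteInteractive (Terminal Services / RDP),
# so an Administrator failure with type 10 came in over RDP, not OWA or RWW.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s+(.*?)\s*$")

def parse_events(text):
    """Split the text into one dict of field -> value per 'Logon Failure:' block."""
    events = []
    for line in text.splitlines():
        if line.startswith("Logon Failure:"):
            events.append({})
            continue
        m = FIELD_RE.match(line)
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def failed_admin_logons(text, threshold=2):
    """Count Administrator failures per (source IP, logon type) and return the
    (ip, logon type name, count) tuples that reach the threshold."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("User Name") != "Administrator":
            continue
        lt = int(ev.get("Logon Type", 0))
        counts[(ev.get("Source Network Address"), LOGON_TYPES.get(lt, str(lt)))] += 1
    return [(ip, lt, n) for (ip, lt), n in counts.items() if n >= threshold]
```

Run over a real export of the Security log, the output tells you which external address and which logon path (RDP, network, interactive) the failures used before deciding which ISA rule to restrict.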
 
LVL 29

Accepted Solution

by:pwindell
pwindell earned 181 total points
ID: 35208317
If it truly came from 175.136.242.102 then it had to come through the ISA from the outside,...which means it came through a Publishing Rule,...which means there is a Publishing Rule that is specifically set to that particular workstation as the Target.  It would be hard to miss a Rule such as that and you would have had to create it on purpose.   I really doubt there is such a Rule, so there isn't much point in pursuing that path.

The other alternative is that there is an infection on that particular workstation where it is making the connection outbound to an external location.  Once that connection is made then the Auth Attempt is coming over that established outbound connection.  This is no different than how things like WebEx, GotoMyPC, LogMeIn, Chat Tools, Instant Messengers, Slingbox,...or dozens and dozens of other things work.  Your solution is to clean up that workstation (or whatever the machine is) with some solid scanning tools or AV software.  Malwarebytes is my personal favorite of the "free" ones.  You also need to inventory the machine to make sure you remove anything that some other user may have intentionally installed on it without knowing it was something potentially "bad".
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 181 total points
ID: 35208341
I try to run a "tight ship" here,...and still two days ago,...I cleaned up a Non-Linear Editor (running on XP) that had 96 infections.
0