Solved

Need To Block IP Address

Posted on 2011-03-23
17
1,486 Views
Last Modified: 2012-06-27
I just received my Server Performance Report to find that a certain unknown
IP address has attempted to log in as Administrator some 849 times. I am
pretty certain that they did not succeed but how do I block that IP address
from being served anything from my server?

I am using Small Business Server 2003 Premium with all current security
updates.

Thank you.

Question by:csk2512
17 Comments
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35197827
You can block them on your Router / Firewall assuming you have the option to do so, but it may be worth working out why or what process they are trying to access.

What ports do you have open on your firewall?

Do you have RDP (TCP Port 3389) open?  You shouldn't have - it is very dangerous.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35197840
0
 

Author Comment

by:csk2512
ID: 35198042
We don't have a hardware firewall. We are using ISA 2004. How do I check what Ports are open? Is there a way to just add addresses to block in ISA as I see them on the Performance report? And if so how? We have (2) NIC setup with DSL modem for internet.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35198180
I don't know ISA as a product, so can't advise you specifically.  I have added the question to the ISA zone, so hopefully an ISA expert can assist you with the specifics.

You can check what ports are open on www.canyouseeme.org - type in a port number e.g., 3389 and see if you get SUCCESS as a response.
0
 

Author Comment

by:csk2512
ID: 35198214
I did get success as a response using www.canyouseeme.org for port 3389.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35198301
Okay - that is not a good idea to have open unless it is restricted.  Hackers will be probing the internet for computers that respond on that port and will latch onto it and try to hack your server.
0
 

Author Comment

by:csk2512
ID: 35198390
We are using the SBS 2003 remote desktop connection to allow certain users to access from home. If blocking port 3389 will not cause a problem, then how do we block that port?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35198433
Remote Web Workplace uses a different port (TCP Port 4125) and should allow remote desktop access.

Port 3389 usually goes direct to the server and is Very Dangerous.  Ideally it should be closed off or restricted to the IT Admin's home IPs.
0
 

Author Comment

by:csk2512
ID: 35198497
We also use Outlook Web Access. How do you close off Port 3389?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 274 total points
ID: 35198552
OWA uses TCP Port 443.

You would need to check the ISA rules and either disable the RDP (TCP Port 3389) rule or delete it.
0
 
LVL 21

Assisted Solution

by:Larry Struckmeyer MVP
Larry Struckmeyer MVP earned 45 total points
ID: 35199900
ISA does not enable 3389 automatically.  Someone, probably a remote support or previous admin has opened 3389 by creating a rule.  From the ISA management console, found in Start - programs, open the ISA firewall rules and see if you can ID that rule.  If so, you can restrict it to the IP of the remote support person, or you can disable it.  This should not affect any other service on the SBS.

Oh, and I can't do this from memory, so run through the CEICW again and see if RDP or Remote Access or 3389 is ticked in any of the services to be allowed screens.  Do this first.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 181 total points
ID: 35208026
Dudes! Look!
If you don't go out of your way to allow something on ISA,....it is already denied!!!

ISA does not "allow everything" until you tell it not to,...the opposite is true.  However, yes, SBS does have a lot of Allow Rules, but even then you can simply read what they are and know what they do.

Go back to the beginning here. Look at the entries that were denied.  What are they really? You cannot just "log in" with an Admin account to "nothing",...you have to login to "something".   So,..Denied connection attempts?  Failed OWA Logins?  Failed RWW Attempts?  Failed what?

You also cannot make hackers disappear,...you cannot make them stop trying,...you cannot keep blocking meaningless IP#s that do not belong to, nor identify a hacker, due to spoofing, hijacking, or even simple NATing,..all of which make focusing on the source IP to be meaningless.   All you can really do is make their attempts fail,...and from what I can see,...you already are.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 181 total points
ID: 35208069
If I was really wanting to break into your system I would do it through an infection on one of your internal machines that phoned home to momma.  It would be outbound initiated traffic from the inside of your LAN coming outbound to me and none of your inbound blocking attempts would mean anything.
0
 

Author Comment

by:csk2512
ID: 35208126
This is a copy of the error:
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      Administrator
       Domain:      XXXXXXXXXXXXXX
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      XXXXXXXXXXXXXXX
       Caller User Name:      XXXXXXXXXXXXXX$
       Caller Domain:      XXXXXXXXXXXXX
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      10676
       Transited Services:      -
       Source Network Address:      175.136.242.102
       Source Port:      2042
0
 
LVL 29

Accepted Solution

by:pwindell
pwindell earned 181 total points
ID: 35208317
If it truly came from 175.136.242.102 then it had to come through the ISA from the outside,...which means it came through a Publishing Rule,...which means there is a Publishing Rule that is specifically set to that particular workstation as the Target.  It would be hard to miss a Rule such as that and you would have had to create it on purpose.   I really doubt there is such a Rule, so there isn't much point in pursuing that path.

The other alternative is that there is an infection on that particular workstation where it is making the connection outbound to an external location.  Once that connection is made then the Auth Attempt is coming over that established outbound connection.  This is no different than how things like WebEx, GotoMyPC, LogMeIn, Chat Tools, Instant Messengers, Slingbox,...or dozens and dozens of other things work.  Your solution is to clean up that workstation (or whatever the machine is) with some solid scanning tools or AV software.  Malwarebytes is my personal favorite of the "free" ones.  You also need to inventory the machine to make sure you remove anything that some other user may have intentionally installed on it without knowing it was something potentially "bad".
0
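The event the author pasted (ID 35208126) and pwindell's reasoning about where that connection came from (ID 35208317) both turn on reading the fields of the "Logon Failure" record correctly: Logon Type 10 is RemoteInteractive (Terminal Services / RDP), and the Source Network Address tells you whether the attempt arrived from a public address or from a LAN host. The script below is an added example written for this thread, not code from any poster or from Microsoft; it parses event bodies in the Server 2003 text layout shown above, counts failures per (source address, user name), labels the logon type, and classifies the source as public or RFC1918 private. The sample batch is constructed: twelve copies of the pasted event (domain and host names replaced with placeholders) plus two network logon failures from an invented LAN address 192.168.1.25 for user jsmith.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Logon Type codes as recorded in Windows Server 2003 security events
# (event 529 on 2003; the same codes appear in event 4625 on later versions).
LOGON_TYPES = {
    2: "Interactive",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive",   # Terminal Services / RDP
    11: "CachedInteractive",
}

# One "Key:   value" line of the event body; the bare "Logon Failure:" header has
# no value and therefore does not match.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>\S.*)$")

# Constructed sample: the pasted event with the masked names replaced by placeholders.
SAMPLE_EVENT = """Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      Administrator
       Domain:      EXAMPLEDOM
       Logon Type:      10
       Logon Process:      User32
       Authentication Package:      Negotiate
       Workstation Name:      WS-EXAMPLE
       Caller User Name:      SBS-EXAMPLE$
       Caller Domain:      EXAMPLEDOM
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      10676
       Transited Services:      -
       Source Network Address:      175.136.242.102
       Source Port:      2042
"""


def parse_logon_failure(text):
    """Turn one event body (the indented key: value block) into a dict of fields."""
    fields = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def classify_source(addr):
    """'private' for RFC1918/loopback style addresses, 'public' otherwise, 'unknown' for '-' or blank."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return "private" if ip.is_private else "public"


def summarize_failures(events, threshold=10):
    """Group failures by (source address, user) and report every pair at or above threshold."""
    counts = Counter()
    logon_types = defaultdict(set)
    for ev in events:
        key = (ev.get("Source Network Address", "-"), ev.get("User Name", "?"))
        counts[key] += 1
        try:
            logon_types[key].add(int(ev.get("Logon Type", "0")))
        except ValueError:
            pass
    findings = []
    for (src, user), n in counts.most_common():
        if n < threshold:
            continue
        findings.append({
            "source": src,
            "scope": classify_source(src),
            "user": user,
            "count": n,
            "logon_types": sorted(LOGON_TYPES.get(t, str(t)) for t in logon_types[(src, user)]),
        })
    return findings


def build_sample_batch():
    """Constructed batch: 12 RDP failures from the pasted address, 2 network failures from a LAN host."""
    events = [parse_logon_failure(SAMPLE_EVENT) for _ in range(12)]
    lan = parse_logon_failure(SAMPLE_EVENT)
    lan.update({"Logon Type": "3", "Source Network Address": "192.168.1.25", "User Name": "jsmith"})
    events.extend(dict(lan) for _ in range(2))
    return events


def analyze_sample():
    """Run the summary over the constructed batch with the default threshold of 10."""
    return summarize_failures(build_sample_batch())


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f['count']:>4} failures for {f['user']} from {f['source']} "
              f"({f['scope']}), logon types: {', '.join(f['logon_types'])}")
```

On real data, feed the script the exported text of each 529 event rather than the constructed batch. A public source address with logon type 10 means the RDP listener is reachable from the internet, which is exactly what the canyouseeme check earlier in the thread confirmed; a private source address with the same pattern points at the workstation-side explanation pwindell describes, and the machine at that address is what to examine next.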
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 181 total points
ID: 35208341
I try to run a "tight ship" here,...and still two days ago,...I cleaned up a Non-Linear Editor (running on XP) that had 96 infections.
0