Solved

1,708 failed login attacks from Russia, China, & Iran

Posted on 2011-09-09
926 Views
Last Modified: 2012-05-12
I noticed 1,708 failed login attacks from Russia (95.9.86.199 & 46.0.127.152), China (111.175.39.224) & Iran (78.39.217.212) in the Security Logs since 9/8/11 at 9:59 pm up to the present.

How are they able to knock on the door? Shouldn't the firewall be denying them before they hit the server? What types of countermeasures should I initiate?

Microsoft SBS2k3 Security Best Practices were followed, except for renaming all admin accounts, which was just done this morning (http://technet.microsoft.com/en-us/library/cc747484(WS.10).aspx). I have noticed RealVNC installations on several machines, installed by our software vendor for remote support. Shares were already all locked down. Changed the LAN IP addresses for everything: firewall gateways (WLAN & LAN), server, all reservations, and devices. Passwords do not expire but do meet the Best Practices listed above: complexity, length, lockout policy (60m, 4, 60m).

The environment:
(1) SBS 2k3, SP2, domain – all patched.
(25) Windows XP, SP3 – 60% patched. The 40% may need the most recent patches only.
(1) SonicWALL TZ 170 w/CGSS (Comprehensive Gateway Security Suite).
ESET Business ERAC – all def. current/no infections.
SuperAntiSpyware – all def. current/no infections.

IPs logged:
78.39.217.212 - Iran
95.9.86.199 & 46.0.127.152 - Russia
111.175.39.224 - China

Ports:
1638, 2655, 2793, 2766, 2738, 2606, 2581, 7077, etc.

Example attack below:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            9/9/2011
Time:            2:07:06 AM
User:            NT AUTHORITY\SYSTEM
Computer:      Server3
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      server
       Domain:            theDomain
       Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      Server3
       Caller User Name:      Server3$
       Caller Domain:      theDomain
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6356
       Transited Services:      -
       Source Network Address:      95.9.86.199
       Source Port:      2655
Question by:diverseit
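As an added example (not part of the question or of any answer), a small Python parser for exported Event ID 529 records in the layout quoted above. It keeps only RDP failures (Logon Type 10) coming from public addresses and flags any source that exceeds the question's lockout policy of 4 attempts in 60 minutes, which is the pattern a firewall rule for 3389 should have stopped. The sample records are constructed for this example; only the source address is taken from the question.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the question): five 529 records in the same
# "Field: value" layout as the quoted event, trimmed to the fields used here.
# Four RDP (type 10) failures from one public address inside eight minutes,
# plus one console (type 2) failure from the LAN.
SAMPLE_EVENTS = "\n\n".join([
    "Event ID: 529\nDate: 9/9/2011\nTime: 2:07:06 AM\nLogon Type: 10\nSource Network Address: 95.9.86.199\nSource Port: 2655",
    "Event ID: 529\nDate: 9/9/2011\nTime: 2:07:09 AM\nLogon Type: 10\nSource Network Address: 95.9.86.199\nSource Port: 2656",
    "Event ID: 529\nDate: 9/9/2011\nTime: 2:09:41 AM\nLogon Type: 10\nSource Network Address: 95.9.86.199\nSource Port: 2657",
    "Event ID: 529\nDate: 9/9/2011\nTime: 2:15:00 AM\nLogon Type: 10\nSource Network Address: 95.9.86.199\nSource Port: 2658",
    "Event ID: 529\nDate: 9/9/2011\nTime: 8:30:00 AM\nLogon Type: 2\nSource Network Address: 192.168.0.25\nSource Port: 0",
])

# One "Key:   value" line; tolerates the ragged indentation of an exported event.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$", re.M)

def parse_529(text):
    """Split exported Security-log text into records and keep Event ID 529 only."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(FIELD.findall(block))
        if f.get("Event ID") != "529":
            continue
        events.append({
            "when": datetime.strptime(f["Date"] + " " + f["Time"], "%m/%d/%Y %I:%M:%S %p"),
            "logon_type": int(f["Logon Type"]),
            "src": f.get("Source Network Address", "-"),
            "port": int(f.get("Source Port", "0")),
        })
    return events

def rdp_bruteforce_sources(events, threshold=4, window=timedelta(minutes=60)):
    """Return {source_ip: total failures} for public addresses with at least
    `threshold` RDP (type 10) failures inside any `window` (the question's
    lockout policy: 4 attempts, 60 minutes)."""
    by_src = defaultdict(list)
    for e in events:
        src = e["src"]
        if e["logon_type"] != 10 or not src[:1].isdigit():   # skip "-" / hostnames
            continue
        if ipaddress.ip_address(src).is_global:             # ignore LAN sources
            by_src[src].append(e["when"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):         # sliding window
            if times[i + threshold - 1] - times[i] <= window:
                flagged[src] = len(times)
                break
    return flagged
```

A flagged public source on Logon Type 10 means TCP 3389 is reachable from the WAN, which is the firewall check the answers below point at.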
7 Comments
 
LVL 6

Accepted Solution

by:
nativevlan earned 250 total points
ID: 36512771
It sounds like your firewall is not blocking the login attempts. Reconfigure the firewall to block all incoming traffic destined for 3389, unless you need RDP from the internet from certain hosts for some reason. In that case allow only the required IP addresses inbound over RDP.
LVL 8

Expert Comment

by:amatson78
ID: 36512885
There is definitely something not going right with the firewall. Are you running the latest firmware for the TZ 170? I believe it is 4.2.1.3 if you are on SonicOS Enhanced. I would, as the other user suggested, lock down any unneeded ports from outside access. Also place sensitive servers on the guarded LAN and place public-facing servers in a DMZ with controlled access. The TZ 170 is an outdated device and does not stand up well against newer, more sophisticated attacks. The newer models (NSA series) on firmware 5.8.1 now have a feature to block based on Geo-Location so you can block IPs from specific countries such as Iran, Russia, etc.

Harden your network and you should be OK from most threats.
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 250 total points
ID: 36513062
>> "have noticed RealVNC on several machines"
RealVNC is very insecure.

90% of these types of attacks are done through Remote Desktop. Is port 3389 open? In an SBS environment there is no need. Using RWW, on ports 443 & 4125, is much more secure.
LVL 33

Expert Comment

by:digitap
ID: 36513147
I'm in agreement with the suggestions here. What ports are open on your SonicWALL WAN > LAN? Also, you might consider looking internally as well. Do you have any devices that might be infected with malicious software giving your network a backdoor? If you have an infected machine then it's possible several hundred or thousand connections are being created LAN > WAN. You can determine this by going to Firewall > Connections or System > Diagnostics > Connections. Whatever device it is, I'd disconnect it from the network and sanitize it.
LVL 24

Author Comment

by:diverseit
ID: 36513184
@ALL: Thanks for your quick responses! Checking access rules now. I will post findings shortly.
LVL 24

Author Comment

by:diverseit
ID: 36514399
@amatson78: Yes, FW has the most recent firmware. Agreed, it's old. :( Time for new gear!

@RobWill: I uninstalled 10 RealVNC installations; once I did that, on top of deleting TS access, the log cleared up.

@digitap: Thanks! I checked the connection monitor - nothing out of the ordinary LAN > WAN.

@ALL: Wow! We had someone working on the FW three days ago and must have enabled TS (*,192.168.0.1 (LAN),Terminal Services, Allow), because it was enabled. This was an old rule that should have been deleted, not disabled. VPN is exclusively used before TS in this environment. Thanks! Sometimes the most obvious is the most overlooked. I didn't even check the access rules because "I knew" there were no open ports left to be slaughtered. Lol. :p Thanks again!
LVL 24

Author Closing Comment

by:diverseit
ID: 36514407
I am awarding points based on first responders, so nativevlan: for suggesting removal of TS (3389) access and RobWill: for suggesting disabling RealVNC installations. Let me know if anyone feels otherwise.