I noticed 1,708 failed logins attacks from Russia (18.104.22.168 & 22.214.171.124), China (126.96.36.199) & Iran (188.8.131.52) in the Security Logs since 9/8/11 at 9:59 pm up to present.
How are they able to knock on the door? Firewall should be denying them before hitting the server? What types of countermeasures should I initiate?
Microsoft SBS2k3 Security Best Practices was followed, except for renaming all admin accounts, which was just done this morning (http://technet.microsoft.com/en-us/library/cc747484(WS.10).aspx
). I have noticed RealVNC on several machines that were installed by our software vendor for remote support. Shares were already all locked down. Changed the LAN IP addresses for everything: firewall gateways (WLAN & LAN), server, all reservations, and devices. Passwords do not expire but do meet the Best Practices listed above: complexity, length, lockout policy (60m, 4, 60m).
(1) SBS 2k3, SP2, domain – all patched.
(25) Windows XP, SP3 – 60% patched. The 40% may need the most recent patches only.
(1) SonicWALL TZ 170 w/CGSS (Comprehensive Gateway Security Suite).
ESET Business ERAC – all def. current/no infections.
SuperAntiSpyware – all def. current/no infections.
184.108.40.206 - Iran
220.127.116.11 & 18.104.22.168 - Russia
22.214.171.124 - China
1638, 2655, 2793, 2766, 2738, 2606, 2581, 7077, etc.
Example attack below:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Time: 2:07:06 AM
User: NT AUTHORITY\SYSTEM
Reason: Unknown user name or bad password
User Name: server
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: Server3
Caller User Name: Server3$
Caller Domain: theDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6356
Transited Services: -
Source Network Address: 126.96.36.199
Source Port: 2655