Blue Street Tech
1,708 failed login attacks from Russia, China, & Iran
I noticed 1,708 failed login attacks from Russia (95.9.86.199 & 46.0.127.152), China (111.175.39.224) & Iran (78.39.217.212) in the Security Logs since 9/8/11 at 9:59 pm up to present.
How are they able to knock on the door? Firewall should be denying them before hitting the server? What types of countermeasures should I initiate?
Microsoft SBS2k3 Security Best Practices were followed, except for renaming all admin accounts, which was just done this morning (http://technet.microsoft.com/en-us/library/cc747484(WS.10).aspx). I have noticed RealVNC on several machines that was installed by our software vendor for remote support. Shares were already all locked down. Changed the LAN IP addresses for everything: firewall gateways (WLAN & LAN), server, all reservations, and devices. Passwords do not expire but do meet the Best Practices listed above: complexity, length, lockout policy (60m, 4, 60m).
The environment:
(1) SBS 2k3, SP2, domain – all patched.
(25) Windows XP, SP3 – 60% patched. The 40% may need the most recent patches only.
(1) SonicWALL TZ 170 w/CGSS (Comprehensive Gateway Security Suite).
ESET Business ERAC – all def. current/no infections.
SuperAntiSpyware – all def. current/no infections.
IPs logged:
78.39.217.212 - Iran
95.9.86.199 & 46.0.127.152 - Russia
111.175.39.224 - China
Ports:
1638, 2655, 2793, 2766, 2738, 2606, 2581, 7077, etc.
Example attack below:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/9/2011
Time: 2:07:06 AM
User: NT AUTHORITY\SYSTEM
Computer: Server3
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: server
Domain: theDomain
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: Server3
Caller User Name: Server3$
Caller Domain: theDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 6356
Transited Services: -
Source Network Address: 95.9.86.199
Source Port: 2655
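Added example, not from this thread: a small Python script that parses Security-log text in the layout quoted above, keeps only Event ID 529 failures with Logon Type 10 (Terminal Services / RDP), and tallies them per Source Network Address so the addresses to block at the firewall stand out. The log entries below are constructed for illustration (the 10.0.0.5 host is an assumed LAN workstation).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Windows 2003 Security-log text layout; trimmed to
# the fields the parser needs. Two RDP failures from one address, one local one.
SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 529
User Name: server
Logon Type: 10
Source Network Address: 95.9.86.199
Source Port: 2655

Event Type: Failure Audit
Event ID: 529
User Name: administrator
Logon Type: 10
Source Network Address: 95.9.86.199
Source Port: 2793

Event Type: Failure Audit
Event ID: 529
User Name: jsmith
Logon Type: 2
Source Network Address: 10.0.0.5
Source Port: -
"""

# Anchored at line start so "Caller User Name:" in a full record is not matched.
FIELD_RE = re.compile(r"^(Event ID|Logon Type|User Name|Source Network Address):\s*(.*)$", re.M)

def parse_events(text):
    """Split the text log on blank lines and return one field dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if fields:
            events.append(fields)
    return events

def remote_logon_failures(events):
    """Keep Event ID 529 with Logon Type 10, i.e. failed Terminal Services logons."""
    return [e for e in events if e.get("Event ID") == "529" and e.get("Logon Type") == "10"]

def summarize(events, threshold=2):
    """Per source address: failure count, account names tried, and a block flag."""
    per_source = Counter(e["Source Network Address"] for e in events)
    names = defaultdict(set)
    for e in events:
        names[e["Source Network Address"]].add(e["User Name"])
    return {ip: {"failures": n, "accounts": sorted(names[ip]), "suspicious": n >= threshold}
            for ip, n in per_source.items()}
```

Run against an exported Security log, the same summary shows which external addresses are hammering RDP and which account names they guess, which is what the firewall access-rule review in this thread turned up.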
I'm in agreement with suggestions here. What ports are open on your SonicWALL WAN > LAN? Also, you might consider looking internally as well. Do you have any devices that might be infected with malicious software giving your network a backdoor? If you have an infected machine then it's possible several hundred or thousand connections are being created LAN > WAN. You can determine this by going to Firewall > Connections or System > Diagnostics > Connections. Whatever device it is, I'd disconnect it from the network and sanitize it.
ASKER
@ALL: Thanks for your quick responses! Checking access rules now. I will post findings shortly.
ASKER
@amatson78: Yes, FW has the most recent firmware. Agreed it’s old. :( Time for new gear!
@RobWill: I uninstalled 10 RealVNC installations; once I did that on top of deleting TS access, the log cleared up.
@digitap: Thanks! I checked the connection monitor - nothing out of the ordinary LAN > WAN.
@ALL: Wow! We had someone working on the FW three days ago and must have enabled TS (*,192.168.0.1 (LAN),Terminal Services, Allow), cause it was enabled. This was an old rule that should have been deleted not disabled. VPN is exclusively used before TS in this envir. Thanks! Sometimes the most obvious is the most overlooked. I didn’t even check the access rules because “I knew” there was no open ports left to be slaughtered. Lol. :p Thanks again!
ASKER
I am awarding points based on first responders, so nativevlan: for suggesting removal of TS (3389) access and RobWill: for suggesting disabling RealVNC installations. Let me know if anyone feels otherwise.
Harden your network and you should be OK from most threats.