• Status: Solved

list of IP addresses that have tried to access our server?

Hi,

Our SBS 2003 seems to be under fairly constant attack with someone/persons trying to gain access by trying to brute force the Admin password. I have spoken to our ISP today who have explained what access they can take. I have obtained some of the IP addresses in question from the event logs; however, I was hoping someone would be able to tell me if there is any way of easily viewing/gathering a list of all the IP addresses that have been trying to access our server so that I can forward this to our ISP for action.

Many thanks
0
Asked: SarahWH
2 Solutions
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
Consult your firewall logs. Your business-class firewall should have the ability to log access. Otherwise, the best you'll be able to do is export the event logs and/or review your IIS logs.
0
 
ormerodrutterCommented:
0
 
paulcCommented:
Assuming these are outside addresses, I would first determine what ports they are trying to come in on and find out which ports are open on your router/firewall. Close anything that doesn't need to be open. Stuff like RDP should never be open.

Blocking IPs is not going to work because they will just change addresses and keep attacking.
0
 
SarahWHAuthor Commented:
Thanks for the advice so far....

The logs in the router look to be useful.... Not sure which aspect of mxtoolbox would be beneficial for me in this instance?

What is the best way of determining the ports? Just by using the event viewer?
0
 
CNS_SupportCommented:
I would suggest that you look at the port forwards configured in your firewall router. If you want to know what ports are open, you can use a tool on this website:
http://www.grc.com. You are looking for Shields Up, and you want to "probe my ports".
It will show you what ports are open and what is stealth.
If you must have RDP open, make sure you change which port you use for it. (Normally 3389, but you can just use a port forward from, say, 3391 and then port forward to 3389 internally, or even create a VPN first and just use an internal IP.)
Another step you could take is to change the Administrator name to something else. Server access is a two-fold step: username and password. Nearly all servers have the username Administrator, so they already have half of the equation.
The other thing I have found is that a lot of the attacks are using IIS. They are trying to authenticate against a web service. It may even be mail based. You will need to do some research in this area if that is the case.

Hope that is some help.

David
0
 
SarahWHAuthor Commented:
Hi David,

That's a great help, thank you, and I shall definitely look into some of your suggestions.

I think I shall take the step of renaming the administrator account. Is that as simple as just changing the Administrator logon name under Administrator Properties, or is it more complex than that?

I have already taken the step of disabling RDP, as from research this will be a lot safer, and as I am the only person to use this facility I shall live without it; it's become less essential recently anyway.

I shall need to research whether the attacks are using IIS, as I do not know how to tell this currently.

Thanks again :)
0
 
Rob WilliamsCommented:
90% of the time attacks on SBS are through RDP by having port 3389 open. On an SBS there is no need to use 3389; you can use Remote Web Workplace, unique to SBS, which is far more secure and uses ports 443 and 4125. Hackers use port scanners. As soon as they see 3389 they know what service they need to use to mount their attack. With RWW/443 it could be one of many services, and with RWW port 4125 is locked until a successful authentication is complete.
0
 
SarahWHAuthor Commented:
It will be very interesting then to see if the number of attacks is greatly reduced now that I have disabled 3389 (hope so!). I will update this comment in a few days after I have had the opportunity to monitor the situation.

Thanks to all for the input so far; it is much appreciated :)
0
 
CNS_SupportCommented:
To see where the attacks are coming from you can check the Security Log in Event Viewer:
Start > Run
Eventvwr
Then just browse through. You are looking for Failure, not Success.
RobWill is correct, you can just use Remote Web Workplace and it is indeed very secure.

David
0
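A quicker route than reading each failure event by hand, and a way to turn the exported event log Lee W mentions into the IP list the question asks for. This is an added example, not code from anyone in the thread: it assumes the Security log has been saved as text from Event Viewer and that the records carry the Windows Server 2003 "Source Network Address" field (present for network and RDP logons), and it aggregates event ID 529/539 failures per source address. The sample records are constructed.

```python
import re
from collections import Counter

# Constructed sample (not a real log): records in the shape of a Windows Server
# 2003 Security log saved as text from Event Viewer, trimmed to the fields used.
SAMPLE_EXPORT = """\
Event ID:\t529
\tUser Name:\tadministrator
\tLogon Type:\t10
\tSource Network Address:\t203.0.113.5

Event ID:\t529
\tUser Name:\tadmin
\tLogon Type:\t10
\tSource Network Address:\t203.0.113.5

Event ID:\t540
\tUser Name:\tsarah
\tLogon Type:\t3
\tSource Network Address:\t192.168.16.20

Event ID:\t529
\tUser Name:\tAdministrator
\tLogon Type:\t3
\tSource Network Address:\t198.51.100.77
"""

FAILURE_IDS = {"529", "539"}  # bad user/password, account locked out

def failed_logon_sources(text):
    """Map source IP -> failure count and IP -> set of user names tried."""
    by_ip, users = Counter(), {}
    for record in re.split(r"\n\s*\n", text.strip()):  # blank line = new event
        eid = re.search(r"Event ID:\s*(\d+)", record)
        ip = re.search(r"Source Network Address:\s*(\S+)", record)
        if not eid or eid.group(1) not in FAILURE_IDS or not ip:
            continue  # success audit, or no network source (console logon)
        # ^\s* stops 'Caller User Name:' matching in full-length records
        user = re.search(r"^\s*User Name:\s*(\S+)", record, re.M)
        by_ip[ip.group(1)] += 1
        users.setdefault(ip.group(1), set()).add(user.group(1).lower() if user else "?")
    return by_ip, users

def isp_report(text):
    """One line per source IP, busiest first, ready to forward to the ISP."""
    by_ip, users = failed_logon_sources(text)
    return [f"{ip}\t{n} failed logons\tusers tried: {', '.join(sorted(users[ip]))}"
            for ip, n in by_ip.most_common()]
```

Run `isp_report` over the saved log text; successful logons (540) and console logons without a source address are skipped, so only remote failures reach the report.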
 
SarahWHAuthor Commented:
Yes, that is where I have been looking to see where the attacks have been coming from; I just wasn't sure if there was a quicker option than trawling through the failure logs individually.....

Thanks, Sarah
0
 
SarahWHAuthor Commented:
Thanks for all your input :)
0
