SarahWH

list of IP addresses that have tried to access our server?

Hi,

Our SBS 2003 seems to be under fairly constant attack with someone/persons trying to gain access by trying to brute force the Admin password. I have spoken to our ISP today who have explained what access they can take. I have obtained some of the IP addresses in question from the event logs; however, I was hoping someone would be able to tell me if there is any way of easily viewing/gathering a list of all the IP addresses that have been trying to access our server so that I can forward this to our ISP for action.

Many thanks
Lee W, MVP

Consult your firewall logs.  Your Business class firewall should have the ability to log access.  Otherwise, the best you'll be able to do is export the event logs and/or review your IIS logs.
Paul Coffey

Assuming these are outside addresses I would first determine what ports they are trying to come in on and find out which ports are open on your router/firewall.  Close anything that doesn't need to be open.  Stuff like RDP should never be open.  

Blocking IPs is not going to work because they will just change addresses and keep attacking.
SarahWH

ASKER

Thanks for the advice so far....

The logs in the router look to be useful.... Not sure which aspect of mxtoolbox would be beneficial for me in this instance?

What is the best way of determining the ports?  Just by using the event viewer?
ASKER CERTIFIED SOLUTION
CNS_Support

This solution is only available to members.
SarahWH

ASKER

Hi David,

That's a great help, thank you, and I shall definitely look into some of your suggestions.

I think I shall take the step of renaming the administrator account - is that as simple as just changing the Administrator Logon name under Administrator Properties or is it more complex than that?

I have already taken the step of disabling RDP as from research this will be a lot safer and as I am the only person to use this facility I shall live without it - it's become less essential recently anyway.

I shall need to research regarding whether the attacks are using IIS as I do not know how to tell this currently.

Thanks again :)
SOLUTION
This solution is only available to members.
SarahWH

ASKER

It will be very interesting then to see if the number of attacks is greatly reduced now that I have disabled 3389 (hope so!). I will update this comment in a few days after I have had the opportunity to monitor the situation.

Thanks to all for the input so far; it is much appreciated :)

To see where the attacks are coming from you can check the Security Log in Event Viewer:
Start > Run > Eventvwr
Then just browse through. You are looking for Failure not Success.
RobWill is correct, you can just use Remote Web Workplace and it is indeed very secure.

David
SarahWH

ASKER

Yes, that is where I have been looking to see where the attacks have been coming from - just wasn't sure if there was a quicker option than trawling through the failure logs individually.....

Thanks, Sarah
SarahWH

ASKER

Thanks for all your input :)
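
As an added example (not part of the original thread or any poster's own code): a Python script for the "quicker option" asked about above, tallying the source addresses of failed logons from a Security log exported to text instead of browsing each Failure entry in Event Viewer. The one-record-per-line layout, the "Failure Audit" type label, the sample records and the addresses (documentation ranges) are constructed assumptions; adjust the patterns to match the actual export.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of an exported Security log (assumed: one record per line).
SAMPLE_EXPORT = "\n".join([
    "Failure Audit\t12/03/2012\t02:14:07\tSecurity\t529\tLogon Failure: User Name: Administrator Logon Type: 10 Source Network Address: 203.0.113.45 Source Port: 4021",
    "Failure Audit\t12/03/2012\t02:14:09\tSecurity\t529\tLogon Failure: User Name: Administrator Logon Type: 10 Source Network Address: 203.0.113.45 Source Port: 4022",
    "Success Audit\t12/03/2012\t08:55:30\tSecurity\t528\tSuccessful Logon: User Name: sarah Logon Type: 2 Source Network Address: 192.168.16.20 Source Port: 0",
    "Failure Audit\t12/03/2012\t03:40:51\tSecurity\t529\tLogon Failure: User Name: admin Logon Type: 10 Source Network Address: 198.51.100.7 Source Port: 1733",
    "Failure Audit\t12/03/2012\t09:01:12\tSecurity\t529\tLogon Failure: User Name: sarah Logon Type: 3 Source Network Address: 192.168.16.20 Source Port: 0",
    "Failure Audit\t12/03/2012\t09:05:44\tSecurity\t529\tLogon Failure: User Name: backup Logon Type: 3 Source Network Address: - Source Port: -",
])

ADDR_RE = re.compile(r"Source Network Address:\s*(\S+)")
USER_RE = re.compile(r"User Name:\s*(\S+)")
# Internal ranges to leave out of a report meant for the ISP.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def failed_logon_sources(export_text):
    """Map each external source IP to a Counter of the user names it tried."""
    sources = {}
    for line in export_text.splitlines():
        if not line.startswith("Failure"):      # only failure audits
            continue
        match = ADDR_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:                      # "-" or empty address field
            continue
        if any(ip in net for net in INTERNAL):  # mistyped passwords on the LAN
            continue
        user = USER_RE.search(line)
        sources.setdefault(str(ip), Counter())[user.group(1) if user else "?"] += 1
    return sources

def report(sources):
    """Tab-separated rows: address, failure count, user names tried; busiest first."""
    rows = sorted(sources.items(), key=lambda kv: -sum(kv[1].values()))
    return [f"{ip}\t{sum(users.values())}\t{','.join(sorted(users))}"
            for ip, users in rows]

if __name__ == "__main__":
    print("\n".join(report(failed_logon_sources(SAMPLE_EXPORT))))
```

The user names column also shows whether a renamed Administrator account is still being guessed at.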