SarahWH
asked on
list of IP addresses that have tried to access our server?
Hi,
Our SBS 2003 seems to be under fairly constant attack with someone/persons trying to gain access by trying to brute force the Admin password. I have spoken to our ISP today who have explained what access they can take. I have obtained some of the IP addresses in question from the event logs; however, I was hoping someone would be able to tell me if there is any way of easily viewing/gathering a list of all the IP addresses that have been trying to access our server so that I can forward this to our ISP for action.
Many thanks
Consult your firewall logs. Your Business class firewall should have the ability to log access. Otherwise, the best you'll be able to do is export the event logs and/or review your IIS logs.
http://www.mxtoolbox.com/SuperTool.aspx
Try this website.
Assuming these are outside addresses I would first determine what ports they are trying to come in on and find out which ports are open on your router/firewall. Close anything that doesn't need to be open. Stuff like RDP should never be open.
Blocking IPs is not going to work because they will just change addresses and keep attacking.
ASKER
Thanks for the advice so far....
The logs in the router look to be useful.... Not sure which aspect of mxtoolbox would be beneficial for me in this instance?
What is the best way of determining the ports? Just by using the event viewer?
ASKER CERTIFIED SOLUTION
ASKER
Hi David,
That's a great help, thank you, and I shall definitely look into some of your suggestions.
I think I shall take the step of renaming the administrator account - is that as simple as just changing the Administrator Logon name under Administrator Properties or is it more complex than that?
I have already taken the step of disabling RDP as from research this will be a lot safer and as I am the only person to use this facility I shall live without it - it's become less essential recently anyway.
I shall need to research regarding whether the attacks are using IIS as I do not know how to tell this currently.
Thanks again :)
SOLUTION
ASKER
It will be very interesting then to see if the number of attacks is greatly reduced now that I have disabled 3389 (hope so!). I will update this comment in a few days after I have had the opportunity to monitor the situation.
Thanks to all for the input so far; it is much appreciated :)
To see where the attacks are coming from you can check the Security Log in Event Viewer:
Start Run
Eventvwr
Then just browse through. You are looking for Failure not Success.
RobWill is correct, you can just use Remote Web Workplace and it is indeed very secure.
David
ASKER
Yes, that is where I have been looking to see where the attacks have been coming from - just wasn't sure if there was a quicker option than trawling through the failure logs individually.....
Thanks, Sarah
ASKER
Thanks for all your input :)
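On the question of a quicker option than reading the failure entries one by one, here is an added example (not posted by anyone in this thread): a Python script that tallies external source addresses, with the logon type of each attempt, from a Security log exported as text. It assumes one event per line and a "Source Network Address:" field in each description; the sample rows, dates and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Windows logon types most relevant to remote password guessing.
LOGON_TYPES = {"3": "network", "8": "network cleartext", "10": "RDP/Terminal Services"}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ADDR_RE = re.compile(r"Source Network Address:\s*(\S+)")
TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")

def failed_logon_sources(export_text):
    """Return [((ip, logon type), attempts), ...], busiest source first."""
    counts = Counter()
    for line in export_text.splitlines():
        if "Failure Audit" not in line:      # ignore Success Audit records
            continue
        addr = ADDR_RE.search(line)
        if not addr:
            continue                         # event carries no source address
        try:
            ip = ipaddress.ip_address(addr.group(1))
        except ValueError:
            continue                         # "-" or other non-address value
        if any(ip in net for net in INTERNAL):
            continue                         # LAN hosts are not for the ISP
        ltype = TYPE_RE.search(line)
        code = ltype.group(1) if ltype else "?"
        counts[(str(ip), LOGON_TYPES.get(code, "type " + code))] += 1
    return counts.most_common()

def _row(kind, event_id, ltype, addr):
    # Constructed sample record; the column layout is an assumption.
    return ("1/1/2010\t03:10:01\tSecurity\t%s\tLogon/Logoff\t%s\tSERVER\t"
            "User Name: administrator Logon Type: %s "
            "Source Network Address: %s Source Port: 4021" % (kind, event_id, ltype, addr))

SAMPLE_EXPORT = "\n".join([
    _row("Failure Audit", "529", "10", "203.0.113.7"),
    _row("Failure Audit", "529", "10", "203.0.113.7"),
    _row("Failure Audit", "529", "8", "198.51.100.23"),
    _row("Failure Audit", "529", "3", "192.168.16.40"),   # internal, skipped
    _row("Failure Audit", "529", "3", "-"),               # no address, skipped
    _row("Success Audit", "528", "10", "203.0.113.99"),   # successful logon, skipped
])

if __name__ == "__main__":
    for (ip, label), n in failed_logon_sources(SAMPLE_EXPORT):
        print("%s\t%d\t%s" % (ip, n, label))
```

The logon type column also speaks to the earlier question about which service is being targeted: type 10 entries are Terminal Services (RDP) attempts.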