Super annoying hacker trying to remote into our server all the time

Dear Experts,

Someone is continuously trying to log in to our computer remotely. We've changed our ip several times and then it will stop for a time, and then start up again at some random point in the future. I know this because if you open up the Terminal Services Manager and just leave it open you can see that it'll come up and say RDP-Tcp#7221 for example, and the processes will just show the winlogin. Then a second or two later, they'll drop out, and a new connection will be opened with the number incremented to like #7222 for example, and they'll try again. And this goes on and on. Then there are periods where nothing happens for awhile and then at some point they start trying to log in again.

I think they might be coming from different IPs too, because when I block the address I think it's coming in from on the router (I may not be doing this right though) suddenly a new address pops up originating in Mexico or something and then they come in from that IP instead. So I don't think blocking the IP is the answer..

What I think is happening is they just keep trying different user names and passwords, and their goal is to eventually get administrative access into our system so they can try to steal our files and sensitive stuff.

What can I do to stop these people for good? What steps can I take to determine who they are and where they're coming from?


Thanks!
Jeffrey
JeffreyDurhamAsked:
Who is Participating?
 
IT-Monkey-DaveCommented:
This is a common issue with FTP servers too.  I used to have our FTP locked down to "invitation only".  Legit outside users had to provide me with their IP address so I could open a hole in the firewall.  But the powers that be found this to be too bothersome and I was instructed to allow any connections.  I ended up switching to FileZilla Server and use its  AutoBan feature: If there are 10 consecutive failed logins from the same IP, that IP is banned for 999 hours.

The sheer number of hacking attempts can be reduced if you do not publish a DNS entry for the particular IP.  That is, legit outsiders must know the IP.  But you may never get rid of this stuff completely.
0
 
meko72Commented:
I had the same problem. I have blocked entire IP blocks but that doesnt help. I renamed the administrator account and also made a Group policy to lockout the user names after five unsuccesfull attempts.
0
 
ACECORPCommented:
I would recommend not opening up RDP to the outside.

If you are short on funds and need to deploy a low cost security solution, you may want to use a firewall appliance that has SSL VPN.

Make your vendors first log into SSL VPN, and then once they are logged in via SSL VPN, they can connect to your RDP Servers.

The benefit of doing this via firewall is that the firewall can analyze and detect the hacker traffic as "hacker traffic" and automatically block them.

CISCO ASA or Watchguard makes good appliances with these features.

Watchguard appliances have a great GUI (much better than CISCO) that is very clean and simple to use, even for a non technical user.

CISCO is very good also. Either of those firewalls offer an SSL VPN option. If you already have one of them or have a different firewall brand, chances are they have an SSL VPN option too.
0
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

 
IT-Monkey-DaveCommented:
If you have ISA or Forefront or something similar, you could probably use it to better secure the public server.
0
 
JeffreyDurhamAuthor Commented:
IT-Monkey-Dave.. I also wanted to just set it up to only allow certain ips, but same thing, my boss doesn't really want to go through that much trouble.. :) I'm thinking the auto-ban feature is a good idea, but that sounds like it's specific to your program. But that's the right idea..

Meko72, I like the idea of setting up a group policy like you're saying, how should I go about this? I have windows server 2003 and we're using a Linksys Cisco router..

Also, does anyone know of a way I can see what user names and password this person is trying to use? I want to know more about what they're doing specifically..
0
 
ACECORPCommented:
Check the security log on the server or Install OSSEC in your environment and load an agent on the server you need to monitor (www.ossec.net)

OSSEC is Free.
0
 
ACECORPCommented:
Also, what brand of firewall are you using?

Is it an external appliance?

If you are not using a firewall, you might wan to show your boss some information on the kind of liability and or legal ramifications that you could find yourself in by not having adiquite security.

If you get hacked, your company might be embarassed by being listed here http://www.privacyrights.org/data-breach
0
 
JeffreyDurhamAuthor Commented:
ACECORP,

We are using the firewall that comes with our router. According to it, it's a:
  10/100 8-port VPN Router,  RV082,  Firmware Version: 2.0.0.19-tm

It's a Linksys router, and it's software is by cisco.

I might check the OSSEC eventually, right now I gotta work on some other programs that are essential so I have to come back to it.

I was looking at the "computer management" app, under the system tools->event viewer->Security, because I think that's what the logs are for the remoting. It's showing a bunch of events where the User is: ANONYMOUS LOGON, I would bet that that is the people trying to hack in.. they all say Success audit for the type, so I'm uncertain if that means they were actually able to log on. I was unaware there was even an option to logon anonymously, so I was kinda confused by that.

Thanks, Jeffrey
0
 
TymetwisterCommented:
Can you try changing the port number that allows for RDP?
0
 
pgm554Commented:
Been there done that,it's a bot that does port scanning and looks for open ports.

This goes on 24x7x365 for ALL public IP's,you just didn't realize it until you looked at your security logs.
0
 
ACECORPCommented:
To address the anonymous login problem, you need to restrict anonymous by making some changes to the configuration of your server.

Download Retina CS Free and Retina Network Free at http://www.eeye.com/products/retina/community 

Scan the server and correct the relevent vulnerabilities that it reports.

Follow the instructions in the report as it provides the steps to correct each issue.
0
 
JeffreyDurhamAuthor Commented:
ACECORP:

Ok I'm trying to install that now.. Kaspersky claims it's a virus, but I'm assuming that it is in fact, not a virus (hopefully), but just due to the nature of the code, the heuristics is catching..
0
 
JeffreyDurhamAuthor Commented:
ACECORP:

So that resulted in breaking the install, which resulted in breaking some of the dlls that access 2003 uses, which resulted in breaking everything.. so I'm not going to be able to run that on the server whatsoever.. ):
0
 
pgm554Commented:
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.