Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Dictionary Attack on SMB 2003

Posted on 2012-04-06
9
708 Views
Last Modified: 2012-04-19
Hello Experts,

My SMB has been under a UserName/Password guessing attack for several days now. They haven't gotten anywhere, I use strong passwords, but it's annoying. I've set the login threshold to 3 but that only caused them to change UserName more often. Can anyone suggest a way to blacklist the IP's automatically after 3 login attempts or some other way to stop this attack.

Thanks in advance,

JackW9653
0
Comment
Question by:JackW9653
9 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 167 total points
ID: 37817875
Blacklist the IP.  Any business class router should be able to do this easily.  If the SMB went cheap with a Linksys or some home class router, then you'll pretty much have to live with it, I think.
0
 

Author Comment

by:JackW9653
ID: 37817900
Thanks for the reply leew, I'll check the router but I put in a Cisco WRVS4404N Wireless Router last year so it should be up to the task.

Thanks again,

JackW9653
0
 
LVL 30

Assisted Solution

by:IanTh
IanTh earned 167 total points
ID: 37821057
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 166 total points
ID: 37824718
Hi.

Your SMB is under attack - server message block? If it's your SBS, then think about what ports are used for this attack and if those need to be open to the internet in the first place.
0
 

Author Comment

by:JackW9653
ID: 37834148
Sorry for the response lag but had a family issue. I'm still under attack here is a screen print from my event viewer:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Tom
       Domain:            
      Logon Type:      10
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      
       Caller User Name:      $
       Caller Domain:      
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      1396
       Transited Services:      -
       Source Network Address:      37.9.61.52
       Source Port:      1749

Each attack exhausts the login threshold (3 attempts per name) then switches to a new user name and port. As we all know there are thousands of ports and they are hopping from one to another. Also the Source Network Address changes as well.

I am not using ISA so is Group Policy the only was to manage the ports? And is there way to close ALL the ports and only open the ones I need?

As for setting up the Cisco Router to blacklist the IPs,  if I can find a way to do it through the server that will be my1st choice, but am reading through the Cisco manual in case I have to go that route.

Thanks for the insights and help so far.

JackW9653
0
 
LVL 54

Expert Comment

by:McKnife
ID: 37834619
And is there way to close ALL the ports and only open the ones I need?
Of course there is. But if not you, who should know what you need? What ports are open to the internet and for what reason?
0
 

Author Comment

by:JackW9653
ID: 37835444
McKnife,

I've ran NETSTAT with various options and see just a ton of open TCP ports, some ESTABLISHED, some LISTENING and a few CLOSE-WAIT. What now? I have Remote Desktop, Exchange, FTP, Internet Browsing. Those are about it for open to the Internet ports. Any suggestions forclosing the rest?

Thanks,

JackW9653
0
 
LVL 54

Expert Comment

by:McKnife
ID: 37835618
You have to feel "in charge", otherwise it's no use to start. It's no problem to have open ports as long as there is no one able to reach those who we don't want to. So again you have to start asking yourself how could that attack take place, what ports did we leave open to the internet and most of all for what purpose. Next step is what you are trying to do now: identify those additional unwanted open (to the internet) ports and see if we indeed need those to be opened,

If you can't answer step one, I cannot help you and urge you to pay some professional to take a look at it at your site. Really, be careful what you are doing.
0
 

Author Comment

by:JackW9653
ID: 37844169
I've used the Domain Security Setting to create rules for the server but again it slowed them down but they've started up again this morning. So how is the easiest way to close all the internet exposed, incoming ports excepting the ones I need?
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Set Folder Permissions to Prevent Move and Delete 1 39
web surfing slughish 4 39
HP Server The device, \Device\Harddisk1\DR5, has a bad block. 5 54
Dell R710 raid config 9 54
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question