JackW9653
asked on
Dictionary Attack on SMB 2003
Hello Experts,
My SMB has been under a UserName/Password guessing attack for several days now. They haven't gotten anywhere, I use strong passwords, but it's annoying. I've set the login threshold to 3 but that only caused them to change UserName more often. Can anyone suggest a way to blacklist the IPs automatically after 3 login attempts, or some other way to stop this attack?
Thanks in advance,
JackW9653
ASKER
Sorry for the response lag but had a family issue. I'm still under attack here is a screen print from my event viewer:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Tom
Domain:
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name:
Caller User Name: $
Caller Domain:
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1396
Transited Services: -
Source Network Address: 37.9.61.52
Source Port: 1749
Each attack exhausts the login threshold (3 attempts per name) then switches to a new user name and port. As we all know there are thousands of ports and they are hopping from one to another. Also the Source Network Address changes as well.
I am not using ISA so is Group Policy the only way to manage the ports? And is there a way to close ALL the ports and only open the ones I need?
As for setting up the Cisco Router to blacklist the IPs, if I can find a way to do it through the server that will be my 1st choice, but am reading through the Cisco manual in case I have to go that route.
Thanks for the insights and help so far.
JackW9653
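The event pasted above says Logon Type 10, which on Windows is a RemoteInteractive logon (Terminal Services / Remote Desktop), so the guessing is hitting the exposed RDP listener rather than file sharing; on a 2003-era security log this message is event ID 529. Because the attacker rotates the user name after every three tries, a per-account lockout never fires; the right key to count on is the Source Network Address. The following added example (not code from this thread or from Experts Exchange) parses event bodies in the layout the asker pasted, counts failures per source address across all user names inside a sliding window, and emits Cisco IOS access-list deny lines for the addresses that reach the threshold, which is the router route the asker mentions. The timestamp prefix on the "Logon Failure:" line, the sample addresses, user names and ports, and the ACL number are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout the asker pasted; the timestamp prefix is
# an assumption (Event Viewer shows it in a separate column). Note the user
# name changes while the source address stays the same, and 198.51.100.9
# has three failures in total but only two inside any ten-minute window.
SAMPLE_EVENTS = """\
2013-03-01 08:00:01 Logon Failure:
Reason: Unknown user name or bad password
User Name: Tom
Logon Type: 10
Source Network Address: 203.0.113.7
Source Port: 1749

2013-03-01 08:00:03 Logon Failure:
User Name: administrator
Logon Type: 10
Source Network Address: 203.0.113.7
Source Port: 1750

2013-03-01 08:00:05 Logon Failure:
User Name: admin
Logon Type: 10
Source Network Address: 203.0.113.7
Source Port: 1751

2013-03-01 05:10:00 Logon Failure:
User Name: guest
Logon Type: 10
Source Network Address: 198.51.100.9
Source Port: 2201

2013-03-01 08:01:00 Logon Failure:
User Name: guest
Logon Type: 10
Source Network Address: 198.51.100.9
Source Port: 2202

2013-03-01 08:01:02 Logon Failure:
User Name: test
Logon Type: 10
Source Network Address: 198.51.100.9
Source Port: 2203
"""

HEADER_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Logon Failure:$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


def parse_events(text):
    """Split pasted text into one dict per 'Logon Failure:' block, keyed by field name."""
    events, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"time": datetime.strptime(header.group(1), "%Y-%m-%d %H:%M:%S")}
            events.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return events


def find_offenders(events, threshold=3, window=timedelta(minutes=10)):
    """Count failures per source IP regardless of user name inside a sliding
    window; return {ip: sorted user names tried} for IPs that hit the threshold."""
    recent, names, flagged = defaultdict(deque), defaultdict(set), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev.get("Source Network Address", "")
        if not ip or ip == "-":          # local or unknown origin, nothing to block
            continue
        q = recent[ip]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        names[ip].add(ev.get("User Name", ""))
        if len(q) >= threshold:
            flagged[ip] = sorted(names[ip])
    return flagged


def cisco_deny_lines(flagged, acl=100):
    """Render one extended-ACL deny per flagged address (ACL number is an assumption)."""
    return [f"access-list {acl} deny ip host {ip} any" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = find_offenders(parse_events(SAMPLE_EVENTS))
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} user names tried -> {', '.join(users)}")
    print("\n".join(cisco_deny_lines(hits)))
```

Run against a text export of the security log the script only reports; pushing the deny lines to the router is a separate, deliberate step, and the window keeps a single mistyped password from a legitimate remote user from being treated like the rotating-name pattern above.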
"And is there a way to close ALL the ports and only open the ones I need?"
Of course there is. But if not you, who should know what you need? What ports are open to the internet and for what reason?
ASKER
McKnife,
I've run NETSTAT with various options and see just a ton of open TCP ports, some ESTABLISHED, some LISTENING and a few CLOSE-WAIT. What now? I have Remote Desktop, Exchange, FTP, Internet Browsing. Those are about it for ports open to the Internet. Any suggestions for closing the rest?
Thanks,
JackW9653
You have to feel "in charge", otherwise it's no use to start. It's no problem to have open ports as long as no one we don't want is able to reach them. So again you have to start asking yourself how that attack could take place, what ports did we leave open to the internet and most of all for what purpose. Next step is what you are trying to do now: identify those additional unwanted open (to the internet) ports and see if we indeed need those to be open.
If you can't answer step one, I cannot help you and urge you to pay some professional to take a look at it at your site. Really, be careful what you are doing.
ASKER
I've used the Domain Security Setting to create rules for the server but again it slowed them down but they've started up again this morning. So what is the easiest way to close all the internet exposed, incoming ports excepting the ones I need?
Thanks again,
JackW9653
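The "what now?" after running NETSTAT has a mechanical first step: only LISTENING TCP sockets and UDP sockets are doors that can be knocked on; ESTABLISHED and CLOSE-WAIT rows are existing sessions, not services, and "Internet Browsing" needs no inbound port at all. The services the asker names reduce to a small inbound allow-list (FTP 21, SMTP 25 and HTTPS 443 for Exchange, RDP 3389). The following added example (not code from this thread or from Experts Exchange) parses `netstat -ano` output, keeps the listeners bound to a non-loopback address, and reports the ones outside the allow-list, which are the candidates to deny at the router. The netstat lines, addresses and PIDs are constructed; whether a listener is actually reachable from the internet still depends on what the Cisco router forwards, so the report is an inventory, not proof of exposure.

```python
import re

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1612
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1044
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2000
  TCP    192.0.2.10:3389        203.0.113.7:1749       ESTABLISHED     1044
  TCP    192.0.2.10:25          198.51.100.20:51234    CLOSE_WAIT      1612
  UDP    0.0.0.0:500            *:*                                    752
"""

# Inbound services the asker says are needed (FTP, SMTP, HTTPS for Exchange, RDP).
NEEDED_INBOUND = {("TCP", 21), ("TCP", 25), ("TCP", 443), ("TCP", 3389)}

ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local_ip, port, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "ip": local_ip, "port": int(port),
                     "foreign": foreign, "state": state or "", "pid": int(pid)})
    return rows


def is_listener(row):
    """A TCP socket is a door only in LISTENING; every UDP socket can receive."""
    return row["proto"] == "UDP" or row["state"] == "LISTENING"


def is_loopback(ip):
    return ip.startswith("127.") or ip in ("::1", "[::1]")


def exposed_listeners(rows, needed=NEEDED_INBOUND):
    """Listeners on a non-loopback address whose (proto, port) is not on the allow-list."""
    found = set()
    for row in rows:
        if not is_listener(row) or is_loopback(row["ip"]):
            continue
        if (row["proto"], row["port"]) not in needed:
            found.add((row["proto"], row["port"], row["pid"]))
    return sorted(found)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, pid in exposed_listeners(rows):
        print(f"{proto} {port} (PID {pid}) is listening but not on the needed list")
```

The PID column is what makes the list actionable: `tasklist` maps each PID to a process, and that answers McKnife's "for what purpose" question per port before anything is closed or denied at the router. In the sample, 135 (RPC) and 445 (SMB) listening on all interfaces are typical of a Windows server and are exactly the kind of thing that should be reachable only from the LAN.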