Hackers trying to log into my server

Posted on 2012-08-13
Last Modified: 2012-08-23
I set up a server on my network and forwarded the RDP, WWW, FTP, Telnet, and other ports to it from my router so I could log into it remotely as well as host all of my applications and web server. As to be expected, my security event log is filled with people trying to log into my server as administrator, molly, and other random user names. I am confident my password is secure enough to hold any brute force attacks off for a while, but regardless I would like this to end quickly. When I set everything up I completely turned off the Windows firewall as it was causing several problems. I am aware that I now need to turn it back on, but I would like some guidance. What is the best practice or best/easiest solution for making sure I have RDP access to my machine and all of the hosted applications, such as TeamSpeak 3 and a couple of websites, remain accessible to the world, yet prevent all of these unauthorized attempts to obtain access to my server?

I disabled the password complexity requirements on my AD domain which means they are not being locked out after 3 attempts. Although I could see how this would resolve the issue, it would also mean I would be locked out of my account constantly since they are continuously trying incorrect passwords, correct?

Is there a way to be notified or sort through the filters when an external IP was able to log on to the server? I know I would see myself a lot, but it would be nice to make sure there weren't any other successful attempts.
Question by:WillThomason

    Author Comment

    This is a Windows Server 2008 R2 box with all updates installed, FYI.
    LVL 31

    Assisted Solution

    Firewall should definitely be turned on. The Windows Server 2008 R2 built in "Firewall with advanced security" is sufficient, you just need to make sure you create exceptions for each inbound port you need the server to listen to. Windows automatically makes exceptions for some things - e.g. remote desktop - but other things like TeamSpeak you need to do it yourself.

    You can make an exception by going to start->firewall with advanced security->inbound rules->new rule...->[follow the wizard to make port-based exceptions]. When you get to the part where it asks when to apply the rule (To Public, Private or Domain networks), just do it for all three. Keeps things simple.

    The firewall applies both to access over the internet, AND to access from the local network. So once you have opened the ports on the server and you can access the services locally, you just need to forward the appropriate ports from your router to the server in order to open up access via the Internet.

    The Windows firewall will not help with brute force attacks. Anything you forward from the router is vulnerable to brute force attacks; a firewall won't help you here since the ports need to be open to allow access - whether that access is authorized or not.

    You definitely should have an account lockout policy in place - this is your only completely reliable defense against brute force attacks.

    The simplest thing really for you to do is to NOT forward remote access services over the internet. Do NOT forward RDP, Telnet or FTP to your server through your router. These are easy targets and opening them up to the internet is an invitation to be attacked.

    If you need remote access to your server, use something more sophisticated and secure that does not require special network configuration. My suggestion is use to administer the server.

    If you regularly need access to parts of your local network from the outside world (e.g. you really need FTP, or Telnet, or RDP into your server from the Internet, or heck even access to your router's config page), then setting up a VPN on the server through the "Routing and Remote Access" service is a good idea. The VPN becomes the single point of entry through your router into your network which you can keep secure. Once you connect to the VPN from the internet, you can access all local network resources by their local IP address and all communication - such as FTP - would be encrypted.

    Author Comment

    VPN may be my best option then. I have VPN set up now, and it appears to use PPTP. Is this VPN secure and encrypted? I am afraid I am new to setting up VPN and the farthest I have gotten is installing the service and connecting to it from my phone or another computer. I read about SSTP but it appears I have to have certificates installed on all computers I use. I would like to be able to walk up to any PC that has RDP and be able to quickly access my computer.
    LVL 82

    Expert Comment

    by:Dave Baldwin
    Easy is the opposite of Secure.
    LVL 77

    Accepted Solution

    You break a lot of best practises for securing your server in the name of 'making it easy'. You made it easy for yourself and for every script kiddie in the world.

    "I disabled the password complexity requirements on my AD domain which means they are not being locked out after 3 attempts."

    Password complexity and account lockout policy are 2 different items. Don't use built-in or other easy-to-guess accounts for your administrators. Jsmith-ea is easy for John Smith to log in to his enterprise administrator account. Yet it is a lot more difficult for a hacker who is just guessing at names, and of course using 'administrator', 'domain administrator' and other guesses.

    The VPN solution is a good idea and it is reasonably secure, except that hackers will also try this route as well.

    "I read about SSTP but it appears I have to have certificates installed on all computers I use. I would like to be able to walk up to any PC that has RDP and be able to quickly access my computer."

    If it is on your domain, then they are already secured. Implementing an enterprise and a standalone certificate authority is not difficult, and you can have computers / users automatically get certificates.
    LVL 6

    Expert Comment

    Also disable ping, so outsiders looking to find machines don't get ping replies ...
    LVL 4

    Assisted Solution

    VPN is a new door that needs to open before a hacker can try to access other services of your server. So having VPN for RDP is a good idea.
    But brute force is one of the possible ways to enter your server.
    The most serious one is through vulnerabilities (OS errors). Keep in mind that your server is more secure when you log in to it with the least privileges possible. So create special accounts with very few privileges for each possible access that you enable through the internet.

    Author Closing Comment

    I decided to turn on the firewall and use VPN. Thanks everyone!

    I just wish there was a way to configure the firewall to say: if 10 invalid attempts in x amount of time from x IP address then block all connections from that IP address. But, oh well!
    LVL 4

    Expert Comment

    There are many clients that share the same IP. Those rules will make your firewall vulnerable to DoS.
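
The threshold rule wished for in the closing comment, together with the check for successful logons from outside addresses asked about in the question, as an added example that is not part of the original thread. It runs over constructed records modelled on Security log events 4625 (failed logon) and 4624 (successful logon); the LAN range, the addresses, the thresholds and the `allow` list are assumptions, and blocks are temporary with an allow list because of the shared-address concern in the last comment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAILED, SUCCESS = 4625, 4624          # Security log event IDs: failed / successful logon
LAN = ip_network("192.168.1.0/24")    # assumed internal range
T0 = datetime(2012, 8, 13, 3, 0, 0)

def constructed_events():
    """Constructed sample records (time, event ID, account, source IP); not real log data."""
    ev = [(T0 + timedelta(seconds=20 * i), FAILED, "administrator", "203.0.113.50")
          for i in range(12)]                          # rapid guessing from one address
    ev += [(T0 + timedelta(minutes=m), FAILED, "molly", "198.51.100.7")
           for m in (0, 30, 60)]                       # slow guessing, under the threshold
    ev += [(T0 + timedelta(minutes=5), SUCCESS, "will", "192.168.1.20"),
           (T0 + timedelta(minutes=90), SUCCESS, "will", "198.51.100.99")]
    return sorted(ev)

def review(events, max_failures=10, window=timedelta(minutes=10),
           block_for=timedelta(hours=1), allow=()):
    """Return (blocks, external_logons).

    blocks maps a source IP to the time its block expires; external_logons
    lists successful logons whose source address is outside LAN.
    """
    recent = defaultdict(deque)       # ip -> failure timestamps still inside the window
    blocks, external_logons = {}, []
    for when, event_id, account, ip in events:
        if event_id == SUCCESS:
            if ip_address(ip) not in LAN:
                external_logons.append((when, account, ip))
            continue
        if ip in allow:               # known shared or trusted addresses are never blocked
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()               # forget failures older than the window
        if len(q) >= max_failures:
            blocks[ip] = when + block_for   # temporary: the block expires by itself
    return blocks, external_logons

if __name__ == "__main__":
    blocks, logons = review(constructed_events())
    for ip, until in blocks.items():
        print(f"block {ip} until {until}")
    for when, account, ip in logons:
        print(f"external logon: {account} from {ip} at {when}")
```
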
