Hackers trying to log into my server

I set up a server on my network and forwarded the RDP, WWW, FTP, Telnet, and other ports to it from my router so I could log into it remotely as well as host all of my applications and web server. As to be expected, my security event log is filled with people trying to log into my server as administrator, molly, and other random user names. I am confident my password is secure enough to hold any brute force attacks off for a while, but regardless I would like this to end quickly. When I set everything up I completely turned off the Windows firewall as it was causing several problems; I am aware that I now need to turn it back on, but I would like some guidance. What is the best practice or best/easiest solution for making sure I have RDP access to my machine, and that all of the hosted applications such as TeamSpeak 3 and a couple of websites remain accessible to the world, yet prevent all of these unauthorized attempts to obtain access to my server?

I disabled the password complexity requirements on my AD domain, which means they are not being locked out after 3 attempts. Although I could see how this would resolve the issue, it would also mean I would be locked out of my account constantly since they are continuously trying incorrect passwords, correct?

Is there a way to be notified, or to sort through the filters, when an external IP was able to log on to the server? I know I would see myself a lot, but it would be nice to make sure there weren't any other successful attempts.
3 Solutions
WillThomason (Author) commented:
This is a Windows Server 2008 R2 box with all updates installed, FYI.

Firewall should definitely be turned on. The Windows Server 2008 R2 built-in "Firewall with Advanced Security" is sufficient; you just need to make sure you create exceptions for each inbound port you need the server to listen on. Windows automatically makes exceptions for some things, e.g. Remote Desktop, but for other things like TeamSpeak you need to do it yourself.

You can make an exception by going to Start -> Firewall with Advanced Security -> Inbound Rules -> New Rule... -> [follow the wizard to make port-based exceptions]. When you get to the part where it asks when to apply the rule (to Public, Private or Domain networks), just do it for all three. Keeps things simple.

The firewall applies both to access over the internet, AND to access from the local network. So once you have opened the ports on the server and you can access the services locally, you just need to forward the appropriate ports from your router to the server in order to open up access via the Internet.

The Windows firewall will not help with brute force attacks. Anything you forward from the router is vulnerable to brute force attacks; a firewall won't help you here since the ports need to be open to allow access, whether that access is authorized or not.

You definitely should have an account lockout policy in place - this is your only completely reliable defense against brute force attacks.

The simplest thing really for you to do is to NOT forward remote access services over the internet. Do NOT forward RDP, Telnet or FTP to your server through your router. These are easy targets and opening them up to the internet is an invitation to be attacked.

If you need remote access to your server, use something more sophisticated and secure that does not require special network configuration. My suggestion is to use www.LogMeIn.com to administer the server.

If you regularly need access to parts of your local network from the outside world (e.g. you really need FTP, or Telnet, or RDP into your server from the Internet, or heck even access to your router's config page), then setting up a VPN on the server through the "Routing and Remote Access" service is a good idea. The VPN becomes the single point of entry through your router into your network which you can keep secure. Once you connect to the VPN from the internet, you can access all local network resources by their local IP address and all communication - such as FTP - would be encrypted.
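The steps this answer describes (firewall back on, port exceptions for all three profiles, an account lockout policy), scripted for Windows Server 2008 R2 with the built-in netsh and net tools. This is an added example, not code from the thread; the TeamSpeak 3 ports are that product's defaults, while the web ports and the lockout numbers are assumptions.

```powershell
# Added example (not from the original thread): script the steps in the answer
# above on Windows Server 2008 R2 with the built-in netsh and net tools
# (New-NetFirewallRule only exists on later Windows versions). Run from an
# elevated PowerShell prompt. TeamSpeak 3 ports are its defaults; the web ports
# and the lockout numbers are assumptions.

# 1. Turn the Windows Firewall back on for all three profiles
#    (Domain, Private, Public) and block inbound traffic that has no allow rule.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Inbound exceptions for the hosted services. Remote Desktop already has a
#    built-in rule, so only the custom services are added. profile=any is the
#    answer's "just do it for all three". The TeamSpeak ServerQuery port
#    (TCP 10011) is an admin interface and is deliberately NOT opened.
$rules = @(
    @{ Name = 'TS3-Voice';        Proto = 'UDP'; Port = 9987  },  # TeamSpeak 3 voice
    @{ Name = 'TS3-FileTransfer'; Proto = 'TCP'; Port = 30033 },  # TeamSpeak 3 file transfer
    @{ Name = 'Web-HTTP';         Proto = 'TCP'; Port = 80    },  # hosted websites (assumed)
    @{ Name = 'Web-HTTPS';        Proto = 'TCP'; Port = 443   }
)
foreach ($r in $rules) {
    # Remove any stale rule of the same name first so the script can be re-run
    netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null
    netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow `
        "protocol=$($r.Proto)" "localport=$($r.Port)" profile=any
}

# 3. Account lockout policy, the answer's "only completely reliable defense".
#    10 bad passwords within 30 minutes lock the account for 30 minutes, and it
#    unlocks by itself afterwards, so a guessing script cannot lock you out for
#    good (pair this with a non-obvious admin account name, as suggested later
#    in the thread). /domain applies it to the AD domain from the question; the
#    same settings live in Group Policy under Computer Configuration > Windows
#    Settings > Security Settings > Account Policies > Account Lockout Policy.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 /domain

# Show the result
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Rule Name'
net accounts /domain
```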
WillThomason (Author) commented:
VPN may be my best option then. I have VPN set up now; it appears to use PPTP. Is this VPN secure and encrypted? I am afraid I am new to setting up VPN and the farthest I have gotten is installing the service and connecting to it from my phone or another computer. I read about SSTP but it appears I have to have certificates installed on all computers I use. I would like to be able to walk up to any PC that has RDP and be able to quickly access my computer.
Dave Baldwin (Fixer of Problems) commented:
Easy is the opposite of Secure.
David Johnson, CD, MVP (Owner) commented:
You break a lot of best practices for securing your server in the name of 'making it easy'. You made it easy for yourself and for every script kiddie in the world.

"I disabled the password complexity requirements on my AD domain which means they are not being locked out after 3 attempts."

Password complexity and account lockout policy are 2 different items. Don't use built-in or other easy-to-guess accounts for your administrators. Jsmith-ea is easy for John Smith to log in to his enterprise administrator account, yet it is a lot more difficult for a hacker who is just guessing at names, and of course using 'administrator', 'domain administrator' and other guesses.

The VPN solution is a good idea and it is reasonably secure, except that hackers will also try this route as well.

"I read about SSTP but it appears I have to have certificates installed on all computers I use. I would like to be able to walk up to any PC that has RDP and be able to quickly access my computer."

If it is on your domain, then they are already secured. Implementing an enterprise and a standalone certificate authority is not difficult, and you can have computers / users automatically get certificates.
Also disable ping, so outsiders looking to find machines don't get ping replies...
VPN is a new door that needs to open before a hacker can try to access other services of your server. So having VPN for RDP is a good idea.
But brute force is one of the possible ways to enter your server.
The most serious one is through vulnerabilities (OS errors). Keep in mind that your server is more secure when you log on to it with the least privileges possible, so create special accounts with very few privileges for each possible access that you enable through the internet.
WillThomason (Author) commented:
I decided to turn on the firewall and use VPN. Thanks everyone!

I just wish there was a way to configure the firewall to say: if 10 invalid attempts in x amount of time from x IP address, then block all connections from that IP address. But, oh well!
There are many clients that share the same IP. Those rules will make your firewall vulnerable to DoS.
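A way to get the two things the thread asks for without an auto-block rule: the question wants to know when an external address managed to log on, and the last exchange wants repeat offenders counted per source address but notes that blocking them would make the firewall a DoS target. This is an added example (not from the thread) for Server 2008 R2 with its stock PowerShell 2.0; the look-back window and the threshold of 10 are assumptions, the event IDs and field names are the standard ones in the Security log.

```powershell
# Added example (not from the thread): review the Security log on Server 2008 R2
# (PowerShell 2.0) for the two things raised above: successful logons (event
# 4624) whose source address is not on the LAN, and source addresses with 10 or
# more failed logons (event 4625) in the window. It reports instead of blocking,
# since one NAT address can hide many legitimate users and an auto-block rule
# would let an attacker lock them out. Window and threshold are assumptions.
$hours     = 24
$threshold = 10

function Get-EventField {
    param($evt, $name)
    $xml = [xml]$evt.ToXml()   # EventData fields are only exposed via the XML view
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name -eq $name) { return $d.'#text' }
    }
}

function Test-LanAddress {
    param($ip)
    # "-" and loopback are console logons; RFC 1918 ranges are the local network
    if ($ip -eq '-' -or $ip -eq '::1') { return $true }
    return [bool]($ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|fe80:)')
}

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = @(4624, 4625); StartTime = (Get-Date).AddHours(-$hours)
}

$failures = @{}
foreach ($e in $events) {
    $ip = Get-EventField $e 'IpAddress'
    if (-not $ip) { $ip = '-' }
    $user = Get-EventField $e 'TargetUserName'
    if ($e.Id -eq 4624) {
        # Logon type 10 = Remote Desktop, 3 = network (file shares, IIS), 2 = console
        $type = Get-EventField $e 'LogonType'
        if (-not (Test-LanAddress $ip)) {
            Write-Output ('EXTERNAL LOGON {0} user={1} from={2} type={3}' -f $e.TimeCreated, $user, $ip, $type)
        }
    } else {
        if ($failures.ContainsKey($ip)) { $failures[$ip]++ } else { $failures[$ip] = 1 }
    }
}

foreach ($ip in $failures.Keys) {
    if ($failures[$ip] -ge $threshold) {
        Write-Output ('{0} failed logons from {1} in the last {2}h' -f $failures[$ip], $ip, $hours)
    }
}
```

Failed RDP attempts that arrive through Network Level Authentication are sometimes logged on 2008 R2 without a source address; those are counted under the "-" key rather than dropped. Schedule it with Task Scheduler and mail or write the output somewhere you will see it, which is the "notified" part of the question.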
