
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 683

We are being targeted by a hacker

Our DC is SBS2003 and we also have a Server 2003 as a Terminal Server. We are using a Cisco Small Business Pro SRP527W modem/router.
For weeks we have been the target of someone trying to log in remotely. I can get up to tens of thousands of failed login attempts on any one night. These show up in the daily report that I receive each morning. Mostly it shows a login name that failed as bad username or password. It was trying the Administrator account at first, but I changed the name of that account to stop that. Our user accounts are based on each user's real name, so it could be only a matter of time until they latch onto a real user account. Then they can use brute force to get in.
One thing that I have noticed is that the failed attempts seem to use random ports. I wondered if the way forward might be to block all ports in our modem/router, but I can't work out how to do that.
Any suggestions? My fear is that it could just be a matter of time before they get in.
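An added example (not from the question or any of the answers) of how the daily failed-logon report described above could be screened for the password-guessing pattern: many account names tried from one source address on ever-changing source ports. The report line layout, the addresses and the account names are assumed for this example.

```python
import re
from collections import defaultdict

# Constructed sample of a daily failed-logon report from a Windows Server 2003
# terminal server (event ID 529 = unknown user name or bad password). The line
# layout, addresses and account names are assumed for this example.
SAMPLE_REPORT = """\
2011-03-14 02:01:07 529 Logon Failure  User: Administrator  Source: 203.0.113.45:51232
2011-03-14 02:01:08 529 Logon Failure  User: admin  Source: 203.0.113.45:51233
2011-03-14 02:01:09 529 Logon Failure  User: john.smith  Source: 203.0.113.45:51234
2011-03-14 02:01:10 529 Logon Failure  User: jane.doe  Source: 203.0.113.45:51235
2011-03-14 02:01:11 529 Logon Failure  User: test  Source: 203.0.113.45:51236
2011-03-14 08:15:02 529 Logon Failure  User: greg  Source: 192.168.1.20:3391
2011-03-14 08:15:30 528 Successful Logon  User: greg  Source: 192.168.1.20:3391
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>\d+) .*?User: (?P<user>\S+)\s+"
    r"Source: (?P<ip>[\d.]+):(?P<port>\d+)$"
)

def parse_failures(text):
    """Return one dict per event-529 line; lines that do not match are skipped."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") == "529":
            failures.append(m.groupdict())
    return failures

def find_bruteforce(failures, threshold=5, min_users=3):
    """Flag source IPs with >= threshold failures spread over >= min_users
    accounts. Many names tried from one host on rotating source ports is the
    guessing pattern from the question; one user mistyping a password is not."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ports": set()})
    for f in failures:
        rec = by_ip[f["ip"]]
        rec["attempts"] += 1
        rec["users"].add(f["user"])
        rec["ports"].add(f["port"])
    return {
        ip: {"attempts": r["attempts"], "users": sorted(r["users"]),
             "distinct_ports": len(r["ports"])}
        for ip, r in by_ip.items()
        if r["attempts"] >= threshold and len(r["users"]) >= min_users
    }

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse_failures(SAMPLE_REPORT)).items():
        print(ip, info)
```

The flagged addresses are what you would feed into a firewall block list or a country-range lookup, if the device supports it.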

5 Solutions
Syed_M_Usman (System Administrator) commented:

You should have a firewall.
You can consider SonicWall or Cisco, depending on your budget.

I would suggest you put in a hardware firewall with a built-in IPS.
Miguel Angel Perez Muñoz commented:
This may be a brute-force attack. Lots of people scan some ports waiting for a connection and try usernames and passwords to gain access. A firewall may mitigate your problem, but if public RDP is needed, you cannot avoid this type of attack because you cannot filter connections to this port. Ensure you enforce your password policy to prevent weak passwords, and rename the administrator account.
Alan Hardisty (Co-Owner) commented:
Please have a read of my blog post and the earlier post included in my blog post:

If you have a TS on your network, then a simple program in the hands of the hacker called TSGRINDER will keep attacking your TS with username / password combinations until they find a weak one.

Make sure your passwords are strong passwords, make sure they are changed regularly, disable the two authentication methods mentioned in my blog if you don't need external users sending via SMTP to your server (not external servers which use Anonymous) and change your TS port so that 3389 isn't the default.

Andrew Davis (Manager) commented:
As a lot have already said.
also see the manual for your device at http://www.cisco.com/en/US/docs/routers/srp520_series/srp521w/administration/srp500_admin.pdf
See page 69 for port triggering to open only the required ports and forward them to your required server.

See Page 75-76 for SPI settings and particularly "Filter Anonymous Internet Requests"

If your router allows (but I can't see it in the manual), you may be able to block incoming requests from particular IP addresses and/or subnets. This would allow you to block the offending IPs and their relevant countries (you need to be sure that you don't receive legitimate traffic from that country through things like e-mail SMTP).
See http://www.ipaddresslocation.org/ip_ranges/get_ranges.php to look up countries' IP address ranges.

You should definitely look at some sort of professional firewall solution to cut down on the brute-force attacking and scanning. Even something like Smoothwall, which is free, would do the job.

As a more immediate solution, you should change your RDP port from 3389 to something else (e.g. 33389 or 33890). This will cut down the brute-force attacking significantly.

Here is a Petri.co.il article on how to do it: http://www.petri.co.il/change_terminal_server_listening_port.htm
gregmiller4it (Author) commented:
Thanks for all the responses. I have done most of what has been suggested. We do need RDP and have changed the port number. We do have a reasonably complex password requirement enforced. I have enabled all the filters in our Cisco modem/firewall that I can. Unfortunately, our firewall won't allow me to block specific IP addresses or ports.
I may have to look at another firewall with more features.
Cheers,
Greg
