Solved

How to stop port scanning hackers

Posted on 2013-01-08
406 Views
Last Modified: 2013-02-03
I have a server that had 28,000 failed login attempts. When I click on a failed login attempt it shows a username, an IP address outside the network, and a port. How can I stop this from happening?
Question by:BBrayton
37 Comments
 
LVL 11

Assisted Solution

by:rharland2009
rharland2009 earned 125 total points
ID: 38756270
Block all traffic from that IP on your firewall.
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38756274
Sounds like your firewall needs to be more secure.

Do you run a firewall on your server or on the router?

If router what type you have?
 

Author Comment

by:BBrayton
ID: 38756278
Router: Linksys RV042
 
LVL 13

Assisted Solution

by:Alexios
Alexios earned 125 total points
ID: 38756281
From your firewall, forbid access to that port.
 

Author Comment

by:BBrayton
ID: 38756291
We use port forwarding and only allow certain ports.
 
LVL 26

Expert Comment

by:pony10us
ID: 38756300
What port?
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38756312
In the RV042:

Check to make sure you have the firewall enabled; also check that all settings are correct for your network.

Port forwarding just allows you to route traffic; it does not block access.
 

Author Comment

by:BBrayton
ID: 38756313
25, 80, 443, 1723, 3389, 987
 
LVL 3

Expert Comment

by:costanos
ID: 38756327
25, 80, 443, 1723, 3389, 987

Are these the ports you are forwarding or the ports that the attacks are coming from?
 

Author Comment

by:BBrayton
ID: 38756331
Forwarding.
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38756338
Is the firewall running on the RV042?
 
LVL 26

Expert Comment

by:pony10us
ID: 38756343
What ports are you seeing the attacks on?
 

Author Comment

by:BBrayton
ID: 38756345
Under firewall settings, the firewall is enabled, as are SPI, Denial of Service, WAN requests, Multicast Passthrough, and HTTPS. Remote management is disabled.
 

Author Comment

by:BBrayton
ID: 38756353
Port 2700.
 

Author Comment

by:BBrayton
ID: 38756358
2689 too.
It changes.
 

Author Comment

by:BBrayton
ID: 38756360
They are scanning for open ports.
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38756377
You need to set up an access rule in your RV042 to block port 2700.
 

Author Comment

by:BBrayton
ID: 38756383
But the port always changes.
 
LVL 3

Assisted Solution

by:costanos
costanos earned 125 total points
ID: 38756384
You need to report them to the ISP that hosts that IP address.

Here is a helpful document on what to include in your contact email (the article is a little old, but still helpful):

http://www.mynetwatchman.com/scanguide.asp

Here's an example e-mail:

To: Abuse@sourceISP.net
From: Your e-mail address
Subject: Security issue - Source IP: 200.200.200.200

To whom it may concern:

The purpose of this e-mail is to make you aware of a potential
security issue that appears to be originating from your network.

My firewall recently logged the following event which appears to have
originated from your network:


DateTime: 01-Dec-2001 23:01 UTC
Source IP: 200.200.200.200
IP Protocol: TCP
Source Port: 1234
Destination IP: 205.152.0.0 (masked)
Destination Port: 111

This connection attempt was unsolicited and therefore may indicate that
your host is compromised or is being used for unauthorized purposes.


If you have any questions or need further information, please
do not hesitate to contact me.

Regards,


John T. Wall

Change it to reflect that you are being port scanned, and include port numbers, etc.
 

Author Comment

by:BBrayton
ID: 38756390
If DMZ is off on the router, doesn't that mean that the ports that are forwarded are the only ports that pass through?
 
LVL 3

Expert Comment

by:costanos
ID: 38756397
DMZ is active for a specified IP address/host. All ports are forwarded to that IP address, but other hosts are only accessible via the specified forwarded ports.
 

Author Comment

by:BBrayton
ID: 38756408
Isn't DMZ for all inbound traffic?
 
LVL 3

Expert Comment

by:costanos
ID: 38756429
For the specified hosts, yeah. Enabling it won't open all ports on your whole network.
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38756447
Were you getting event ID 529 in the security log?

You need to restrict (on the firewall) the allowed source IP to your own.
 
LVL 3

Expert Comment

by:costanos
ID: 38756450
dmz
Specified host example
 

Author Comment

by:BBrayton
ID: 38756456
Yes, 529.
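Event ID 529 ("Logon Failure") records carry the caller's source address and source port, and the thread's exchange about blocking "port 2700" turns on a detail the poster noticed but nobody spelled out: that port is the attacker's ephemeral client port, so it is different on every connection and a per-port rule on the router can never match it. What you can act on is the source address and the Logon Type (type 10 is RemoteInteractive, i.e. RDP/Terminal Services, the forwarded 3389 service). The following script is an added example, not code from the thread or from any of its participants: it parses 529-style records, aggregates failures per source IP, and produces a list of external addresses worth denying on the WAN interface. The log records are constructed (the four external IPs are the ones the poster listed; usernames, ports, the internal 192.168.1.50 entry and the threshold of 3 are made up for the demonstration), and the exact field labels are a simplification of the real event body.

```python
"""Summarise Windows event 529 logon failures by source address.

Added example; not from the thread. Sample data below is constructed.
"""
import re
from collections import defaultdict

# Assumed threshold for this demonstration: an external address with at
# least this many failures becomes a block candidate.
BLOCK_THRESHOLD = 3

# Constructed sample: (event id, user name, logon type, source ip, source port).
# The source ports vary per connection, which is why blocking "port 2700"
# on the router cannot work. Logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    (529, "administrator", 10, "48.182.109.26", 2700),
    (529, "admin", 10, "48.182.109.26", 2689),
    (529, "administrator", 10, "48.182.109.26", 2701),
    (529, "administrator", 10, "114.70.63.85", 3351),
    (529, "test", 10, "114.70.63.85", 3352),
    (529, "guest", 10, "114.70.63.85", 3353),
    (529, "administrator", 10, "207.237.187.100", 49821),
    (528, "jsmith", 2, "192.168.1.50", 1055),   # successful logon, ignored
    (529, "jsmith", 3, "192.168.1.50", 1056),   # internal user typo, not blocked
]

# Render the constructed events in a 529-like "Label: value" body so the
# parser below exercises a real text path rather than the tuples directly.
SAMPLE_LOG = "\n\n".join(
    f"Event ID: {eid}\nUser Name: {user}\nLogon Type: {ltype}\n"
    f"Source Network Address: {ip}\nSource Port: {port}"
    for eid, user, ltype, ip, port in SAMPLE_EVENTS
)

FIELD_RE = re.compile(
    r"^\s*(Event ID|User Name|Logon Type|Source Network Address|Source Port):\s*(.*?)\s*$",
    re.MULTILINE,
)


def parse_events(text):
    """Return one dict per blank-line-separated record, keeping only ID 529."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if fields.get("Event ID") == "529":
            events.append(fields)
    return events


def summarise(events):
    """Aggregate failures per source address.

    Ports are collected only to show they change on every attempt; the
    logon types tell you which forwarded service is being hit.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ports": set(), "logon_types": set()})
    for e in events:
        s = per_ip[e.get("Source Network Address", "-")]
        s["attempts"] += 1
        s["users"].add(e.get("User Name", ""))
        s["ports"].add(e.get("Source Port", ""))
        s["logon_types"].add(e.get("Logon Type", ""))
    return dict(per_ip)


def is_internal(ip):
    """RFC 1918 check; assumes the LAN uses private addressing."""
    return ip.startswith(("10.", "192.168.")) or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip) is not None


def block_candidates(per_ip, threshold=BLOCK_THRESHOLD):
    """External addresses at or above the threshold, sorted for a deny list."""
    return sorted(
        ip for ip, s in per_ip.items()
        if s["attempts"] >= threshold and ip != "-" and not is_internal(ip)
    )


if __name__ == "__main__":
    summary = summarise(parse_events(SAMPLE_LOG))
    for ip in sorted(summary, key=lambda k: -summary[k]["attempts"]):
        s = summary[ip]
        print(f"{ip:16} failures={s['attempts']:3} users={sorted(s['users'])} "
              f"logon_types={sorted(s['logon_types'])} client_ports={sorted(s['ports'])}")
    print("Deny on the WAN interface (match on source IP, any port):")
    for ip in block_candidates(summary):
        print("  ", ip)
```

The deny list is a stopgap: the thread's own observation that "the IP keeps changing" means per-source rules chase the attacker. The durable fix is the one the accepted answer gives, which is to stop forwarding 3389 (and 80) at all so there is no RDP listener for the failures to land on.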
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38756476
What are your access rules in the RV042? Please post a screenshot.
 

Author Comment

by:BBrayton
ID: 38756496
LAN: allow all traffic
WAN1: deny all traffic
WAN2: deny all traffic
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38756548
That looks good.

Back to head-scratching mode.
 
LVL 3

Expert Comment

by:costanos
ID: 38756607
What is the offending IP address?
 

Author Comment

by:BBrayton
ID: 38756631
48.182.109.26
114.70.63.85
67.55.113.168
207.237.187.100

These are only a few; the IP keeps changing as well.
 
LVL 23

Expert Comment

by:Thomas Grassi
ID: 38756655
Try setting this up on the RV042.

Define a DENY rule:
Source: Internal LAN
Destination: Internet
Protocol: DNS (UDP, TCP port 53)

This will stop outside attempts against DNS.
 
LVL 3

Expert Comment

by:costanos
ID: 38756685
Send an email to the organizations. Also keep an eye on your firewall/logs, because these are all random organizations; most likely a hacker has a backdoor on their servers or switches and may be targeting you from these remote addresses (based on the number of attempts).

By alerting the real owners, hopefully they will take care of this on their end. I understand these are only a few of the IPs, but it's a start. Again, keep a close eye on your log.


net48admin@prudential.com
search-apnic-not-arin@apnic.net - Not sure this one will work
abuse@webair.com
For all abuse issues, please contact abuse@rcn.com
 
LVL 77

Accepted Solution

by:
Rob Williams earned 125 total points
ID: 38756955
Presumably, if you have port 987 open, you are running SBS 2008 or 2011. If so, you only need ports 25, 443, 1723 and 987. In other words, there is no need for 80 or 3389, the two most commonly attacked ports.
Any remote desktop access you need with SBS 2008/2011 can be had by using either Remote Web Access or, if you want to use the RDP client, by connecting over port 443 and specifying the TS Gateway address. It is the same access as using 3389, but more secure and over port 443. See halfway down the page under "TSGateway Integration":
http://blogs.technet.com/b/sbs/archive/2009/06/25/sbs-2008-introduction-to-remote-web-workplace.aspx
Note: using the RDP client to access anything other than the server for administration obligates you to buy an RDS/TS CAL. This is not true of Remote Web Access.

Most attacks on an SBS use 3389 or SMTP. If the address of the remote attacker is shown, it is almost always 3389.
The other concern is that there is now a virus that spreads itself using port 3389.
 

Author Comment

by:BBrayton
ID: 38833492
I've requested that this question be deleted for the following reason:

n
 
LVL 77

Expert Comment

by:Rob Williams
ID: 38833493
You had a lot of helpful information, and you are deleting the question without follow-up and your reason is "n".
Hardly seems fair to those who invested their time.