How to stop port scanning hackers

I have a server that had 28,000 failed login attempts. When I click on a failed login attempt, it shows a username, an IP address outside the network, and a port. How can I stop this from happening?
Asked by BBrayton

Rob Williams commented:
Presumably, if you have port 987 open, you are running SBS 2008 or 2011. If so, you only need ports 25, 443, 1723 and 987; in other words, there is no need for 80 or 3389, the two most commonly attacked ports.
Any remote desktop access you need with SBS 2008/2011 can be had by using either Remote Web Access or, if you want to use the RDP client, by connecting over port 443 and specifying the TS Gateway address. It is the same access as using 3389, but more secure and over port 443. See halfway down the page under "TSGateway Integration":
http://blogs.technet.com/b/sbs/archive/2009/06/25/sbs-2008-introduction-to-remote-web-workplace.aspx
Note: using the RDP client to access anything other than the server for administration obligates you to buy an RDS/TS CAL. This is not true of Remote Web Access.

Most attacks on an SBS use 3389 or SMTP. If the address of the remote attacker is shown, it is almost always 3389.
The other concern is that there is now a virus that spreads itself using port 3389.

rharland2009 commented:
Block all traffic from that IP on your firewall.

Thomas Grassi (Systems Administrator) commented:
Sounds like your firewall needs to be more secure.

Do you run a firewall on your server or on the router?

If on the router, what type do you have?

BBrayton (author) commented:
Router: Linksys RV042

Alexios commented:
From your firewall, forbid access to that port.

BBrayton (author) commented:
We use port forwarding and only allow certain ports.

pony10us commented:
What port?

Thomas Grassi (Systems Administrator) commented:
In the RV042, check to make sure you have the firewall enabled; also check that all settings are correct for your network.

Port forwarding just allows you to route traffic; it does not block access.

BBrayton (author) commented:
25, 80, 443, 1723, 3389, 987

costanos (Network Engineer) commented:
25, 80, 443, 1723, 3389, 987

Are these the ports you are forwarding, or the ports the attacks are coming from?

BBrayton (author) commented:
Forwarding.

Thomas Grassi (Systems Administrator) commented:
Is the firewall running on the RV042?

pony10us commented:
What ports are you seeing the attacks on?

BBrayton (author) commented:
Under firewall settings, the firewall is enabled, as are SPI, Denial of Service, WAN requests, Multicast Passthrough, and HTTPS. Remote management is disabled.

BBrayton (author) commented:
Port 2700.

BBrayton (author) commented:
2689 too.
It changes.

BBrayton (author) commented:
They are scanning for open ports.

Thomas Grassi (Systems Administrator) commented:
You need to set up an access rule in your RV042 to block port 2700.

BBrayton (author) commented:
But the port always changes.

costanos (Network Engineer) commented:
You need to report them to the ISP that hosts that IP address.

Here is a helpful document on what to include in your contact email (the article is a little old, but still helpful):

http://www.mynetwatchman.com/scanguide.asp

Here's an example e-mail:

To: Abuse@sourceISP.net
From: Your e-mail address
Subject: Security issue - Source IP: 200.200.200.200

To whom it may concern:

The purpose of this e-mail is to make you aware of a potential
security issue that appears to be originating from your network.

My firewall recently logged the following event which appears to have
originated from your network:


DateTime: 01-Dec-2001 23:01 UTC
Source IP: 200.200.200.200
IP Protocol: TCP
Source Port: 1234
Destination IP: 205.152.0.0 (masked)
Destination Port: 111

This connection attempt was unsolicited and therefore may indicate that
your host is compromised or is being used for unauthorized purposes.


If you have any questions or need further information, please
do not hesitate to contact me.

Regards,


John T. Wall

Except change it to reflect that you are being port scanned, and include the port numbers etc.

BBrayton (author) commented:
If DMZ is off on the router, doesn't that mean that the forwarded ports are the only ports that pass through?

costanos (Network Engineer) commented:
DMZ is active for a specified IP address/host. All ports are forwarded to that IP address, but other hosts are only accessible via the specified forwarded ports.

BBrayton (author) commented:
Isn't DMZ for all inbound traffic?

costanos (Network Engineer) commented:
For the specified host, yes. Enabling it won't open all ports on your whole network.

Thomas Grassi (Systems Administrator) commented:
Were you getting event ID 529 in the security log?

You need to restrict (on the firewall) the allowed source IP to your own.

costanos (Network Engineer) commented:
[Screenshot attached: "dmz", specified host example]

BBrayton (author) commented:
Yes, 529.
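As an added example (not code posted in this thread), the script below does the log triage the discussion circles around: it parses Windows "Logon Failure" (event ID 529) messages, groups them by source IP, flags sources with enough failures to be worth a firewall deny rule, and drafts a per-IP abuse e-mail in the shape of the template costanos quoted above. The events are constructed to resemble the Windows Server 2003 event 529 layout (only the fields the script uses are included), the source IPs are the ones BBrayton posted, the user names, times and ports are invented, and the masked destination address is a placeholder. The mapping from Logon Type to destination port is an assumption too: event 529 does not record the destination port, so the script infers the service from the logon type (type 10 is a Terminal Services/RDP logon, hence 3389). It also makes the point behind the "port 2700" / "2689" exchange concrete: that number is the attacker's ephemeral source port, which changes on every connection, so the stable thing to key a rule on is the source IP, or better, the forwarded destination port.

```python
"""Triage Windows 'Logon Failure' (event ID 529) records: group them by
source IP, flag brute-force sources worth denying at the firewall, and draft
an abuse report per source.  Added example, not code from the thread; the
events below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Logon Type (a field of event 529) -> assumed service and destination port.
# Event 529 has no destination-port field, so this is an inference.
LOGON_TYPES = {
    3: ("network logon, e.g. SMB", 445),
    8: ("network cleartext logon, e.g. web Basic auth", 80),
    10: ("Terminal Services / RDP", 3389),
}

# One "Key:<tab>Value" line of the event message body.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$", re.M)


def _evt(ts, user, logon_type, ip, port):
    """Build one constructed 529-style message; timestamp assumed UTC."""
    body = (f"Logon Failure:\n\tReason:\tUnknown user name or bad password\n"
            f"\tUser Name:\t{user}\n\tLogon Type:\t{logon_type}\n"
            f"\tSource Network Address:\t{ip}\n\tSource Port:\t{port}\n")
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), body


# Constructed sample.  Source IPs are the ones posted in the thread; note the
# source port differs on every attempt.  The last entry is a local (console)
# failure, which has no network address and must not be counted as an attack.
SAMPLE_EVENTS = [
    _evt("2011-09-14T23:01:07", "administrator", 10, "48.182.109.26", 2689),
    _evt("2011-09-14T23:01:09", "administrator", 10, "48.182.109.26", 2700),
    _evt("2011-09-14T23:01:11", "admin", 10, "48.182.109.26", 2712),
    _evt("2011-09-14T23:01:14", "test", 10, "48.182.109.26", 2745),
    _evt("2011-09-14T23:20:41", "administrator", 10, "114.70.63.85", 1043),
    _evt("2011-09-15T02:12:03", "guest", 3, "67.55.113.168", 51234),
    _evt("2011-09-15T08:00:00", "jsmith", 2, "-", "-"),
]


@dataclass(frozen=True)
class Failure:
    when: datetime
    user: str
    logon_type: int
    src_ip: str
    src_port: int


def parse_event(when, message):
    """Extract the fields we need; return None for local logon failures."""
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(message)}
    if fields.get("Source Network Address", "-") == "-":
        return None
    return Failure(when, fields["User Name"], int(fields["Logon Type"]),
                   fields["Source Network Address"], int(fields["Source Port"]))


def parse_events(events):
    """Parse (timestamp, message) pairs, dropping local failures."""
    parsed = (parse_event(when, msg) for when, msg in events)
    return [f for f in parsed if f is not None]


def brute_force_sources(failures, threshold):
    """Source IPs with at least `threshold` failures, most active first.
    The source port is the attacker's ephemeral client port and changes on
    every connection, so a rule keyed on it never matches twice; deny the IP."""
    counts = Counter(f.src_ip for f in failures)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def source_ports(failures, ip):
    """Distinct source ports seen from one IP (shows why they are useless to block)."""
    return sorted({f.src_port for f in failures if f.src_ip == ip})


def abuse_report(failures, ip, masked_dst="198.51.100.0 (masked)"):
    """Draft an abuse e-mail body for one source IP, following the template
    quoted in the thread.  `masked_dst` is a placeholder for your own address."""
    hits = sorted((f for f in failures if f.src_ip == ip), key=lambda f: f.when)
    users = sorted({f.user for f in hits})
    lines = [f"Subject: Security issue - Source IP: {ip}", "",
             "The purpose of this e-mail is to make you aware of a potential",
             "security issue that appears to be originating from your network.", "",
             f"My server logged {len(hits)} failed logon attempts (Windows event ID 529)",
             f"from your network, trying the user name(s): {', '.join(users)}.", ""]
    for f in hits:
        service, dst_port = LOGON_TYPES.get(f.logon_type, ("unknown service", "?"))
        lines += [f"DateTime: {f.when:%d-%b-%Y %H:%M:%S} UTC",
                  f"Source IP: {f.src_ip}", "IP Protocol: TCP",
                  f"Source Port: {f.src_port}", f"Destination IP: {masked_dst}",
                  f"Destination Port: {dst_port} ({service})", ""]
    lines += ["These connection attempts were unsolicited and may indicate that",
              "your host is compromised or is being used for unauthorized purposes."]
    return "\n".join(lines)


if __name__ == "__main__":
    failures = parse_events(SAMPLE_EVENTS)
    for ip in brute_force_sources(failures, threshold=3):
        print(f"deny source {ip} (source ports seen: {source_ports(failures, ip)})")
        print(abuse_report(failures, ip), end="\n\n")
```

On a real SBS box the input would come from the Security log export rather than the constructed list, and the threshold would be tuned to the volume seen (28,000 failures from a handful of IPs is far above any sensible value). The deny list is what to feed into the router's access rules; the report is what to send to the abuse contacts the thread later lists.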

Thomas Grassi (Systems Administrator) commented:
What are your access rules in the RV042? Please post a screenshot.

BBrayton (author) commented:
LAN: allow all traffic
WAN1: deny all traffic
WAN2: deny all traffic

Thomas Grassi (Systems Administrator) commented:
That looks good.

Back to head-scratching mode.

costanos (Network Engineer) commented:
What is the offending IP address?

BBrayton (author) commented:
48.182.109.26
114.70.63.85
67.55.113.168
207.237.187.100

These are only a few; the IP keeps changing as well.

Thomas Grassi (Systems Administrator) commented:
Try setting this up on the RV042:

Define a DENY rule:
Source: Internal LAN
Destination: Internet
Protocol: DNS (UDP/TCP port 53)

This will stop outside attempts against DNS.

costanos (Network Engineer) commented:
Send an email to the organizations. Also keep an eye on your firewall logs, because these are all random organizations; most likely a hacker has a backdoor on their servers or switches and may be targeting you from these remote addresses (based on the number of attempts).

By alerting the real owners, hopefully they will take care of this on their end. I understand these are only a few of the IPs, but it's a start. Again, keep a close eye on your log.


net48admin@prudential.com
search-apnic-not-arin@apnic.net - Not sure this one will work
abuse@webair.com
For all abuse issues, please contact abuse@rcn.com

BBrayton (author) commented:
I've requested that this question be deleted for the following reason:

n

Rob Williams commented:
You had a lot of helpful information and you are deleting the question without follow-up, and your reason is "n".
Hardly seems fair to those who invested their time.