brute force password attack

My SBS 2003/Exchange Event Viewer security log shows many logon attempts using random user IDs, and it is always using the PID of inetinfo; the logon type is 3, the logon process is Advapi, and Source Network Address is always blank.
I have a Netgear FVS318 router, a static IP from my ISP, and I am using DynDNS Standard. I have a firewall rule forwarding SMTP to the private IP of the SBS 2003 server.
Any suggestions on how to stop the brute force password attack?
yel69p51 asked:
Simon Butler (Sembee), Consultant, commented:
Not exposing it to the internet is the only way you can completely stop this.
You don't need authenticated relaying enabled on the SMTP virtual server, so you can turn that off completely. While it will not stop it completely, it will mean that they get nowhere.

Otherwise route your email through another service and restrict connections to just that service.

Brute force attacks are one of the things you must accept if you have a server exposed to the internet.

Simon.

Seaton007 commented:
As long as the ports are available to the outside world, I don't think there's much you can do to prevent people from trying to guess accounts and passwords.

Jason Watkins, IT Project Leader, commented:
Also, I would enforce a strong password policy and avoid usernames like "John" and "Mary". It is best to use a combination of the user's first and last name. Here, we use a 7-letter iteration of a user's full name, all unique and random. Renaming the built-in administrator account on the server and desktops to something else will also increase security.

yel69p51 (author) commented:
I inherited this server, so I haven't made many changes. Sembee2, I assume you mean that under "Relay restrictions" you select "Only the list below", but the list should be empty. When I checked, the static IP and the private IP of the server were listed. I removed both of them and tested sending and receiving mail successfully. But the security events will continue to happen, just less likely to do harm? I will consider paying Dyn for mail services so I can restrict SMTP to just them.

Seaton007-I had a feeling that would be the case.

Firebar: already using the first/last name combination; I'll make sure I disable/delete old IDs, etc.

Thanks for the quick replies.

Simon Butler (Sembee), Consultant, commented:
The other setting you want to disable is "allow users to relay if they authenticate", as that doesn't need to be enabled either. That is what the attack is hoping for: that it is enabled, so they can guess a password combination and get access to use your server as a relay.

Simon.
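Sembee's point in the two replies above, as an added example that is not part of the thread and is not Exchange code: a toy model of the SMTP virtual server's relay decision with "allow all computers which successfully authenticate to relay" switched on and off, driven by the two sessions a guessing tool and a legitimate inbound MTA would run. The domain, the mailbox and its password, the client addresses and the reply wording are assumptions for the demo (Exchange's own text differs); the status codes follow RFC 5321 and RFC 4954.

```python
import base64

# Assumptions for the demo: the domain this server accepts inbound mail for,
# and one mailbox whose password a guessing tool could plausibly hit.
LOCAL_DOMAINS = {"example.com"}
ACCOUNTS = {"jsmith": "Winter2009!"}


class SmtpVirtualServer:
    """Just enough of the SMTP virtual server's AUTH/MAIL/RCPT handling to show
    how the two relay settings decide an external RCPT TO."""

    def __init__(self, relay_for_auth, relay_ip_list=()):
        # "Allow all computers which successfully authenticate to relay"
        self.relay_for_auth = relay_for_auth
        # "Only the list below": hosts trusted to relay without AUTH; should be empty here
        self.relay_ip_list = frozenset(relay_ip_list)
        self.authenticated = False
        self.transcript = []                    # (command, reply) pairs, for inspection

    def _reply(self, line, code):
        self.transcript.append((line, code))
        return code

    def handle(self, client_ip, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            # AUTH PLAIN base64("\0user\0password"); LOGIN differs only in framing
            try:
                _, user, password = base64.b64decode(arg.split()[1]).decode().split("\0")
            except (ValueError, IndexError):
                return self._reply(line, "501 5.5.4 Syntax error in parameters")
            if ACCOUNTS.get(user) == password:
                self.authenticated = True
                return self._reply(line, "235 2.7.0 Authentication successful")
            # each failure here is one event 529 (Advapi, inetinfo) in the Security log
            return self._reply(line, "535 5.7.3 Authentication unsuccessful")
        if verb == "MAIL":
            return self._reply(line, "250 2.1.0 Sender OK")
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if domain in LOCAL_DOMAINS:
                return self._reply(line, "250 2.1.5 Recipient OK")   # inbound mail: always accepted
            if client_ip in self.relay_ip_list:
                return self._reply(line, "250 2.1.5 Recipient OK")   # explicitly trusted host
            if self.relay_for_auth and self.authenticated:
                return self._reply(line, "250 2.1.5 Recipient OK")   # the prize for a lucky guess
            return self._reply(line, "550 5.7.1 Unable to relay")
        return self._reply(line, "500 5.5.1 Command unrecognized")


def attacker_session(server, guessed_password, client_ip="203.0.113.9"):
    """What a guessing tool does with a candidate password: AUTH, then try to
    relay to an outside address.  Returns the AUTH and RCPT replies."""
    creds = base64.b64encode(f"\0jsmith\0{guessed_password}".encode()).decode()
    auth = server.handle(client_ip, f"AUTH PLAIN {creds}")
    server.handle(client_ip, "MAIL FROM:<spam@example.net>")
    rcpt = server.handle(client_ip, "RCPT TO:<victim@example.org>")
    return auth, rcpt


def inbound_session(server, client_ip="198.51.100.7"):
    """A remote MTA delivering to a local mailbox: no AUTH involved at all."""
    server.handle(client_ip, "MAIL FROM:<partner@example.org>")
    return server.handle(client_ip, "RCPT TO:<jsmith@example.com>")


if __name__ == "__main__":
    print("correct guess, relay-for-auth on :", attacker_session(SmtpVirtualServer(True), "Winter2009!"))
    print("correct guess, relay-for-auth off:", attacker_session(SmtpVirtualServer(False), "Winter2009!"))
    print("wrong guess,   relay-for-auth off:", attacker_session(SmtpVirtualServer(False), "password"))
    print("inbound mail,  relay-for-auth off:", inbound_session(SmtpVirtualServer(False)))
```

With the setting off, a correct guess still authenticates (and still produces the log noise), but the external RCPT TO is refused, so the only thing the attacker gains is a mailbox password; inbound delivery to the local domain is unaffected, which matches the author's send/receive test. An entry in the relay list is unconditional trust of that address, so it should hold only hosts that genuinely need to relay through this server.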

yel69p51 (author) commented:
Sembee2, I unchecked "Allow all computers which successfully authenticate to relay...."
The security events don't show up every day, so I'll give it a few days and let you know.

Thanks

Cris Hanna, Sr IT Support Engineer, commented:
Type 3 are internal... is there an IP listed as the source?

yel69p51 (author) commented:
No, an IP is never listed. I have turned off all workstations and still get those password attacks in the security log. I disabled the wireless capabilities also.

Cris Hanna, Sr IT Support Engineer, commented:
Have you checked the event logs for other failures/errors?
Not all will show up in the SBS report.

yel69p51 (author) commented:
I checked the application and system event logs; nothing there out of the ordinary.
Thanks

Cris Hanna, Sr IT Support Engineer, commented:
You mention you have a static IP from your ISP and a standard DynDNS account. Why? Typically DynDNS is for those who don't have static IPs. It seems as if you have a rogue app, either on the workstations or on the server, trying to log on. Or, given that you say it has random user names, perhaps it's malware or a virus.

Do you have port 3389 forwarded from the router to the server? If so, I'd suggest that you disable that. Port 80 should be blocked as well. Do those and see if the errors are gone.

yel69p51 (author) commented:
That was the setup when I inherited the server. DynDNS is where the MX record is.
No, I don't have port 3389 forwarded. The Netgear FVS318 has a default firewall rule to deny all traffic.
Thanks