Solved

Server is being hacked - best course of action?

Posted on 2014-02-19
8
306 Views
Last Modified: 2014-03-14
Hi, I support an SBS2003 network and for the last few days it has been constantly bombarded according to security logs in event viewer.

We had an attack a while ago from numerous Russian and worldwide IPs, which led to a tightening up of usernames (now using full name) and passwords (upper/lower letters, numbers and 2+ symbols and at least 8 digits, Plus domain lockout on 5 failed attempts for 2 hours.

They lost interest after a while, and no further problems until Monday, when I started noticing logon failures in event viewer from an IP belonging to a local Internet company. Yesterday the attacks came from another local datacentre.

I can, of course, contact the two companies directly and ask them to block our IP, but the fact they are both local companies, that the network users may rely on, I am concerned I may do more harm than good. Plus they ain't gonna get through,

What is the best way to tackle this? I can't understand why they are two local companies - less than 8 miles away,

We are getting a Event ID 529 and they are trying various ports in the 60,000s.
0
Comment
Question by:bill2013
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 19

Accepted Solution

by:
Peter Hutchison earned 500 total points
ID: 39869913
How are the servers protected? Do the companies use firewalls on the servers themselves or use a separate firewall? Ideally a separate firewall would be ideal and then the attacks would stop at the firewall, rather than on the SBS server itself.

There are different firewall solutions: A) firewall on the router, b) Windows firewall eg. TMG, c) Linux firewall e.g.  Smoothwall or d) a Dedicated hardware firewall e.g. Cisco ASA.
0
 

Expert Comment

by:thomas-baetens-sphinxit
ID: 39869945
Best course of action is place a hardware firewall before the server.
Then only open the necessary ports. For an SBS this is port 25, 143, 110 & 443.
These ports allow email sending, client email & remote access.

If you want more open ports, then you best use a VPN.

In the firewall you can add the IP's where the connections are made from, so they are blocked before they reach the server.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39869948
Its most like attacks by RDP.  Change the RDP public port on your firewall from 3389 to something else that is irregular.

They will most likely be targetting your ISP's Range of addresses opposed to your directly.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:bill2013
ID: 39869973
They use a Draytek Vigor 2920 and only the usual suspects are open.

In this case 3389 for RDP, 25, 443, 110, 4125, 995, 987 and 444.

Could it be getting in through the RDP port as suggested, as we considered it a good firewall.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39869986
The most popular way is by RDP yes.  Change the NAT Rule on the Draytek to give the RDP port redirection an alternative public port number.

The Draytek 2920 themselves are good little routers.
0
 

Expert Comment

by:thomas-baetens-sphinxit
ID: 39870109
The Draytek 2920 has an SSL VPN feature. Close the client ports (3389, 4125, ...) and let the clients use the SSL VPN. The less ports that are open, the less there is a attack surface. Hackers always need an open port...
0
 

Author Comment

by:bill2013
ID: 39870244
I went to change to SSL VPN and found the router is actually a 2830, sorry confused it with another client.

I am getting conflicting reports whether it supports SSL VPN and it is not shown where I would expect to find it, as a primary listing.

So i will follow David's suggestion and change the port to 3402.

It will cause a few problems to a couple of people who will be stressed out at having to add a colon and change a few digits on their desktops, so before I make the make change is there a way I can prove or disprove they are trying to get in on 3389, as I mentioned the source port is in the 60,000s?
0
 

Author Closing Comment

by:bill2013
ID: 39929358
.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question