Solved

Server is being hacked - best course of action?

Posted on 2014-02-19
Medium Priority
315 Views
Last Modified: 2014-03-14
Hi, I support an SBS2003 network, and for the last few days it has been constantly bombarded, according to the security logs in Event Viewer.

We had an attack a while ago from numerous Russian and worldwide IPs, which led to a tightening up of usernames (now using full name) and passwords (upper/lower letters, numbers and 2+ symbols, and at least 8 digits), plus domain lockout on 5 failed attempts for 2 hours.

They lost interest after a while, and there were no further problems until Monday, when I started noticing logon failures in Event Viewer from an IP belonging to a local Internet company. Yesterday the attacks came from another local datacentre.

I can, of course, contact the two companies directly and ask them to block our IP, but given that they are both local companies, which the network users may rely on, I am concerned I may do more harm than good. Plus they ain't gonna get through.

What is the best way to tackle this? I can't understand why they are two local companies, less than 8 miles away.

We are getting Event ID 529 and they are trying various ports in the 60,000s.
Question by: bill2013
8 Comments
Accepted Solution

by: Peter Hutchison (earned 2000 total points)
ID: 39869913
How are the servers protected? Do the companies use firewalls on the servers themselves or use a separate firewall? A separate firewall would be ideal, as the attacks would then stop at the firewall rather than at the SBS server itself.

There are different firewall solutions: a) a firewall on the router, b) a Windows firewall, e.g. TMG, c) a Linux firewall, e.g. Smoothwall, or d) a dedicated hardware firewall, e.g. Cisco ASA.

Expert Comment

by: thomas-baetens-sphinxit
ID: 39869945
The best course of action is to place a hardware firewall in front of the server.
Then only open the necessary ports. For an SBS these are ports 25, 143, 110 and 443.
These ports allow email sending, client email and remote access.

If you want more ports open, then you had best use a VPN.

In the firewall you can add the IPs the connections are made from, so they are blocked before they reach the server.

Expert Comment

by: David Atkin
ID: 39869948
It's most likely attacks by RDP. Change the RDP public port on your firewall from 3389 to something else that is irregular.

They will most likely be targeting your ISP's range of addresses as opposed to you directly.
Author Comment

by: bill2013
ID: 39869973
They use a Draytek Vigor 2920 and only the usual suspects are open.

In this case 3389 for RDP, 25, 443, 110, 4125, 995, 987 and 444.

Could it be getting in through the RDP port, as suggested, as we considered it a good firewall?

Expert Comment

by: David Atkin
ID: 39869986
The most popular way is by RDP, yes. Change the NAT rule on the Draytek to give the RDP port redirection an alternative public port number.

The Draytek 2920s themselves are good little routers.

Expert Comment

by: thomas-baetens-sphinxit
ID: 39870109
The Draytek 2920 has an SSL VPN feature. Close the client ports (3389, 4125, ...) and let the clients use the SSL VPN. The fewer ports that are open, the smaller the attack surface. Hackers always need an open port...

Author Comment

by: bill2013
ID: 39870244
I went to change to SSL VPN and found the router is actually a 2830; sorry, I confused it with another client.

I am getting conflicting reports on whether it supports SSL VPN, and it is not shown where I would expect to find it, as a primary listing.

So I will follow David's suggestion and change the port to 3402.

It will cause a few problems for a couple of people, who will be stressed out at having to add a colon and change a few digits on their desktops, so before I make the change, is there a way I can prove or disprove that they are trying to get in on 3389? As I mentioned, the source port is in the 60,000s.
 
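An added example, not code from the original thread or its posters, that works through the question just asked (can Event ID 529 records prove or disprove that the attempts are aimed at 3389?) and through the earlier advice to add the offending source IPs to the firewall block list. It parses the description text of Security log Event 529 in the layout Windows Server 2003 SP1 and later write (the field labels are the real ones; the event texts are constructed sample data), and it encodes two points: the 529 "Source Port" is the attacker's own ephemeral port, so values in the 60,000s say nothing about the server port hit, whereas "Logon Type" 10 (RemoteInteractive) does identify Terminal Services/RDP. CONTOSO and SBS01 are placeholder names, the addresses are RFC 5737 test ranges, and the block-list threshold `min_failures` is an arbitrary choice for this example.

```python
"""Triage Windows Server 2003 Security-log Event ID 529 (logon failure) records.

Added example, not from the original thread. Field labels match a 2003 SP1+
Event 529 description; the event texts below are constructed sample data.
"""
import re
from collections import Counter, defaultdict

# Logon Type values as used in Windows Server 2003 Security log events.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (SMB, Exchange, IIS/OWA)",
    8: "NetworkCleartext (basic authentication over IIS)",
    10: "RemoteInteractive (Terminal Services / RDP)",
}

# Labels exactly as a 2003 SP1+ Event 529 description carries them.
# Pre-SP1 servers do not log Source Network Address / Source Port at all.
FIELDS = ("User Name", "Domain", "Logon Type", "Logon Process",
          "Workstation Name", "Source Network Address", "Source Port")


def parse_529(description):
    """Return the named fields of one Event 529 description as a dict.

    'Logon Type' and 'Source Port' become ints (None if absent). The anchored
    regex means 'Domain:' does not match the 'Caller Domain:' line.
    """
    rec = {}
    for field in FIELDS:
        m = re.search(r"^\s*%s:\s*(.*?)\s*$" % re.escape(field),
                      description, re.MULTILINE)
        rec[field] = m.group(1) if m else ""
    for key in ("Logon Type", "Source Port"):
        rec[key] = int(rec[key]) if rec[key].isdigit() else None
    return rec


def source_port_is_ephemeral(port):
    """True when the port falls in a client-side ephemeral range.

    The 529 'Source Port' is the attacker's outbound port, so values in the
    60,000s are what a scanner's own TCP stack hands out (Linux default
    32768-60999, Windows Vista and later 49152-65535). It says nothing about
    which server port (3389 or otherwise) was hit; 'Logon Type' does.
    """
    return port is not None and 32768 <= port <= 65535


def triage(descriptions, min_failures=3):
    """Group failures by source address and flag brute-force candidates.

    Returns {source: {failures, logon_types, users, rdp, block_candidate}}.
    'rdp' is True if any attempt reached Terminal Services (logon type 10);
    min_failures is an arbitrary threshold chosen for this example.
    """
    by_src = defaultdict(lambda: {"failures": 0, "logon_types": Counter(),
                                  "users": set()})
    for desc in descriptions:
        rec = parse_529(desc)
        entry = by_src[rec["Source Network Address"] or "(no address logged)"]
        entry["failures"] += 1
        entry["logon_types"][rec["Logon Type"]] += 1
        entry["users"].add(rec["User Name"].lower())
    for entry in by_src.values():
        entry["rdp"] = entry["logon_types"][10] > 0
        entry["block_candidate"] = entry["failures"] >= min_failures
    return dict(by_src)


def _event(user, logon_type, src, port, process="User32"):
    """Build one Event 529 description in the 2003 layout (constructed data).

    CONTOSO / SBS01 are placeholders; addresses are RFC 5737 test ranges.
    """
    return ("Logon Failure:\n"
            "    Reason:\t\tUnknown user name or bad password\n"
            "    User Name:\t%s\n    Domain:\t\tCONTOSO\n    Logon Type:\t%d\n"
            "    Logon Process:\t%s\n    Authentication Package:\tNegotiate\n"
            "    Workstation Name:\tSBS01\n    Caller User Name:\tSBS01$\n"
            "    Caller Domain:\tCONTOSO\n    Caller Logon ID:\t(0x0,0x3E7)\n"
            "    Caller Process ID:\t1234\n    Transited Services:\t-\n"
            "    Source Network Address:\t%s\n    Source Port:\t%d\n"
            % (user, logon_type, process, src, port))


# Constructed sample: three RDP failures from one address, one network-logon
# failure from a second, one lone RDP failure from a third.
SAMPLE_EVENTS = [
    _event("administrator", 10, "198.51.100.23", 60144),
    _event("admin", 10, "198.51.100.23", 60152),
    _event("bill.smith", 10, "198.51.100.23", 60173),
    _event("administrator", 3, "203.0.113.9", 51230, process="NtLmSsp"),
    _event("administrator", 10, "192.0.2.44", 60510),
]


def report(descriptions, min_failures=3):
    """Human-readable summary lines, busiest source first."""
    lines = []
    for src, e in sorted(triage(descriptions, min_failures).items(),
                         key=lambda kv: -kv[1]["failures"]):
        types = ", ".join(LOGON_TYPES.get(t, "type %s" % t)
                          for t in sorted(e["logon_types"], key=str))
        lines.append("%-16s %2d failures  users=%-3d  via: %s%s" % (
            src, e["failures"], len(e["users"]), types,
            "  -> BLOCK" if e["block_candidate"] else ""))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

Run it against descriptions exported from the real Security log (for example by pasting each 529 event's text into the list in place of the constructed sample). A source whose failures all carry Logon Type 10 is hitting Terminal Services regardless of which public port the Draytek forwards to it; the firewall's own log, not the 529 "Source Port", is where the public destination port would show up.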

Author Closing Comment

by: bill2013
ID: 39929358
.