Server is being hacked - best course of action?

Posted on 2014-02-19
Last Modified: 2014-03-14
Hi, I support an SBS2003 network and for the last few days it has been constantly bombarded according to security logs in event viewer.

We had an attack a while ago from numerous Russian and worldwide IPs, which led to a tightening up of usernames (now using full name) and passwords (upper/lower letters, numbers and 2+ symbols and at least 8 characters), plus domain lockout on 5 failed attempts for 2 hours.

They lost interest after a while, and no further problems until Monday, when I started noticing logon failures in event viewer from an IP belonging to a local Internet company. Yesterday the attacks came from another local datacentre.

I can, of course, contact the two companies directly and ask them to block our IP, but the fact that they are both local companies, which the network users may rely on, means I am concerned I may do more harm than good. Plus they ain't gonna get through.

What is the best way to tackle this? I can't understand why they are two local companies, less than 8 miles away.

We are getting Event ID 529 and they are trying various ports in the 60,000s.
Question by:bill2013
8 Comments
 
LVL 20

Accepted Solution

by:
Peter Hutchison earned 2000 total points
ID: 39869913
How are the servers protected? Do the companies use firewalls on the servers themselves or a separate firewall? Ideally there would be a separate firewall, so that the attacks stop at the firewall rather than on the SBS server itself.

There are different firewall solutions: a) a firewall on the router, b) a Windows firewall, e.g. TMG, c) a Linux firewall, e.g. Smoothwall, or d) a dedicated hardware firewall, e.g. Cisco ASA.
 

Expert Comment

by:thomas-baetens-sphinxit
ID: 39869945
The best course of action is to place a hardware firewall in front of the server.
Then only open the necessary ports. For an SBS these are ports 25, 143, 110 and 443.
These ports allow email sending, client email and remote access.

If you want more open ports, then you'd best use a VPN.

In the firewall you can add the IPs the connections are made from, so they are blocked before they reach the server.
 
LVL 22

Expert Comment

by:David Atkin
ID: 39869948
It's most likely attacks by RDP. Change the RDP public port on your firewall from 3389 to something else that is irregular.

They will most likely be targeting your ISP's range of addresses as opposed to you directly.

 

Author Comment

by:bill2013
ID: 39869973
They use a Draytek Vigor 2920 and only the usual suspects are open.

In this case 3389 for RDP, 25, 443, 110, 4125, 995, 987 and 444.

Could it be getting in through the RDP port as suggested? We considered it a good firewall.
 
LVL 22

Expert Comment

by:David Atkin
ID: 39869986
The most popular way is by RDP, yes. Change the NAT rule on the Draytek to give the RDP port redirection an alternative public port number.

The Draytek 2920s themselves are good little routers.
 

Expert Comment

by:thomas-baetens-sphinxit
ID: 39870109
The Draytek 2920 has an SSL VPN feature. Close the client ports (3389, 4125, ...) and let the clients use the SSL VPN. The fewer ports that are open, the smaller the attack surface. Hackers always need an open port...
 

Author Comment

by:bill2013
ID: 39870244
I went to change to SSL VPN and found the router is actually a 2830; sorry, I confused it with another client's.

I am getting conflicting reports on whether it supports SSL VPN, and it is not shown where I would expect to find it, as a primary listing.

So I will follow David's suggestion and change the port to 3402.

It will cause a few problems for a couple of people who will be stressed out at having to add a colon and change a few digits on their desktops, so before I make the change, is there a way I can prove or disprove that they are trying to get in on 3389? As I mentioned, the source port is in the 60,000s.
 

Author Closing Comment

by:bill2013
ID: 39929358
