Server is being hacked - best course of action?

Hi, I support an SBS2003 network and for the last few days it has been constantly bombarded according to security logs in event viewer.

We had an attack a while ago from numerous Russian and worldwide IPs, which led to a tightening up of usernames (now using full name) and passwords (upper/lower letters, numbers and 2+ symbols and at least 8 digits, Plus domain lockout on 5 failed attempts for 2 hours.

They lost interest after a while, and no further problems until Monday, when I started noticing logon failures in event viewer from an IP belonging to a local Internet company. Yesterday the attacks came from another local datacentre.

I can, of course, contact the two companies directly and ask them to block our IP, but the fact they are both local companies, that the network users may rely on, I am concerned I may do more harm than good. Plus they ain't gonna get through,

What is the best way to tackle this? I can't understand why they are two local companies - less than 8 miles away,

We are getting a Event ID 529 and they are trying various ports in the 60,000s.
bill2013Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Peter HutchisonConnect With a Mentor Senior Network Systems SpecialistCommented:
How are the servers protected? Do the companies use firewalls on the servers themselves or use a separate firewall? Ideally a separate firewall would be ideal and then the attacks would stop at the firewall, rather than on the SBS server itself.

There are different firewall solutions: A) firewall on the router, b) Windows firewall eg. TMG, c) Linux firewall e.g.  Smoothwall or d) a Dedicated hardware firewall e.g. Cisco ASA.
0
 
thomas-baetens-sphinxitCommented:
Best course of action is place a hardware firewall before the server.
Then only open the necessary ports. For an SBS this is port 25, 143, 110 & 443.
These ports allow email sending, client email & remote access.

If you want more open ports, then you best use a VPN.

In the firewall you can add the IP's where the connections are made from, so they are blocked before they reach the server.
0
 
David AtkinTechnical DirectorCommented:
Its most like attacks by RDP.  Change the RDP public port on your firewall from 3389 to something else that is irregular.

They will most likely be targetting your ISP's Range of addresses opposed to your directly.
0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
bill2013Author Commented:
They use a Draytek Vigor 2920 and only the usual suspects are open.

In this case 3389 for RDP, 25, 443, 110, 4125, 995, 987 and 444.

Could it be getting in through the RDP port as suggested, as we considered it a good firewall.
0
 
David AtkinTechnical DirectorCommented:
The most popular way is by RDP yes.  Change the NAT Rule on the Draytek to give the RDP port redirection an alternative public port number.

The Draytek 2920 themselves are good little routers.
0
 
thomas-baetens-sphinxitCommented:
The Draytek 2920 has an SSL VPN feature. Close the client ports (3389, 4125, ...) and let the clients use the SSL VPN. The less ports that are open, the less there is a attack surface. Hackers always need an open port...
0
 
bill2013Author Commented:
I went to change to SSL VPN and found the router is actually a 2830, sorry confused it with another client.

I am getting conflicting reports whether it supports SSL VPN and it is not shown where I would expect to find it, as a primary listing.

So i will follow David's suggestion and change the port to 3402.

It will cause a few problems to a couple of people who will be stressed out at having to add a colon and change a few digits on their desktops, so before I make the make change is there a way I can prove or disprove they are trying to get in on 3389, as I mentioned the source port is in the 60,000s?
0
 
bill2013Author Commented:
.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.