?
Solved

Server is being hacked - best course of action?

Posted on 2014-02-19
8
Medium Priority
?
314 Views
Last Modified: 2014-03-14
Hi, I support an SBS2003 network and for the last few days it has been constantly bombarded according to security logs in event viewer.

We had an attack a while ago from numerous Russian and worldwide IPs, which led to a tightening up of usernames (now using full name) and passwords (upper/lower letters, numbers and 2+ symbols and at least 8 digits, Plus domain lockout on 5 failed attempts for 2 hours.

They lost interest after a while, and no further problems until Monday, when I started noticing logon failures in event viewer from an IP belonging to a local Internet company. Yesterday the attacks came from another local datacentre.

I can, of course, contact the two companies directly and ask them to block our IP, but the fact they are both local companies, that the network users may rely on, I am concerned I may do more harm than good. Plus they ain't gonna get through,

What is the best way to tackle this? I can't understand why they are two local companies - less than 8 miles away,

We are getting a Event ID 529 and they are trying various ports in the 60,000s.
0
Comment
Question by:bill2013
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 20

Accepted Solution

by:
Peter Hutchison earned 2000 total points
ID: 39869913
How are the servers protected? Do the companies use firewalls on the servers themselves or use a separate firewall? Ideally a separate firewall would be ideal and then the attacks would stop at the firewall, rather than on the SBS server itself.

There are different firewall solutions: A) firewall on the router, b) Windows firewall eg. TMG, c) Linux firewall e.g.  Smoothwall or d) a Dedicated hardware firewall e.g. Cisco ASA.
0
 

Expert Comment

by:thomas-baetens-sphinxit
ID: 39869945
Best course of action is place a hardware firewall before the server.
Then only open the necessary ports. For an SBS this is port 25, 143, 110 & 443.
These ports allow email sending, client email & remote access.

If you want more open ports, then you best use a VPN.

In the firewall you can add the IP's where the connections are made from, so they are blocked before they reach the server.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39869948
Its most like attacks by RDP.  Change the RDP public port on your firewall from 3389 to something else that is irregular.

They will most likely be targetting your ISP's Range of addresses opposed to your directly.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 

Author Comment

by:bill2013
ID: 39869973
They use a Draytek Vigor 2920 and only the usual suspects are open.

In this case 3389 for RDP, 25, 443, 110, 4125, 995, 987 and 444.

Could it be getting in through the RDP port as suggested, as we considered it a good firewall.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39869986
The most popular way is by RDP yes.  Change the NAT Rule on the Draytek to give the RDP port redirection an alternative public port number.

The Draytek 2920 themselves are good little routers.
0
 

Expert Comment

by:thomas-baetens-sphinxit
ID: 39870109
The Draytek 2920 has an SSL VPN feature. Close the client ports (3389, 4125, ...) and let the clients use the SSL VPN. The less ports that are open, the less there is a attack surface. Hackers always need an open port...
0
 

Author Comment

by:bill2013
ID: 39870244
I went to change to SSL VPN and found the router is actually a 2830, sorry confused it with another client.

I am getting conflicting reports whether it supports SSL VPN and it is not shown where I would expect to find it, as a primary listing.

So i will follow David's suggestion and change the port to 3402.

It will cause a few problems to a couple of people who will be stressed out at having to add a colon and change a few digits on their desktops, so before I make the make change is there a way I can prove or disprove they are trying to get in on 3389, as I mentioned the source port is in the 60,000s?
0
 

Author Closing Comment

by:bill2013
ID: 39929358
.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question