Re: Newbie needs more help.. almost hacked, 3 simple questions




The attack, I believe, came from the web interface to sign into the SBS,
SharePoint maybe, or Remote Desktop. In any case I was unable to get an IP from
the attacker because it was not shown in the Event Viewer. I have a lot of
ports open, not all, but a few I use on my network to remote into clients'
machines by Messenger from an XP Pro client on the domain; I have 8080 open,
80 open, etc., and a good few in the upper ranges for other software I
normally run. I am using the NAT and firewall on SBS. As far as the
amount of entries, it's way too many; I clear it and have 200 entries in 5
seconds, well, maybe 20 seconds, but it is unreal, I get maybe 20 to 50 entries
in one second. I goofed and set it to record too much stuff... Thanks...

Oh, to simply put it, the attacks look like they came from someone trying to
log on to the SBS with a hack program; it tried one name for several hours with
many failures (tried different passwords), then moved on to other names and
the same again, even Administrator and Admin etc. etc., but never an authorised
logon, or I would suspect they would have cleared the logs and erased their
entry. Almost like a Remote Desktop attack, but never an IP was passed, and I
know it was not anyone here because it's only me, so NOT local. OK, hope this
helps... I simply want the SBS to lock out any account name or attempt to
log on more than 5 times, to lock out that user name even if it is not a real
name on the system. I set the group policy to 5 attempts, not 50; I think that's
too much in my situation. If I don't get it in 5 tries then maybe I need to go
away for 15 mins and think about it, right?? Thanks again...
--
Thank you for all your help. Without people like you we would all be in the
dark. I will be sure to pass on any information you care to share with me.


"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:

Step back.

1. What ports are open? What kind of 'attacks' are they sending at you,
and via what connections?

Port 80? Port 25?

2. The group policy for SBS is set (I believe) to 50 tries before
lockout. You can adjust this, but I'd rather we find out via what means
these 'attacks' are occurring first.

3. Leave the logs, because when something does happen you want both
the successes and the failures. You can use the event log to filter (see
the "Filter by" section at the top?).

So, first and foremost, go to grc.com, go to ShieldsUp, go to
common ports tests... what ports are open?


Lawrence wrote:
Reviewing security logs in the past few days showed that someone was trying to
hack me for three days straight. I have SBS 2003 SP1 installed and all updates.
Anyway, I don't think they got in, but they tried like 52 different names and I
guess every common password for three days straight. But NO login; I have very
strong passwords and weird user names (I got lucky). Anyway, here's my
problem: One, I tried to turn on account lockout, but all my own tests fail to
get any of my accounts to lock out or to log an event that more than 5 bad
attempts to access an account were made, except for the attempts themselves
(I lowered the trigger to 5). Secondly, I am getting hundreds of logged events
due to my settings for event logging being too low; I saw a fix to limit
logging to failed only, but lost it in trying to fix the hacking problem.

So simply put:

How do I invoke a lockout of any client or user who attempts more than 5
bad logons, no matter how or where they attempt logon from: internet, local,
or terminal (beyond turning it on in the group policy)?

and

How do I limit the amount of events recorded in the event logs for routine
events that don't need to be logged, and show only those, or with as few normal
logs, so that a hack attempt for three days straight about two weeks ago gets
buried in a mass of over-information....

Thank you... so much. Your help on another issue solved all my problems and
I turn once again to you to learn. Thank you, thank you...
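Both of Lawrence's questions (lock out after 5 bad attempts; see the failures without drowning in routine events) come down to the same data, the failed-logon records in the Security log. The PowerShell below is an added example for this thread, not code from any poster or from Microsoft: it pulls the target account and source address out of the event message text with regular expressions (so it does not depend on field positions), counts failures per account and source, and flags anything at or above a threshold. The account names, addresses and sample records are constructed. Two caveats a practitioner should know: Windows account lockout can only lock an account that exists, so attempts against made-up names are never more than failures in the log (one reason to count them yourself), and on Windows Server 2003 the built-in Administrator account is exempt from lockout unless that is enabled with passprop /adminlockout from the Resource Kit. Account policies for domain accounts are only honoured from the domain-linked GPO (Default Domain Policy), not from a GPO linked elsewhere.

```powershell
# Added example (not code from any poster in this thread). Counts failed
# logons per target account and source address from Windows Security event
# text and flags names that reach a lockout-style threshold. On Server 2003
# the failed-logon records are event IDs 529 (bad name/password), 675
# (Kerberos pre-auth failure) and 680 (NTLM failure); 644 means a lockout
# actually fired. On Server 2008+ the equivalents are 4625 and 4740.

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Messages,
        [int] $Threshold = 5
    )
    $counts = @{}
    foreach ($m in $Messages) {
        # The account label differs by event ID: 680 says "Logon account:",
        # 529 says "User Name:", 4625 says "Account Name:" under the
        # "Account For Which Logon Failed:" heading.
        $user = $null
        if ($m -match 'Logon account:\s+(\S+)') { $user = $Matches[1] }
        elseif ($m -match 'User Name:\s+(\S+)') { $user = $Matches[1] }
        elseif ($m -match '(?s)Account For Which Logon Failed:.*?Account Name:\s+(\S+)') {
            $user = $Matches[1]
        }
        if (-not $user) { continue }

        # The source field is "-" for some logon types (which is why no IP
        # showed up for the original poster); keep counting the account anyway.
        $src = '-'
        if ($m -match '(?:Source Network Address|Client Address|Source Workstation):\s+(\S+)') {
            $src = $Matches[1]
        }

        $key = "$($user.ToLower())|$src"
        $counts[$key] = 1 + [int]$counts[$key]
    }
    foreach ($k in $counts.Keys) {
        $user, $src = $k -split '\|', 2
        New-Object PSObject -Property @{
            Account   = $user
            Source    = $src
            Failures  = $counts[$k]
            OverLimit = ($counts[$k] -ge $Threshold)
        }
    }
}

# Constructed sample records in the shape of Server 2003 event 529 and 680
# message text (shortened); names and addresses are made up for the demo.
$e529WithIp = "Logon Failure:`r`n`tReason:`tUnknown user name or bad password`r`n`tUser Name:`tadministrator`r`n`tDomain:`tCORP`r`n`tLogon Type:`t3`r`n`tWorkstation Name:`tWS-X`r`n`tSource Network Address:`t203.0.113.7`r`n`tSource Port:`t1044"
$e529NoIp   = "Logon Failure:`r`n`tReason:`tUnknown user name or bad password`r`n`tUser Name:`tadmin`r`n`tDomain:`tCORP`r`n`tLogon Type:`t10`r`n`tWorkstation Name:`tWS-X`r`n`tSource Network Address:`t-`r`n`tSource Port:`t-"
$e680       = "Logon attempt by:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0`r`n`tLogon account:`tlawrence`r`n`tSource Workstation:`tWS-X`r`n`tError Code:`t0xC000006A"
$sample = @($e529WithIp) * 6 + @($e529NoIp) * 2 + @($e680)

Get-FailedLogonSummary -Messages $sample -Threshold 5 |
    Sort-Object Failures -Descending |
    Format-Table Account, Source, Failures, OverLimit -AutoSize

# Live use on the SBS itself (reading the Security log needs admin rights):
# $msgs = Get-EventLog -LogName Security -After (Get-Date).AddDays(-3) |
#     Where-Object { 529, 675, 680 -contains $_.EventID } |
#     ForEach-Object { $_.Message }
# Get-FailedLogonSummary -Messages $msgs -Threshold 5

# The lockout policy itself: "net accounts /domain" prints the effective
# threshold, duration and observation window (threshold 0 = never lock out).
# To set 5 attempts / 15 minute lockout / 15 minute reset window:
# net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 /domain
```

Run the function against the live log and compare the Account column with the accounts that actually exist on the domain: names that are not real accounts can never be locked out, only counted, and an existing account that reaches the threshold without a matching 644 (or 4740) event points at a policy that is not being applied from the domain-level GPO.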



