Re: server getting hit with brute force
- From: "David Barnes" <david at bitsolve dot com .nospam.ignore.net>
- Date: Wed, 5 Sep 2007 12:12:15 +0100
The logon failures contain the source IP:
Source Network Address: 86.143.xxx.xxx
Have a look at these and see if there is any pattern, perhaps a source
subnet?
My guess is these login attempts are to your RWW, OWA or OMA.
You can use IPSEC to harden your IP surface on port 443.
e.g.:
:: IPSec clear existing rules
netsh ipsec static delete all
:: build local rules
netsh ipsec static set store location=local
:: IPSec local Policy Definition
netsh ipsec static add policy name="Server access filters" description="Server Hardening Policy" mmpfs=yes activatedefaultrule=no assign=no mmsecmethods=3DES-SHA1-2
netsh ipsec static add filteraction name=Blockall description="Blocks Traffic" action=block
netsh ipsec static add filterlist name="Hackers - Inbound Traffic" description="Server Hardening"
netsh ipsec static add filter filterlist="Hackers - Inbound Traffic" srcaddr=nnn.nnn.nnn.nnn dstaddr=me description="hack traffic from nnn.nnn.nnn.nnn" protocol=ANY srcport=0 dstport=443
netsh ipsec static add filter filterlist="Hackers - Inbound Traffic" srcaddr=nnn.nnn.nnn.nnn dstaddr=me description="hack traffic from nnn.nnn.nnn.nnn" protocol=ANY srcport=0 dstport=80
netsh ipsec static add filter filterlist="Hackers - Inbound Traffic" srcaddr=xxx.xxx.xxx.xxx dstaddr=me description="hack traffic from xxx.xxx.xxx.xxx" protocol=ANY srcport=0 dstport=443
netsh ipsec static add filter filterlist="Hackers - Inbound Traffic" srcaddr=xxx.xxx.xxx.xxx dstaddr=me description="hack traffic from xxx.xxx.xxx.xxx" protocol=ANY srcport=0 dstport=80
netsh ipsec static add filter filterlist="Hackers - Inbound Traffic" srcaddr=yyy.yyy.yyy.yyy dstaddr=me description="hack traffic from yyy.yyy.yyy.yyy" protocol=ANY srcport=0 dstport=443
netsh ipsec static add filter filterlist="Hackers - Inbound Traffic" srcaddr=yyy.yyy.yyy.yyy dstaddr=me description="hack traffic from yyy.yyy.yyy.yyy" protocol=ANY srcport=0 dstport=80
netsh ipsec static add rule name="Hackers - Inbound Traffic Rule" policy="Server access filters" filterlist="Hackers - Inbound Traffic" kerberos=yes filteraction=Blockall
:: turn on ipsec policy
netsh ipsec static set policy name="Server access filters" assign=yes
The add filter line does support subnet definition (see the MS docs on netsh
ipsec syntax).
This above can be scripted, and you can even have a simple bit of ASP script
to give you a mini console for this.
You can add thousands of these entries, hence why I suggest you don't use the
GUI but a script file: update the script, then run the script, so you
then get change control.
In a perfect world you would block ALL (srcaddr=any) access to port 80 and
443 and just permit specific addresses, like your home users' addresses.
However, this requires that your home users have static IPs. But that would
make life easier for you.
IPSEC policies are independent of the Windows firewall and provide a
separate layer. The Windows firewall can do something similar to this but is very much
more problematic to set up, as it only allows you to set "permit from", and when
you get beyond a few entries it gets horrible. Also, scripting the firewall
actions is painful.
David Barnes
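As an added example (not part of David's post, and not Microsoft's tooling), here is a short Python script that does the two things he describes: it counts the failed logons per "Source Network Address" in a text export of the Security log, flags any /24 that several of those hosts share, and emits the "add filter" lines for the script file in the same shape as above. The log text is a constructed sample using documentation addresses; the thresholds, the reuse of the "Hackers - Inbound Traffic" filter list, and the srcmask= parameter (a documented parameter of netsh ipsec static add filter, used here with a dotted mask) are my assumptions, so check them against the netsh docs as David says.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample input (not from the post): a text export of logon audit
# events, each carrying the "Source Network Address:" line quoted above.
# All addresses are documentation ranges chosen for this example.
def _event(kind, user, addr):
    return (f"Event Type: {kind}\nUser Name: {user}\n"
            f"Source Network Address: {addr}\n\n")

SAMPLE_LOG = "".join(
    [_event("Failure Audit", "Administrator", "203.0.113.7")] * 7
    + [_event("Failure Audit", "Admin", "203.0.113.8")] * 2
    + [_event("Failure Audit", "Admin", "203.0.113.9"),
       _event("Failure Audit", "Administrator", "203.0.113.10"),
       _event("Success Audit", "jsmith", "203.0.113.7"),    # success: ignored
       _event("Failure Audit", "Administrator", "-")]        # console logon: no address
    + [_event("Failure Audit", "Administrator", "198.51.100.20")] * 6
    + [_event("Failure Audit", "Admin", "192.0.2.5")]
)

FAILURE_THRESHOLD = 5   # assumed cut-off: failures from one host before it is blocked
SUBNET_MIN_HOSTS = 3    # assumed cut-off: distinct hosts in one /24 worth reporting

EVENT_SPLIT = re.compile(r"^(?=Event Type:)", re.M)
ADDR_RE = re.compile(r"^Source Network Address:\s*(\S+)", re.M)


def failures_by_source(log_text):
    """Count Failure Audit events per source IP; skip events with no usable address."""
    counts = Counter()
    for event in EVENT_SPLIT.split(log_text):
        if "Event Type: Failure Audit" not in event:
            continue
        m = ADDR_RE.search(event)
        if not m:
            continue
        try:
            ip_address(m.group(1))      # "-" or blank means no network source
        except ValueError:
            continue
        counts[m.group(1)] += 1
    return counts


def offending_sources(counts, threshold=FAILURE_THRESHOLD):
    """Hosts at or above the failure threshold, in address order."""
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=ip_address)


def subnet_pattern(counts, min_hosts=SUBNET_MIN_HOSTS):
    """/24 networks from which min_hosts or more distinct hosts attempted logons."""
    hosts = defaultdict(set)
    for ip in counts:
        hosts[ip_network(f"{ip}/24", strict=False)].add(ip)
    return sorted(str(net) for net, h in hosts.items() if len(h) >= min_hosts)


def netsh_filter_lines(ips, subnets, filterlist="Hackers - Inbound Traffic", ports=(443, 80)):
    """Emit one 'add filter' command per address/port, in the post's format.
    Subnets use the srcmask= parameter with a dotted mask (assumed form)."""
    cmd = ('netsh ipsec static add filter filterlist="{fl}" srcaddr={src}{mask} dstaddr=me '
           'description="hack traffic from {desc}" protocol=ANY srcport=0 dstport={port}')
    lines = []
    for ip in ips:
        for port in ports:
            lines.append(cmd.format(fl=filterlist, src=ip, mask="", desc=ip, port=port))
    for net in subnets:
        n = ip_network(net)
        for port in ports:
            lines.append(cmd.format(fl=filterlist, src=n.network_address,
                                    mask=f" srcmask={n.netmask}", desc=net, port=port))
    return lines


if __name__ == "__main__":
    counts = failures_by_source(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{n:4d}  {ip}")
    print("subnets with several hosts (review before blocking):", subnet_pattern(counts))
    print("\n".join(netsh_filter_lines(offending_sources(counts), subnet_pattern(counts))))
```

Redirect the output into the script file David describes rather than applying it straight away: the per-host lines are safe to add as they come, but a /24 on a consumer ISP also holds legitimate users, so the subnet list is a report to review, not an automatic block. Because the attempts in the original question arrive only every minute or two, run the count over a whole night's export rather than an hour's.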
"Kevin Le" <kevinle@xxxxxxxxxx?subject=Regarding%20Your%20Post> wrote in
message news:FBD58EF5-37DF-46E2-AE9A-B76E3DC17909@xxxxxxxxxxxxxxxx
Hi,
My SBS 2003 box has been getting attacked with brute force (I assumed, because
event logs show 500-600 failed logins per night with Administrator/Admin
account as user name, each about 1-2 mins apart). Is there anything I
can do to block these? The Administrator account name has already been changed;
the password is secured and changed.
Kevin