
I have been getting attacks from an unknown source on my terminal server (brute force attacks). How do I prevent this from happening?

Server 2003 operating system

asked 11/28/2011 12:08


Neal_876 ♦♦


10 Answers:
IIS 7 has an extension called Dynamic IP Restrictions that can be used to automatically block IP addresses after a certain number of accesses/attacks.

You will need something similar to this.

http://www.iis.net/download/dynamiciprestrictions

answered


Dr-Hussain

Thank you for replying, how would I do this on a terminal server?

answered 2011-11-28 at 08:51:34


Neal_876

The easiest way I do this is to limit the firewall rule for the incoming RDP connection. I put in a list of allowed IP addresses. If your users have dynamic IPs then you could use IP ranges in your firewall or allow the network IDs of the ISP that your users have.
It's work to build up the list, but it limits who can connect to the Terminal Server.

Another option would be to set up a VPN and close RDP from the internet. The users would need to VPN first and then RDP.

answered 2011-11-28 at 09:00:27


chakko

The attacks are using random names each time they try to guess a valid login.

I am also getting the following message:

incoming traffic.
 
Name: -
Path: C:\WINDOWS\system32\lsass.exe
Process identifier: 440
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3158
Allowed: No
User notified: No

Any thoughts?

answered 2011-11-28 at 09:24:16


Neal_876
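
The allowlist approach chakko describes and the random-username pattern Neal_876 reports, combined in an added example that is not part of the original thread: it takes failed and successful logon records, ignores sources inside the permitted ranges, and reports what is left. The addresses, ranges, record layout and the `min_names` threshold are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Hypothetical allowlist: one fixed address and one ISP range (documentation prefixes).
ALLOWED = [ipaddress.ip_network(n) for n in ("198.51.100.17/32", "203.0.113.0/24")]

# Constructed sample records: (source IP, username tried, logon succeeded)
ATTEMPTS = [
    ("203.0.113.40", "neal", True),
    ("198.51.100.17", "office", True),
    ("192.0.2.200", "sales", True),      # user on a range not yet listed
    ("192.0.2.77", "admin", False),
    ("192.0.2.77", "backup", False),
    ("192.0.2.77", "scanner", False),
    ("192.0.2.77", "Admin", False),      # same name, different case
    ("192.0.2.90", "neal", False),
]

def is_allowed(source, allowed=ALLOWED):
    """True if the source is inside any permitted address or range."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in allowed)

def review(attempts, allowed=ALLOWED, min_names=3):
    """Look only at sources the allowlist would drop. Return (needs_review, guessing):
    needs_review: sources with a successful logon, to check before enabling the rule;
    guessing: sources that failed with at least min_names distinct usernames."""
    failed_names = defaultdict(set)
    needs_review = set()
    for source, user, succeeded in attempts:
        if is_allowed(source, allowed):
            continue
        if succeeded:
            needs_review.add(source)
        else:
            failed_names[source].add(user.lower())
    guessing = {s: sorted(n) for s, n in failed_names.items() if len(n) >= min_names}
    return sorted(needs_review), guessing

if __name__ == "__main__":
    needs_review, guessing = review(ATTEMPTS)
    print("outside the allowlist but logged on successfully:", needs_review)
    for source, users in guessing.items():
        print(f"{source} tried {len(users)} different usernames: {users}")
```

Sources in `needs_review` are either legitimate users whose range is missing from the list or logons worth investigating; both need an answer before the rule goes live.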

Do you have any firewall between your server and the internet?  UDP port 3158 seems strange, as in why would it be allowed incoming.

Are these coming from the internet or maybe some infected machine on the LAN?  

answered 2011-11-28 at 09:26:34


chakko

Yes, there is a firewall. It does not give me the source where this is coming from.

How would I disable RDP from the Internet?

answered 2011-11-28 at 09:40:52


Neal_876

It depends on how your firewall is set up.

Probably you have some type of port forwarding, so look for any rule using RDP or TCP port 3389 and disable that rule.

Different firewalls have their own way of doing this, so terminology will vary.

answered 2011-11-28 at 10:11:15


chakko

Thank you for your help; I will let you know the results.

answered 2011-11-28 at 10:16:34


Neal_876

Thank you!

answered 2011-11-28 at 10:23:22


Neal_876

Hi,

You can change the port of the RDP service to a well-known port, e.g. 3306, 80, 443, etc., so when the attacker scans your ports again it will show an HTTP, SQL service, etc.: http://support.microsoft.com/kb/306759. This is one way of doing it.

As you say, if it is a brute force attack they would be using a script or tool, so they will have a signature; those signatures will be listed in your UTM device. If you use ASA, Cyberoam, SonicWall or any other UTM, they should be under the IPS section, and you can block it from there. If it is not there, you can also run a packet scanner like Ettercap or Wireshark and create a custom signature to block the attacks.

Or you can use an IDS/IPS like Snort or Tripwire, and this will also block the brute force attacks.

answered 2011-11-30 at 17:04:45


emtechadmin

Seen: 281 times

Last updated: 11/30/2011 09:04