Attempt Attack


Reyman

I have a Windows 2000 machine we use as a proxy server that sits in
the DMZ. For a while, I have been noticing computers from domains
unreachable by me trying to log in to the machine using an account that
is disabled. Before they find and attempt to use an active
account, is there a way for us to find out the IP of the computers that
are attempting this attack? Any software we can install on this machine
that would block attempts like this?

Thanks.
 
You would need to check the firewall logs for IP addresses using the port of
the service they are trying to log on to that match the time of the logon
failures. Of course, for this to work well the times of the firewall and the
computer/domain controller will need to be in sync. I would think your
proxy has some logging capability as it may be your firewall. Software
firewalls [Sygate for example] or software IDS will usually be able to
record the IP addresses but then you would have to install more software on
your proxy server. You can also use netmon to monitor traffic on the
external adapter but that will probably necessitate that you capture a lot
of traffic unless these attempts are very time specific and that can be
very tedious.

Failed logon attempts are not unusual and if you are enforcing strong
passwords then the risk is minimal unless they are trying to mount a denial
of service attack. I would also make sure that file and print sharing and
netbios over tcp/ip are disabled on the external adapter of the proxy
connected directly to the internet. Depending on what you are offering to
internet clients [remote users, etc] you may want to look at the possibility
of using VPN using L2TP for access. Since you are using a proxy it will need
to be NAT-T compliant, however, as would the L2TP VPN clients [no problem for
Windows since W98 with the NAT-T client installed]. L2TP requires the use
of computer certificates so that computers can authenticate before the user
is allowed to try and log on. --- Steve
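The correlation Steve describes (match each failed logon in the Security log against firewall entries to the same service port, within a short time window, after correcting for any clock offset between the two boxes) can be scripted once both logs are exported. The following is an added example, not code from the thread or from any product mentioned in it; the log formats, the `FAILED_LOGONS` and `FIREWALL_LOG` samples and all IP addresses are constructed for illustration, and the CSV layouts are assumptions you would adapt to whatever your firewall actually writes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: failed logons exported from the Windows Security log
# as "timestamp,account". The 02:14 burst targets a disabled account.
FAILED_LOGONS = """\
2003-04-12 02:14:07,oldadmin
2003-04-12 02:14:09,oldadmin
2003-04-12 02:14:12,oldadmin
2003-04-12 05:00:00,oldadmin
2003-04-12 09:30:45,jsmith
"""

# Constructed sample firewall log: "timestamp,action,src_ip,dst_port".
# Port 139 (NetBIOS session) and 445 (direct SMB) carry Windows logons;
# the 8080 entry is ordinary proxy traffic and must not be matched.
FIREWALL_LOG = """\
2003-04-12 02:14:06,ACCEPT,203.0.113.45,139
2003-04-12 02:14:08,ACCEPT,203.0.113.45,139
2003-04-12 02:14:11,ACCEPT,203.0.113.45,139
2003-04-12 02:14:30,ACCEPT,198.51.100.7,8080
2003-04-12 09:30:44,ACCEPT,192.0.2.10,139
"""

LOGON_PORTS = {139, 445}


def parse_failed_logons(text):
    """Yield (timestamp, account) from 'timestamp,account' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account = line.split(",", 1)
        yield datetime.strptime(ts, TS_FMT), account


def parse_firewall_log(text):
    """Yield (timestamp, action, src_ip, dst_port) from firewall CSV lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, action, src_ip, dst_port = line.split(",")
        yield datetime.strptime(ts, TS_FMT), action, src_ip, int(dst_port)


def correlate(failed_text, firewall_text, ports=LOGON_PORTS,
              window_seconds=5, firewall_skew_seconds=0):
    """
    Attribute each failed logon to the most recent accepted firewall entry
    on one of `ports` that precedes it by at most `window_seconds`.

    firewall_skew_seconds is (firewall clock - proxy clock); it is subtracted
    from firewall timestamps so both logs are compared on the proxy's clock.
    Returns {account: {src_ip: number_of_failed_logons_attributed}}.
    Logons with no firewall entry inside the window are left unattributed.
    """
    window = timedelta(seconds=window_seconds)
    skew = timedelta(seconds=firewall_skew_seconds)
    connections = [
        (ts - skew, ip)
        for ts, action, ip, port in parse_firewall_log(firewall_text)
        if action == "ACCEPT" and port in ports
    ]
    hits = defaultdict(Counter)
    for logon_ts, account in parse_failed_logons(failed_text):
        candidates = [(ts, ip) for ts, ip in connections
                      if logon_ts - window <= ts <= logon_ts]
        if candidates:
            # Nearest preceding connection is the likeliest carrier.
            _, ip = max(candidates)
            hits[account][ip] += 1
    return {account: dict(counter) for account, counter in hits.items()}


if __name__ == "__main__":
    for account, sources in correlate(FAILED_LOGONS, FIREWALL_LOG).items():
        for ip, n in sources.items():
            print(f"{account}: {n} failed logon(s) attributed to {ip}")
```

Run against the samples it attributes the three failures on the disabled account to 203.0.113.45 and the single `jsmith` failure to 192.0.2.10; the 05:00 failure stays unattributed because nothing hit a logon port near it. Passing a wrong `firewall_skew_seconds` (say the firewall clock were really a minute off and you did not tell the script) drops every match, which is Steve's point about keeping the two clocks in sync before trusting this kind of correlation.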
 
Thank you for your suggestions Steve. I will have to consider
installing some kind of firewall software on this machine. This
machine sits outside the scope of our corporate firewall, therefore
making it very susceptible to attacks like this.

We have:
- Enforced strong passwords for people accessing this machine.
- Disabled NetBIOS over TCP/IP.

Unfortunately we are not able to disable file and print sharing because
we need to access a shared directory on that machine.
Again,
Thank you for your suggestions.
 
OK. Usually a proxy server has at least two network adapters. If the network
share does not need to be exposed to the internet [hopefully not] then you
could disable file and print sharing on just the external network adapter
and leave it enabled on the "internal" adapter. Usually if a share needs to
be available to internet users a VPN server is used. If you want to use a
software firewall I like Sygate Pro. You could install it and disable the
firewall itself if you do not need it and just use it for its ample logging
abilities. --- Steve

http://smb.sygate.com/ --- Sygate Pro. Works on server and has free trial
period.
 