Server under attack?

Thread starter: Scott Schluer

Hello,

I think I may have someone trying to "brute force" their way into my server.
I have a colocated server running without a firewall (yes, I know...). I
recently saw a large spike in incoming/outgoing traffic that cannot be
traced to normal sources (www, ftp, mail, database, etc). I ran a packet
sniffer and am seeing LOTS of entries with a destination port of 139 and
445. Reviewing the ASCII data for those packets reveals such text as
"Administrator" with random characters following it that change with each
entry.

Can someone suggest a firewall solution? Or am I on the wrong track and
maybe something else is going on? I don't know a lot about firewalls on
servers...installing a software solution like Zone Alarm or McAfee would
lock up my server (I would assume) as it ships in a locked-down mode and I
wouldn't be able to get in remotely to change the settings and open up the
appropriate ports (the server is physically located in another state).
Please forgive my lack of experience here, but how do I go about locking
these ports down on a Windows 2000 Server machine?

Thanks for any help. Please respond to the group as the email account
associated with this message is not valid.

Scott
 
Also, upon further examination of the packet data, it appears they're trying
every Windows user account I have set up. I recently (within the last 20
minutes) changed the name of one of the accounts and now that account name
is appearing in the data also. How would someone get these usernames?

Scott
 
There is a way to get a list of user accounts through NetBIOS. Best get
that firewall up soon.
 
Disable file and print sharing on the external NIC ASAP, assuming it is not
needed for anything (including Computer Management remotely, which would be a
bad idea); that is what is attracting them and how they are getting user names.
Also look into using IPsec filtering via Local Security Policy if you can remote
into the server and access it via Remote Administration TS or such. Of course
you will need to know what ports to leave open to whom in order to configure the
policy. The nice thing about IPsec is that you can create the policy and when
you assign it, it takes effect almost immediately, and the same when you unassign it.
See the link below on how to configure IPsec filtering. --- Steve

http://www.securityfocus.com/infocus/1559
 
I would advise you to apply the Secedit template for
server or for domain controller. This will protect accounts
from brute-force attacks (due to policies included in the
template) and from any anonymous logon, even without a
firewall. A firewall is not necessary at all.
If you don't know how to apply a security template, you can
reach me at (e-mail address removed) or just sea
 
Well, thanks to everyone for their answers. The server WAS under attack from
multiple sources on multiple ports. I implemented a short-term software
firewall solution (until my colo provider puts me behind their shared
firewall) and in the last 10 hours or so, over 160,000 connection attempts
have been blocked to ports 139, 445 and 1433. My bandwidth usage has also
returned to normal.

Thanks!

Scott
 
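Scott's sniffer observation (traffic to 139 and 445 carrying "Administrator" and then every other account name in turn) and his final tally of blocked attempts to 139, 445 and 1433 both come down to per-source counting. The following Python script is an added example, not code from anyone in the thread: it parses a constructed one-line-per-packet capture layout (the format, addresses and account names are all made up for the example) and flags sources that hit those ports repeatedly or cycle through account names, while leaving normal www/mail traffic alone.

```python
import re
from collections import defaultdict

# Ports the thread names: NetBIOS session (139), SMB over TCP (445), MS SQL (1433).
WATCH_PORTS = {139, 445, 1433}
# Constructed one-line-per-packet layout (not any real tool's output):
# "<date> <time> <src ip>:<port> -> <dst ip>:<port> [user=<name>]"
LINE_RE = re.compile(
    r"\S+ \S+ (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"\d+\.\d+\.\d+\.\d+:(?P<dport>\d+)(?: user=(?P<user>\S+))?"
)

# Constructed sample: one host walking account names over SMB, one hammering
# 1433, and ordinary web traffic plus a single SMB logon that must not be flagged.
SAMPLE_LINES = """\
2003-05-12 10:01:03 203.0.113.7:1042 -> 198.51.100.5:445 user=Administrator
2003-05-12 10:01:04 203.0.113.7:1043 -> 198.51.100.5:139 user=backup
2003-05-12 10:01:04 203.0.113.7:1044 -> 198.51.100.5:445 user=scott
2003-05-12 10:01:05 203.0.113.7:1045 -> 198.51.100.5:445 user=webadmin
2003-05-12 10:01:06 198.18.0.9:2211 -> 198.51.100.5:1433
2003-05-12 10:01:06 198.18.0.9:2212 -> 198.51.100.5:1433
2003-05-12 10:01:07 198.18.0.9:2213 -> 198.51.100.5:1433
2003-05-12 10:01:08 192.0.2.20:3300 -> 198.51.100.5:80
2003-05-12 10:01:10 192.0.2.22:3302 -> 198.51.100.5:445 user=scott
""".splitlines()

def parse_line(line):
    """Return (src, dport, user) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("src"), int(m.group("dport")), m.group("user")

def summarize(lines, watch_ports=WATCH_PORTS, min_attempts=3):
    """Per-source stats for watched ports, keeping sources with at least
    min_attempts hits or more than one account name tried."""
    stats = defaultdict(lambda: {"attempts": 0, "ports": set(), "users": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport, user = parsed
        if dport not in watch_ports:
            continue  # www, mail, etc. are expected traffic
        stats[src]["attempts"] += 1
        stats[src]["ports"].add(dport)
        if user:
            stats[src]["users"].add(user)
    return {s: e for s, e in stats.items()
            if e["attempts"] >= min_attempts or len(e["users"]) > 1}
```

Run it against a real capture by feeding `summarize()` lines converted to the same layout; the two flagged sources in the sample are the SMB account-walker and the 1433 hammer.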