Windows Server being brute forced.

firefoxx04

Distinguished
Jan 23, 2009
40
0
18,590
3
Hello,

I have a server that is exposed to the internet. Currently only ports for remote desktop and FTPS are available from the outside. Sometimes I get someone trying to get onto my FTP. This is easily mitigated because their IP is logged and then I manually block it at the router.

I have noticed today (only because I happened to check!) that someone or something has been trying to log in for the past 48 hours. They have tried a seemingly endless amount of usernames but have not been successful.

I have sense changed the power number for remote desktop to prevent them from trying further (until they port scan and find the new port).

Is there any free (open source preferable) software that can monitor and alert me of these attempts? Windows does a good job logging this but I cant figure out how to enable alerts. I cant even figure out where the IP address is logged. I would love to add them to my blacklist.

bonus points if the software is cross platform and works on Ubuntu 14.04 lts.

Thanks guys
 

turkey3_scratch

Estimable
Herald
Jul 15, 2014
571
0
5,210
89
I know this doesn't exactly answer the question, but people can run software (I forget what it's called) that constantly changes the IP constantly, so IP blocking can't always prevent this. When I ran a web server, my website was attacked by a bot from someone, so I ended up blocking his IP, but the bot eventually had a new IP so I had to approach the issue by other means.
 

firefoxx04

Distinguished
Jan 23, 2009
40
0
18,590
3
I am sure they use all sorts of tricks. The IP blocking for the FTP attackers has worked well so far. The attacks are far less frequent.

I will check out RDP guard. Thanks

edit: RDP guard looks good but cost more than I am willing to pay. I am sure it is great no doubt. This isnt a business class server, just a home file solution. Ill keep looking.
 

USAFRet

Splendid
Moderator


Exposed directly to the internet, yes...you will get a continual hammering on it.
Put it behind your router/firewall, and use a dynamic DNS service.
 

firefoxx04

Distinguished
Jan 23, 2009
40
0
18,590
3
I am using a dynamic service. http://www.duckdns.org/. My tomato router supports several ddns services at the same time.

I still need to open ports on my router to get through to RDP and FTPS.

The hammering does not bother me, its not knowing about and thus not being able to take action that is my problem.
 

itmoba

Estimable
Aug 14, 2015
153
0
4,660
23
You may want to look into Security Onion -- it's an easy-to-use Linux distribution based on Ubuntu (Debian) that has honeypot, IDS, firewall software, and the like. For most, it should be fairly easy to install, configure, and deploy.

[edit -- update]
For login attempts, you want to configure the system to allow for "up to five tries." Upon the fifth failure, you should log the IP and mac addresses and ban the foreign user lacking permission/rights to use your system. Repeated future attempts warrant reporting them to internet providers and admins.
 

firefoxx04

Distinguished
Jan 23, 2009
40
0
18,590
3
I understand that. I am just looking for a bit of guidance. I cant seem to find the attacker's IP in event viewer (where I am seeing all of these log in attempts).

 

USAFRet

Splendid
Moderator


The attackers IP is irrelevant.
You might find that it is simply a zombie box in a bedroom in Arizona, where the actual person is in Romania.
 

firefoxx04

Distinguished
Jan 23, 2009
40
0
18,590
3
Are you kidding me? Im not some fortune 500 company getting nailed by every hacker out there. Its one IP right now going after me.

50,000 tries from ONE system within the last 48 hours. I think its more than worth it to just block that one IP to get them to stop right now.

How does nobody understand this logit... I get that it will come back. Someone different. I dont care. It takes 3 seconds to block and IP and it doesnt happen again for another month.
 
Thread starter Similar threads Forum Replies Date
A Antivirus / Security / Privacy 3
E Antivirus / Security / Privacy 2
T Antivirus / Security / Privacy 4
S Antivirus / Security / Privacy 3
CaptainCrape Antivirus / Security / Privacy 3
P Antivirus / Security / Privacy 3
_creature Antivirus / Security / Privacy 2
G Antivirus / Security / Privacy 3
S Antivirus / Security / Privacy 2
A Antivirus / Security / Privacy 2
R Antivirus / Security / Privacy 3
D Antivirus / Security / Privacy 3
S Antivirus / Security / Privacy 1
I Antivirus / Security / Privacy 3
G Antivirus / Security / Privacy 3
W Antivirus / Security / Privacy 4
G Antivirus / Security / Privacy 2
G Antivirus / Security / Privacy 3
J Antivirus / Security / Privacy 3
P Antivirus / Security / Privacy 5

ASK THE COMMUNITY

TRENDING THREADS