firefoxx04

Distinguished
Jan 23, 2009
Hello,

I have a server that is exposed to the internet. Currently only ports for remote desktop and FTPS are available from the outside. Sometimes I get someone trying to get onto my FTP. This is easily mitigated because their IP is logged and then I manually block it at the router.

I have noticed today (only because I happened to check!) that someone or something has been trying to log in for the past 48 hours. They have tried a seemingly endless amount of usernames but have not been successful.

I have since changed the port number for remote desktop to prevent them from trying further (until they port scan and find the new port).

Is there any free (open source preferable) software that can monitor and alert me of these attempts? Windows does a good job logging this but I can't figure out how to enable alerts. I can't even figure out where the IP address is logged. I would love to add them to my blacklist.

Bonus points if the software is cross platform and works on Ubuntu 14.04 LTS.

Thanks guys
 

turkey3_scratch

Estimable
Herald
Jul 15, 2014
I know this doesn't exactly answer the question, but people can run software (I forget what it's called) that constantly changes the IP, so IP blocking can't always prevent this. When I ran a web server, my website was attacked by a bot from someone, so I ended up blocking his IP, but the bot eventually had a new IP so I had to approach the issue by other means.
 

firefoxx04

Distinguished
Jan 23, 2009
I am sure they use all sorts of tricks. The IP blocking for the FTP attackers has worked well so far. The attacks are far less frequent.

I will check out RDP guard. Thanks

edit: RDP guard looks good but costs more than I am willing to pay. I am sure it is great, no doubt. This isn't a business class server, just a home file solution. I'll keep looking.
 

USAFRet

Illustrious
Moderator


Exposed directly to the internet, yes...you will get a continual hammering on it.
Put it behind your router/firewall, and use a dynamic DNS service.
 

firefoxx04

Distinguished
Jan 23, 2009
I am using a dynamic service. http://www.duckdns.org/. My tomato router supports several ddns services at the same time.

I still need to open ports on my router to get through to RDP and FTPS.

The hammering does not bother me; it's not knowing about it, and thus not being able to take action, that is my problem.
 

itmoba

Estimable
Aug 14, 2015
You may want to look into Security Onion -- it's an easy-to-use Linux distribution based on Ubuntu (Debian) that has honeypot, IDS, firewall software, and the like. For most, it should be fairly easy to install, configure, and deploy.

[edit -- update]
For login attempts, you want to configure the system to allow for "up to five tries." Upon the fifth failure, you should log the IP and MAC addresses and ban the foreign user lacking permission/rights to use your system. Repeated future attempts warrant reporting them to internet providers and admins.
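Nobody in the thread posted code, so the following is an added example (not from any poster, and not a real product) showing the shape of the alerting asked for in the first post together with the "five tries then ban" rule in the post above: it parses text-formatted Windows Security event 4625 (failed logon) records, counts failures per source address in a sliding window, and prints firewall commands for both platforms mentioned in the thread. The event text is constructed to resemble the 4625 message fields; the `Date:` line format, the addresses and the usernames are assumptions, and a real export (Event Viewer or `wevtutil`) would need the date parsing adjusted to its layout.

```python
"""Flag source addresses that hammer a Windows logon (Security event 4625).

Added example: runs on any platform with Python 3. The event text below is a
constructed sample shaped like the 4625 message fields, not a real export.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample. "Logon Type", "Account Name" and "Source Network Address"
# are the real 4625 field labels; the "Date:" line, timestamps and addresses
# are invented for this example.
RECORD_TEMPLATE = """\
Date: {ts}
Event ID: 4625
An account failed to log on.
Logon Type: {logon_type}
Account Name: {account}
Source Network Address: {ip}
"""

SAMPLE_ATTEMPTS = [
    # six tries from one address, five of them inside ten minutes
    ("2015-09-01 10:00:01", "administrator", "203.0.113.7", 10),
    ("2015-09-01 10:00:03", "admin", "203.0.113.7", 10),
    ("2015-09-01 10:00:04", "backup", "203.0.113.7", 10),
    ("2015-09-01 10:00:06", "guest", "203.0.113.7", 10),
    ("2015-09-01 10:00:09", "root", "203.0.113.7", 10),
    ("2015-09-01 10:30:00", "scanner", "203.0.113.7", 10),
    # a local console typo: Windows writes "-" when there is no network address
    ("2015-09-01 11:00:00", "bob", "-", 2),
    # one failure from elsewhere, below any sensible threshold
    ("2015-09-01 11:05:00", "alice", "198.51.100.9", 10),
]
SAMPLE_LOG = "\n".join(
    RECORD_TEMPLATE.format(ts=ts, account=acct, ip=ip, logon_type=lt)
    for ts, acct, ip, lt in SAMPLE_ATTEMPTS
)


class Event(NamedTuple):
    time: datetime
    account: str
    src_ip: str
    logon_type: int      # 10 = RemoteInteractive, i.e. an RDP logon


class Offender(NamedTuple):
    ip: str
    peak: int            # most failures seen inside one window
    total: int           # all failures from this address
    accounts: List[str]  # distinct usernames tried


FIELD_RE = re.compile(
    r"^(Date|Logon Type|Account Name|Source Network Address):\s*(.*)$", re.MULTILINE
)


def parse_events(text: str) -> List[Event]:
    """Turn blank-line-separated 4625 text records into Event tuples.

    Records without a usable source address (the "-" placeholder written for
    local failures) are skipped: there is nothing to block for them.
    """
    events = []
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for key, value in FIELD_RE.findall(record):
            # 4625 lists "Account Name" twice (subject, then the account that
            # failed); keeping the last occurrence picks the one that failed.
            fields[key] = value.strip()
        if "Date" not in fields:
            continue
        try:
            src = ipaddress.ip_address(fields.get("Source Network Address", "-"))
        except ValueError:
            continue
        events.append(Event(
            time=datetime.strptime(fields["Date"], "%Y-%m-%d %H:%M:%S"),
            account=fields.get("Account Name", "?"),
            src_ip=str(src),
            logon_type=int(fields.get("Logon Type", "0")),
        ))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count: an address is flagged once `threshold` failures
    fall inside any span of length `window` (the thread's "five tries")."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)
    flagged: Dict[str, Offender] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.time)
        recent = deque()
        peak = 0
        for ev in evs:
            recent.append(ev.time)
            while ev.time - recent[0] > window:  # drop tries older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = Offender(ip, peak, len(evs), sorted({e.account for e in evs}))
    return flagged


def block_commands(ip: str) -> Dict[str, str]:
    """Firewall one-liners a defender would run for a flagged address, for the
    two platforms the thread mentions (constructed illustration)."""
    return {
        "windows": f'netsh advfirewall firewall add rule name="block {ip}" '
                   f'dir=in action=block remoteip={ip}',
        "ubuntu": f"iptables -I INPUT -s {ip} -j DROP",
    }


if __name__ == "__main__":
    for ip, off in find_brute_force(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {off.total} failures, peak {off.peak} in 10 min, "
              f"accounts tried: {', '.join(off.accounts)}")
        for platform, cmd in block_commands(ip).items():
            print(f"  {platform}: {cmd}")
```

The Source Network Address field is the piece the first post could not find: for a failed RDP logon it carries the remote address and sits in the Security log under event 4625, which is why the parser keys on that label. The sliding window rather than a plain total is what keeps a single mistyped password from tripping the rule while still catching the "endless usernames" pattern described in the first post.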
 

USAFRet

Illustrious
Moderator


The attacker's IP is irrelevant.
You might find that it is simply a zombie box in a bedroom in Arizona, where the actual person is in Romania.
 

firefoxx04

Distinguished
Jan 23, 2009
Are you kidding me? I'm not some Fortune 500 company getting nailed by every hacker out there. It's one IP right now going after me.

50,000 tries from ONE system within the last 48 hours. I think it's more than worth it to just block that one IP to get them to stop right now.

How does nobody understand this logic... I get that it will come back. Someone different. I don't care. It takes 3 seconds to block an IP and it doesn't happen again for another month.