
I got a server with a Windows OS. The server is running many VMs using Hyper-V. The VMs are exposed to the internet. There is a single VM that is running NAT using Windows RRAS, which is connected to the router on one end and to the internal network on the other end. All other VMs are connected to the internal network. There are several ports mapped to be able to access services, like HTTP, HTTPS, mail and other things.

The server is also running a game-server service, and this attracted the attention of an angry user who, I think, is maybe DDoS'ing me. I need to know how he is performing the attacks, and prevent them from happening again. Being able to have logs written and other evidence of the attacks to report to the authorities would be a good plus. So far I thought the server security was OK, but it seems it is not.

Complete list of exposed services on the VMs: Apache 2.4 with PHP and MySQL, Exchange 2016, 3CX phone system, RRAS for VPN, ARK game server. There are other services, but they should not be exposed to the internet.

Overmind
  • What makes you think you're under attack? Logs? Poor performance? Can you perhaps post log samples? If you are indeed under attack it is quite probable that the person attacking you is not doing it from their home, but rented an army of botnets to DDoS you. But you never know, people are dumb sometimes. But if your assumption is correct, your logs should be flooded with requests. I would maybe have a look at the task manager to find out if a service is consuming more resources than others (e.g. HTTP) and watch the logs. – Kate May 08 '20 at 14:13

2 Answers

Sorry, I'm not familiar with PHP and MySQL, the 3CX phone system, etc. But for the security of the Exchange server, you could use some spam filters or transport rules (for example: if the sender is located outside the organization, forward the message for approval to one or more people) to moderate the external emails, or you could enable anti-spam functionality on Mailbox servers to help prevent spam.

Besides, here is one document about nine steps to secure Exchange Server; I hope it is helpful to you: Nine Steps to Secure your Exchange Server

Ivan_Wang

You are writing that you "think" someone is DoS'ing or DDoS'ing you.

A DDoS should be easy to detect and trace. There is just A LOT of traffic on the pipe, which should be visible in your monitoring graphs right away. To get more details, simply dump the WAN traffic (with Wireshark, tcpdump or whatever tool you prefer) for a while. This is possible directly on your RRAS host. Then check which IPs are sending which traffic. This can be a bit more time consuming, but if it's a real DDoS, you should be able to spot the unwanted packets almost right away (just because there are so many) and adjust your firewall accordingly.

The same goes for a DoS; it's maybe a bit harder to spot the "right" packets (the ones that are causing problems), but if this is an ongoing attack, it should be possible, too.

A DoS attack (usually) exploits flaws in your software. If the game server is under attack, check its updates, security tips and hardening guides. If other services are under attack, the same goes for them.

And for DoS: just because one service is down, this has no impact on the others. A DDoS would fill your pipe to every service, so that should be quite obvious.

bjoster
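The "check which IPs are sending which traffic" step from the answer above, as an added example that is not from the answer's author: it reads a tshark CSV export of a capture taken on the RRAS host's WAN side, totals packets and bytes per source address, and flags senders that dominate the capture at a high packet rate. The field names are tshark's; the packet rows are constructed rather than a real capture, and the byte-share and packets-per-second thresholds are assumptions to tune for your link.

```python
import csv
import io
from collections import defaultdict

# Assumed export command run on the RRAS host after capturing the WAN side:
#   tshark -r wan.pcap -T fields -E header=y -E separator=, \
#          -e frame.time_epoch -e ip.src -e ip.dst -e frame.len > wan.csv

def constructed_capture():
    """Constructed sample rows (not a real capture): one flooding source
    plus two ordinary clients talking to the NAT's public address."""
    rows = ["frame.time_epoch,ip.src,ip.dst,frame.len"]
    t0 = 1588946000.0
    rows += [f"{t0 + i * 0.01:.2f},198.51.100.7,192.0.2.5,1500" for i in range(200)]
    rows += [f"{t0 + i * 0.20:.2f},203.0.113.10,192.0.2.5,120" for i in range(10)]
    rows += [f"{t0 + i * 0.40:.2f},203.0.113.22,192.0.2.5,80" for i in range(5)]
    return "\n".join(rows)

def summarize_by_source(csv_text):
    """Return {src_ip: {"packets", "bytes", "pps"}} for every sender seen."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["ip.src"]:            # non-IP frames export an empty ip.src
            continue
        ts = float(row["frame.time_epoch"])
        s = stats[row["ip.src"]]
        s["packets"] += 1
        s["bytes"] += int(row["frame.len"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    for s in stats.values():
        span = max(s["last"] - s["first"], 0.01)   # guard single-packet senders
        s["pps"] = s["packets"] / span
    return dict(stats)

def suspected_flood_sources(stats, byte_share=0.5, min_pps=50.0):
    """Senders that account for at least `byte_share` of all bytes AND sustain
    `min_pps` packets/s; both thresholds are assumptions, not measured limits."""
    total = sum(s["bytes"] for s in stats.values()) or 1
    return sorted(src for src, s in stats.items()
                  if s["bytes"] / total >= byte_share and s["pps"] >= min_pps)

if __name__ == "__main__":
    stats = summarize_by_source(constructed_capture())
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{src:15} {s['packets']:5d} pkts {s['bytes']:8d} B {s['pps']:7.1f} pps")
    print("suspected flood sources:", suspected_flood_sources(stats))
```

The per-source table is also the evidence to keep alongside the raw pcap when reporting the incident, since it shows which addresses sent what and when.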