4

My newly acquired windows 2008 virtual server now has 3.500 entries (in three days) in its security log, most of which are of event ID 4625: "An account failed to log on".

The login attempts appear rather quick - about 10-20 attempts per second. I guess this is an attack - is that correct?

It does not appear as if the attacker (I'll just use this name) was successful in logging in and brute-forcing the password should not be easy since it is long and complicated...

However, I wonder whether there is something I can do systematically? How about changing the port of rdp? A hardware firewall will probably help?

Moreover, the server now hosts only a single website which is not even public yet, so I didn't expect any traffic of this kind so soon. A little vague: will this get much worse when the site goes online?

mnemosyn
  • 277
  • 2
  • 3
  • 11

3 Answers3

3

Could be. Then again it could also be an application trying to log on under credentials where the password has been changed or expired.

You should look closer at the events and establish: - What kind of logon is occuring? See if it's RDP, or some other kind of access - What account names are being attempted (If it's random account names you don't recognize, or running through A-Z of names, then definitely an attack)

Outside of that, verify that RDP to your server is accessible publically. If so, do you really need that? If your virtual server is within your organisation, lock down your public firewall to prevent this (or ask the admin in charge of the firewall to do so). If it's out in the cloud, the provider should provide interfaces for controlling network access (virtual firewalls).

You have a pretty major security problem if you have servers available on the net that are not sitting behind a proper firewall. The boxes should be available exclusively on only the ports that are needed for operation, so a basic web serving box should only have firewall rules outbound for ports 80, and 443 if SSL is served.

Security should never be approached from the other direction (start all-permissive, then lock down only specific items). Likewise, moving to a non-standard port gives only a very minor increase in security.

Chris Thorpe
  • 9,953
  • 23
  • 33
  • Thanks for the hint. Names are {Administrator, Admin, IUSR, user, server, etc.} - looks like an attack. LogonType is alwasy "NetworkCleartext". According to MSDN that is typically an IIS login attempt? LogonProcess is always "advapi". I found this link http://blogs.msdn.com/puneetgupta/archive/2007/08/20/unknown-username-or-bad-password-inetinfo-exe-advapi.aspx but it seems to be a little over-engineering for my small vps. – mnemosyn Feb 25 '10 at 10:07
  • Worth checking what kinds of authentication IIS is configured to pass-through from clients. If your site doesn't need external users to authenticate with a windows account, turn off non-anonymous authentication methods. – Chris Thorpe Feb 25 '10 at 10:34
  • Anonymous and Forms authentication are turned on - the website uses forms login. However, I didn't establish what is being attacked here: IIS or RDP. From what MSDN says, it rather seems to be IIS. However, what is being attacked in IIS then? I'm a little confused. I guess my initial question is badly formulated because it might essentially not even have to do with RDP - will try to investigate further. Thanks! – mnemosyn Feb 25 '10 at 14:20
  • To help establish what's going on a bit more, perhaps fire up [Wireshark](http://www.wireshark.org/) to see if you can explicitly see the packets and what port they're coming in from. – Ashley Aug 05 '11 at 04:35
2

Chances are your IP was scanned and RDP was detected and someone decided to try and brute force it. Once your website goes online, the amount of attempts might grow, though there's no way of telling the future.

You should be able to change the RDP port from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp under the PortNumber key.

Be careful not to lock yourself out when installing a firewall. From what I know you may be able to set up a maximum number of login attempts from by configuring the Account Lockout Policy.

gekkz
  • 4,229
  • 2
  • 20
  • 19
0

I've got the same problem with my VPS - alongside RDP they are also trying to hack into SQL Server remotely. As a consequence, over a period of a few months they were gradually filling up my disk space with ever expanding logs!

My solution was to restrict who can connect in via IP addresses - these requests now fall at the first hurdle.

As has already been mentioned, you can also change the ports for each service - it might be worth doing this in conjunction with IP addresses - you can't be too secure!

I'd also second Chris's endorsement of the Principle of Least Privilege... Lock everything down, and gradually open things up - but as little as possible.

CJM
  • 730
  • 3
  • 12
  • 28