0

While Viewing the windows server 2008 event log, I always find many security events 4625/logon as follows:

**An account failed to log on.**

Subject:
    Security ID:        SYSTEM
    Account Name:       Sever-Name
    Account Domain:     WORKGROUP
    Logon ID:       0x3e7

Logon Type:         10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       admin (or administrator or user or any)
    Account Domain:     Sever-Name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x1b18
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:   Sever-Name
    Source Network Address: Some-Remote-IP
    Source Port:        Port#No (many ports in a row)

Detailed Authentication Information:
    Logon Process:      User32 
    Authentication Package: Negotiate

The above tries comes from single IP using all possible usernames and ports.

My Questions are:

  1. Are these regular attacks?
  2. How worried should I be? Should I monitor and block every single IP or only when there are huge attack?
  3. Is blocking IP through windows firewall by choosing to block "All Programs" means that this IP will not be able to even use the web and email service?
  4. If the answer to #3 is yes, is there a way to only block the Machine / RDP Access? Is it enough?
TheCleaner
  • 32,627
  • 26
  • 132
  • 191
hsobhy
  • 181
  • 1
  • 2
  • 10
  • so much for professional level questions. – tony roth Apr 19 '13 at 13:16
  • People will try to attack servers on the Internet all the time. If you have the firewall and OS properly configured you shouldn't be worried. I really, really doubt that you have the firewall configured correctly. – Chris S Apr 19 '13 at 13:27
  • As I see, the windows firewall has many rules that not activated and the green sign for active rules are for allowing ports of specific services and alternative mail ports etc. – hsobhy Apr 19 '13 at 13:30
  • Tony, I'm not an IT but still have my dedicated server supported by my hosting provider and i need to know more, should I delete this question and ask some where else? – hsobhy Apr 19 '13 at 13:36
  • 3
    If you're getting paid to maintain this server then you're in the right place. If this is for home/hobby/etc then it would be off-topic here and on-topic on [SU]. We can migrate it to the other site if that's the case. – Chris S Apr 19 '13 at 13:54
  • 1
    If you are using Windows Firewall on a web facing server, that is not sufficient. – DanBig Apr 19 '13 at 14:20
  • @DanBig Why not? Ideally you have a hardware appliance, but Windows Firewall has come a long way since the 2003 days. What parts of it are insufficient for a web-facing server? – MDMarra Apr 19 '13 at 14:28
  • I guess i'm not as trusting of Windows Firewall, maybe others are. – DanBig Apr 19 '13 at 14:30
  • Question: are you using Terminal Services at all? or just logging in at the 'console'? What's happening is, someone's probing your box for a vulnerable account, or a vulnerable service, so if you're not using any of the remote administration tools, it's best to just turn them off. – George Erhard Apr 19 '13 at 22:44

2 Answers2

4

This is what you need to do:

  1. Set up a VPN for secure remote access to your server.

  2. Place the server behind a firewall (hardware or software) and don't allow remote logons from anywhere. You must connect to the VPN if you want to connect remotely.

  3. Have a sandwich and enjoy how much better off you are now that you've done these basic security precautions.

After that is done, then you need to get a book on Windows administration (or administration in general) and read about firewall rules. Then configure yours appropriately. Only you know who needs to access what services from where. Take some time to look at all services running, decide which ones need to be publicly available (like web) and which ones don't (like RDP) and configure your firewall accordingly.

MDMarra
  • 100,734
  • 32
  • 197
  • 329
  • 1
    Great, my hosting support applied point 2 and changed the port of RDP to be added to the IP and added list of known attackers IPs now the event viewer shows zero failure logon. I will follow with the homework then .. but who will get me the **sandwich** :) Thanks a lot for your help. – hsobhy Apr 20 '13 at 15:57
  • In addition, support team also has installed Powershell 2.0 and configured some blocking scripts. looks they have left me over 8 months without the basics :) .. didn't know that we have to check and request even basic requirements while I'm on a "really good" hosting provider and data center. – hsobhy Apr 20 '13 at 16:09
-2

The truth is that if you are under a large DDOS attack firewall can't actually help you as it will run out of resources while banning ip address . Good solution is to have a failover ip and the best is to have a load balancing setup ..

If this is a small ddos simply by tracing and blocking these ips you will be ok..

user2145311
  • 1
  • 1