Logon attempts - Network security

[customwebman]

Can some advise me the best procedure to adopt regarding almost continuous logon attempts.

Here are examples

The logon to account: Guest
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: KOREA-7AFF675FC
failed. The error code was: 3221225578

The logon to account: IWAM_WEBCORP
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: KOREA-7AFF675FC
failed. The error code was: 3221225578

Also what is the best way to block countries or IP blocks please.

Is the best method to protect my webserving small network to put in a hardware firewall or is there a better solution? I know nothing about hardware firewalls, rules or administration.

T1 -> Managed Cisco Router -> Webservers

What would be the best testing (from the outside of the local network) of the security of my little network's servers, bearing in mind I am new at this.

[Spyrus]

First thing you will want to make sure is that you do have a firewall running. Next disable accounts that you aren't using: Ie: guest and such. Make sure your shared drives are locked down by permissions. Do you have have a domain setup or is it just workgroups? Rename the administrator account to something that you will remember and ALWAYS ALWAYS use difficult passwords. Letters, numbers, symbols. Caps and not caps. Stick to somewhere around 10 characters or more.

http://www.antionline.com/showthread...light=password

Next I would probably recommend you take a look at iptables and setup a firewall using this. you will then be able to block IP ranges and have a secure firewall.

http://www.tutorgig.com/t/Iptables
http://www.aplawrence.com/Linux/iptables.html


Make sure all your windows OS's are up to date and running the most current patches so you are less likely to have an exploit hit on you. If you are running a webserver make sure you have it locked down too, also an easy way into your network. Pay attention to your logs. Also you may want to take a look at snort for testing your network and looking at some different ideas. if you have problems with iptables or anything else just ask on here, there are a LOT of smart ppl that know their stuff.

[cgkanchi]

The logon to account: Guest
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: KOREA-7AFF675FC
failed. The error code was: 3221225578

This tells me that the person attempting the logon is probably someone in your workgroup/domain. I might be wrong here, but if it's outside the workgroup/domain, shouldn't it show the IP of the machine attempting the login and not the hostname? If it is from within your network, you should give this guy a warning. Type "net send KOREA-7AFF675FC Your attempts to login to <your machine name here> have been logged. Further attempts will be treated as criminal intrusions." without the quotes. That should scare him off. Also, if it is outside your network, I'd say, disable remote logins altogether unless you really really need them. Also, patching your box would probably be a good idea.

Cheers,
cgkanchi

[Oso]

Come on buddy, what are you doing with a guest account on?? NEVER, NEVER keep a guest account. Guest and Administrator accounts should be disabled or at least changed names.

What are you doing without a firewall?...

Anyway, you can buy a firewall... I've had good experiences with Sonicwall, or make one yourself with an old box, linux, and a couple of NICs...

BTW, hello again guys, I'm back in antionline after a couple of years!

[customwebman]

The guest account is already disabled, the username for administrator is unusual, the password for it is also unusual. I am the only [Person] in my webgroup. I "workgroup" each individual server but they still argue over who is the master browser. Patches are all up to date.

Obviously someone outside our network is arttempting to break in - Right?

Is a Linux box as a firewall the easiest solution for a Newbie?

How would you rate ZoneAlarm sofware firewall for Win 2k server if at all?

I have heard firewalls can cause as many problems as they solve if you don't sufficiently comprehend their workings, And I don't.

I have a Linux box installed by a RHR specialist, who just kept saying "less is more".
Is this a good box to start the firewall project or not?

I will read through links you provided.

[|3lack|ce]

I agree with everyone else that you most likely need a firewall of some type in your Net. In addition, I'd suggest downloading a backtrace program (smart whois is a very good one I ran for years - but don't have the addy - it'll pop up on google tho). From there if the login attempts are malicious, you can backtrace who's doing it, contact their ISP admin, and shut 'em down. - be sure to save logs of every attempt to your net, most especially multiple ones, because the admins require undisputed proof of the hack attempt.

On firewalls, I strongly recommend my namesake. The only real prob I found with it is that it makes you a bit TOO paranoid seeing all the net activity out there :P

Be Well!

[Relyt]

Good Evening,

An old computer with "smoothwall" on it can work wonders. I have used one and it comes with snort as well.

http://www.smoothwall.org/

And as far as other firewall recommendations, see the link below and find out what the folks here recommended the most.

http://www.antionline.com/showthread...hreadid=260404

cheers

[customwebman]

Smoothwall requires DHCP which I do not run.
I like Linux but the learning curve at a time when
I am troubleshooting IIS publication failures is not
the best option right now.

Agreed, a good firewall is required but I think
I have to find the existing problem and cure it.
Then investigate firewall alternatives.
Lets face it, everyone commenting here has their own
solution to firewall protection. No one size fits all.
I am using ZoneAlarm Pro controlling what can come in
and what can go out. I would like to find the easiest way
to trap the attackers IP so that I can block them.
A passive approach suits me fine as long as I can keep
my servers safe. It appears that the current attack continues
until the IIS publishing service is compromised then the
events no longer show failed audits. During the attack,
publishing seems to stop and restart a few times then it stops
completely.

My priority is to enable IIS to provide continuous web page publication.
There is no notification it just stops web serving and there is
no reporting in events or anywhere else, even IIS itself is still
running. Once I have done that I will diligently investigate
and apply the best firewall I can. And then I want to be proactive
about prevention. This cure business is a real pain.

Appreciate everyone's comments they are very helpful.

[IKnowNot]

I checked out your other posts, profile, listed web site, and statements made and I am confused.

From what I gather you run a small home-based web hosting service. The confusion comes in with statements like

bearing in mind I am new at this

Give me a list to save time, be happy to oblige. otherwise I have no idea what you need to see and my guesses would waste our time.

and

Maybe it's time to put a hardware firewall somewhere but they have drawbacks and I have no experience of such things.

Granted, I am naive. But how did you put together this system without knowing more about network design the OS’s involved? ( Oh wait, this could be me if I listened to colleagues years ago!! )

It would helpful here if you filled out your profile more completely and we knew of your background and experience ( strong points and weaknesses ).
With this said there are others that can help you a whole lot more then me, but I believe you have come to the right place, albeit a little late in the game. Keep in mind, M$ is under pressure to make their software more secure, and updates that are designed such can break things. But bottom line is you are going to have to read a lot!!
Another piece of advice, FWIW: If the web site on your profile is actually you, remove it, again, remove the link. ( because you are new you may not know that I am paranoid ) You are listing a web hosting service there and then while searching for help describing your network. Bad Dog! Better to keep hackers guessing, especially when we ask for a network diagram. Only give that information to members who have earned your trust! Now, back to the post.

The browser service has failed to retrieve the backup list too many times on transport

Without knowing your knowledge and how you set up the servers, maybe this link can help
Appendix I - Windows 2000 Browser Service
Do you need this?

How about the
NIST Systems Administration Guidance for Windows 2000 Professional

T1 comes to my home office straight into managed Cisco router then gets switched to two ethernets which are switched to nodes (webservers, dns, mail, XP workstation)

Having a router helps, but make sure it is up-to-date with patches and you know how to properly configure it. You definitely need firewalls and IDS if you are going to run and manage a system like you are speaking, and you must constantly monitor them.

If you are connected to the Internet, you are under attack ( see 0Wn3d In 17 Minutes ) But depending on your clients you may be even a greater target. If they attack your clients then they are attacking your servers. Thus failed logon attempts could be coming from inside or outside, depending on wether they have compromised your servers or not. Without an IDS you may not know where they are truly coming from, ie. weather they have hacked your servers and are attacking from within.

That all said, and since I am WAY drunk and overdue for sleep, I really like a good Linux box: try Securing & Optimizing Linux: The Ultimate Solution v2.0
for an incite into securing linux and NETFILTER for firewalls, which you defiantly require. And, as stated, SNORT for IDS. Yes, “less is more” is correct when speaking of a dedicated firewall box or IDS system, or any system for that matter! The fewer services running, the less they can exploit!

Member chsh can be a real help with iptables ( NETFILTER )!!!! And don't forget to review the NMAP stuff here by thehorse13!

Good luck, hope this helps!

[customwebman]

Thank you for your help and advice I will attempt to address every point.

My website link has been removed and profile updated.

I must admit I am now confused, there is a fine line between giving away useful information to your next hacker/cracker. I hope I have not passed it.

Thank you again.