best method to stop brute force hack attempts?

Discussion in 'OT Technology' started by AVengeance, Dec 18, 2006.

  1. AVengeance

    AVengeance Active Member

    Joined:
    Aug 17, 2004
    Messages:
    22,615
    Likes Received:
    0
    Location:
    In my bunker Position:Hunkering
    I'm running Win2k Server, and it doesn't have any built-in way to sense that a certain IP keeps trying to log in as "ADMIN" or "ADMINISTRATOR". Such a brute force attack is fruitless, but it fills up my security log file and generally pisses me off. What software is there that will sense the attack and just deny the IP after a certain # of attempts?

    Thanks!
     
  2. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
    Well the first thing to do is rename your admin account.

    Secondly - why is this accessible to the internet?
     
  3. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
  4. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    :werd: & :werd:

    Especially the second: why is it accessible from the internet?
     
  5. AVengeance

    Uh, it's the webserver?

    There is no account called ADMIN or ADMINISTRATOR which is why the brute force attack will never get through. It's just irritating, and I'd like a way to shut an IP out after x number of attempts. I have no idea why Microsoft didn't design this into the OS or IIS.
     
  6. EvilSS

    Uh, is all you have exposed 80/443? If so you can use IIS to block IPs in the Directory Security Tab/IP Address and Domain Name Restrictions section.
     
  7. 5Gen_Prelude

    Yeah - don't open anything other than those ports. You want access to the box? VPN, then remote control it.
     
  8. AVengeance

    Hmm... maybe I could use a script (WSH) to read the log file on occasion (say, midnight or hourly) and then ban IPs specifically based on that?
    I'd like something DYNAMIC, and something I don't have to mess with once it's running. Firewalls block ports, fine, but I'm talking about shutting someone down from a specific IP after they've tried logging on x times, and maybe keeping their IP banned for a specific time (just to keep the file a reasonable size), like 365 days.

    I NEED to have certain ports open, like 80, HTTPS, FTP, the mail ports, etc. I've already shut down other unneeded ports, but when someone tries logging on via FTP (to assumably upload then "get" an ASP page or similar script) a thousand times, it's just irritating.
     
  9. fintheman

  10. fintheman

    Can you not set a set of rules for which IPs can and can't access it through the firewall?

    What service(S)/port(S) are they trying to do this on?

    Captchas?

    If this wasn't a M$ Machine, I'd have the solution for ya.

    AHhhhh

    Got it


     
  11. fintheman

    http://www.insight-onsite.us/ftpsecurity/

    This service:
    • Monitors the System Event Log for a failed password attempt
    • Reads the IIS FTP logs to determine the IP address of the attacker
    • Ignores attempts from "IEUser@" because IE always sends this request before asking for a password
    • Adds the IP address to the blacklist of the FTP root and restarts all sites (not IIS)
    • Errors are reported to the Application Event Log
    It can also:
    • Delete logs that are a certain number of days old (configurable). If you use this, FTPSecurity will remove the IP addresses of attackers no longer in the logs, so it's also a way of keeping the IP block list short. I like this because between spoofed IP addresses and dynamic IPs, I never get hit by the same IP after a couple of days.
    • Blacklist any IP trying to log in to any account after a certain number of attempts (configurable)
    • Blacklist any IP on the first attempt to log in as certain users (configurable)
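    The approach AVengeance sketched in post 8 and the FTPSecurity behaviour described above (count failed logins per source IP from the IIS FTP log, skip the "IEUser@" probe, blacklist after N attempts for a fixed period) as an added example; this is not FTPSecurity's or the poster's code. It assumes IIS W3C extended-format FTP logs with a `#Fields:` header and a constructed sample log in place of a real one.

```python
"""Count failed IIS FTP logins per client IP and build a time-limited block list.
Added example, not FTPSecurity's code; field names follow the IIS W3C extended format."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (TEST-NET addresses, made-up usernames), not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2006-12-18 03:14:11 203.0.113.5 administrator [1]USER - 331 0
2006-12-18 03:14:12 203.0.113.5 administrator [1]PASS - 530 1326
2006-12-18 03:14:13 203.0.113.5 admin [2]PASS - 530 1326
2006-12-18 03:14:14 203.0.113.5 admin [3]PASS - 530 1326
2006-12-18 03:14:20 198.51.100.7 IEUser@ [4]PASS - 530 1326
2006-12-18 03:14:21 198.51.100.7 IEUser@ [5]PASS - 530 1326
2006-12-18 03:15:00 192.0.2.9 webmaster [6]PASS - 230 0
2006-12-18 03:15:30 192.0.2.9 webmaster [7]PASS - 530 1326
"""

def parse_w3c(text):
    """Yield one dict per record; column names come from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or partial lines
                yield dict(zip(fields, values))

def failed_logins(records, ignore_prefixes=("IEUser@",)):
    """Count failed PASS commands (sc-status 530) per client IP. Usernames with an
    ignored prefix (IE's anonymous probe, as the thread notes) are not counted."""
    counts = defaultdict(int)
    for r in records:
        if not r["cs-method"].endswith("PASS") or r["sc-status"] != "530":
            continue
        if r["cs-username"].startswith(ignore_prefixes):
            continue
        counts[r["c-ip"]] += 1
    return dict(counts)

def build_blocklist(text, threshold=3, ban_days=365, now=None):
    """Return {ip: ban_expiry} for every IP with at least `threshold` failures."""
    now = now or datetime.now(timezone.utc)
    counts = failed_logins(parse_w3c(text))
    return {ip: now + timedelta(days=ban_days) for ip, n in counts.items() if n >= threshold}
```

    Feeding the returned addresses into the FTP site's IP restriction list (and dropping entries whose expiry has passed) gives the "ban for x days" behaviour the thread asks for; a real deployment would read the current day's log file instead of `SAMPLE_LOG`.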
     
  12. EvilSS

    How many people use the FTP service? If it's just a few the easiest solution might be to just shift the port off of 21.
     
  13. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    Block the offending IP address on your router.
     
  14. AVengeance

    Thanks! I'll do some looking at this one...

    edit:

    This looks like what I was thinking of doing. I'll be able to mod this script to do what I need it to. Thanks again. Now OT has made up for a tiny fraction of the productivity it has cost me :wiggle:
     
    Last edited: Dec 20, 2006
