
While viewing the Windows Server 2008 event log, I always find many security events (4625 / logon) as follows:

**An account failed to log on.**

```
Subject:
    Security ID:            SYSTEM
    Account Name:           Server-Name
    Account Domain:         WORKGROUP
    Logon ID:               0x3e7
Logon Type:                 10
Account For Which Logon Failed:
    Security ID:            NULL SID
    Account Name:           admin (or administrator or user or any)
    Account Domain:         Server-Name
Failure Information:
    Failure Reason:         Unknown user name or bad password.
    Status:                 0xc000006d
    Sub Status:             0xc000006a
Process Information:
    Caller Process ID:      0x1b18
    Caller Process Name:    C:\Windows\System32\winlogon.exe
Network Information:
    Workstation Name:       Server-Name
    Source Network Address: Some-Remote-IP
    Source Port:            Port#No (many ports in a row)
Detailed Authentication Information:
    Logon Process:          User32
    Authentication Package: Negotiate
```

The above attempts come from a single IP, using all possible usernames and ports.

My Questions are:

  1. Are these regular attacks?
  2. How worried should I be? Should I monitor and block every single IP, or only when there is a huge attack?
  3. Does blocking an IP through Windows Firewall by choosing to block "All Programs" mean that this IP will not be able to use even the web and email services?
  4. If the answer to #3 is yes, is there a way to block only the machine / RDP access? Is that enough?
9
  • so much for professional level questions. Commented Apr 19, 2013 at 13:16
  • People will try to attack servers on the Internet all the time. If you have the firewall and OS properly configured you shouldn't be worried. I really, really doubt that you have the firewall configured correctly. Commented Apr 19, 2013 at 13:27
  • As far as I can see, the Windows firewall has many rules that are not activated, and the green sign for active rules is for allowing ports of specific services, alternative mail ports, etc. Commented Apr 19, 2013 at 13:30
  • 3
    If you're getting paid to maintain this server then you're in the right place. If this is for home/hobby/etc then it would be off-topic here and on-topic on Super User. We can migrate it to the other site if that's the case. Commented Apr 19, 2013 at 13:54
  • 1
    If you are using Windows Firewall on a web facing server, that is not sufficient. Commented Apr 19, 2013 at 14:20
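The 4625 text quoted in the question carries everything needed to tell a password-guessing run from an occasional typo: the target account name, the source address and the logon type (10 = RemoteInteractive, i.e. RDP). The script below is an added example, not code from the question or its answers. It parses that message text, groups failures by source address, and reports only sources that fail many logons across several usernames inside a short window; the thresholds, the rule names and the sample addresses (203.0.113.5 and 192.0.2.10 are documentation ranges) are assumptions. The two `netsh` strings it emits correspond to questions 3 and 4 above: a rule with `remoteip=` and no port blocks every inbound service from that address, while adding `protocol=TCP localport=3389` blocks RDP only.

```powershell
# Added example, not part of the original question or answers.
# Parses Security event 4625 message text, groups failures by source address and
# reports sources that look like a password-guessing run.
#
# To feed real events instead of the constructed samples (assumed usage):
#   $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#             ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Message = $_.Message } }

function ConvertFrom-Event4625 {
    param([Parameter(Mandatory)][object] $Event)   # needs .Time (DateTime) and .Message (string)
    $m = $Event.Message
    # (?s) lets '.' span line breaks, so the same pattern works for the one-line paste and real multi-line messages
    $user = [regex]::Match($m, '(?s)Account For Which Logon Failed:.*?Account Name:\s+(\S+)')
    $ip   = [regex]::Match($m, 'Source Network Address:\s+(\S+)')
    $type = [regex]::Match($m, 'Logon Type:\s+(\d+)')
    $sub  = [regex]::Match($m, 'Sub Status:\s+(0x[0-9A-Fa-f]+)')
    if (-not ($user.Success -and $ip.Success -and $type.Success)) { return $null }
    $subStatus = ''
    if ($sub.Success) { $subStatus = $sub.Groups[1].Value.ToLower() }   # 0xc000006a = bad password, 0xc0000064 = no such user
    [pscustomobject]@{
        Time      = $Event.Time
        UserName  = $user.Groups[1].Value
        SourceIP  = $ip.Groups[1].Value
        LogonType = [int]$type.Groups[1].Value        # 10 = RemoteInteractive (RDP)
        SubStatus = $subStatus
    }
}

function Find-LogonBruteForce {
    param(
        [Parameter(Mandatory)][object[]] $Events,
        [int] $MinFailures   = 10,   # thresholds are assumptions; tune them to your own baseline
        [int] $MinUserNames  = 3,
        [int] $WindowMinutes = 10
    )
    $rows = @($Events | ForEach-Object { ConvertFrom-Event4625 $_ } | Where-Object { $_ -ne $null })
    foreach ($group in ($rows | Group-Object SourceIP)) {
        $hits  = @($group.Group | Sort-Object Time)
        $start = 0
        # sliding window over the time-ordered failures from this one address
        for ($end = 0; $end -lt $hits.Count; $end++) {
            while (($hits[$end].Time - $hits[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
            $window = @($hits[$start..$end])
            $names  = @($window | Select-Object -ExpandProperty UserName -Unique)
            if ($window.Count -ge $MinFailures -and $names.Count -ge $MinUserNames) {
                $ip = $group.Name
                [pscustomobject]@{
                    SourceIP     = $ip
                    Failures     = $window.Count
                    UserNames    = ($names -join ',')
                    FirstSeen    = $window[0].Time
                    LastSeen     = $window[-1].Time
                    # question 4: RDP only
                    BlockRdpOnly = "netsh advfirewall firewall add rule name=`"Block RDP from $ip`" dir=in action=block protocol=TCP localport=3389 remoteip=$ip"
                    # question 3: every inbound service from that address
                    BlockAll     = "netsh advfirewall firewall add rule name=`"Block all from $ip`" dir=in action=block remoteip=$ip"
                }
                break   # one report per source address
            }
        }
    }
}

# Constructed sample shaped like the 4625 text in the question: one address walking
# through usernames on consecutive ports, plus one harmless typo from an admin workstation.
$template = 'An account failed to log on. Subject: Security ID: SYSTEM Account Name: SERVER01 Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 Account For Which Logon Failed: Security ID: NULL SID Account Name: {0} Account Domain: SERVER01 Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x1b18 Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: SERVER01 Source Network Address: {1} Source Port: {2} Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate'
$t0     = Get-Date '2013-04-19 13:00:00'
$names  = 'admin','administrator','user','test','root','guest','sql','backup','scan','www','ftp','oracle'
$sample = @()
for ($i = 0; $i -lt $names.Count; $i++) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(5 * $i); Message = ($template -f $names[$i], '203.0.113.5', (50000 + $i)) }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(3); Message = ($template -f 'administrator', '192.0.2.10', 51000) }

# Reports 203.0.113.5 (12 failures, 12 usernames within 1 minute); 192.0.2.10 stays below the thresholds.
Find-LogonBruteForce -Events $sample | Format-List
```

The detection key is the combination of volume and username spread per source address, not the count alone: a single administrator mistyping a password several times produces the same 0xc000006a sub status but only one account name. Since Windows Firewall with Advanced Security gives block rules precedence over allow rules, either emitted `netsh` rule takes effect immediately even while the built-in Remote Desktop allow rule is enabled.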

2 Answers

4

This is what you need to do:

  1. Set up a VPN for secure remote access to your server.

  2. Place the server behind a firewall (hardware or software) and don't allow remote logons from anywhere. You must connect to the VPN if you want to connect remotely.

  3. Have a sandwich and enjoy how much better off you are now that you've done these basic security precautions.


After that is done, then you need to get a book on Windows administration (or administration in general) and read about firewall rules. Then configure yours appropriately. Only you know who needs to access what services from where. Take some time to look at all services running, decide which ones need to be publicly available (like web) and which ones don't (like RDP) and configure your firewall accordingly.

2
  • 1
    Great, my hosting support applied point 2, changed the RDP port to be added to the IP, and added a list of known attackers' IPs; now the event viewer shows zero failed logons. I will follow up with the homework then .. but who will get me the sandwich :) Thanks a lot for your help. Commented Apr 20, 2013 at 15:57
  • In addition, the support team has also installed PowerShell 2.0 and configured some blocking scripts. Looks like they left me for over 8 months without the basics :) .. I didn't know that we have to check and request even basic requirements while I'm on a "really good" hosting provider and data center. Commented Apr 20, 2013 at 16:09
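Point 2 of the answer above, "don't allow remote logons from anywhere", translates on Windows Server 2008 into scoping the existing Remote Desktop allow rule to the VPN address pool rather than adding a broad block rule, because in Windows Firewall with Advanced Security a block rule would override the allow rule and shut the VPN clients out as well. The function below is an added example, not the answer author's code; it assumes the built-in rule still carries its shipped name "Remote Desktop (TCP-In)" and uses 10.8.0.0/24 as a placeholder for the VPN pool.

```powershell
# Added example, not part of the original answer.
# Scopes inbound TCP 3389 to the VPN pool and makes "block" the inbound default,
# so RDP is reachable only through the VPN described in the answer.
# Assumptions: rule name "Remote Desktop (TCP-In)" (shipped default), VPN pool 10.8.0.0/24 (placeholder).
function Set-RdpAllowScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $VpnSubnet = '10.8.0.0/24',
        [string] $RuleName  = 'Remote Desktop (TCP-In)'
    )
    $commands = @(
        # firewall on for every profile, inbound blocked unless an allow rule matches
        'netsh advfirewall set allprofiles state on',
        'netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound',
        # narrow the shipped allow rule instead of adding a block rule (block rules win over allow rules)
        "netsh advfirewall firewall set rule name=`"$RuleName`" new remoteip=$VpnSubnet enable=yes"
    )
    foreach ($cmd in $commands) {
        # -WhatIf prints each command without running it
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $cmd)) { & cmd /c $cmd }
    }
    # Any other enabled allow rule for 3389 would reopen the port; show them for review.
    netsh advfirewall firewall show rule name=all dir=in | Select-String -Context 0,12 'LocalPort:\s+3389'
}

Set-RdpAllowScope -VpnSubnet '10.8.0.0/24' -WhatIf
```

Run it with `-WhatIf` first and compare the printed commands against the rules you already have; a custom rule created by a hosting provider for a non-standard RDP port will not be caught by the name-based scoping and shows up in the final `show rule` listing only if it still uses port 3389.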
-2

The truth is that if you are under a large DDoS attack, a firewall can't actually help you, as it will run out of resources while banning IP addresses. A good solution is to have a failover IP, and the best is to have a load balancing setup ..

If this is a small DDoS, simply tracing and blocking these IPs will be fine ..
