
Problem Network (IP) monitoring/Brute Force

Discussion in 'Computer Security' started by HTF, Oct 19, 2009.

  1. HTF

    HTF Byte Poster

    Hi,

    - Every few days I notice unauthenticated access attempts in the event logs of my server; it's via RDP as well as the IIS server (as I have an FTP server secured by password). My questions are:

    1. I'm looking for good network/IP monitoring software so I could find out who the attacker is and block his IP. It would also be great if I could filter search criteria by IP with ports, so I could find only the RDP connections or FTP, for example (maybe a free one).
    2. What more can I do to prevent Brute Force attacks like this, apart from setting up GPO (Account Policies) etc.?
    3. Why don't I see his IP in the event logs like I can see mine when I'm accessing the server from home via RDP or FTP?

    Regards
     
    Last edited: Oct 19, 2009
    Certifications: A+
  2. jk2447

    jk2447 Petabyte Poster Moderator

    Microsoft's ISA software can do this for you, but I warn you now, it's a little complicated (I failed the exam for ISA 06)... but doable of course. The reason you can't see his trail correctly is probably because he's got half a clue what he's doing and is deleting his entries, which is quite common...
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  3. zebulebu

    zebulebu Terabyte Poster

    Is this an external attacker we're talking about? If so, then any firewall should log IP addresses of attackers. No need to get too technical with it - provided they haven't compromised your firewall (if they had, attempting to brute force TS on one of your servers would be the last of your worries!) all you need to do is set a suitably spiteful TS password (long, complex) - to which TSGrinder or other brute force attacks are pretty much useless. Change the password on a semi-regular basis. Disable all other accounts on the server (or at least ensure they aren't in the Remote Desktop Users group).
     
    Certifications: A few
    WIP: None - f*** 'em
  4. HTF

    HTF Byte Poster

    Hi

    Thank you for the reply; yes, it was an external attack. I found a program, it's 'peer guardian'; we'll see how it works ;)
     
    Certifications: A+
  5. zebulebu

    zebulebu Terabyte Poster

    Ummmm... PeerGuardian is designed to prevent firms appointed by the RIAA/MPAA from connecting to you for the purposes of (ahem) 'proving' you are downloading copyrighted materials via torrent sites. It's not designed for what you want.
     
    Certifications: A few
    WIP: None - f*** 'em
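
The thread points at firewall logs as the place to find source addresses and asks for a way to filter them by service port. The following is an added example, not code from any poster: it assumes the log is laid out like a Windows Firewall text log, and the sample records, addresses, threshold and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed sample laid out like a Windows Firewall log (pfirewall.log).
# Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-10-19 02:14:01 ALLOW TCP 203.0.113.50 192.0.2.10 40112 3389 0 - 0 0 0 - - - RECEIVE
2009-10-19 02:14:03 ALLOW TCP 203.0.113.50 192.0.2.10 40115 3389 0 - 0 0 0 - - - RECEIVE
2009-10-19 02:14:06 ALLOW TCP 203.0.113.50 192.0.2.10 40119 3389 0 - 0 0 0 - - - RECEIVE
2009-10-19 02:20:11 ALLOW TCP 203.0.113.50 192.0.2.10 40230 21 0 - 0 0 0 - - - RECEIVE
2009-10-19 08:30:00 ALLOW TCP 198.51.100.7 192.0.2.10 51000 3389 0 - 0 0 0 - - - RECEIVE
2009-10-19 12:45:10 ALLOW TCP 198.51.100.7 192.0.2.10 51044 3389 0 - 0 0 0 - - - RECEIVE
2009-10-19 19:02:31 ALLOW TCP 198.51.100.7 192.0.2.10 51102 3389 0 - 0 0 0 - - - RECEIVE
2009-10-19 19:05:00 ALLOW TCP 192.0.2.10 198.51.100.20 49200 21 0 - 0 0 0 - - - SEND
2009-10-19 19:06:00 DROP TCP 203.0.113.77 192.0.2.10 44000 80 48 S 1 0 65535 - - - RECEIVE
"""

SERVICES = {3389: "RDP", 21: "FTP"}  # destination ports the thread asks about

def parse(log_text):
    """Yield one dict per record, named by the log's own #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or odd lines
                yield dict(zip(fields, parts))

def inbound_attempts(log_text, services=SERVICES):
    """Count inbound TCP records per (source IP, service name)."""
    counts = Counter()
    for rec in parse(log_text):
        port = rec["dst-port"]
        if (rec["protocol"] == "TCP" and rec.get("path", "RECEIVE") == "RECEIVE"
                and port.isdigit() and int(port) in services):
            counts[(rec["src-ip"], services[int(port)])] += 1
    return counts

def suspects(log_text, threshold=3, trusted=frozenset()):
    """Sources at or above threshold, excluding known-good addresses."""
    hits = [(ip, svc, n) for (ip, svc), n in inbound_attempts(log_text).items()
            if n >= threshold and ip not in trusted]
    return sorted(hits, key=lambda h: (-h[2], h[0]))

if __name__ == "__main__":
    for ip, svc, n in suspects(SAMPLE_LOG, trusted={"198.51.100.7"}):
        print(f"{ip} {svc} {n} attempts")
```

Passing the administrator's own home address in `trusted` keeps legitimate logons out of the list, so the remaining sources are the candidates for a firewall block rule.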
