Security Issue on password attempt

Paul Proefrock

We had a recent entry in our Security Log, showing someone had tried to log
on remotely with a user name not in our system. The log said they tried
repeated passwords. The user name they attempted was "webmaster".

This smells fishy to me and I am curious if I should take any additional
steps to maintain our security. We do not use a domain name but an IP
address for our box, so someone would have to know the address to hit it. We
have locked down all ports except those necessary for our VPN and RWW/Remote
Access. Our passwords are the secure type but we don't change them
regularly. There are five users on the system and no one has left the
company that would point at a disgruntled ex-employee.

Should I be doing anything else? Our SBS2003 SP1 box sits behind a Linksys
router with 2 NIC cards. Typical 192.168.1.1 outside addresses,
192.168.16.xxx inside addresses. The passwords into the router and server
are 9-character alpha/numeric/symbol, so are relatively secure.

Suggestions or should I be concerned?

Thanks

Paul P
 
Cris Hanna \(SBS-MVP\)

The Linksys router is not a firewall.
A true firewall could hide your server. But I assume that what you saw in the security log was "failure".

So your server kept the intruders out as it should.

--
Cris Hanna [SBS-MVP]
--------------------------------------
Please do not respond directly to me, but only post in the newsgroup so all can take advantage

Chuck

Paul,

If you see evidence of brute force password attempts against your network, you
should be asking for advice in forums like microsoft.public.security, where
folks who read and parse security logs constantly hang out.

What security log are you looking at? The Linksys router log, or the server
log? The fact that you can see the attempts logged is good, because it means
that the attacker didn't get in (yet). But it should awaken your concerns.

Security is something that always changes.
 
Paul Proefrock

Chuck,
I first noticed the problem in our daily server performance report. I went
to the Event Log/Security and found 24 attempts in about an hour's span.
Looks like they tried about 15 times in about a 3-minute span, then again
about 8 times a couple of hours later.

They haven't been back and I don't see any signs of entry, but it concerns
me.

I'll try a post to the newsgroup you suggested. I came here first since I am
an SBS'er.

Thanks for the direction

Paul P
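The pattern Paul describes (15 failed logons in about 3 minutes against a username that does not exist, then 8 more later) is exactly what a small burst detector over the Security log would flag. The script below is an added example, not code from the thread; it runs over constructed lines in an assumed export format (timestamp, event ID, username, workstation) for Windows Server 2003 Event ID 529 (logon failure: unknown user name or bad password), and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed export format (constructed): "timestamp,event_id,username,workstation".
# Event ID 529 is the Windows Server 2003 failed-logon event the thread is about.
FAILED_LOGON = "529"
KNOWN_USERS = {"paul", "alice", "bob", "carol", "dave"}  # constructed: five local users


def constructed_log():
    """Sample lines mimicking the thread: 15 tries in ~3 min, 8 more two hours later."""
    lines = ["2006-03-02 08:05:10,529,paul,WS-PAUL"]  # one honest typo by a real user
    t = datetime(2006, 3, 2, 9, 12, 1)
    for i in range(15):  # burst 1: 15 attempts, 12 s apart
        lines.append(f"{t + timedelta(seconds=12 * i):%Y-%m-%d %H:%M:%S},529,webmaster,REMOTE01")
    t = datetime(2006, 3, 2, 11, 30, 0)
    for i in range(8):  # burst 2: 8 attempts, 15 s apart
        lines.append(f"{t + timedelta(seconds=15 * i):%Y-%m-%d %H:%M:%S},529,webmaster,REMOTE01")
    lines.append("2006-03-02 13:40:22,529,paul,WS-PAUL")
    return lines


def parse(lines):
    """Yield (time, user, workstation) for failed-logon events only."""
    for line in lines:
        ts, event_id, user, ws = line.strip().split(",")
        if event_id == FAILED_LOGON:
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.lower(), ws


def unknown_user_failures(lines, known_users=KNOWN_USERS):
    """Usernames that failed and do not exist on the box (the 'webmaster' case)."""
    return {user for _, user, _ in parse(lines) if user not in known_users}


def detect_bursts(lines, window=timedelta(minutes=5), threshold=8):
    """Sliding window per (user, workstation); report each window that reaches threshold.

    Returns tuples (user, workstation, first_time_in_window, count)."""
    by_key = defaultdict(list)
    for ts, user, ws in parse(lines):
        by_key[(user, ws)].append(ts)
    bursts = []
    for (user, ws), times in by_key.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the left edge forward
                start += 1
            if end - start + 1 == threshold:  # fire once, when the burst first qualifies
                bursts.append((user, ws, times[start], end - start + 1))
    return bursts
```

A lower threshold catches shorter bursts at the price of more noise; a real user mistyping twice in a day, as in the constructed "paul" lines, should not trigger it.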
 
Chuck

Stay safe, Paul. What you don't see is what you should be concerned about. For
an alternate educational opportunity, join an ISC / SANS discussion list, where
intrusion log entries are discussed in detail.
http://lists.sans.org/
 
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

SBSers can get enough security information from a SBS newsgroup... there
are things unique to the SBS box that he may not find in a generic
security group.

First, two NICs/Linksys means that I don't have as many tools at my
disposal for finding out exactly what IP address was nailing your box.

Review your IIS log files during that time frame to see if you can see
if someone was coming in from a neighboring IP address, or perhaps
someone was a number off in an IP address and meant to ping on your next
door neighbor.

Next, are your passwords for your other accounts long and strong? If
so.. just consider this like someone trying the door knob, seeing if
something was open.

Now then.. what are you using on this system.. because I truly have port
80 closed.. which you can do on your Linksys, and there will be no loss in
functionality if all you are using is RWW/OWA etc.

Susan (GSEC-security credential and yes I'm an SBSer)

The log he is looking at is the daily SBS email that is unique to SBS
and is built from the RRAS log files.. honestly ISA's log files are
better, and the addition of Dana Epp's Firewall Dashboard means I
always know who's hitting my box.