How do I tell if an attack is from an internal or external source

[Steve Everington]

Hello

I have been getting a series of (a few hundred) failed login attempts in the
early hours of the morning (a series of 529 & 681 login failure security
events). The 529 entry has a login in type of 3, which I believe is a
network login and the workstation name is the server's name.

Is there a way of telling whether the events are being caused by attempted
logins on my VPN or by a trojan/virus running on my server or some other
source?

Thanks

Steve Everington

 

[Tom Celica]

Eliminate the Virus / Trojan Question: You should be running Anti-Virus
Software on your VPN. If you are not, then you can run a free file system
scan on th Symantec web site.

Also I have had good success using the Microsoft Anti-spyware tool to get
rid of trojans. This can be downloaded from www.microsoft.com and select
anti-spyware from the downloads section

Also look at what ports are open on your VPN, Only Specific ports needed
for VPN traffic should be open to the internet. Your VPN needs ports 1723
and 47 open to the internet for VPN traffic. Run a security check from your
VPN box to determine which ports are open to the internet.
www.netscreen.com used to offer a security check but there are others out
there that will tell you what ports are open to the internet from your vpn
box.

Now if you have eliminated all the normal candidates for intrusion, You
don't have a virus, no trojan is running on your box and no un-needed ports
are open to the internet. You can increase the fields captured in your log
files on your VPN and you should be able to get the IP address the failed
logon attempts are coming from. With that IP you can find out if the failed
logon attempts are coming from an internal IP or an External IP.


Good Luck
-tom

 

[Steve Clark [MSFT]]

Not to nitpick, but you need IP Protocol 47 (GRE) and TCP port 1723 (PPTP
call/receive).

As with IPsec, IP protocols and TCP/UDP ports are not the same thing.
Again, I am not trying to slam anyone, but this understanding is necessary
since folks that might not be network professionals that have # access on a
router will think they're configuring the router correctly, and then it
doesn't work...

Cisco has good documents on enabling GRE and AH/ESP support on their
devices. I recommend reading their website for more details on how this is
done with their hardware (or consulting the site of the particular hardware
mfr. of the router you use).

 

[Guest]

Are they always try to hit the same point? I would run a sniffer and cature
what they are actually trying to a achieve, are they running exploit code
password grinding. I would for the minute try to isolate the target if
possible as much as possible, and remove or encryt any vital information from
it, you need to determine who is trying to do it and from where. Also, you
should be imlementing Endpoint security in your VPNs. Look at Check Point
SecureCLient and ZA Integrity

 

[Steven L Umbach]

If you are using l2tp for VPN then more than likely it is not from the VPN
as the attacker would need a trusted computer certificate to access the VPN
server before user authentication could be attempted. Also look in the
system log source remote access in Event Viewer which may be recording
remote access logon attempts if you have that auditing enabled for your VPN
server. As far as malware, you should of course scan for such. If this
coming from another computer on your network you should see the name of the
local network computer as the workstation name. If your firewall is
controlling traffic to your VPN server look in the firewall logs for traffic
that matches the time of these failed logon in the security log which may
show that a single IP address as the source of these logon attempts. If the
logon process is kerberos, then most likely the problem is the server itself
or another computer in the domain [assuming the VPN server is a domain
computer]. --- Steve