28,000 logon hack attempts in 7 days...

Ask questions about dedicated servers here and we and other users will do our best to answer them. Please also refer to the self-help section for tutorials and answers to the most commonly asked questions.
Post Reply
Patriot
A regular
A regular
Posts: 40
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Sun Jan 15, 2012 12:10 pm

28,000 logon hack attempts in 7 days...

Post by Patriot »

System: 6-core VDS Windows 2008 R2 x64

Hello,

While trying to track down the cause of numerous windows Logon application errors, I found a massive number of Audit Failures that are logon failures by unauthorized users attempting to hack the VDS. There have been 28,000 attempts since 9-2-12, and 2000+ yesterday.

Details show attempts to logon with a variety of user names coming from various IP addresses, but they primarily seem to be from China.

Is this a normal Brute Force attack that all public servers are exposed to or should I be concerned about it and take some sort of action?

I have followed all of the basic security guidelines suggested in the forums (disable Server service, strong passwords, using a virus scanner, etc.)

Thank you,

Patriot
rustydusty1717
This is my homepage
This is my homepage
Posts: 642
Joined: Sun Sep 20, 2009 6:15 pm

Re: 28,000 logon hack attempts in 7 days...

Post by rustydusty1717 »

Scanners just random passwords. Usually they are from China, to. I see this across my two host machines at work with ~10VM's on each. Logs stack up quickly...
Image
Patriot
A regular
A regular
Posts: 40
Joined: Sun Jan 15, 2012 12:10 pm

Re: 28,000 logon hack attempts in 7 days...

Post by Patriot »

rustydusty1717,

Do you consider these attacks a security risk and take appropriate measures or just ignore them?

Some of the Windows Server security forums suggest using RDP to access remote servers is highly risky and opens the server to just these sort of brute force attacks. They further suggest that VPN should be used instead of RDP, with RDP disabled.

Any thoughts on this approach?

Best regards,

Patriot
squirrelof09
This is my homepage
This is my homepage
Posts: 76
Joined: Mon Mar 14, 2011 5:09 pm

Re: 28,000 logon hack attempts in 7 days...

Post by squirrelof09 »

One thing I recommend to anyone I get to buy VDSes here is to change their RDP port.

http://support.microsoft.com/kb/306759

Explains how to do it.

I think you can restart the remote desktop services to instead of restarting the whole server.
User avatar
Edge100x
Founder
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle
Contact:

Re: 28,000 logon hack attempts in 7 days...

Post by Edge100x »

Brute-force attempts like these are very common. RDP is not a fundamentally insecure protocol and you're safe as long as you keep up with Windows updates and use a good password. But, I do recommend changing the port and/or adding firewall rules to only allow access from a select group of IPs (your admins), simply because processing all of those access attempts can cause performance problems for the server.
Patriot
A regular
A regular
Posts: 40
Joined: Sun Jan 15, 2012 12:10 pm

Re: 28,000 logon hack attempts in 7 days...

Post by Patriot »

Thank you, edge100x and squirrelof09 for some very helpful information.

Using the regedit command to change the RDP port was easy. Would it be worthwhile to also limit port access on the game server IP addresses to only those ports assigned to an active server? If so, how best can that be accomplished?

If I understand correctly, limiting IP access to RDP on the server can be done through Windows Firewall. However, as edge100x noted on this forum, Windows Firewall will cause some overhead.

According to Microsoft security forums, limiting IP access can also be done through the Local Security Policy management panel with "IP Security Policies on local computer." Is this a better alternative than using Windows Firewall? If so, are there any general guidelines to be aware of when creating a new IP security policy?

Thank you,

Patriot
User avatar
Edge100x
Founder
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle
Contact:

Re: 28,000 logon hack attempts in 7 days...

Post by Edge100x »

Changing the port is usually sufficient, but you could add firewall rules as well if you wish. It would be best to do this with either the Windows firewall or through the "Firewall" page for the VDS. I'd personally probably use the latter, since its interface is simpler and more powerful, and it is easy to update.

Make sure that you also shut down the "lanmanserver" service and others that you don't use, and follow these security basics: http://www.nfoservers.com/forums/viewto ... 262#p21262
rustydusty1717
This is my homepage
This is my homepage
Posts: 642
Joined: Sun Sep 20, 2009 6:15 pm

Re: 28,000 logon hack attempts in 7 days...

Post by rustydusty1717 »

Use a port higher than 10,000 :wink:
Image
CPx4
A semi-regular
A semi-regular
Posts: 27
Joined: Fri Mar 23, 2012 10:15 am

Re: 28,000 logon hack attempts in 7 days...

Post by CPx4 »

2 tips I can share :)

1) Not sure about NFO, but you can change the default Administrator username. Simply rename "Administrator" user to something else (remember it), log out, log back in with it. Then, create a 'dummy' 'Administrator' account that only is a member of 'Guests'.

That way, hackers trying to log in with 'Administrator' will fail, and even if they guess the PW (somehow), they won't have anything but 'guest' access.

2) Make sure if you are using RDP, and you're connecting from Windows 7/8, you have the 'Remote' tab under system properties set to accept connections from computers ONLY if they're using "Network Level Authentication"
Patriot
A regular
A regular
Posts: 40
Joined: Sun Jan 15, 2012 12:10 pm

Re: 28,000 logon hack attempts in 7 days...

Post by Patriot »

CPx4,

Thank you for those tips. They are very specific and actionable. I've thought about changing the default Administrator account and was rather surprised that the general security guidelines here on the forums didn't touch on the subject.

The second tip was implemented when I started using RDP.

Best regards,

Patriot
rustydusty1717
This is my homepage
This is my homepage
Posts: 642
Joined: Sun Sep 20, 2009 6:15 pm

Re: 28,000 logon hack attempts in 7 days...

Post by rustydusty1717 »

As long as you have a strong password with uppercase and numbers, I wouldn't worry. Automatic Windows updates as well. Other than that, don't stress too much. Only thing I personally do is on my firewall I have a virtual port setup that is high on the WAN side, and points to the standard 3389 on internal. So if anyone tries the standard port it won't work, and a standard scanner won't go high enough to catch the real virtual port being used for RDP. This isn't for VDS's here, though.
Image
Post Reply