28,000 logon hack attempts in 7 days...
- A regular
- Posts: 40
- https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
- Joined: Sun Jan 15, 2012 12:10 pm
System: 6-core VDS Windows 2008 R2 x64
Hello,
While trying to track down the cause of numerous Windows Logon application errors, I found a massive number of Audit Failures that are logon failures by unauthorized users attempting to hack the VDS. There have been 28,000 attempts since 9-2-12, and 2000+ yesterday.
Details show attempts to logon with a variety of user names coming from various IP addresses, but they primarily seem to be from China.
Is this a normal Brute Force attack that all public servers are exposed to or should I be concerned about it and take some sort of action?
I have followed all of the basic security guidelines suggested in the forums (disable Server service, strong passwords, using a virus scanner, etc.)
Thank you,
Patriot
Patriot-Games.net
Great People. Great Games.
Steam Group: http://steamcommunity.com/groups/Patriot-Games
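Before deciding whether to act, it helps to know who is knocking and at which accounts. The following is an added example, not code from the original post: it summarises Event ID 4625 (an account failed to log on) from the Security log on the VDS itself, grouped by source address, user name, logon type and day. It assumes an elevated PowerShell session on Windows Server 2008 R2 or later (Get-WinEvent ships with PowerShell 2.0) and that failure auditing for Logon is enabled, which is the 2008 R2 default. The 2 Sep 2012 cutoff at the bottom just mirrors the dates in the post.

```powershell
# Added example: summarise failed logons (Event ID 4625) from the local Security log.
# Assumes an elevated session on Windows Server 2008 R2+ with Logon failure auditing on.

function Get-FailedLogonSummary {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # default: the last 7 days
        [int]$Top = 20
    )

    # Pull only 4625 events newer than $Since; the filter runs inside the event log service.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No 4625 events since $Since. Check failure auditing with: auditpol /get /category:Logon/Logoff"
        return
    }

    # Read the named EventData fields from the XML rather than trusting positional Properties[] indexes.
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            IpAddress = $d['IpAddress']
            LogonType = $d['LogonType']   # 10 = RDP; 3 = network, which is also what NLA/CredSSP failures log as
            SubStatus = $d['SubStatus']   # 0xC0000064 = no such user, 0xC000006A = wrong password
        }
    }
    $rows = @($rows)

    "Total failed logons since ${Since}: $($rows.Count)"

    "`nTop source addresses:"
    $rows | Group-Object IpAddress | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name | Format-Table -AutoSize

    "`nTop user names tried:"
    $rows | Group-Object User | Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name | Format-Table -AutoSize

    "`nBy logon type:"
    $rows | Group-Object LogonType | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    "`nBy failure reason (SubStatus):"
    $rows | Group-Object SubStatus | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    "`nFailures per day:"
    $rows | Group-Object { $_.Time.ToString('yyyy-MM-dd') } | Sort-Object Name |
        Select-Object Name, Count | Format-Table -AutoSize
}

# Same window as the post: everything since 2 Sep 2012.
Get-FailedLogonSummary -Since ([datetime]'2012-09-02')
```

A long list of distinct user names with SubStatus 0xC0000064 (user does not exist) against a handful of source addresses is the signature of a password-spraying scanner rather than a targeted attack on a known account. The per-day table is also the quickest way to confirm, after changing the RDP port or adding firewall rules, that the noise actually stopped. One caveat: once Network Level Authentication is required, failed RDP attempts are logged as LogonType 3 rather than 10, and on some builds the IpAddress field is recorded as "-", so do not be surprised if that column goes blank after hardening.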
- Posts: 644
- Joined: Sun Sep 20, 2009 6:15 pm
Re: 28,000 logon hack attempts in 7 days...
Scanners just trying random passwords. Usually they are from China, too. I see this across my two host machines at work with ~10 VMs on each. Logs stack up quickly...
Re: 28,000 logon hack attempts in 7 days...
rustydusty1717,
Do you consider these attacks a security risk and take appropriate measures or just ignore them?
Some of the Windows Server security forums suggest using RDP to access remote servers is highly risky and opens the server to just these sort of brute force attacks. They further suggest that VPN should be used instead of RDP, with RDP disabled.
Any thoughts on this approach?
Best regards,
Patriot
Patriot-Games.net
Great People. Great Games.
Steam Group: http://steamcommunity.com/groups/Patriot-Games
- Posts: 76
- Joined: Mon Mar 14, 2011 5:09 pm
Re: 28,000 logon hack attempts in 7 days...
One thing I recommend to anyone I get to buy VDSes here is to change their RDP port.
http://support.microsoft.com/kb/306759
Explains how to do it.
I think you can restart the Remote Desktop Services too, instead of restarting the whole server.
Re: 28,000 logon hack attempts in 7 days...
Brute-force attempts like these are very common. RDP is not a fundamentally insecure protocol and you're safe as long as you keep up with Windows updates and use a good password. But, I do recommend changing the port and/or adding firewall rules to only allow access from a select group of IPs (your admins), simply because processing all of those access attempts can cause performance problems for the server.
Re: 28,000 logon hack attempts in 7 days...
Thank you, edge100x and squirrelof09 for some very helpful information.
Using the regedit command to change the RDP port was easy. Would it be worthwhile to also limit port access on the game server IP addresses to only those ports assigned to an active server? If so, how best can that be accomplished?
If I understand correctly, limiting IP access to RDP on the server can be done through Windows Firewall. However, as edge100x noted on this forum, Windows Firewall will cause some overhead.
According to Microsoft security forums, limiting IP access can also be done through the Local Security Policy management panel with "IP Security Policies on local computer." Is this a better alternative than using Windows Firewall? If so, are there any general guidelines to be aware of when creating a new IP security policy?
Thank you,
Patriot
Patriot-Games.net
Great People. Great Games.
Steam Group: http://steamcommunity.com/groups/Patriot-Games
Re: 28,000 logon hack attempts in 7 days...
Changing the port is usually sufficient, but you could add firewall rules as well if you wish. It would be best to do this with either the Windows firewall or through the "Firewall" page for the VDS. I'd personally probably use the latter, since its interface is simpler and more powerful, and it is easy to update.
Make sure that you also shut down the "lanmanserver" service and others that you don't use, and follow these security basics: http://www.nfoservers.com/forums/viewto ... 262#p21262
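The port change from squirrelof09's post and the admin-only firewall rule edge100x recommends above are one procedure, and the order matters: open the new port before moving the listener, or you lock yourself out. The following is an added example and not code from any post in this thread. It assumes an elevated PowerShell session on Windows Server 2008 R2 using the built-in Windows Firewall (the VDS control panel's firewall page would be the equivalent for the other option), writes the same PortNumber registry value that KB306759 describes, and uses 33890 and the RemoteIp list as placeholders to replace with your own port and admin addresses.

```powershell
# Added example: move RDP off 3389, allow the new port only from admin addresses,
# then restart the listener. Assumes an elevated session on Windows Server 2008 R2.
# 33890 and $AdminIps are placeholders.

$NewPort  = 33890                              # pick something above 10000, as suggested in the thread
$AdminIps = '203.0.113.10,198.51.100.0/24'     # placeholder admin IPs/ranges, comma separated for netsh

$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$oldPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
"Current RDP port: $oldPort"

# 1. Open the new port first, scoped to the admin addresses. The built-in
#    'Remote Desktop (TCP-In)' rule is tied to 3389 and will not cover the new port.
netsh advfirewall firewall add rule name="RDP (custom port, admins only)" `
    dir=in action=allow protocol=TCP localport=$NewPort remoteip=$AdminIps

# 2. Point the RDP listener at the new port (the KB306759 registry value).
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 3. Restart the listener instead of the whole server. This drops every current
#    RDP session, including yours, so reconnect to host:$NewPort afterwards.
Restart-Service -Name TermService -Force

# 4. Verify something is listening on the new port before closing the old one.
$listening = netstat -ano | Select-String -Pattern ":$NewPort\s+.*LISTENING"
if ($listening) {
    "RDP now listening on $NewPort"
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
} else {
    Write-Warning "Nothing listening on $NewPort; leaving the 3389 rule enabled so you can still get in."
}

# Connect afterwards with: mstsc /v:your.server.address:33890
```

Scoping the rule with remoteip is what actually removes the brute-force traffic; the port change on its own only hides the listener from scanners that stop at the well-known ports. If your admin connections come from dynamic addresses, widen the range to the ISP's block rather than dropping the restriction altogether, and keep a console or VNC path to the VDS available until you have confirmed the new rule works.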
- Posts: 644
- Joined: Sun Sep 20, 2009 6:15 pm
Re: 28,000 logon hack attempts in 7 days...
Use a port higher than 10,000
Re: 28,000 logon hack attempts in 7 days...
2 tips I can share
1) Not sure about NFO, but you can change the default Administrator username. Simply rename the "Administrator" user to something else (remember it), log out, log back in with it. Then, create a 'dummy' 'Administrator' account that is only a member of 'Guests'.
That way, hackers trying to log in with 'Administrator' will fail, and even if they guess the PW (somehow), they won't have anything but 'guest' access.
2) Make sure if you are using RDP, and you're connecting from Windows 7/8, you have the 'Remote' tab under system properties set to accept connections from computers ONLY if they're using "Network Level Authentication"
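The two tips above can be scripted so they are repeatable across servers. The following is an added example, not code from CPx4's post or from NFO. It assumes an elevated PowerShell 2.0 session on a stand-alone (non-domain) Windows Server 2008 R2, so local accounts are handled through the ADSI WinNT provider, which predates Rename-LocalUser; 'svc-ops' is a placeholder for the new administrator name. It finds the real built-in Administrator by its RID of 500 rather than by name, so it is still correct if the account was renamed earlier.

```powershell
# Added example: rename the built-in Administrator, leave a decoy 'Administrator'
# in Guests only, and require Network Level Authentication for RDP.
# Assumes an elevated PowerShell 2.0 session on a stand-alone Windows Server 2008 R2.
# 'svc-ops' is a placeholder name.

$NewAdminName = 'svc-ops'
$Computer     = $env:COMPUTERNAME

# 1. Locate the real built-in Administrator by RID 500, not by name.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
           Where-Object { $_.SID -like 'S-1-5-*-500' }
if ($builtin.Name -ne $NewAdminName) {
    $acct = [ADSI]"WinNT://$Computer/$($builtin.Name),user"
    $acct.psbase.Rename($NewAdminName)      # SID, password and group memberships are unchanged
    "Renamed built-in Administrator ($($builtin.SID)) to $NewAdminName"
}

# 2. Decoy: an ordinary account named 'Administrator', Guests only, random password nobody knows.
#    Guesses against it still appear in the Security log as 4625 with
#    TargetUserName=Administrator, which makes it a cheap tripwire.
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$decoyPassword = [Convert]::ToBase64String($bytes)

$machine = [ADSI]"WinNT://$Computer"
$decoy   = $machine.Create('User', 'Administrator')
$decoy.SetPassword($decoyPassword)
$decoy.SetInfo()
$decoy.Description = 'Decoy account; not used for anything'
$decoy.SetInfo()

$decoyPath = "WinNT://$Computer/Administrator,user"
$guests = [ADSI]"WinNT://$Computer/Guests,group"
$guests.Add($decoyPath)

# 3. Require NLA on the RDP-Tcp listener and use TLS rather than legacy RDP security.
#    The WMI methods apply immediately to new connections; no service restart needed.
$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$ts.SetUserAuthenticationRequired(1) | Out-Null   # 1 = NLA required
$ts.SetSecurityLayer(2) | Out-Null                # 2 = SSL/TLS, 1 = negotiate, 0 = RDP security layer
$ts.Get()
"NLA required: $($ts.UserAuthenticationRequired)   SecurityLayer: $($ts.SecurityLayer)"

# 4. Sanity check: the renamed account, and only it, should be in Administrators.
net localgroup Administrators
```

Log in once with the new name before closing your current session, and update anything that authenticated as the old name (scheduled tasks, services, backup jobs). Requiring NLA means clients must support CredSSP; Windows 7 and 8 do out of the box, while Windows XP needs the CredSSP update before it can connect.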
Re: 28,000 logon hack attempts in 7 days...
CPx4,
Thank you for those tips. They are very specific and actionable. I've thought about changing the default Administrator account and was rather surprised that the general security guidelines here on the forums didn't touch on the subject.
The second tip was implemented when I started using RDP.
Best regards,
Patriot
Patriot-Games.net
Great People. Great Games.
Steam Group: http://steamcommunity.com/groups/Patriot-Games
- Posts: 644
- Joined: Sun Sep 20, 2009 6:15 pm
Re: 28,000 logon hack attempts in 7 days...
As long as you have a strong password with uppercase and numbers, I wouldn't worry. Automatic Windows updates as well. Other than that, don't stress too much. The only thing I personally do is on my firewall I have a virtual port set up that is high on the WAN side and points to the standard 3389 on the internal side. So if anyone tries the standard port it won't work, and a standard scanner won't go high enough to catch the real virtual port being used for RDP. This isn't for VDSes here, though.