Posted: 2/20/2015 5:51:20 PM EDT
What I know:
I believe my Exchange server is under intermittent brute force attack from spammers trying to crack an account so they can send mail.
The attack is randomly locking out user accounts and the log just tells me it came from the Exchange box.

I need a way to find out what IP address on the Internet the failed authentication came from so I can block it. If there is software that can monitor this and automatically block the IPs, that would be even better.

Please help!
Link Posted: 2/20/2015 5:52:56 PM EDT
[#1]
What kind of firewall do you use? You can probably find the traffic there.
Link Posted: 2/20/2015 5:56:03 PM EDT
[#2]
Sonicwall TZ-215
Link Posted: 2/20/2015 6:32:49 PM EDT
[#3]
Just shooting from the hip, but the log does show IP traffic, or you can set up a monitoring rule for IPs aiming at your exchange server.
Can you find a recurring IP in the log that corresponds to the timeframe of locked accounts?

If you can track one down, block it in the Sonicwall.

If your Sonicwall is registered and on a support plan, I find their phone support quite quick and helpful.

Edit:
Sonicwall also offers a pay-to-play Geo-IP filter license to restrict traffic from selectable countries.
Link Posted: 2/20/2015 9:26:07 PM EDT
[#4]
Why are you still using an unsupported product?
Link Posted: 3/4/2015 2:04:33 AM EDT
[#5]
<--- Sonicwall Partner


What's your licensing set?
Link Posted: 3/4/2015 11:19:25 AM EDT
[#6]
Quoted:
<--- Sonicwall Partner
What's your licensing set?


When I get time I will look this up and IM you. I don't want to post it here just in case Aimless is the one trying to crack my Exchange server.
Link Posted: 3/5/2015 12:47:08 AM EDT
[#7]
<--- Another Sonicwall guru / partner checking in.



If Enigma gets stumped shoot me an IM. I deal with this shit daily and could have some recommendations.
Link Posted: 3/5/2015 12:52:39 AM EDT
[#8]
Nice to see the Sonicwall represented.
I manage an SM 10400.
Link Posted: 3/5/2015 1:06:01 AM EDT
[#9]
Quoted:
<--- Another Sonicwall guru / partner checking in.
If Enigma gets stumped shoot me an IM. I deal with this shit daily and could have some recommendations.


I'm kinda thinking he can get the traffic monitor to at least identify what he might be seeing.  Once he finds where it's coming from, I'm thinking access rule to drop it.  Thoughts?  I asked about the license set because IDS/IPS licensed on it might have options as well.
Link Posted: 3/5/2015 9:17:22 AM EDT
[#10]
SERVICE BUNDLES
Comprehensive Gateway Security Suite: Licensed
McAfee: Client/Server Anti-Virus Suite: Not Licensed

GATEWAY SERVICES
Gateway AV/Anti-Spyware/Intrusion Prevention: Licensed, expires Feb 27 2016
Content Filtering: Premium Edition: Licensed, expires Feb 27 2016
Stateful High Availability: Not Licensed
Comprehensive Anti-Spam Service: Not Licensed
SonicOS Expanded: Not Licensed

DESKTOP & SERVER SOFTWARE
McAfee: Enforced Client Anti-Virus and Anti-Spyware: Not Licensed
Kaspersky: Enforced Client Anti-Virus and Anti-Spyware: Not Licensed
Global VPN Client: Licensed 2 (Max: 27)
Global VPN Client Enterprise: Not Licensed
VPN Policy Upgrade: Licensed 20
Analyzer: Not Licensed
SSL VPN: Licensed 2 (Max: 27)
Virtual Assist: Not Licensed (Max: 2)
WAN Acceleration Software: Not Licensed
Content Filtering Client: Not Licensed
Note: When used with SonicWALL firewalls, it's supported in firmware versions 5.9.0.4, 6.1.1.6 and 6.1.2.1 or higher.
WAN Acceleration Client: Licensed 1
Please note: This service is available and can be used only with firmware version 5.9 and above.

SUPPORT SERVICES
Dynamic Support 8x5: Not Licensed
Dynamic Support 24x7: Licensed, expires Feb 27 2016
Software and Firmware Updates: Licensed, expires Feb 27 2016
Hardware Warranty: Licensed, expires Feb 27 2016

CONSULTING SERVICES
Remote Configuration Service: Not Licensed
Link Posted: 3/6/2015 2:40:52 AM EDT
[#11]

Quoted:
I'm kinda thinking he can get the traffic monitor to at least identify what he might be seeing.  Once he finds where it's coming from, I'm thinking access rule to drop it.  Thoughts?  I asked about the license set because IDS/IPS licensed on it might have options as well.

IPS might handle it, but Sonicwall IPS is kinda bad at blocking brute force attacks (Sonicwall IPS blocks known exploits mostly). That said, it might just drop the connection for a while and the attacker gives up.

IPS should be enabled by default from the license set he posted above; however, by default it's configured to "detect all" and not actually prevent anything. Wouldn't hurt to enable prevention once more info is known. That said, though, the attacker might be some kiddie using tools that can easily be defeated if IPS is preventing and not just detecting...

Example: It's some kiddie and he's using a tool that's port scanning and then brute forcing or trying different exploits. Sonicwall will pick up on that pattern and drop him if so configured.

The only thing with an access rule alone is it won't drop it if the IP is constantly different. However, if he finds in the logs that the attacks are from the same IP or same general IP range he can put a rule in to drop them. I've blocked entire networks this way before. If it's a determined attacker it won't be a permanent solution, and to be successful you kinda have to stay on it until it stops. Then again he could be lucky and it is one person... if it is, it might be worth it to track down the offender's ISP if they're in the US and report them after blocking them.

That said, the OP should go to Log > View > Export Log, export it to CSV and IM it. That would probably give us more info on what to tell him to do. Without seeing the actual logs I guess this is all conjecture.

Outside of the Sonicwall aspect he could look at the following:

- Disable OWA for X amount of days (don't know if you can do this; don't know your environment or user base) and see if they give up. Nowhere to log in, nowhere to brute force...

- Change default ports of RDP and any other ports that go from the Internet to points of entry in the domain. Refuse any connection on the default ports by setting the proper firewall rules, and put the new ports well out of range. Sonicwall NAT rules will take care of the new external port to default internal port translation from the net. You're making yourself "look" like a harder target.

- Find out why and how an attacker got a user's email address, which is also their domain username. You posting that stuff on your website in plain text? Anywhere on the internet? Lots of companies do this and don't realize it's a gold mine for people attacking. It's one of the first places I look in a pentest for user accounts. The simple fix for this is that when users are created in the domain, they have a different SMTP address for Exchange.
Link Posted: 3/6/2015 6:54:50 PM EDT
[#12]
$DT = [DateTime]::Now.AddDays(-1) # check only the last 24 hours

# Collect the source IP of every audit failure (event 4625); for 4625 the IP is the second-to-last replacement string
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]}}
# Group by IP and keep the addresses with more than 20 failed logons in that window
$g = $l | Group-Object -Property IpAddress | Where-Object {$_.Count -gt 20} | Select-Object -Property Name

$fw = New-Object -ComObject hnetcfg.fwpolicy2 # Windows Firewall policy object

$ar = $fw.Rules | Where-Object {$_.Name -eq 'BlockAttackers'} # block rule named 'BlockAttackers' (must be created manually)
if (-not $ar) { throw "Firewall rule 'BlockAttackers' not found; create it first" }

$arRemote = $ar.RemoteAddresses -split ',' # existing remote IPs as an array so we can check for duplicates

# Skip empty/"-" addresses and IPs already in the rule; the firewall stores each address with a /255.255.255.255 mask
$w = $g | Where-Object {$_.Name.Length -gt 1 -and !($arRemote -contains ($_.Name + '/255.255.255.255'))}

$w | ForEach-Object {$ar.RemoteAddresses += ',' + $_.Name} # append the new IPs to the rule


This is a PowerShell script that *should* block IPs that have 20 failed login attempts in a row.
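The script above keys off Security event 4625, but for OWA/ActiveSync logons handled by IIS the client address is also recorded in the IIS W3C log (c-ip), which is useful when the event log only points back at the Exchange box itself. The following is an added example, not code from the thread: it reads the column layout from the log's own "#Fields:" header, counts HTTP 401 responses per client IP on the auth endpoints, and reports the addresses over a threshold. The function name Get-FailedAuthByClient and the sample log lines are constructed for this example.

```powershell
# Added example (not from the thread): rank client IPs by failed (401) OWA/ActiveSync
# requests in an IIS W3C log. Column positions come from the "#Fields:" header line,
# so the parser adapts to whatever fields a real log was configured with.

# Constructed sample log; replace with (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex150305.log')
$SampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2015-03-05 09:01:02 192.0.2.10 POST /owa/auth.owa - 198.51.100.7 401
2015-03-05 09:01:03 192.0.2.10 POST /owa/auth.owa - 198.51.100.7 401
2015-03-05 09:01:05 192.0.2.10 OPTIONS /Microsoft-Server-ActiveSync - 198.51.100.7 401
2015-03-05 09:02:10 192.0.2.10 GET /owa/ jdoe 203.0.113.5 200
2015-03-05 09:02:11 192.0.2.10 GET /owa/auth.owa - 203.0.113.5 401
'@ -split "`r?`n"

function Get-FailedAuthByClient {
    param(
        [string[]]$Lines,
        [int]$Threshold = 20,
        [string[]]$Paths = @('/owa/auth.owa', '/Microsoft-Server-ActiveSync')
    )
    $fields = $null
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Header line defines the column order; parse it instead of hard-coding indexes
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }   # other comments / no header yet
        $cols = $line -split '\s+'
        if ($cols.Count -ne $fields.Count) { continue }            # skip malformed or blank lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        # Only count failed auth on the logon endpoints, not every 401 on the site
        if ($row['sc-status'] -eq '401' -and ($Paths -contains $row['cs-uri-stem'])) {
            $counts[$row['c-ip']] = 1 + [int]$counts[$row['c-ip']]
        }
    }
    $counts.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ ClientIp = $_.Key; Failed401 = $_.Value } }
}

# With the constructed sample and a threshold of 3, only 198.51.100.7 (3 failures) is reported
Get-FailedAuthByClient -Lines $SampleLog -Threshold 3
```

Basic and NTLM challenge flows log a 401 on the first request of every legitimate client too, so set the threshold against the box's normal baseline before feeding the output into a block rule such as the 'BlockAttackers' rule used by the script above.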
Link Posted: 3/9/2015 9:12:50 AM EDT
[#13]
Quoted:
This is a PowerShell script that *should* block IPs that have 20 failed login attempts in a row.


Thank you I will definitely give it a try!
Link Posted: 3/9/2015 9:14:16 AM EDT
[#14]
May be a Dyre infection. Spams pretty aggressively internally, can look like an attack.
Link Posted: 3/12/2015 11:39:36 AM EDT
[#15]
Did it work?
Link Posted: 3/15/2015 4:15:54 AM EDT
[#16]
Quoted:
Why are you still using an unsupported product?

Wondering this as well.
Link Posted: 3/15/2015 4:58:17 AM EDT
[#17]
Quoted:
Wondering this as well.

I'm still retiring NT4 and Win2k servers; sometimes that's just how it is.
Link Posted: 3/15/2015 9:06:09 AM EDT
[#18]
Quoted:
I'm still retiring NT4 and Win2k servers; sometimes that's just how it is.

But for email?
Link Posted: 3/15/2015 3:45:31 PM EDT
[#19]
Quoted:
But for email?

Even for email.  Some of these servers I retire would be in places that would terrify you.
Link Posted: 3/15/2015 4:16:28 PM EDT
[#20]
Quoted:
Even for email.  Some of these servers I retire would be in places that would terrify you.

Military or business?
Link Posted: 3/15/2015 4:51:47 PM EDT
[#21]
Quoted:
Military or business?

Government
Link Posted: 3/15/2015 4:57:17 PM EDT
[#22]
Quoted:
Government

Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.
Link Posted: 3/15/2015 8:10:37 PM EDT
[#23]
Quoted:
Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.

In the SMB space you get a lot of push back because of the whole "well it's still working, why should I replace it?"
Link Posted: 3/15/2015 8:49:22 PM EDT
[#24]
Quoted:
In the SMB space you get a lot of push back because of the whole "well it's still working, why should I replace it?"

If you can't convince them to upgrade due to security issues then I'd drop them as a client. I don't want to clean up the mess when it all goes to hell. And nowadays, there is no reason an SMB should be hosting their own email.
Link Posted: 3/15/2015 9:05:45 PM EDT
[#25]
Quoted:
If you can't convince them to upgrade due to security issues then I'd drop them as a client. I don't want to clean up the mess when it all goes to hell. And nowadays, there is no reason an SMB should be hosting their own email.

This concept of "security" means nothing to them. It's all just Greek that flies right over their heads. The MOST effective way I've come up with to convince people to upgrade was when I called in a buddy who does work in penetration testing to give a keynote at a get-together I coordinated with the local economic development committee and the BBB, and actually do a demonstration of hacking the shit out of a server and a workstation. He would put a USB drive under someone's chair, have that person walk up and stick it in "their computer at the office," and as soon as they did that he'd pwn the box right in front of them with his laptop.

Opened some eyes on that one.
Link Posted: 3/15/2015 10:28:43 PM EDT
[#26]

Quoted:
Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.

We have a single-branch bank as a client, owned by an old-timer. It has a Win2k server running the entire shebang, sitting in a dark wet basement. The table it sits on sits in 2 inches of water. I shit you not.
Link Posted: 3/15/2015 10:42:47 PM EDT
[#27]
Quoted:
We have a single-branch bank as a client, owned by an old-timer. It has a Win2k server running the entire shebang, sitting in a dark wet basement. The table it sits on sits in 2 inches of water. I shit you not.

Let me guess, he thinks that if it all went to shit they could just switch back to paper ledgers right?
Link Posted: 3/16/2015 11:12:42 PM EDT
[#28]

Quoted:
Let me guess, he thinks that if it all went to shit they could just switch back to paper ledgers right?

The owner is in his late 70's; I think he is hoping to pass on the problem to someone else, to be honest. We refuse to support the server; we basically just get called to clean up the user PCs of malware and perform a tune-up every now and then. At least it's not a domain controller, just used as a file server. The security holes on that network make me cringe every time I think of it. I can't believe he gets away with it with all the govt regulations and the like. The router is just a plain-jane Linksys WRT series, no real firewall to speak of. If someone wanted client info, it would not be hard to get.
Link Posted: 3/16/2015 11:14:31 PM EDT
[#29]
Here if you need me. Looks like you're in good hands though.
Link Posted: 3/17/2015 1:25:15 PM EDT
[#30]
Man I hope that script didn't break OP's Exchange server and now he's homeless.