Posted: 2/20/2015 5:51:20 PM EDT
What I know:
I believe my Exchange server is under intermittent brute force attack from spammers trying to crack an account so they can send mail. The attack is randomly locking out user accounts and the log just tells me it came from the Exchange box. I need a way to find out what IP address on the Internet the failed authentication came from so I can block it. If there is software that can monitor this and automatically block the IPs, that would be even better. Please help!

What kind of firewall do you use? You can probably find the traffic there.

Just shooting from the hip, but the log does show IP traffic, or you can set up a monitoring rule for IPs aiming at your Exchange server.
Can you find a recurring IP in the log that corresponds to the timeframe of locked accounts? If you can track one down, block it in the Sonicwall. If your Sonicwall is registered and on a support plan, I find their phone support quite quick and helpful. Edit: Sonicwall also offers a pay-to-play Geo-IP filter license to restrict traffic from selectable countries.

<--- Another Sonicwall guru / partner checking in.
If Enigma gets stumped shoot me an IM. I deal with this shit daily and could have some recommendations.

Quoted:
<--- Another Sonicwall guru / partner checking in. If Enigma gets stumped shoot me an IM. I deal with this shit daily and could have some recommendations.

I'm kinda thinking he can get the traffic monitor to at least identify what he might be seeing. Once he finds where it's coming from, I'm thinking access rule to drop it. Thoughts? I asked about the license set because IDS/IPS licensed on it might have options as well.

SERVICE BUNDLES
- Comprehensive Gateway Security Suite: Licensed
- McAfee: Client/Server Anti-Virus Suite: Not Licensed

GATEWAY SERVICES
- Gateway AV/Anti-Spyware/Intrusion Prevention: Licensed (Feb 27 2016)
- Content Filtering: Premium Edition: Licensed (Feb 27 2016)
- Stateful High Availability: Not Licensed
- Comprehensive Anti-Spam Service: Not Licensed
- SonicOS Expanded: Not Licensed

DESKTOP & SERVER SOFTWARE
- McAfee: Enforced Client Anti-Virus and Anti-Spyware: Not Licensed
- Kaspersky: Enforced Client Anti-Virus and Anti-Spyware: Not Licensed
- Global VPN Client: Licensed 2 (Max: 27)
- Global VPN Client Enterprise: Not Licensed
- VPN Policy Upgrade: Licensed 20
- Analyzer: Not Licensed
- SSL VPN: Licensed 2 (Max: 27)
- Virtual Assist: Not Licensed (Max: 2)
- WAN Acceleration Software: Not Licensed
- Content Filtering Client: Not Licensed (Note: When used with SonicWALL firewalls, it’s supported in firmware versions 5.9.0.4, 6.1.1.6 and 6.1.2.1 or higher.)
- WAN Acceleration Client: Licensed 1 (Please note: This service is available and can be used only with firmware version 5.9 and above.)

SUPPORT SERVICES
- Dynamic Support 8x5: Not Licensed
- Dynamic Support 24x7: Licensed (Feb 27 2016)
- Software and Firmware Updates: Licensed (Feb 27 2016)
- Hardware Warranty: Licensed (Feb 27 2016)

CONSULTING SERVICES
- Remote Configuration Service: Not Licensed

Quoted:
I'm kinda thinking he can get the traffic monitor to at least identify what he might be seeing. Once he finds where it's coming from, I'm thinking access rule to drop it. Thoughts? I asked about the license set because IDS/IPS licensed on it might have options as well.

IPS might handle it, but Sonicwall IPS is kinda bad at blocking brute force attacks (Sonicwall IPS blocks known exploits mostly). That said, it might just drop the connection for a while and the attacker gives up. IPS should be enabled by default from the license set he posted above; however, by default it's configured to "detect all" and not actually prevent anything. Wouldn't hurt to enable prevention once more info is known. That said though, the attacker might be some kiddie using tools that can easily be defeated if IPS is preventing and not just detecting... Example: it's some kiddie and he's using a tool that's port scanning and then brute forcing or trying different exploits. Sonicwall will pick up on that pattern and drop him if so configured.

The only thing with an access rule alone is it won't drop it if the IP is constantly different. However, if he finds in the logs that the attacks are from the same IP or same general IP range he can put a rule in to drop them. I've blocked entire networks this way before. If it's a determined attacker it won't be a permanent solution, and to be successful you kinda have to stay on it until it stops. Then again he could be lucky and it is one person... if it is, it might be worth it to track down the offender's ISP if they're in the US and report them after blocking them.

That said, the OP should go to Log > View > Export Log, export it to CSV and IM it. That would probably give us more info on what to tell him to do. Without seeing the actual logs I guess this is all conjecture.

Outside of the Sonicwall aspect he could look at the following:
- Disable OWA for X amount of days (don't know if you can do this; don't know your environment or user base) and see if they give up. Nowhere to log in, nowhere to brute force...
- Change default ports of RDP and any other ports that go from the Internet to points of entry in the domain. Refuse any connection on the default ports by setting the proper firewall rules, and put the new ports well out of range. Sonicwall NAT rules will take care of the new external port to default internal port translation from the net. You're making yourself "look" like a harder target.
- Find out why and how an attacker got a user's email address, which is also their domain username. You posting that stuff on your website in plain text? Anywhere on the internet? Lots of companies do this and don't realize it's a gold mine for people attacking. It's one of the first places I look in a pentest for user accounts. The simple fix for this is that when users are created in the domain, they have a different SMTP address for Exchange.

```powershell
$DT = [DateTime]::Now.AddDays(-1) # check only last 24 hours
# select the source IP address of every audit failure (event 4625); the address is the second-to-last replacement string
$l = Get-EventLog -LogName 'Security' -InstanceId 4625 -After $DT | Select-Object @{n='IpAddress';e={$_.ReplacementStrings[-2]}}
# get IP addresses that have more than 20 wrong logins
$g = $l | Group-Object -Property IpAddress | Where-Object {$_.Count -gt 20} | Select-Object -Property Name
$fw = New-Object -ComObject hnetcfg.fwpolicy2 # get firewall object
$ar = $fw.Rules | Where-Object {$_.Name -eq 'BlockAttackers'} # get firewall rule named 'BlockAttackers' (must be created manually)
if (-not $ar) { throw "Firewall rule 'BlockAttackers' not found; create it first" }
$arRemote = $ar.RemoteAddresses -split ',' # split the existing IPs into an array so we can easily search for existing IPs
# get IP addresses that are not already in the firewall rule. The Length check skips the '-' placeholder the log writes when
# no source address is known; the /255.255.255.255 mask is what the firewall appends to single-host entries.
$w = $g | Where-Object {$_.Name.Length -gt 1 -and !($arRemote -contains ($_.Name + '/255.255.255.255'))}
# add IPs to the firewall rule. A rule whose remote scope is still '*' (any) must be overwritten, not appended to,
# otherwise the scope becomes '*,1.2.3.4' and the firewall rejects it.
$w | ForEach-Object {
    if ($ar.RemoteAddresses -eq '*') { $ar.RemoteAddresses = $_.Name } else { $ar.RemoteAddresses += ',' + $_.Name }
}
```
This is a PowerShell script that *should* block IPs that have 20 failed login attempts in a row.

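Before a script like the one above is allowed to write firewall rules, it is worth seeing what the 4625 events actually attribute the failures to. Logons that reach the Security log through Exchange's IIS front end (OWA, ActiveSync, Outlook Anywhere) are often recorded with a source address of "-" or the server's own address, which is exactly the symptom in the first post, and a blocking script cannot do anything useful with those. The following is an added example, not code from the thread, that reports failures per source address and logon type and counts the unattributed ones separately. It assumes PowerShell 3 or later (for Get-WinEvent -FilterHashtable and member enumeration on arrays), administrator rights to read the Security log, and the function names Get-FailedLogonSummary, Measure-UnattributedFailures and Get-Recent4625 are mine; the sample events at the bottom are constructed so the report can be checked without a live log.

```powershell
# Added example, not from the thread. Report-only: nothing here changes firewall state.

function Get-FailedLogonSummary {
    # Groups failure records by source address and lists counts, logon types and accounts
    # for any address at or above the threshold. Records with no usable address are skipped.
    param(
        [Parameter(Mandatory=$true)] [object[]] $Events,   # objects with IpAddress, LogonType, TargetUserName
        [int] $Threshold = 20
    )
    $Events |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object -Property IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress  = $_.Name
                Failures   = $_.Count
                LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','     # 3 = network, 8 = network cleartext (basic auth)
                Accounts   = ($_.Group.TargetUserName | Sort-Object -Unique) -join ','
            }
        } | Sort-Object -Property Failures -Descending
}

function Measure-UnattributedFailures {
    # Counts failures whose source address is missing or '-'. A large number here means the
    # Security log alone will not tell you which Internet address is trying the passwords.
    param([Parameter(Mandatory=$true)] [object[]] $Events)
    @($Events | Where-Object { -not $_.IpAddress -or $_.IpAddress -eq '-' }).Count
}

function Get-Recent4625 {
    # Reads event 4625 from the live Security log and flattens the EventData fields by name,
    # which is more robust than relying on the position of ReplacementStrings.
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                IpAddress      = $data['IpAddress']
                LogonType      = $data['LogonType']
                TargetUserName = $data['TargetUserName']
            }
        }
}

# Constructed sample (documentation addresses): one address over the threshold, one under,
# and a batch of failures with no source address, mimicking logons relayed through IIS.
$sample = @(
    1..25 | ForEach-Object { [pscustomobject]@{ IpAddress = '203.0.113.5';  LogonType = '8'; TargetUserName = 'jsmith' } }
    1..3  | ForEach-Object { [pscustomobject]@{ IpAddress = '198.51.100.9'; LogonType = '3'; TargetUserName = 'admin'  } }
    1..30 | ForEach-Object { [pscustomobject]@{ IpAddress = '-';            LogonType = '3'; TargetUserName = 'bjones' } }
)

Get-FailedLogonSummary -Events $sample -Threshold 20 | Format-Table -AutoSize
"Failures with no source address: $(Measure-UnattributedFailures -Events $sample)"

# Live use on the server, same report against the last 24 hours of the Security log:
# $live = Get-Recent4625 -Hours 24
# Get-FailedLogonSummary -Events $live | Format-Table -AutoSize
# Measure-UnattributedFailures -Events $live
```

With the sample data the summary lists only 203.0.113.5 (25 failures, logon type 8, account jsmith), while the 30 unattributed failures show up in the second line. If the live report looks like that second line rather than the first, the address to block has to come from somewhere other than the 4625 event, which is why the Sonicwall log export suggested earlier in the thread is the right next step.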
Quoted:
[PowerShell script from the post above]
This is a PowerShell script that *should* block IPs that have 20 failed login attempts in a row.

Thank you, I will definitely give it a try!

May be a Dyre infection. Spams pretty aggressively internally, can look like an attack.

Quoted:
Why are you still using an unsupported product?
Quoted:
Wondering this as well.
Quoted:
I'm still retiring NT4 and win2k servers; sometimes that's just how it is.

But for email?

Quoted:
Why are you still using an unsupported product?
Quoted:
Wondering this as well.
Quoted:
I'm still retiring NT4 and win2k servers; sometimes that's just how it is.
Quoted:
But for email?

Even for email. Some of these servers I retire would be in places that would terrify you.

Quoted:
Why are you still using an unsupported product?
Quoted:
Wondering this as well.
Quoted:
I'm still retiring NT4 and win2k servers; sometimes that's just how it is.
Quoted:
But for email?
Quoted:
Even for email. Some of these servers I retire would be in places that would terrify you.

Military or business?

Quoted:
Military or business?
Quoted:
Government
Quoted:
Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.

In the SMB space you get a lot of pushback because of the whole "well it's still working, why should I replace it?"

Quoted:
Military or business?
Quoted:
Government
Quoted:
Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.
Quoted:
In the SMB space you get a lot of pushback because of the whole "well it's still working, why should I replace it?"

If you can't convince them to upgrade due to security issues then I'd drop them as a client. I don't want to clean up the mess when it all goes to hell. And nowadays there is no reason an SMB should be hosting their own email.

Quoted:
Military or business?
Quoted:
Government
Quoted:
Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.
Quoted:
In the SMB space you get a lot of pushback because of the whole "well it's still working, why should I replace it?"
Quoted:
If you can't convince them to upgrade due to security issues then I'd drop them as a client. I don't want to clean up the mess when it all goes to hell. And nowadays there is no reason an SMB should be hosting their own email.

This concept of "security" means nothing to them. It's all just Greek that flies right over their head. The MOST effective way I've come up with to convince people to upgrade was when I called in a buddy that does work in penetration testing to come do a keynote at a get-together I coordinated with the local economic development committee and the BBB, to actually do a demonstration of hacking the shit out of a server and a workstation. He would put a USB drive under someone's chair, have that person walk up and stick it in "their computer at the office", and as soon as they did that he'd pwn the box right in front of them with his laptop. Opened some eyes on that one.

Quoted:
Military or business?
Quoted:
Government
Quoted:
Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.

We have a single branch Bank as a client, owned by an oldtimer. It has a win2k server running the entire shebang, sitting in a dark wet basement. The table it sits on sits in 2 inches of water. I shit you not.

Quoted:
Military or business?
Quoted:
Government
Quoted:
Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.
Quoted:
We have a single branch Bank as a client, owned by an oldtimer. It has a win2k server running the entire shebang, sitting in a dark wet basement. The table it sits on sits in 2 inches of water. I shit you not.

Let me guess, he thinks that if it all went to shit they could just switch back to paper ledgers, right?

Quoted:
Then I'm not surprised. No reason any company should have that problem. We have some old stuff too but not critical systems.
Quoted:
Let me guess, he thinks that if it all went to shit they could just switch back to paper ledgers, right?

The owner is in his late 70s; I think he is hoping to pass on the problem to someone else, to be honest. We refuse to support the server, we basically just get called to clean up the users' PCs of malware and perform a tune-up every now and then. At least it's not a domain controller, just used as a file server. The security holes on that network make me cringe every time I think of it. I can't believe he gets away with it with all the government regulations and the like. The router is just a plain-jane Linksys WRT series, no real firewall to speak of. If someone wanted client info, it would not be hard to get.

Here if you need me. Looks like you're in good hands though.

Man, I hope that script didn't break the OP's Exchange server and now he's homeless.

Copyright © 1996-2024 AR15.COM LLC. All Rights Reserved.