Suspected brute force attack
Posted by HarveySaayman on Server Fault
Published on 2012-06-10T21:10:43Z
Tags: windows-server-2008-r2 | brute-force-attacks
Recently I acquired a dedicated server from a local ISP to play around with. As the tags suggest, it's a Windows Server 2008 R2 machine.
I've only had it for a few days, and no real traffic is going to it yet. I haven't even deployed a "real" website to it yet. Just a silly page so that I could check that IIS, my host headers, DNS records, etc. are all configured correctly.
While playing around, I noticed a ton of Audit Failure entries in the Event Viewer's security logs. It seems something is trying to access the administrator account, and failing. It smells like a brute force attack to me.
My ISP gave me the account details of the administrator account and I used those to RDP into the box, which I've heard is not the securest of situations.
I created myself another account and added myself to the administrator group, so I'm using that account to gain access to the machine now.
In response to all of this I used http://strongpasswordgenerator.com/ to generate some strong 20-character passwords and changed all of my account passwords, even the SQL sa user.
I also enabled the auto ban feature of FileZilla Server (my FTP server).
My questions:
1) How can I detect this kind of thing better?
2) How can I protect my server from unauthorized access better?
PS: I'm a software dev, not a sysadmin, so please mind my server security idiot-ness-ness.
© Server Fault or respective owner
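
For the detection half of the question, one way to turn the Audit Failure entries into a per-source summary, shown as an added example that is not part of the original post. It assumes the failures are logged as Security event ID 4625 (the failed-logon event on Windows Server 2008 R2); `$Hours` and `$Threshold` are illustrative values.

```powershell
# Added example: summarise failed logons (Security event 4625) by source address and account.
# Run from an elevated PowerShell prompt; reading the Security log needs administrator rights.
# Written to work on the PowerShell 2.0 that ships with Windows Server 2008 R2.
$Hours     = 24   # assumed look-back window
$Threshold = 20   # assumed failure count at which a source/account pair is flagged

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
# @() gives an empty array when nothing matches, so the loop below is skipped cleanly.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$failures = foreach ($evt in $events) {
    # The named fields of a 4625 event live under EventData/Data in the event XML.
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Time      = $evt.TimeCreated
        Account   = $fields['TargetUserName']
        SourceIp  = $fields['IpAddress']    # may be "-" when no address was recorded
        LogonType = $fields['LogonType']    # 3 = network, 10 = remote interactive (RDP)
    }
}

if (-not $failures) {
    Write-Host "No failed logons in the last $Hours hours."
    return
}

# One row per (source, account): how many failures, over what period, via which logon types.
$failures | Group-Object SourceIp, Account | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    New-Object PSObject -Property @{
        SourceIp   = $sorted[0].SourceIp
        Account    = $sorted[0].Account
        Failures   = $_.Count
        LogonTypes = (($sorted | ForEach-Object { $_.LogonType } | Sort-Object -Unique) -join ',')
        First      = $sorted[0].Time
        Last       = $sorted[-1].Time
        Flagged    = ($_.Count -ge $Threshold)
    }
} | Sort-Object Failures -Descending |
    Select-Object SourceIp, Account, Failures, LogonTypes, First, Last, Flagged |
    Format-Table -AutoSize
```

A single address producing many failures against `Administrator` in a short window is the pattern the post describes; rows where `SourceIp` is `-` need correlating with other logs to find the origin.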