Suspected brute force attack

Posted by HarveySaayman on Server Fault
Published on 2012-06-10T21:10:43Z Indexed on 2012/06/10 22:42 UTC

Recently I acquired a dedicated server from a local ISP to play around with. As the tags suggest, it's a Windows Server 2008 R2 machine.

I've only had it for a few days, and no real traffic is going to it yet. I haven't even deployed a "real" website to it yet. Just a silly page so that I could check that IIS, my host headers, DNS records, etc. are all configured correctly.

While playing around, I noticed a ton of Audit Failure entries in the Event Viewer's Security logs. It seems something is trying to access the administrator account, and failing. It smells like a brute force attack to me.

My ISP gave me the account details of the administrator account and I used those to RDP into the box, which I've heard is not the securest of situations.

I created myself another account and added myself to the administrator group, so I'm using that account to gain access to the machine now.

In response to all of this I used http://strongpasswordgenerator.com/ to generate some strong 20-character passwords and changed all of my account passwords, even the SQL sa user.

I also enabled the auto-ban feature of FileZillaServer (my FTP server).

My questions: 1) How can I detect this kind of thing better? 2) How can I protect my server from unauthorized access better?

PS: I'm a software dev, not a sysadmin, so please mind my server security idiot-ness-ness
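On the detection question, an added example that is not part of the original post: a PowerShell function that groups failed-logon records by source address and flags any source producing a burst of failures. It assumes the Audit Failure entries are event ID 4625 (failed logon) in the Security log; the function names, threshold, window, addresses and the non-administrator account name are constructed for illustration.

```powershell
# Flag sources with >= Threshold failed logons inside any WindowMinutes span.
function Find-LogonBurst {
    param([object[]]$Failures, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $Failures | Group-Object IpAddress | ForEach-Object {
        $g = $_
        $times = @($g.Group | Sort-Object TimeCreated |
                   ForEach-Object { $_.TimeCreated })
        $peak = 0; $start = 0
        # Sliding window over the sorted timestamps of this source.
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) {
                $start++
            }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        if ($peak -ge $Threshold) {
            $names = @($g.Group | Select-Object -ExpandProperty TargetUserName |
                       Sort-Object -Unique)
            New-Object PSObject -Property @{
                IpAddress = $g.Name; PeakInWindow = $peak
                Total = $g.Count; Accounts = ($names -join ',')
            }
        }
    }
}

# Turn live 4625 events into the records the function expects (run elevated).
function Get-FailedLogon {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
        ForEach-Object {
            $ev = $_; $d = @{}
            ([xml]$ev.ToXml()).Event.EventData.Data |
                ForEach-Object { $d[$_.Name] = $_.'#text' }
            New-Object PSObject -Property @{ TimeCreated = $ev.TimeCreated
                TargetUserName = $d['TargetUserName']; IpAddress = $d['IpAddress'] }
        }
}

# Constructed sample: 8 failures in 4 minutes from one source, 1 from another.
$t0 = [datetime]'2012-06-10T20:00:00'
$sample = @()
0..7 | ForEach-Object { $sample += New-Object PSObject -Property @{
    TimeCreated = $t0.AddSeconds(30 * $_); TargetUserName = 'Administrator'
    IpAddress = '203.0.113.7' } }
$sample += New-Object PSObject -Property @{ TimeCreated = $t0.AddMinutes(3)
    TargetUserName = 'harvey'; IpAddress = '198.51.100.20' }

Find-LogonBurst -Failures $sample | Format-Table IpAddress, PeakInWindow, Total, Accounts
```

On the server itself, `Find-LogonBurst -Failures (Get-FailedLogon)` runs the same check against the real Security log; it avoids PowerShell 3.0 syntax so it works with the version that ships on Windows Server 2008 R2.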

© Server Fault or respective owner
