Suspected brute force attack
- by HarveySaayman
Recently I acquired a dedicated server from a local ISP to play around with.
As the tags suggest, its a windows server 2008 R2 machine.
I've only had it for a few days, and no real traffic is going to it yet. I haven't even deployed a "real" website to it yet. Just a silly page so that I could check IIS, my host headers, DNS records, etc are all configured correctly.
While playing around, I noticed a ton of Audit Failure entries in the event viewers security logs. It seems something is trying to access the administrator account, and failing. It smells like a brute force attack to me.
My ISP gave me the account details of the administrator account and I used those to RDP into the box, which I've heard is not the securest of situations.
I created myself another account and added myself to the administrator group, so im using that account to gain acceess to the machine now.
In response to all of this i used http://strongpasswordgenerator.com/ to generate me some 20 character length strong passwords and changed all of my account passwords, even the SQL sa user.
I also enabled the auto ban feature of FileZillaServer (my FTP server)
My questions:
1) how can i detect this kind of thing better?
2) how can i protect my server from unauthorized access better?
PS: I'm a software dev, not a sysadmin so please mind my server security idiot-ness-ness