Determine windows server attack? Should I monitor the server and block IPs all the day?

0

While Viewing the windows server 2008 event log, I always find many security events 4625/logon as follows:

**An account failed to log on.**

Subject:
    Security ID:        SYSTEM
    Account Name:       Sever-Name
    Account Domain:     WORKGROUP
    Logon ID:       0x3e7

Logon Type:         10

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       admin (or administrator or user or any)
    Account Domain:     Sever-Name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x1b18
    Caller Process Name:    C:\Windows\System32\winlogon.exe

Network Information:
    Workstation Name:   Sever-Name
    Source Network Address: Some-Remote-IP
    Source Port:        Port#No (many ports in a row)

Detailed Authentication Information:
    Logon Process:      User32 
    Authentication Package: Negotiate

The above tries comes from single IP using all possible usernames and ports.

My Questions are:

  1. Are these regular attacks?
  2. How worried should I be? Should I monitor and block every single IP or only when there are huge attack?
  3. Is blocking IP through windows firewall by choosing to block "All Programs" means that this IP will not be able to even use the web and email service?
  4. If the answer to #3 is yes, is there a way to only block the Machine / RDP Access? Is it enough?
windows-server-2008
security
windows-event-log
asked on Server Fault Apr 19, 2013 by hsobhy • edited Apr 19, 2013 by TheCleaner

2 Answers

4

This is what you need to do:

  1. Set up a VPN for secure remote access to your server.

  2. Place the server behind a firewall (hardware or software) and don't allow remote logons from anywhere. You must connect to the VPN if you want to connect remotely.

  3. Have a sandwich and enjoy how much better off you are now that you've done these basic security precautions.

After that is done, then you need to get a book on Windows administration (or administration in general) and read about firewall rules. Then configure yours appropriately. Only you know who needs to access what services from where. Take some time to look at all services running, decide which ones need to be publicly available (like web) and which ones don't (like RDP) and configure your firewall accordingly.

answered on Server Fault Apr 19, 2013 by MDMarra
-2

The truth is that if you are under a large DDOS attack firewall can't actually help you as it will run out of resources while banning ip address . Good solution is to have a failover ip and the best is to have a load balancing setup ..

If this is a small ddos simply by tracing and blocking these ips you will be ok..

answered on Server Fault Apr 19, 2013 by user2145311

User contributions licensed under CC BY-SA 3.0