Server security questions 1

[brokenhalo]

Hello again tek-tips,

Our Windows Server 2k3 servers have been getting a TON of brute-force attempts on SQL and clever SMTP attacks as well lately. As of yet, there has been no physical penetration into our network or services, but the attackers are using quite a bit of our servers resources and network bandwitdth in their attempts.

We have a Sonicwall which is a good firewall, but it cannot seem to differentiate a brute force attack and regular traffic on SQL. I am wondering if anyone knows of any Windows software that can constantly scan Windows logs or any other logs for failed login attempts and block them.

I have a software firewall on my CentOS Enterprise Linux server called CSF+LFD (ConfigServer Firewall+Login Failure Detection) that works beautifully for things such as this - after any set amount of failed login attempts, it either temporarily or permanently blocks the IP addrtess of the offender, then sends me an alert.

If anyone could suggest a piece of Windows software such as this, that would be great. Thanks!

Brad L.
Systems Engineer
Prestige Technologies
bradlaszlo[at]prestigetech.com

http://www.prestigetech.com

"Some things Man was never meant to know. For everything else, there's Google.

 

[brokenhalo]

Nobody???

Brad L.
Systems Engineer
Prestige Technologies
bradlaszlo[at]prestigetech.com

http://www.prestigetech.com

"Some things Man was never meant to know. For everything else, there's Google.

 

[itsp1965]

Hi Brad have you considered employing an IDS/IPS device or HIDS software since this is the type of role they server identifying traffic patterns (such as brute force attack) as opposed to blocking port traffic

 

[Roadki11]

I would work with my ISP and try and stop this upstream if i could. How big is the IP group that is attacking you? I have not used sonicwall forever but i thought it had a mechanism(ACL) that could block/ban IPs. If the attacking IPs are not to large i would add them to that list but this will not reduce pressure on your bandwidth as the traffic still gets to the sonicwall before its dropped. Stopping this upstream is the ticket.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen

 

[brokenhalo]

itsp: There is intrusion prevention on the Sonicwall, unfortunately the cost of adding that module is out of my clients' price range at the current time (of course). Thats why I am looking for something simple. Do you have a suggestion of a software product?

RoadKi11: Your idea is good, if in fact the intrusions were all coming from teh same place. We get various attacks from all over the globe it seems, so blocking it upstream using an RBL will minimize the impact only slightly.

Any more suggestions, or if anyone knows of any open source product I can use, would be appreciated. Thanks

Brad L.
Systems Engineer
Prestige Technologies
bradlaszlo[at]prestigetech.com

http://www.prestigetech.com

"Some things Man was never meant to know. For everything else, there's Google.

 

[58sniper]

My question is why is there a route to SQL from the outside? I can't think of any reason why SQL should be forward facing.

And SMTP? Is that going to something in IIS, or is that going to your email server?

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.

http://www.ucblogs.net/blogs/exchange/

 

[brokenhalo]

We have software that we have developed that we host that requires access to SQL from the outside, but that is beside the point. And SMTP, same thing... Our software requires access to it.

Any more suggestions?

Brad L.
Systems Engineer
Prestige Technologies
bradlaszlo[at]prestigetech.com

http://www.prestigetech.com

"Some things Man was never meant to know. For everything else, there's Google.

 

[58sniper]

So people can make direct SQL and SMTP calls to your box from outside, or the application hosted on the box talks to SQL/SMTP? If it's the former, that's quite interesting. If it's the later, then block access at the firewall.

For SMTP, you could put in a gateway box that could some SMTP daemon.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.

http://www.ucblogs.net/blogs/exchange/

 

[brokenhalo]

It would be wayyy too administrative intensive to try and restrict access only to those subnets who need our services from the firewall, as I would have to add rules every time one of our clients was using our application at a hotel. That is why I want a solution that simply scans certain services for invalid login attempts, then blocks the IP address of the offender. If one such as that doesn't exist, I guess I should start developing

This is why I love my Linux box's - I don't have to suffer from problems like these... Hmmmm... I guess I could put together a m0n0wall or CSF at the WAN side.

Thanks anyways, guys

Brad L.
Systems Engineer
Prestige Technologies
bradlaszlo[at]prestigetech.com

http://www.prestigetech.com

"Some things Man was never meant to know. For everything else, there's Google.

 

[NetworkTek]

I have used a software called snort. It is open source. Here is a read on it.

http://www.auditmypc.com/freescan/readingroom/intrusion_detection.asp

Network+ Inet+ MCP MCSA 2k3

 

[brokenhalo]

Excellent resource NetworkTek!!! That is exactly the type of product I'm looking for, and it seems that it works just like a m0n0wall would. You said that you have used it... Does it work well?

Brad L.
Systems Engineer
Prestige Technologies
bradlaszlo[at]prestigetech.com

http://www.prestigetech.com

"Some things Man was never meant to know. For everything else, there's Google.

 

[NetworkTek]

I have used this and it did what i needed it to do. It was time consuming to setup. However i had an instance similar to yours where calls were made to a sql from the outside in. I didn't want to do it in the first place but it wasn't my choice and ended up in a situation just like yours. Hope this helps

Network+ Inet+ MCP MCSA 2k3