How can I obtain the IP address of a Brute Force attacker on my network?

Last response: in Business Computing
May 23, 2013 10:41:40 AM

Hello All,

I work for a small managed service provider and have been in the IT field for about one year, so I am admittedly still a bit wet behind the ears. I noticed the other day that there have been a very large amount of failed attempts to log in using different user names such as root, admin, administrator, etc. It is quite clear to me that this is an attempt to gain access to the server via brute force. The problem is that the logs do not identify an IP address or even a port that I can use to block the attacker. I did, however, get a process ID that led me back to an executable called Inetinfo.exe; this is apparently used by IIS for debugging. Anyway, I digress. I would really like the opportunity to impress my boss by getting this issue resolved, but I do not know how to gain identifiable information that I can use to block the attempts to gain access to our client's server.

P.S. I forgot to mention that the server is running MS Server 2003 as an OS. Any help would be appreciated.

Thanks!
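The question above comes down to finding a source address in failed-logon records and deciding which ones to block. The following is an added example, not code from the original thread: a small Python script that parses a constructed sample of Windows Security log text (in the style of a Server 2003 event 529 / later 4625 "Logon Failure" description), groups the failures by "Source Network Address", flags any address that exceeds a threshold, and separately counts records where the address field is blank or "-", which is exactly the situation where the log gives you nothing to block on. The record layout, field names, addresses and user names in SAMPLE_EVENTS are constructed for the example and only approximate a real export; the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: nine records in the style of a Windows Security log export.
# Records are separated by "----". This is NOT a real export; the layout only
# approximates the "Logon Failure" description text of event 529 / 4625.
SAMPLE_EVENTS = """
Event ID: 529
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: administrator
    Logon Type: 10
    Source Network Address: 203.0.113.45
    Source Port: 51234
----
Event ID: 529
Logon Failure:
    User Name: root
    Logon Type: 10
    Source Network Address: 203.0.113.45
----
Event ID: 529
Logon Failure:
    User Name: admin
    Logon Type: 10
    Source Network Address: 203.0.113.45
----
Event ID: 529
Logon Failure:
    User Name: guest
    Logon Type: 10
    Source Network Address: 203.0.113.45
----
Event ID: 529
Logon Failure:
    User Name: sa
    Logon Type: 10
    Source Network Address: 203.0.113.45
----
Event ID: 529
Logon Failure:
    User Name: bob
    Logon Type: 10
    Source Network Address: 198.51.100.7
----
Event ID: 529
Logon Failure:
    User Name: admin
    Logon Type: 8
    Source Network Address: -
----
Event ID: 529
Logon Failure:
    User Name: administrator
    Logon Type: 8
    Source Network Address: -
----
Event ID: 528
Successful Logon:
    User Name: jsmith
    Logon Type: 10
    Source Network Address: 198.51.100.7
"""

# "Key: value" lines; keys are letters and spaces, so an IPv4 value parses cleanly.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
FAILED_LOGON_IDS = {"529", "4625"}   # 529 = Server 2003 failed logon, 4625 = Vista/2008 and later


def parse_events(text):
    """Split the export into records and keep only failed-logon events."""
    events = []
    for chunk in text.split("----"):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group("key").strip()] = m.group("val")
        if fields.get("Event ID") in FAILED_LOGON_IDS:
            events.append(fields)
    return events


def summarize(events, threshold=3):
    """Return (suspects, unattributed).

    suspects: {source address: {"count", "accounts", "logon_types"}} for every
              address with at least `threshold` failures (threshold is an assumption).
    unattributed: number of failures whose source address is blank or "-", i.e.
              records that cannot be blocked by address and need another log
              (for example the IIS log, if the logon came through inetinfo.exe).
    """
    by_source = defaultdict(lambda: {"count": 0, "accounts": set(), "logon_types": set()})
    unattributed = 0
    for ev in events:
        src = ev.get("Source Network Address", "").strip()
        if src in ("", "-"):
            unattributed += 1
            continue
        entry = by_source[src]
        entry["count"] += 1
        entry["accounts"].add(ev.get("User Name", "?"))
        entry["logon_types"].add(ev.get("Logon Type", "?"))
    suspects = {
        src: {"count": e["count"],
              "accounts": sorted(e["accounts"]),
              "logon_types": sorted(e["logon_types"])}
        for src, e in by_source.items() if e["count"] >= threshold
    }
    return suspects, unattributed


if __name__ == "__main__":
    suspects, unattributed = summarize(parse_events(SAMPLE_EVENTS))
    for src, info in suspects.items():
        print(f"{src}: {info['count']} failures, accounts={info['accounts']}, "
              f"logon types={info['logon_types']}")
    print(f"{unattributed} failure(s) carried no source address")
```

The "Logon Type" field is worth keeping in the output: type 10 is an RDP (Terminal Services) logon, while types such as 3 or 8 point at a different service, so a run of failures with no source address and a non-RDP logon type is a hint that the address should be looked for in that service's own log rather than the Security log. The script is offline by design; feeding it a real export is a matter of replacing SAMPLE_EVENTS with the file contents.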
May 23, 2013 10:54:46 AM

Even if you do find the IP address, it is probably not 'him'. He is probably using a zombie to launch the attack from. That is the IP you'd see. Some poor schmo that doesn't know his machine is compromised.
May 23, 2013 11:04:00 AM

USAFRet said:
Even if you do find the IP address, it is probably not 'him'. He is probably using a zombie to launch the attack from. That is the IP you'd see. Some poor schmo that doesn't know his machine is compromised.


I suppose that does make sense... Hmm. I was hoping to avoid locking down port 3389 because my team often works from home, but it appears as though I will have to do so. Thanks for the advice!
June 7, 2013 6:14:26 AM

Your best solution is to set up a VPN connection for your remote users. Once VPN is authenticated, then they can authenticate again with RDP to the machine.
July 21, 2013 6:56:00 PM

If you don't need RDP, turn the service off and block the port at the firewall. If you need the service, try changing ports.

All of my servers which have RDP enabled see people try brute force logins quite frequently. No one ever gets in, it's funny to see them try. This is VERY COMMON on the internet. Just create a strong password and you should be fine.
July 21, 2013 9:11:48 PM

All of the above are pretty good points to bring up. All in all, finding the IP address that is sending the brute-force attack might not actually find the source, so it might not be worth your time to try to track it back. It would be good, though, to find the IP address and see if it is changing regularly (dynamic IP), see if it is linked to any of the major proxy services out there, and see if there is any information you can gather from that IP (such as the ISP). However, it's mainly just for your own documentation.

There are a couple ways of solving this. One method would be to change the standard ports that you need to other non-standard ports and use PAT (Port Address Translation) to get those open ports to the right internal ports. The other option is to set up an encrypted secure VPN for remote users. This is a more secure option, but requires some more work to set up and of course you have to be sure your hardware and software supports it. It would be recommended, though, that you start off by moving the external port for Terminal Services to something else and set up PAT in your router and firewall. Then, work on setting up what you need for encrypted VPN.