Security Intrusion Stoppage - Open Source Solutions - Windows Audit Failures

Forums › IT Pro and developers › Security Intrusion Stoppage - Open Source Solutions - Windows Audit Failures - Event ID 4625

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#240060 18-Aug-2018 12:59

I've got multiple Windows 2003, 2008, 2012 etc servers - on the internet. We do the normal hardening, change RDP ports, kill port 135 from external etc but still get truckloads of Windows Audit Failures - Event ID 4625 in the security logs. Microsoft doesn't have many native tools to deal with this and as a hardcore Linux user was missing iptables, fail2ban,rkhunter and a raft of other tools. So I went looking. I'm not adverse to spending money but am an open Source fan.

So ... I've been trying a couple of open sourced solutions to see how they go. Wanted to just tag them up here for others to look at:

Tweaking.Com - Remote Desktop IP Monitor & Blocker.

URL: https://www.tweaking.com/content/page/remote_desktop_ip_monitor_blocker.html

Watches ports and blocks them depending on rules.:

I've set this up to watch the RDP port and let me know if someone tries to connect / log on. I can see what addresses did log on and if i want send it to be blocked. It is a blunt little tool but it gives me comfort knowing what IP's have logged in via RDP.

IPBan: - Monitors failed logins and bans ip addresses on Windows, Linux and MAC. Highly configurable, lean and powerful.

URL: https://github.com/jjxtra/IPBan

Allows you to set up rules. I've got it set up to watch the Security logs on a windows server. If event 4625 (failed login) occurs it logs the failure. If an ip address does it too often it gets banned. You can also get banned using a log in name not on the whitelist. I invoked it on myself - a bit like cutting off the branch you are sitting on I know ) then used the secondary ip to re-log in again. Worked well for banning, unblocking, white listing and getting nasty on user names not in the white list.

It is setup as a service on my server.

The configuration is in a txt file and is xml based. It requires a bit of careful reading but if i can work it out (took 5 minutes) then any one can.

If it works for you remember to donate. The authors are worth supporting for giving such great tools.

Any other favourites out there?

1 | 2 | 3 | 4

1396 posts

Uber Geek
+1 received by user: 974

ID Verified

Trusted

#2075287 18-Aug-2018 13:14

fail2ban - Easy powershell script to add IPs to firewall triggered on failed logon event id.

iptables - Windows firewall / any firewall of choice.

rkhunter - Windows Defender / Any modern Antivirus with IPS.

Changing the RDP port and still leaving it exposed to the internet is like changing the type of door lock your house has but still leaving it unlocked. It's next to useless in security and I'm sure the likes of shodan.io has RDP listed against your servers.

Having remote management exposed to the internet is a stupid idea which is just asking to be exploited on any OS. 2003 is a 15 year old operating system that's end of life and stopped receiving security updates over 3 years ago, I would be treating any 2003 box that's exposed to the internet as infected as there are multiple exploits available that have not been patched.

<#
.DISCLAIMER
Anything I post is my own and not the views of my past/present/future employer.
#>

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#2075617 19-Aug-2018 10:33

Yup, exposing RDP to the internet is just plain silly. Use a VPN or a VPN Portal. Even better a portal with 2FA. Even better if you have a firewall with Geo-IP based rules (that stops a whole lot of bad stuff real quick).

amanzi

Amanzi
1354 posts

Uber Geek
+1 received by user: 332

ID Verified

Trusted

Lifetime subscriber

#2075708 19-Aug-2018 12:05

nunz: I've got multiple Windows 2003, 2008, 2012 etc servers - on the internet.

I'm really interested to hear the use-case here.

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#2078734 24-Aug-2018 20:14

Andib:

fail2ban - Easy powershell script to add IPs to firewall triggered on failed logon event id.

iptables - Windows firewall / any firewall of choice.

rkhunter - Windows Defender / Any modern Antivirus with IPS.

Changing the RDP port and still leaving it exposed to the internet is like changing the type of door lock your house has but still leaving it unlocked. It's next to useless in security and I'm sure the likes of shodan.io has RDP listed against your servers.

Having remote management exposed to the internet is a stupid idea which is just asking to be exploited on any OS. 2003 is a 15 year old operating system that's end of life and stopped receiving security updates over 3 years ago, I would be treating any 2003 box that's exposed to the internet as infected as there are multiple exploits available that have not been patched.

Having server 2003 directly exposed on the internet is your idea not mine. Just because I didn't list the firewall tables rules etc - when listing a couple of tools I found helpful to check things haven't wiggled past my defences - doesn't mean I haven't done it.

The 2003 requires going through two proxies / firewalls with heavy rules to get there, the only directly exposed one is a public mail server. However assuming that my defences are not breached would be an assumption I don't want to make.

Instead of gobbing on the post - how about getting into the spirit of it and actually providing some positive examples of good tools that might help others.

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#2078939 25-Aug-2018 11:28

amanzi:
nunz: I've got multiple Windows 2003, 2008, 2012 etc servers - on the internet.
I'm really interested to hear the use-case here.

Gave a really good full answer - blooming cloudflare blocking posting answer. Arrrgghh!!!

and now the copy is gone - it lets me put this simple answer through.

In short:

Server 2012. On internet direct as is a mail, webweb, chat, caldav, webdav server. RDP moved. IP blocks on rdp to 2 locations, uptime robot (https://uptimerobot.com/) scanning all ports / services that are meant to be active. Cant get it behind vpn or similar by the nature of the services offered. The tools mentioned above make it easier to see intrusion attempts and block them - similar to fail2ban. Linux grep with its ability to grep logs, ufw, iptables output makes logging easier than waiting eons for windows logs to populate, filter and sort themselves. Heaven help clients who misauthenticate too many times. need me to get them access again. rules are x failures in 5 minutes = 5 minute ban. Kills most script kiddie attempts. Trip that rule 3 x in 24 hours nad 7 day ban. 3 seven day bans = lifetime ban. all scriptable using the softwar ementioned above.

server2003 - hidden behind a firewalll and proxie limiting who can access it. Required for old SAP which didn't survive upgrade to windows 2008. client doesn't see paying hundreds of dollars per month for something trhey already purchased makes sense.

Server 2003 virtual instances of several server 2003 boxes backed up at block level for disaster recovery. Cant hide them behind proxies etc - so services turned off and firewall rules put in place. however they are mostly left turned off but when on want better logging to proactively detect script kiddies and other annoyances. Mostly legacy software that doesn't survive upgrades.

Server 2008, server 2012, windows boxes behind firewalls and with limiting rules in place. however some need to be rdp accessed from road warriors so lots of logging and proactive ideal to get ahead of attempts to break in. RDP moved to different ports and security protocols in place but the servers are still accessible so prefer to log just in case people get past the defenses.

Windows xp machines - need remote access. Embedded XP running mitsubishi laster cutters, XP used for serial based DOS software that didn't survive upgrade to windows 7 or higher. Heavily locked down via front end firewall but need to be checked in case people get past systems.

Inter office vpn using open vpn and fritzbox vpn - but as new hacks are always being discovered prefer to have a few trip wires and alarms left behind just in case.

There are lots of cases where clients must have stuff exposed. A VPN is sometimes a good start but it is itself an open port and hackable or open to try hards attempting to get in. Monitor and block.

linux iptables, ufw, logs with greppable output make checking all these things easier. Simple scripts like unBanIP.sh <internet address> make management easier. Harder to implement on windows boxes.

I like linux as if people try to log into ssh, web servcies, ldap etc using certain user names can kill them instantly. Much harder to do under Windows.

Basically: Hardened security is one thing. But if you aren't monitoring it then it is like backups you haven't checked. it will bite you. The tools above make monitoring and proactive actions much easier.

MadEngineer

4591 posts

Uber Geek
+1 received by user: 2570

Trusted

#2078946 25-Aug-2018 11:45

Oh God

You're not on Atlantis anymore, Duncan Idaho.

Geekzone

Want to support Geekzone and browse the site without the ads? Subscribe to Geekzone now (monthly, annual and lifetime options).

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#2078950 25-Aug-2018 11:55

Andib:

f...

Changing the RDP port and still leaving it exposed to the internet is like changing the type of door lock your house has but still leaving it unlocked. It's next to useless in security and I'm sure the likes of shodan.io has RDP listed against your servers....

shodan.io has only one of my servers in it, the main public mail server. The main internet facing server doesn't show rdp ... so nope - RDP not showing anywhere.

Like i said - we do good work and haven't been breached once in 20 years. It did pick up the deficient huawei router from Spark Business at one location. As have fed back to spark their port forwarding and rules section leaves something to be desired and fails in certain situations. In this case responding on the web management interface. Should be fun for who ever tries to access it as it is pointed at a linux firewall behind it doesn't show.

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#2078953 25-Aug-2018 11:59

MadEngineer: Oh God

?? you seem to have me confused with The Deity. Close resemblance but no where near as potent,present or knowledgeable. you'll have to give me a clue to guess what you mean.

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#2078973 25-Aug-2018 13:05

Why do you think having RDP "behind a firewall" makes any difference?

And if your VPNs are "hackable" then you're doing it wrong.

I could tell you what he mean't by oh god... but I think the language might be inappropriate :D

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#2078981 25-Aug-2018 13:26

vulcannz:

Why do you think having RDP "behind a firewall" makes any difference?

And if your VPNs are "hackable" then you're doing it wrong.

I could tell you what he mean't by oh god... but I think the language might be inappropriate :D

Having RDP behind a firewall means i have all the fancy stuff a firewall offers to allow more control. It lets me allow only certain ip addresses access, before they get to the server and deal with the windows firewall. by the time you get to the windows firewall you are already at the server - a frewall stops that early. It allows me to setup VPN - Linux allows openvpn, ssh tunneling and a raft of other options to wrap around any connection before you get to the server. Logging on a dedicated firewall is much better than on a windows or other type of machine. Access to black lists and auto updates can happen on a firewall. There are a raft of reasons to use a firewall in front of the RDP.

VPNS require access to a port. DOS, DDOS, Portfail, IKE hacking, and a raft of other man in the middle exploits can be used against a vpn. similarly if someone gets access to a users systems they can exploit the vpn as many folks use it is an open door way assuming that if you got in you must be a valid user. Any open port is an increase in your attack surface. VPNS are as hackable as any other port. They are a service offered through a port, run by software created by fallible human beings.

Firewalls also allow better management of wireless access points. Many WAPs are directly on the router, so once you are into a wireless access point you are on the network. Checking the MAC of people accessing your WAP means you can kill wrong connections dead before they get to try out RDP or other services.

Security is a layered approach. Microsofts instructions dont offer a lot of help with RDP other than the advice to use a proxy (thus a firewall or similar is useful) using the security certificates and forcing certain levels of client level and encryption levels.

Some of my clients are in extremely bad areas from a security perspective. A pre-connction to a firewall allows them access to services from countries I wont mention. The packets are then rerouted from there to a hidden server for secure comms. Any one interested in what is at the end of my clients connections can not see what services are available as I have locked the end server to only respond to valid and authenticated connections from the firewall server. it reduces my attack surface to a single port while offering a variety of services.

Lastly - a firewall can go down or be laggy owing to a DDOS or DOS attack without compromising the activities of the server. Outside folks may experience delays or outages but the LAN based folks cant tell the difference as their server is not reeling from too much traffic. The RDP enabled server will show no adverse affects even if the firewall is bought to its knees. Not all users are external to the LAN. firewalls take the network security load off the server. Internal users might lose access to the internet but the main server is just fine.

As to trying to explain - if you cant do it without bad language then you probably ddont have a reasonable case to make.

It astounds me how often people on GZ take a positive post (e.g. saying someone has found something useful) and gob all over it. NZ has become a country full of knockers who take the piss but cant back up their statements with any form of valid argument or discussion skills.

gbwelly

1263 posts

Uber Geek
+1 received by user: 776

#2079007 25-Aug-2018 14:22

People are giving you a hard time because you a solving a problem you could have avoided in the first place if you had done it right.

You already have server 2012, look into the following roles: NPS, WAP, Remote Desktop Gateway. You could then have RDP via SSL, port map only port 443 through the firewall, and install MFA extension for NPS which would get you additional protection against brute force password guessing.

Lego

Shop now for Lego sets and other gifts (affiliate link).

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#2079046 25-Aug-2018 14:44

I know what a firewall does, more than you might consider.

My point is with RDP it is not usually a case of a DoS or DDoS attack, it is usually brute forcing from many IPs (that's how those attacks go these days, single IP attacks are rare). VPNs are not susceptible to attacks, you need to know the PSK and username and password. + the firewall/vpn device can deal with brute force attempts. If your firewall is lagging then you once again are doing it wrong.

and if people are getting into your WAP... that's a whole nuther thread ;) (here's a hint, it takes a minute or two to find a valid mac address and spoof it).

You are overcomplicating things. That in itself makes you more likely to be hit. RDP over SSL as mentioned above is a great solution, or a firewall with an SSL portal, or a plain old vpn with 2FA.

Some of this stuff costs a little more, but if you're spending a lot of time plugging the dyke with your finger then you might end up saving time and $$$ with some decent gear.

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#2079047 25-Aug-2018 14:50

gbwelly:

People are giving you a hard time because you a solving a problem you could have avoided in the first place if you had done it right.

You already have server 2012, look into the following roles: NPS, WAP, Remote Desktop Gateway. You could then have RDP via SSL, port map only port 443 through the firewall, and install MFA extension for NPS which would get you additional protection against brute force password guessing.

Didn't know any of the above change firewall rules interactively to stop hackers based on logged failures. can you tell me which one does? Remember I also have web, mail, caldav, webdav and chat ports open on the same server.

My Smartermail server is - a single 2012 server exposed to the internet to serve mail and webmail and activesync services. Adding NPS roles to it still doesn't get me firewall banning as far as I can see. Please correct me if I am wrong.

Also port 443 is tied up with smartermail services so wouldn't work for RDP as well. Using RDP with security certs and other policys makes as much sense as any.

Using the tools above gives me a greater range of options to deal with all sorts of cracking attempts and ban IPs.

Server 2003, server 2008, Windows XP don't have : NPS, WAP, Remote Desktop Gateway. so that's a no go for that option. however the tools suggested above do give some options.

But feel free to prove me wrong. Tell me how I can implement active firewall rules based on server logs, banning crackers etc - especially dipsticks using wrong user names to brute force stuff, using your tools on server 2003, 2008, 2012, Windows XP and Windows 7 / 10 machines.

Or is is possible, out of the goodness of my heart I decided to share info about a product i found useful but people here decide pissing on me is a much more positive thing to do.

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#2079048 25-Aug-2018 14:54

Nunz I guess from my point of view you can pay for stuff which would save you heaps of time. But if you are giving away your time I guess it doesn't compete.

nunz

1421 posts

Uber Geek
+1 received by user: 314
Inactive user

#2079050 25-Aug-2018 15:06

vulcannz:

I know what a firewall does, more than you might consider.

My point is with RDP it is not usually a case of a DoS or DDoS attack, it is usually brute forcing from many IPs (that's how those attacks go these days, single IP attacks are rare). VPNs are not susceptible to attacks, you need to know the PSK and username and password. + the firewall/vpn device can deal with brute force attempts. If your firewall is lagging then you once again are doing it wrong.

and if people are getting into your WAP... that's a whole nuther thread ;) (here's a hint, it takes a minute or two to find a valid mac address and spoof it).

You are overcomplicating things. That in itself makes you more likely to be hit. RDP over SSL as mentioned above is a great solution, or a firewall with an SSL portal, or a plain old vpn with 2FA.

Some of this stuff costs a little more, but if you're spending a lot of time plugging the dyke with your finger then you might end up saving time and $$$ with some decent gear.

Or i found a small tool, that makes adding auto rules for hacking attempts easy. and shared it. Doesn't mean it is the end all and be all of everything. This was never a primer on how i do things it was a tool i found to deal with a small problem that was useful and shared. End of story.

Yes - spoofing a mac is easy. I was wardriving before most IT guys were born and cracking before there was an internet (started apple iie). Have demonstrated those techniques. But adding one more layer of complexity reduces the numbers of those able to take the next step. Lots of script kiddies can run JohnTheRipper or Aircrack etc but less can spoof a mac and of those that can then less can take the next step etc etc etc. Layers.

The RDP and other port mess we see ARE from single IP addresses. They are script kiddies having a crack. Banning their IP address removes that annoyance and the tool shared makes it simple to weed those pests out.

Its the same with our websites. Lots of script kiddies trying to brute force passwords and log ins. Those that find an admin portal get logged. Those that use root or admin or other user names get instant bans. Those that fail login 3 times get timed out then, after 3 strikes, banned.

Simple tools to deal with the mess. Those that get past the basics and get inside then get hit with tripwire, fail2ban, sudo logs, file change watchers, unprivileged user access on all apps and all sites, jailed root / user access where applicable. They get logged, dropped and we get notified.

20 years. No hacked sites bar two we bought in from outside sources. We put them on their own VPS and went to work fixing them before letting onto our main servers. They got shot to hell and gone before we fixed them - now no problems. however they were no problems to us as we took the proper precautions and kept them in isolation until sorted.

The tool above is a simple way to deal with a simple problem. it requires beggar all setup and is handy to know about. Knowledge is power. Pissing on people trying to share something they found helpful is just plain old fashioned rude and a bad look. Judging what you dont know is ignorance.

1 | 2 | 3 | 4