Account Lockouts and Failed Login Attempts from Denmark?

reaser
Regular Member
Posts: 160
Joined: Mon May 14, 2007 4:14 pm


Post by reaser »

For the last few hours I have been getting notifications from one of my SBS2003 servers about an Account Lockout. I checked Event Viewer and found the failed security audits from IP address 80.199.117.133. Also Event ID: 20111 RemoteAccess:

A Demand Dial connection to the remote interface Small Business Broadband Connection on port PPPoE5-0 was successfully initiated but failed to complete successfully because of the following error: The remote computer did not respond. For further assistance, click More Info or search Help and Support Center for this error number.


I looked the IP up and found this:

inetnum: 80.199.117.128 - 80.199.117.255
netname: FORSVARETS-MEDIECENTER-NET
descr: Forsvarets Mediecenter
descr: Dannesk Samsoees Alle 1
descr: 1434
country: DK
admin-c: JC3860-RIPE
tech-c: JC3860-RIPE
status: ASSIGNED PA
mnt-by: TDK-MNT
source: RIPE # Filtered

person: Jan Carlsen
address: Forsvarets Mediecenter
address: Dannesk Samsoees Alle 1
address: 1434
address: DK
phone: +45 51171474
nic-hdl: JC3860-RIPE
mnt-by: TDK-MNT
source: RIPE # Filtered

% Information related to '80.196.0.0/14AS3292'

route: 80.196.0.0/14
descr: TDC Tele Danmark
origin: AS3292
remarks: +---------------------------------------+
remarks: | For abuse and security issues contact |
remarks: | csirt@csirt.dk, http://www.csirt.dk |
remarks: +---------------------------------------+
mnt-by: AS3292-MNT
source: RIPE # Filtered

I sent an email to the abuse address. What else can I do to stop these attempts, as well as find out who is making the attempts?
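
One way to see which sources are behind the failed audits, as an added example that is not part of the original thread: it groups failed logons by source address and flags bursts inside a time window. The pipe-separated export layout, the sample lines and the function names are assumptions made for the example; 529 (failed logon) and 644 (account locked out) are the Windows Server 2003 Security event IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "time | event id | account | source address".
# This layout is an assumption for the example, not a native Windows export.
SAMPLE_LOG = """\
2008-03-02 09:00:05 | 529 | administrator | 203.0.113.45
2008-03-02 09:00:09 | 529 | administrator | 203.0.113.45
2008-03-02 09:00:14 | 529 | admin | 203.0.113.45
2008-03-02 09:00:20 | 529 | backup | 203.0.113.45
2008-03-02 09:00:31 | 529 | administrator | 203.0.113.45
2008-03-02 09:00:32 | 644 | administrator | -
2008-03-02 09:05:10 | 529 | jsmith | 192.168.16.20
2008-03-02 09:41:02 | 529 | jsmith | 192.168.16.20
"""
FAILED_LOGON = 529  # Server 2003: unknown user name or bad password
LOCKED_OUT = 644    # Server 2003: user account locked out

def parse(log_text):
    """Yield (timestamp, event_id, account, source) for each well-formed line."""
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        yield ts, int(parts[1]), parts[2], parts[3]

def noisy_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each source with >= threshold failures in any window to the accounts it tried."""
    times, accounts = defaultdict(list), defaultdict(set)
    for ts, event_id, account, src in parse(log_text):
        if event_id == FAILED_LOGON:
            times[src].append(ts)
            accounts[src].add(account)
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted(accounts[src])
                break
    return flagged

def locked_accounts(log_text):
    """Accounts that hit the lockout threshold (event 644)."""
    return sorted({a for _, eid, a, _ in parse(log_text) if eid == LOCKED_OUT})
```

A single source cycling through several account names in seconds points to automated guessing, while an internal address with a couple of spaced-out failures is more likely a user mistyping a password.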
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

My first question would be...what ports are open/forwarded to the SBS box via your firewall?
MORNING WOOD Lumber Company
Guinness for Strength!!!

Post by reaser »

Looks like standard ports:

21
25
42
53
80
110
135
139
143
389
443
445
993
995
3389
5800
5900
6001

These results were found using LANguard Network Scan.

Post by YeOldeStonecat »

:eek:

What services need to be available on the public side?
All of my SBS setups only have
443
4125
and port 25 only to their SMTP smart host.

Post by reaser »

Aside from 443 and 4125, which are for RWW?, and 25, the only other thing needed is 5900 for remote connection as a backup to RWW. I occasionally use FTP but not often.

Post by YeOldeStonecat »

Is this server in the DMZ? Can you check your firewall to confirm if it is or not, or at least to confirm all the port forwardings? I'm blown away by all those ports..I mean...port 139...why would someone open/forward that port to a server..it's suicide!