MMJII (Guest)
Posted: Fri Jan 14, 2005 2:38 am
Post subject: How to stop suspected hackers activity?

Hello All,
I have a Win SBS 2003 server that is on a dlink router. The server is
accessed via ipsec vpn for RDP.
In the event log I am noticing Security logon/logoff failure (event 529)
due to bad username or password on the Administrator acct.
I don't have the server in the DMZ on the router, and the OWA is set up for
access on the ip address of the vpn, i.e. 192.168.20.20
The event msg says
Logon type 3
Logon Process: NtLmSsp
Authentication Package NTLM
Source network Address 151.196.62.240
I am wondering how someone can access this server from the internet when I
do not have the server in the DMZ zone?
I have the server internal (nat ip) address in the router as a "virtual
service" which will allow outside users to access the server's services, but
again this access is with a vpn connection.
When I try to access the server with the real ip address that is assigned to
the wan port of the router I get You are not authorized to view this page
HTTP error 403.6, so I was under the impression that I was pretty safe.
Any ideas are GREATLY APPRECIATED!!!!
Thanks
MMJII

Roger Abell (Guest)
Posted: Sun Jan 16, 2005 2:26 am
Post subject: Re: How to stop suspected hackers activity?

I believe you need to reexamine how you have things defined
in the router. It appears that first obtaining a VPN connection
is not being required in order to get to the server.
> When I try to access the server with the real ip address that is assigned to
> the wan port of the router I get You are not authorized to view this page
> HTTP error 403.6, so I was under the impression that I was pretty safe.
seems to confirm this, since one should be getting a server not
found error in the client browser, not a message from the webserver.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"MMJII" <m@a.com> wrote in message
news:uZEG5$a%23EHA.3368@TK2MSFTNGP15.phx.gbl...
> Hello All,
> I have a Win SBS 2003 server that is on a dlink router. The server is
> accessed via ipsec vpn for RDP.
> In the event log I am noticing Security logon/logoff failure (event 529)
> due to bad username or password on the Administrator acct.
> I don't have the server in the DMZ on the router, and the OWA is set up for
> access on the ip address of the vpn, i.e. 192.168.20.20
> The event msg says
> Logon type 3
> Logon Process: NtLmSsp
> Authentication Package NTLM
> Source network Address 151.196.62.240
> I am wondering how someone can access this server from the internet when I
> do not have the server in the DMZ zone?
> I have the server internal (nat ip) address in the router as a "virtual
> service" which will allow outside users to access the server's services, but
> again this access is with a vpn connection.
> When I try to access the server with the real ip address that is assigned to
> the wan port of the router I get You are not authorized to view this page
> HTTP error 403.6, so I was under the impression that I was pretty safe.
> Any ideas are GREATLY APPRECIATED!!!!
> Thanks
> MMJII
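
An added example, not part of either post: a triage script that reads exported event 529 records and counts failed network logons (type 3) whose source address lies outside the private ranges, which is the condition the reply above points to (the server being reachable without the VPN). The sample records are constructed; only 151.196.62.240 comes from the thread, and treating RFC 1918 ranges as "inside" is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Assumption: RFC 1918 plus loopback count as inside (covers 192.168.20.x).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of event 529 descriptions exported as text, one blank
# line between records. Only 151.196.62.240 is taken from the thread.
RECORD = ("Logon Failure:\n\tReason:\tUnknown user name or bad password\n"
          "\tUser Name:\t{user}\n\tLogon Type:\t{ltype}\n"
          "\tLogon Process:\tNtLmSsp\n\tAuthentication Package:\tNTLM\n"
          "\tSource Network Address:\t{src}\n")
SAMPLE = "\n".join(RECORD.format(user=u, ltype=t, src=s) for u, t, s in [
    ("Administrator", 3, "151.196.62.240"),
    ("Administrator", 3, "151.196.62.240"),
    ("Administrator", 3, "192.168.20.31"),  # constructed VPN-side client
    ("admin", 3, "198.51.100.7"),           # constructed, documentation range
    ("Administrator", 2, "-"),              # constructed console logon, no address
])

def parse_events(text):
    """Split the export on blank lines; return one {field: value} dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return events

def is_external(addr):
    """True only for a parseable address outside every internal range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # "-" or empty: the event carried no source address
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def external_network_failures(text):
    """Count failed network logons (type 3) per (source, user) from outside."""
    hits = Counter()
    for ev in parse_events(text):
        src = ev.get("Source Network Address", "")
        if ev.get("Logon Type") == "3" and is_external(src):
            hits[(src, ev.get("User Name", "?"))] += 1
    return hits

if __name__ == "__main__":
    for (src, user), n in external_network_failures(SAMPLE).most_common():
        print(f"{n} failed type-3 logons for {user!r} from {src}")
```

Any non-empty result means authentication traffic is reaching the server from addresses that cannot be VPN clients, so the router's forwarding rules are the place to look.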