I had my server under 2 firewalls. One from my router and one from my Windows server. Only the VPN port was accessible. Recently I was getting failed login attempts daily with changing usernames from svchost.exe. I thought it was just a scheduled task failing to execute as it had no IP details. IAS is not set up but it says the process ID is IAS. Digging deep for analysis, I found failed login attempts from an IP which is marked malicious on multiple websites. Its location is Russia, and it is surely a brute-force attack. I want to know which port is being used and how requests are being sent, as only local IP addresses are allowed to connect to the server. No port is given.
- Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Swisstone Mar 15 '20 at 11:26
- No, my server is not compromised. It is under brute force. – Bhavya Gupta Mar 15 '20 at 11:43
- If your VPN uses NPS for its authentication, then this is an attack against the VPN. As the VPN port is open to the world, that would be normal. You could add some GeoIP based restrictions, and make sure you only use strong passwords. – Esa Jokinen Mar 15 '20 at 12:17
- I cannot find a native solution for geo-blocking. Do you have one? – Bhavya Gupta Mar 15 '20 at 12:38
- I don't think that there are native ways to do this; you'll have to utilize a third-party product to do that. The GeoIP information is not really relevant in this case, you'll want to block anyone who is logging on with a wrong password from the same IP multiple times - you should find that IP in the IAS logs? I found an article that loosely relates to what you are experiencing - not 100% sure if you can adapt it? https://www.eventsentry.com/blog/2017/12/securing-exchange-server-owa-activesync-proactive-security-with-eventsentry.html – Lucky Luke Mar 15 '20 at 18:12
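The last comment suggests blocking any address that repeatedly fails a logon rather than geo-blocking. The PowerShell below is an added example of that approach and is not from any of the commenters or from the linked article. It reads Security event 4625 (failed logon) on the server, counts attempts per source address within a window, excludes private ranges so the LAN clients the asker allows are never blocked, and adds the offenders to a single inbound Windows Firewall block rule. The threshold, window, rule name and the `-Enforce` switch are choices made here; the sample records at the bottom are constructed so the grouping logic can be exercised without a live log. Note that 4625 events generated for RADIUS/NPS-mediated VPN authentication often carry `-` in the IpAddress field, which is what the asker saw; those records are skipped, and for NPS the remote address is reported in the NPS audit events (6272/6273) instead, which this script does not parse.

```powershell
# Added example, not part of the original thread or the EventSentry article.
# Counts failed logons (Security event 4625) per source IP and blocks repeat offenders.

function Get-FailedLogonSources {
    param([int]$Hours = 24)   # assumed default window
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            IpAddress = $data['IpAddress']   # '-' when no network address was recorded
            LogonType = $data['LogonType']
        }
    }
}

function Get-RepeatOffenders {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 10,   # assumed: attempts per address before blocking
        # Private/loopback/link-local ranges are never blocked (the asker's allowed clients)
        [string]$ExcludePattern = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)'
    )
    $Events |
        Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' -and $_.IpAddress -notmatch $ExcludePattern } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                IpAddress = $_.Name
                Attempts  = $_.Count
                Users     = ($_.Group.User | Sort-Object -Unique) -join ','
                FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Attempts -Descending
}

function Block-RepeatOffenders {
    param(
        [Parameter(Mandatory)][string[]]$IpAddress,
        [string]$RuleName = 'Block brute-force sources',   # assumed rule name
        [switch]$Enforce                                    # without it, only report
    )
    if (-not $Enforce) {
        Write-Host "Would block (use -Enforce to apply): $($IpAddress -join ', ')"
        return
    }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # Merge with addresses already on the rule so earlier blocks are kept
        $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $merged = @($existing) + $IpAddress | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $IpAddress | Out-Null
    }
    Write-Host "Blocked: $($IpAddress -join ', ')"
}

# --- Constructed sample records (not real log data) to show the grouping logic ---
$now = Get-Date
$sample = @(
    foreach ($i in 1..12) {
        [pscustomobject]@{ Time = $now.AddMinutes(-$i); User = "user$i"; IpAddress = '203.0.113.45'; LogonType = 3 }
    }
    foreach ($i in 1..3)  {
        [pscustomobject]@{ Time = $now.AddMinutes(-$i); User = 'admin'; IpAddress = '198.51.100.7'; LogonType = 3 }
    }
    [pscustomobject]@{ Time = $now; User = 'alice'; IpAddress = '192.168.1.20'; LogonType = 2 }   # LAN, excluded
    [pscustomobject]@{ Time = $now; User = 'bob';   IpAddress = '-';            LogonType = 3 }   # no address, skipped
)
$offenders = Get-RepeatOffenders -Events $sample -Threshold 10
$offenders | Format-Table -AutoSize           # only 203.0.113.45 (12 attempts) qualifies
if ($offenders) { Block-RepeatOffenders -IpAddress $offenders.IpAddress }   # report only

# Live use on the server (run elevated), for example from a scheduled task:
# $live = Get-RepeatOffenders -Events (Get-FailedLogonSources -Hours 24) -Threshold 10
# if ($live) { Block-RepeatOffenders -IpAddress $live.IpAddress -Enforce }
```

The `-Enforce` switch keeps the default run read-only, so the output can be checked against the suspicious address before any rule is written; the exclusion pattern is the safeguard against locking out the LAN clients the asker relies on.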