Is someone trying to "hack" my Windows Home Server? *Screenshot*



Hi All,

I was playing a bit of TF2 tonight when my internet suddenly died and I noticed the lights on my second router flashing like mad; the only thing connected to this router is my Windows Home Server. After disconnecting the server the internet came back up.

I checked the logs and noticed a few unsuccessful login attempts around the time I was disconnected.

[screenshot of the failed login attempts in the server log]

Does this look like someone trying to "hack" my server? Maybe I killed them too much on TF2?

Any opinions would be great!

Cheers


Nah, I hardly use my home internet connection for anything other than gaming and hosting this server.

It's the same IP address every time; I've now disabled the administrator account as a precaution and am using a backdoor account instead.

What's the best way to block their IP address from even attempting to log in?

Cheers


I'd just use a non-standard port. I do this for SSH and RDP. Rather than using port 22 or 3389 I'll forward something like 2222 to 22 and 3333 to 3389. This generally helps.


Been noticing Chinese IPs hitting one of my routers at various times according to the log. They end up putting wifi enabled.

I don't have a standard UID/pass on it either, and doubt it's a reset as the UID/pass is unchanged; they are probably just farming for computers looking for gov stuff, as it's unlikely they want to see my movie/game collection.


Why would you have Remote Desktop open to the public internet?? Logon type 10 is clearly a remote interactive login attempt, i.e. Remote Desktop.

Why in the world would you have that open to the public?? If you're going to do such a thing then DUH, it's going to see traffic. It's not actually a security method, but yeah, if you want to cut down on the noise in your log, use a non-standard port if wherever you access it from has other than standard ports open. This can be an issue with using non-standard ports for services. But sure, it should cut down on the noise.

I would suggest you not have the service open to the public at all; why don't you require a VPN into your network before you can Remote Desktop to machine(s)?

As also mentioned -- just block all IPs to those ports that do not need access, or at least block the countries you are sure you don't need access from. iblocklist provides free lists you can use for IPs to block. http://www.iblocklist.com/lists.php

BTW - it sure ain't China from that IP:

inetnum: 93.191.37.0 - 93.191.37.63
netname: EACS-NET1
descr: EACS Limited
country: GB
person: Carl Foreman
address: Ping Networks Ltd
address: 145 - 147 St Johns Street
address: London EC1V 4PY
phone: +44 (0)845 643 1788

Why don't you call them up and bitch ;)

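An added example (not from the thread, and not anything WHS ships) of what the posters recommend: summarising logon type 10 failures by source address from the Security log and blocking repeat offenders with a firewall rule. It assumes a Vista/2008-or-later event log (event ID 4625) and an elevated PowerShell session; the threshold, rule names and VPN address range are constructed values.

```powershell
# Added example: count failed remote-interactive (logon type 10) logons per source
# address and block addresses that exceed a threshold. Event ID 4625 is the
# Vista/2008+ "An account failed to log on" event; thresholds and names are constructed.
param(
    [int]$Threshold = 5,   # failed attempts before an address is blocked
    [int]$Hours     = 24   # how far back in the log to look
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

# Pull LogonType, TargetUserName and IpAddress out of each event's XML payload
$failed = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Keep only RDP-style logons that carry an IPv4 source (local/console logons show '-')
    if ($data.LogonType -eq '10' -and $data.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$') {
        [pscustomobject]@{ Time = $e.TimeCreated; User = $data.TargetUserName; Ip = $data.IpAddress }
    }
}

# Group by source address; anything at or over the threshold is a blocking candidate
$offenders = $failed | Group-Object Ip | Where-Object { $_.Count -ge $Threshold } |
             Sort-Object Count -Descending
$offenders | Select-Object Name, Count | Format-Table -AutoSize

foreach ($o in $offenders) {
    $rule = "Block RDP brute force $($o.Name)"
    # Skip addresses that already have a rule (show rule prints 'Rule Name:' when one exists)
    if (-not (netsh advfirewall firewall show rule name="$rule" | Select-String 'Rule Name')) {
        netsh advfirewall firewall add rule name="$rule" dir=in action=block `
              protocol=TCP localport=3389 remoteip=$($o.Name)
    }
}

# Tighter option matching the VPN-first advice: with the router's port forward removed,
# allow 3389 only from the VPN client range (10.8.0.0/24 is a constructed placeholder)
# and rely on the firewall's default inbound block for everything else.
# netsh advfirewall firewall add rule name="RDP from VPN only" dir=in action=allow `
#       protocol=TCP localport=3389 remoteip=10.8.0.0/24
```

Run it on a schedule to keep the list current; because Windows Firewall evaluates block rules before allow rules, a block rule added here wins over any broader RDP allow rule already present.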

I think you're safe. This is what hacking looks like.

One more reason to hate that show. That is just absurd. Offensive even.


Really? You are that disturbed by a TV show?

"Disturbed" might be the wrong word, but how can you not consider that piece of footage to be a mockery of the IT world? It's not the 90s anymore; people are generally savvy enough to know that two people on one keyboard is ridiculous, as well as the idea of hacking being masses of windows appearing and disappearing as the hacker copies the files. Yes, it may be just a TV show (and a bad one at that, but that's just my opinion) but they could still try to keep it slightly realistic.

Here's another one:


That's default on WHS I believe. You can RDP in from over the web.

You would have to open up those ports on your router (firewall) to allow that -- why would anyone do that? But yeah, if you have services like this open to the public net, then they are going to see traffic. Yes, I agree that out-of-the-box services are going to be listening; it would be the job of the admin of the box to correctly secure those.

Normally if you're behind a NAT router, which I have to assume this user is, he would have to open the port to forward it to the server, or he put the server in the DMZ?

Fire up an SSH or FTP server and it's actually funny how many login attempts you see to them. Which is why you normally lock those down to only be accessed from IPs that should have access, or with a very secure login method -- i.e. with SSH require public key auth, so you cannot even log in with just a username and password. You require a cert, and then again, to keep logs cleaner, you block IPs that bang their heads against your server.


> You would have to open up those ports on your router (firewall) to allow that -- why would anyone do that? But yeah, if you have services like this open to the public net, then they are going to see traffic. Yes, I agree that out-of-the-box services are going to be listening; it would be the job of the admin of the box to correctly secure those.
>
> Normally if you're behind a NAT router, which I have to assume this user is, he would have to open the port to forward it to the server, or he put the server in the DMZ?
>
> Fire up an SSH or FTP server and it's actually funny how many login attempts you see to them. Which is why you normally lock those down to only be accessed from IPs that should have access, or with a very secure login method -- i.e. with SSH require public key auth, so you cannot even log in with just a username and password. You require a cert, and then again, to keep logs cleaner, you block IPs that bang their heads against your server.

WHS uses UPnP to open up whatever ports it needs.

That means that on most consumer-class routers, a WHS device would be able to forward its ports without user intervention.

You are required to manually enable RDP on clients, however. WHS doesn't do that for you.


"That means that on most consumer-class routers,"

Which routers have UPnP enabled out of the box? Most companies changed their default for this from enabled to disabled many, many years ago, because it's a huge security risk.

If that is the case with WHS, I would have to check on this -- what flavor of WHS, 2011? That it would open up Remote Desktop through your router without saying boo to the person setting it up would have to be on my top 10 list of most asinine things to do!!

UPnP has its uses, and I can see why a user might enable it -- but to have it open without any restrictions, or even understanding what ports could be opened, is just asking for it.

I have recently opened it up myself, but I have limited it to only one IP that can make requests (my son's PS3), which gets assigned its IP via DHCP reservation. It is also limited in what ports it can open and can only open them to its own IP. I also have an interface to see exactly what ports it opens, and any traffic that gets handled by the UPnP rules created is logged.

Comes down to the admin of the network -- was the OP unaware that port was open?? Fail in administration of his network. Was he aware the port was open and not aware of the security risks of opening up such a service to the public internet? Again, fail on the admin.

I just do not see a scenario where it's not a fail on the person owning/administering the server/network.

If you open up services to the public net, they will attract attention -- does not matter if you're some major corp network or just a home connection. You place common services like Remote Desktop, FTP, SSH, web etc. on the public net and it will be attempted to be compromised sooner rather than later, I can assure you of that.

Allowing any sort of access to your devices from the public net has risks; as the provider of such services you need to correctly address such risks and mitigate them as best you can. If you do not understand the risks or how to mitigate them then you need to ask someone who does, or just not allow the access, plain and simple.


Thanks for the advice guys, I have UPnP on on my router for my Xbox 360.

I did forward the default port for Remote Desktop on my firewall, but looking back I should have changed the default port for Remote Desktop first.

I have now set up a VPN connection to the server so I can connect to that, then Remote Desktop in :)

Since doing all that I've had no attempts to log in.


> I'd just use a non-standard port. I do this for SSH and RDP. Rather than using port 22 or 3389 I'll forward something like 2222 to 22 and 3333 to 3389. This generally helps.

Port scanners make this option merely a slight bump in the road... I always port scan before moving in; it's silly not to.


> Port scanners make this option merely a slight bump in the road... I always port scan before moving in; it's silly not to.

Despite port scanners making it easy to determine which ports are open, using a non-standard port still makes it more difficult to attack. For example, if I have port 22 open, it's most likely because I have an SSH server running. However, if I have port 3333 open, can you tell me automatically what is using it? It could be SSH, VPN, RDP, or something else entirely. Although running services on non-standard ports technically doesn't protect you, it's part of "security through obscurity".


> Despite port scanners making it easy to determine which ports are open, using a non-standard port still makes it more difficult to attack. For example, if I have port 22 open, it's most likely because I have an SSH server running. However, if I have port 3333 open, can you tell me automatically what is using it? It could be SSH, VPN, RDP, or something else entirely. Although running services on non-standard ports technically doesn't protect you, it's part of "security through obscurity".

Yes, I should be able to: it sends out a packet with certain headers and it will normally return what the port is allowing (nmap).


> Yes, I should be able to: it sends out a packet with certain headers and it will normally return what the port is allowing (nmap).

It is still essentially a guess. An educated guess, based on experience, but a guess nonetheless. Regardless, most, if not all, of the attacks against a personal network will be scripted. Since port scanning takes so much extra time (assuming you scan into the high-numbered ports), I'm guessing most script kiddies won't even bother. Assuming they do a port scan, running nmap on each unknown open port to guess which service is running on it would take even longer, and is therefore even less likely to be checked. As BudMan said earlier in this thread, putting services on non-standard ports does drastically decrease failed login attempts from unknown locations; that is a fact. However, you definitely have a point. Using non-standard ports is not really a security measure. For mid-to-large size corporations, who are more likely to be targeted specifically, it's probably not even worth the effort.


> It is still essentially a guess. An educated guess, based on experience, but a guess nonetheless. Regardless, most, if not all, of the attacks against a personal network will be scripted. Since port scanning takes so much extra time (assuming you scan into the high-numbered ports), I'm guessing most script kiddies won't even bother. Assuming they do a port scan, running nmap on each unknown open port to guess which service is running on it would take even longer, and is therefore even less likely to be checked. As BudMan said earlier in this thread, putting services on non-standard ports does drastically decrease failed login attempts from unknown locations; that is a fact. However, you definitely have a point. Using non-standard ports is not really a security measure. For mid-to-large size corporations, who are more likely to be targeted specifically, it's probably not even worth the effort.

Indeed, but I never use scripts. Though I am not that skilled at gaining entry, I am extremely skilled in information building, working network layouts, weak spots etc., but yeah, all I do is a quick scan of all the ports; it does not take that long. If people were smart they would turn off incoming SSH and just have it internal, especially if it's just a home server.


"Using non-standard ports is not really a security measure."

I wanted to QFT this!!!

But I agree it can reduce the amount of hits you see; as stated already, lots of the noise you will see once you place a service on the public net will be scripted, so if you're on a non-standard port you will normally see less traffic to your service.

But again -- this is NOT a security measure, it's just a way to keep your logs cleaner!!! You will more than likely still see traffic -- so you still have to be secure; it's just that you can remove the traffic from the BS scripts looking.
