Unknown IP address trying to log on to my web server

Super User Asked by Andrew Morton on December 13, 2021

I am getting a few hundred failed logon attempts every hour on my web server running on Windows. I can see that because I enabled auditing of failed logon attempts.

In Windows Event Viewer, the log entries do not show an IP address that I can block:

An account failed to log on.  
  
Subject:  
    Security ID:        NULL SID  
    Account Name:       -  
    Account Domain:     -  
    Logon ID:       0x0  
  
Logon Type:         3  
  
Account For Which Logon Failed:  
    Security ID:        NULL SID  
    Account Name:       administrator  
    Account Domain:       
  
Failure Information:  
    Failure Reason:     Unknown user name or bad password.  
    Status:         0xC000006D  
    Sub Status:     0xC000006A  
  
Process Information:  
    Caller Process ID:  0x0  
    Caller Process Name:    -  
  
Network Information:  
    Workstation Name:   -  
    Source Network Address: -  
    Source Port:        -  
  
Detailed Authentication Information:  
    Logon Process:      NtLmSsp   
    Authentication Package: NTLM  
    Transited Services: -  
    Package Name (NTLM only):   -  
    Key Length:     0  

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

How can I find out what IP address is trying to break into my server? How can I block these logon attempts?

One Answer

If you have remote desktop access to your server, you can use a tool like Wireshark to inspect the network traffic on that machine and track down the relevant data. For this answer, you will need GUI access.

To prepare, in Event Viewer open the "Audit Failure" section and double-click on the line with Event ID 4265. That will take you to the "Summary page events" page. As new failed login attempts happen, it will show something like "New events available" – click "Refresh" in the panel to the right to clear that notice.

Then start Wireshark. More sophisticated users may wish to write a capture filter; I just jump straight in. The blue shark fin button starts capturing packets.

To keep the amount of displayed information down, you can enter this in the "Display filter" of Wireshark:

ip.dst == a.b.c.d && ip.src != w.x.y.z

where a.b.c.d is the IP address of the computer being attacked and w.x.y.z is the IP address of the computer you are remoting in from.

When Event Viewer shows "New events available", click the stop button in Wireshark. This helps to narrow down what might otherwise be an overwhelming amount of data to sift through. You can always stop the capture, not save it, and start a new capture if the timing doesn't work out.

You are looking for a line in Wireshark like this where the source IP address is something you don't expect, and/or an Info that says something like "Client Hello":

No.     Time           Source                Destination           Protocol Length Info
   2020 4.152174       13.76.180.66          a.b.c.d               TLSv1.2  159    Client Hello

Select that line, then look in the pane below it to see more information about that frame, for example (with the sections collapsed):

Frame 2020: 159 bytes on wire (1272 bits), 159 bytes captured (1272 bits) on interface \Device\NPF_{4C6C62E6-3970-46FE-B369-3B0DF304B6E4}, id 0
Ethernet II, Src: [snip], Dst: [snip]
Internet Protocol Version 4, Src: 13.76.180.66, Dst: a.b.c.d
Transmission Control Protocol, Src Port: 33191, Dst Port: 5986, Seq: 1, Ack: 1, Len: 105
Transport Layer Security

Notice the Dst Port: 5986 part. A quick search for what uses port 5986 tells us that the attacker is trying to get into WinRM 2.0 over HTTPS (WinRM = Windows Remote Management, as far as I can guess). A look on a service like AbuseIPDB can confirm already-known sources of attacks. There is a "Windows Firewall with Advanced Security" rule for that already (named "WinRM HTTPS"), so you can make the appropriate changes to that to secure the server.

At this point, you might want to make the Wireshark display filter more specific, so you can add the port to it:

ip.dst == a.b.c.d && ip.src != w.x.y.z && tcp.port == 5986

and see the attacker failing.

The important point is to secure the WinRM access, remembering that there are legitimate uses for it so you don't want to block those.

Answered by Andrew Morton on December 13, 2021
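The event-side half of this can be done on the server itself. The following is an added PowerShell example, not part of the original answer: it tallies the last hour of Event ID 4625 failures by source address (showing why the NTLM attempts above come up as "-"), then narrows the firewall rule the answer names. It assumes the rule is called 'WinRM HTTPS' as stated in the answer, and w.x.y.z is a placeholder for your own management address.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell on the server.
# Assumptions: the inbound firewall rule is named 'WinRM HTTPS' as the answer says;
# w.x.y.z is a placeholder for the address you administer the server from.

$adminAddress = 'w.x.y.z'   # placeholder: your own remote-management address

# 1. Pull the last hour of failed logons (Event ID 4625) from the Security log.
$failures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# 2. Read the fields from the event XML by name rather than by positional index.
$rows = foreach ($event in $failures) {
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time      = $event.TimeCreated
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        AuthPkg   = $data['AuthenticationPackageName']
        SourceIP  = $data['IpAddress']     # '-' for the NTLM attempts shown in the question
    }
}

# 3. Count attempts per source address. A large '-' bucket means the event itself
#    does not identify the peer; that is when the packet capture in the answer is needed.
$rows | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'SourceIP'; e = { $_.Name } } |
    Format-Table -AutoSize

# 4. Keep WinRM over HTTPS (TCP 5986) reachable only from the management address,
#    instead of disabling the rule outright, so legitimate remote management still works.
Set-NetFirewallRule -DisplayName 'WinRM HTTPS' -RemoteAddress $adminAddress

# Optional: an explicit block for the address observed in the Wireshark capture.
# New-NetFirewallRule -DisplayName 'Block WinRM brute-force source' -Direction Inbound `
#     -Protocol TCP -LocalPort 5986 -RemoteAddress '13.76.180.66' -Action Block
```

Re-run the first three steps after tightening the rule; the per-address counts should drop to the entries coming from your own address.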
