A typical hacker will try to force their way into your server by trying to log in using the administrator account or a known user account. Usually they use some form of script that tries random or commonly used passwords. If your passwords are complex it’s hopefully a futile attempt on their part, but can you vouch for all of your user passwords? Also, if the attack is severe enough, a large number of failed login requests can put a heavy load on your server.
The worst thing of all is not even knowing whether someone is trying to hack into your server in the first place. This article takes you through a free solution: how to detect if someone is trying to break into your server, how you can be alerted to the fact and, most importantly, how to stop them from continuing their hack attempt.
Failed Login Detection
Using the Event Viewer we can look for any failed attempts at logging in to our server. Let’s have a look and see if anyone has tried to log in to our server with invalid credentials:
- Open up the Event Viewer from Start->Administrative Tools->Event Viewer
- Expand Windows Logs and click on Security
- On the right hand side of the Event Viewer window click on Filter Current Log
- You will now see the Filter Current Log window. From the Keywords drop down select Audit Failure and click on OK
- In the Event Viewer window you may see a list of Audit Failures.
If you’re lucky enough to have an empty list, why not try using Remote Desktop to log in to your server using the wrong password for the administrator account and then refresh the Event Viewer window.
- If you have quite a few entries you are probably feeling quite nervous right now. It’s okay, we’re going to get this under control.
Select the first Audit Failure in your list and let’s have a look at the details for the event.
From the example above we can see a few important pieces of information:
- This is a failed attempt at logging in to the server
- The username the hacker is trying to break in with is Administrator
- The IP address of the hacker is 18.104.22.168
(Just out of interest this is a real hack attempt from one of the event logs from one of my web servers)
- The great thing about this Event Log entry is that it tells us the IP address of the hacker so we can go ahead and block all access from that IP to our server.
- If the Event Log entry doesn’t have an IP Address we are going to need to do some more work before we can block them. Have a look at the article Determining A Hackers IP Address.
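The same check can be scripted rather than clicked through. The following is an added example, not part of the original article: it pulls the account name and source IP out of failed-logon events and counts failures per address, skipping entries that carry no IP. It assumes the standard Windows failed-logon event (ID 4625) with its TargetUserName and IpAddress fields; the function names, the threshold and the sample events are constructed for illustration.

```powershell
# Added example: summarise failed logons per source IP.
# Assumes event ID 4625 and its TargetUserName / IpAddress data fields.
function ConvertFrom-FailedLogonXml {
    param([string[]]$EventXml)
    foreach ($x in $EventXml) {
        $fields = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{ User = $fields['TargetUserName']; SourceIp = $fields['IpAddress'] }
    }
}

function Get-FailedLogonSummary {
    param([string[]]$EventXml, [int]$Threshold = 3)   # threshold is an illustrative choice
    ConvertFrom-FailedLogonXml $EventXml |
        Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |   # some entries have no IP
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp = $_.Name
                Failures = $_.Count
                Accounts = ($_.Group.User | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample events (documentation IP ranges, not from a real log).
function New-SampleEventXml([string]$User, [string]$Ip) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID></System>" +
    "<EventData><Data Name='TargetUserName'>$User</Data><Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}
$sample = @(
    New-SampleEventXml 'Administrator' '203.0.113.10'
    New-SampleEventXml 'Administrator' '203.0.113.10'
    New-SampleEventXml 'Administrator' '203.0.113.10'
    New-SampleEventXml 'guest'         '203.0.113.10'
    New-SampleEventXml 'jsmith'        '198.51.100.7'
    New-SampleEventXml 'Administrator' '-'
)
Get-FailedLogonSummary -EventXml $sample

# Live use on the server, from an elevated prompt:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
#            ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -EventXml $xml
```

A single failure from an address, like the jsmith entry in the sample, is usually a mistyped password; the threshold keeps those out of the list so only repeated failures from one address stand out.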
Failed Login Notification
- The Event Log is great at telling us when someone tried to break into our server but what we need to know is when it’s actually happening not after the fact. To help us with this we are going to set up our server to send us an email whenever there is a failed login attempt on our server. To do this we are going to use the Task Scheduler.
- However, the first thing we are going to need is a way for our server to send us an email. The Task Scheduler does include the option to send an email but it requires a lot of setup and a local email server that supports Windows authentication. An alternative to this is to use a command line utility to send the email. I like to use BLAT which is lightweight and free. Download it and extract it into a folder at C:\Program Files\blat\. For the purpose of this article you should find the blat.exe located in the C:\Program Files\blat\full\ folder.
- To create a notification click on the Attach a Task To this Log action from the Event Viewer (make sure you are still looking at the security log)
- You will now see the Create Basic Task Wizard. Give the Task a meaningful name, something like Audit Logon Failure and click on Next
- You should see the Log type as Security. Click on Next again.
- Make sure Start a program is selected and click on Next again.
- In the Program/script box click on Browse and select the blat.exe
- In the Add arguments box you will need to type in the following:
- -body "Audit Failure" -subject "Hack Attempt on SERVER" -f SENDEREMAIL -to YOUREMAIL -server EMAILSERVER
- make sure you don’t miss the single dash at the start
- replace the word SERVER with your server name
- replace the word SENDEREMAIL with the email you’d like to receive the notification from
- replace the word YOUREMAIL with your email address
- replace the word EMAILSERVER with the mail server you want to use to send the email. For example if you have an smtp server on your network then use this. See the Blat documentation/FAQ for more help
- Feel free to edit the body and subject to your own requirements
- Click on Next and tick the Open the Properties check box before clicking on Finish. Your final page of the wizard should look something like this:
- After clicking on Finish you will see your task properties. Click on the Triggers tab and click on the Edit button
- Under settings select Custom and click on New Event Filter
- Set the following on the Event Filter
- By Log: Security
- Keywords: Audit Failure
- Once your settings look like the following keep clicking on OK to close all of the Task windows.
- Each time someone tries to log in to your server with an invalid username or password you will be sent an email. One thing to note here is that if someone runs a login script against your server you may end up with a lot of emails in your inbox! A way around this would be to put a delay on the task by editing the trigger.
Blocking The Hacker
- The final and most important step is to actually block the hacker from your server completely. We can do this using the Windows Firewall.
- Click on Start->Administrative Tools->Windows Firewall with Advanced Security
- Select Inbound Rules and click on New Rule
- Select Custom and click on Next
- Make sure All Programs is selected and click on Next
- Make sure Protocol type is set to Any and click on Next
- Under Which remote IP Addresses does this rule apply to? select These IP addresses: and click on the Add button
- Type in the IP address of the hacker and click on the OK button
- If you have multiple addresses you want to block click on Add to add more.
- You can also block an entire range of IP Addresses from the Add window. This is great if you want to block an entire country from reaching your server, for example. (Search for Country IP list in your favourite search engine)
- Once you have added in your IP Addresses click on Next and then make sure you select Block the connection and click on Next
- Make sure Domain, Private and Public are all selected and click on Next
- Give your firewall rule a meaningful name, something like Hacker IP Block List and then click on Finish
- If you ever need to add any more IP addresses just edit this rule, click on the Scope tab and add them in.
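The block list can also be maintained from PowerShell. This is an added example, not part of the original article: it creates or extends the Hacker IP Block List rule and filters the candidate addresses first, so that a malformed entry or your own administration address never ends up in a block rule. It assumes the NetSecurity cmdlets (Windows Server 2012 or later) and an elevated prompt; the function names, the allow list and the sample addresses are hypothetical.

```powershell
# Added example: keep the "Hacker IP Block List" rule up to date.
# Assumes the NetSecurity module (Windows Server 2012 or later).
function Select-BlockableAddress {
    param([string[]]$Candidate, [string[]]$AllowList = @())
    foreach ($c in $Candidate) {
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($c, [ref]$ip)) { continue }  # e.g. '-' in the log
        if ($ip.ToString() -ne $c.Trim()) { continue }     # reject shorthand such as '1.2'
        if ([System.Net.IPAddress]::IsLoopback($ip)) { continue }
        if ($AllowList -contains $ip.ToString()) { continue }   # never block your own address
        $ip.ToString()
    }
}

function Add-BlockedAddress {
    param([string[]]$Address, [string]$RuleName = 'Hacker IP Block List')
    if (-not $Address) { return }                          # nothing valid to add
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Same settings as the wizard steps: inbound, all programs, any protocol, all profiles.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $Address | Out-Null
        return
    }
    # Merge with what the rule already holds so existing entries are kept.
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged  = (@($current) + $Address) | Where-Object { $_ -ne 'Any' } | Sort-Object -Unique
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
}

# Constructed input: one offending address, the administrator's own address,
# and a log entry that carried no IP.
$candidates = '203.0.113.10', '198.51.100.7', '-'
$toBlock = Select-BlockableAddress -Candidate $candidates -AllowList '198.51.100.7'
$toBlock

# Run on the server, elevated, once the list has been reviewed:
# Add-BlockedAddress -Address $toBlock
```

Put the address you administer the server from in the allow list before running this, since a block rule that matches it would cut off your own Remote Desktop session.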
Your server will now alert you if anyone tries to break into your server. Once they do you can log in to your server, determine their IP address and add it to your block list.