If this was Linux there are scripts Fail2Ban for bad behaving clients.

I quick google search turned up this http://sourceforge.net/projects/qaaswall-window I have no clue of the efficacy of this software. But you are not the first person searching for this function.

The other way to stop this is by putting an IDS/IPS device between the server and the trouble making clients. Let the IPS system do the IP banning for you.

More options here: http://serverfault.com/questions/43360/cygwin-sshd-autoblock-failed-logins/43900#43900

https://github.com/EvanAnderson/ts_block

Thanks George.

I was hoping to find a GUI app if possible.

I'll take a look at what you've suggested.

Cheers,

I am wondering what firewall do they have in front of the windows servers? And if that firewall can stop these attacks from getting to the servers?

Josh_Cunning wrote:

I am wondering what firewall do they have in front of the windows servers? And if that firewall can stop these attacks from getting to the servers?

IMO: I standard firewall would not give him what he needs. A traditional firewall is either a go, no-go device based on its rules. What he needs is a pass-through device until a certain condition is reach then to block the offending address. This could be done with a traditional IPS/IDS system, that would monitor (externally) for authentication failures, then upon a certain threshold would craft a specific rule to block that address, either forever or for a certain amount of time. The IPS system typically would be installed between the server(s) and the clients trying to connect to them.

Thanks Geoge helping me get better understand. Networking isn't my strongest area of knowledge.

I think the better option is Tarpit/Teergrube.

http://en.wikipedia.org/wiki/Tarpit_(networking)

Have a look at his solution ?

http://www.syspeace.com

if you have a go, no go, device you need to upgrade your device period. Firewall is the answer.

Juffe wrote:

Have a look at his solution ?

http://www.syspeace.com

So, it's basically Fail2Ban for Windows? :)

We recently implemented Fail2Ban for our hosted @Mail server. The first couple of days, we were banning 30-50 IPs every day. (omg, right?) Now we're getting about 4-5 IP's per day. We're undecided on how we want to interpret those results entirely, but we feel is a serious step in the right direction.

FWIW, we set it to 5 failed attempts in an hour, ban for 24 hours. The size of our infrastructure and user base does not fluctuate much, so we don't feel this is going to impede anyone. We're actually contemplating if we should go with 5 failed attempts in 24 hours, ban for 24 hours. We're discussing where the line is between due diligence and overkill lol!

I'm with George on implementing an IPS system.

If you try to update the firewall manually to block these attacks the attacker can simply change their IP address (very easy with programs like TOR) and they are able to keep on attacking until you notice the new IP and block that one, and it just becomes a vicious cycle.

With an IPS system, you set the thresholds and the action the IPS should take, and the IPS will do the rest of the work, automatically blocking any IP addresses that meet your requirements. You can also set the IPS to send email notifications when it detects an attack, blocks a new IP address, etc. Take a look at Snort, it is a great free IPS solution that will run on Windows and UNIX/Linux based machines.

Yep :-) I guess you could call it fil2ban for Win . The upside is that there is also a GUI for it and it's a bit more granular whne it comes to rules and various settings and I like that it also gives me an email stating the DNS name, country of iorigin and what username was used so I can quickly see if it's a legitimate user or not being blocked nd can ct on it.

The dowonside to a lot of the scripts out there are tht they don't really provide that much info .

I also had a look at Snort ctually but for my needs syspeace does what I need it to

Juffe wrote:

Have a look at his solution ?

http://www.syspeace.com

I just installed this and it seems to be working great on Server 2008. I've emailed them to find out about multiple licenses.

Not to be a "killjoy" in this discussion but I have to inject my two cents regarding the very narrow focus that has been given to this one attack vector.

If you are seeing password attacks, what makes you think that ONLY password attacks are being perpetrated on these servers? You can bet that many other potential vulnerabilities are being probed and potentially exploited that are not showing up in Windows event logs as login failures.

Shaun8204 and John2956 , I don't know what your level of expertise is but do your clients a service and seek advice from a competent security professional who is able to receive all the confidential details about what you are trying to protect. Evaluate the client networks and do a risk analysis that will point to the appropriate compensating controls that are needed.

Focusing on closing one attack vector that is "noisy" may simply be a distraction from the real attacks that are very subtle and need more comprehensive monitoring agents than a product like Syspeace. Take a look at AlienVault 's OSSIM and Trend Micro's OSSEC. Both are open source, have community editions and are quite comprehensive. They are more complex and require time and effort to implement but are "industrial strength" products.

Just my two cents and no offense intended to all of the contributors who have proposed solutions.

I think you're absolutely right, DataDigger. Brute force blockers do not cover all of the security threats, but some. They should always be used in combination with host- or network-based firewalls and IDS/IPS solutions. Some information is available ONLY on the host system, like invalid logins. It's not a firewalls or network based IDS/IPS systems' job to track invalid logins, so it makes absolutely sense to install an on-host solution to cover this issue.

One problem of log analysis is that Remote Desktop does not log the client IP address to the Windows event log when using TLS/SSL and high encryption. We recommend Cyberarms IDDS to our clients, because unlike others, this brute force blocker is able to cover this issue. Have a look at http://cyberarms.net, there is also a timely unlimited free edition

Ipban for Windows is free. Just Google it.

http://www.digitalruby.com/securing-your-windows-dedicated-server