Increase in frequency of security alerts on servers from attackers running brute-force password programs

Over the past few months I have seen a noticeable increase in the number of servers that I look after raising alerts because of large numbers of attempts to pass usernames and passwords to the server, in the vague hope of eventually hitting a combination that actually works.

Once a working username and password combination is found, the server is invariably used to send out vast amounts of spam, which ultimately leaves the innocent victim unable to send legitimate mail because the fixed IP address they use ends up listed on one or more blacklists.

One such server that I was called to had been handed about 380,000 spam emails to send out in a very short space of time. Identifying the compromised account and cleaning up the mess can be a tricky process, but with the right information to hand, an understanding of why this has happened, and optionally software such as Vamsoft ORF (which has excellent logging), the account being abused can quickly be identified and either disabled or given a new password, the queued spam removed, and the SMTP service restarted. Restarting the service alone is not enough: anything still sitting in the queue will go out as soon as it comes back up.
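The identification step above comes down to reading the logs for the account and source address the attacker is hammering. The following PowerShell script is an added example, not code from the original post or from Vamsoft ORF: it summarises failed (Event ID 4625) and successful (Event ID 4624) network logons from the Windows Security log, lists the source IPs guessing passwords and the accounts they target, and then answers the question that matters most, whether any of those IPs eventually logged on successfully. The look-back window, the failure threshold and the assumption that the attacker authenticates over the network (SMTP AUTH, OWA, RDP) are mine; run it in an elevated PowerShell on the affected server.

```powershell
# Added example (not from the original post): find the account a password-guessing
# attacker is hammering, and whether any guess succeeded, from the Security log.
# Assumptions: local Security log, network logons recorded as 4625 (failure) and
# 4624 (success), elevated PowerShell. Adjust the two parameters to taste.
param(
    [int]$Hours = 24,       # look-back window
    [int]$Threshold = 20    # failures from one IP before we call it an attack
)

$since = (Get-Date).AddHours(-$Hours)

# Field positions in .Properties differ between Windows versions, so read the
# EventData fields by name from the event XML instead.
function Get-LogonEvents {
    param([int]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                Domain    = $d['TargetDomainName']
                IpAddress = $d['IpAddress']
                LogonType = $d['LogonType']   # 8 = NetworkCleartext (basic auth such as SMTP AUTH), 10 = RDP, 3 = network
                Status    = $d['Status']      # 0xC000006D = bad user/password, 0xC0000234 = account locked out
            }
        }
}

$failed  = Get-LogonEvents -Id 4625 | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' }
$success = Get-LogonEvents -Id 4624 | Where-Object { $_.IpAddress -and $_.IpAddress -notin '-', '127.0.0.1', '::1' }

# 1. Source IPs that are guessing, and how many different usernames each one tried.
$attackers = $failed |
    Group-Object IpAddress |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Name
            Failures  = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ', '
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending

"=== Source IPs with at least $Threshold failed logons in the last $Hours h ==="
$attackers | Format-Table -AutoSize

# 2. The accounts being targeted most: these are the ones to lock or reset first.
"=== Most-targeted accounts ==="
$failed | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# 3. Did any attacking IP eventually get in? A 4624 from one of these addresses
#    after a run of 4625s is the compromised account the spam is being sent through.
"=== Successful logons from attacking IPs (likely compromised accounts) ==="
$attackerIps = @($attackers.IpAddress)
$success | Where-Object { $_.IpAddress -in $attackerIps } |
    Select-Object Time, User, IpAddress, LogonType | Sort-Object Time | Format-Table -AutoSize
```

The third table is the one to act on: disable or reset every account it lists, block the source addresses at the firewall, then clear the mail queue before restarting SMTP. If the server is behind a NAT device or a mail gateway that rewrites the source address, the IpAddress field will show the gateway rather than the attacker, and the firewall or gateway logs have to be consulted instead.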

What can you do to prevent such an attack from hitting your server?

Well, there are several preventative measures that you can take to reduce the risk:

1. Configure a password policy that requires complexity (uppercase letters, lowercase letters, numbers and special characters, e.g. !"£$%^&*()_+}{][#'@~?></.,).
2. Enforce a minimum password length. The longer the better; 7 or 8 characters is the bare minimum, and a longer passphrase resists brute force far better than complexity alone.
3. Force passwords to be changed regularly (every 30 to 60 days). Note that current guidance such as NIST SP 800-63B no longer recommends routine expiry where lockout, complexity and monitoring are in place, so treat this as the least important item on the list.
4. Enable account lockout after a low number of invalid login attempts (between 3 and 5) and keep the account locked for approximately 15 minutes to slow the attacker down. An automatic unlock after 15 minutes also limits the damage if an attacker deliberately tries to lock out your users.
5. Make sure your firewall only allows through the protocols that you actually need and closes off any others.
6. Regularly review your firewall settings to verify that every open port is still needed.
7. Make sure your firewall logs all access to your systems so that you can track down the source IP address that requests come from. The logs are invaluable in determining the source of multiple login attempts.
8. Before the firewall logs fill up or roll over, have them emailed to you or exported, and keep them somewhere safe off the server.
9. Set up alerts on the Security log so that you are notified of multiple invalid login attempts. The sooner you act, the less time the attacker has to probe your usernames and passwords.
10. Make sure you don't have an active account called Administrator on your server. If you do, create a new server admin account copied from the Administrator account, then disable the Administrator account: it is an obvious target and attackers try it almost every time. Renaming it is not enough on its own, because the built-in account keeps its well-known RID of 500 and can still be found by an attacker; disable it.
11. Regularly review your user accounts and either disable or delete the ones that are no longer needed.
12. Make sure that all your server user accounts are easily located in Active Directory, ideally in a single OU, so that you don't have to hunt around for accounts and cannot easily overlook an account sitting in an obscure OU that you never look at.
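Items 1 to 4 and 10 to 12 can all be applied from one script against an Active Directory domain. The following PowerShell is an added example, not code from the original post: it sets the default domain password and lockout policy, creates a replacement admin account from the built-in Administrator (found by its RID 500 SID rather than by name) and optionally disables the original, then reports inactive accounts and accounts living outside the expected OU. The ActiveDirectory module (RSAT), Domain Admin rights, the OU path, the replacement account name `srvadmin` and the 90-day inactivity cut-off are all assumptions to adjust for your own environment.

```powershell
# Added example (not from the original post): apply the password, lockout and
# account-hygiene items from the list above to an AD domain and report what is
# left to review. Assumes the ActiveDirectory module and Domain Admin rights.
param(
    [switch]$DisableBuiltinAdmin,            # only pass this once the replacement admin has been tested
    [string]$NewAdmin = 'srvadmin',          # assumption: name of the replacement admin account
    [int]$InactiveDays = 90                  # assumption: cut-off for "no longer needed"
)

Import-Module ActiveDirectory
$domain = Get-ADDomain
$userOu = "OU=Users,$($domain.DistinguishedName)"   # assumption: the single OU that should hold user accounts

# Items 1-4: complexity, minimum length, expiry and lockout on the default domain policy.
# Item 3 caveat: NIST SP 800-63B no longer recommends routine expiry when the other
# controls are in place; drop -MaxPasswordAge if your own policy allows it.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)   # must not exceed LockoutDuration

# Item 10: the built-in Administrator is RID 500 whatever it has been renamed to,
# so look it up by SID, clone its group memberships onto a new admin, then disable it.
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties MemberOf
if (-not (Get-ADUser -Filter "SamAccountName -eq '$NewAdmin'")) {
    $pw = Read-Host -AsSecureString "Password for the replacement admin account $NewAdmin"
    New-ADUser -Name $NewAdmin -SamAccountName $NewAdmin -Path $userOu `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $false
    foreach ($group in $builtin.MemberOf) { Add-ADGroupMember -Identity $group -Members $NewAdmin }
    "Created $NewAdmin with the same group memberships as $($builtin.SamAccountName); log on with it before disabling the original."
}
if ($DisableBuiltinAdmin) {
    Disable-ADAccount -Identity $builtin
    "Disabled built-in Administrator ($($builtin.SamAccountName))."
}

# Item 11: accounts nobody has used for $InactiveDays days. Report first; disable
# rather than delete so ownership and mail can still be traced during a review.
"=== User accounts inactive for $InactiveDays days ==="
$stale = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days $InactiveDays)
$stale | Select-Object SamAccountName, Enabled, LastLogonDate | Sort-Object LastLogonDate | Format-Table -AutoSize
# To act on the list:  $stale | Where-Object Enabled | Disable-ADAccount

# Item 12: enabled user accounts that live outside the expected OU and so are
# easy to overlook (built-in objects such as krbtgt and Guest will show up here too).
"=== Enabled user accounts outside $userOu ==="
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $domain.DistinguishedName |
    Where-Object { $_.DistinguishedName -notlike "*,$userOu" } |
    Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run it once without `-DisableBuiltinAdmin`, log on with the new account and confirm it can administer the server, and only then run it again with the switch; disabling the only working admin account from a remote session is the classic way to lock yourself out. Item 9 (alerting) is not covered here because it depends on whichever monitoring tool you use; a scheduled task triggered on Security Event ID 4625 that emails you is the minimum.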

If you don't currently enforce any form of password policy, you may meet stiff resistance from staff when you introduce the changes above, but the first time you are hacked and cannot send mail as a result, your users might actually understand why these settings are needed.

If you implement some or all of the above, you should limit the possibility of being hacked and used as a spammer's relay to spew forth their rubbish. If you don't, then you can't say I didn't warn you : )

3 Responses

  1. What about the possibility of someone stealing information from you by hacking into your company’s email account? Can this be done by an inside worker? I have heard about employers monitoring their employees so in that case there is nothing the employee can do, even changing his password every day, right?

    • Internal attack is always easier than an external attack.

      There is nothing to stop a system Admin from resetting a password and using webmail or configuring an Outlook client then exporting mail to a .pst file then taking it off-site.

      Preventing this from happening is going to be difficult and is not in my area of expertise.
