Network Access Control

  • 1.  Sustained Dictionary Attack against pcAnywhere on Business Server

    Posted Nov 28, 2013 05:13 PM

    Small Doctor's office running Windows 2003 on their Server behind a Linksys WRT54G wireless router.


    Since I started logging all the events on pcAnywhere on Oct. 22nd of this year, there has been a sustained dictionary attack against the open Host of pcAnywhere.  Attack frequency is anywhere from 5 times a minute to 5 times an hour, with periodic breaks of 1 or 2 hours.  Usernames entered are sometimes alphabetical, sometimes not.  Usernames entered are generic, such as "workstation", "user", "admin", personal pronouns, and business related such as "kfc".


    I've increased the password security to 9 digit, alpha, numeric and special characters, and I'm confident that this will delay the hack for centuries, but the client is aware of its ongoing nature, as am I, and then there is also the principle of the thing.  I'm more of an onsite Tech, less of a Security person, so I know a lot about some things, and nothing at all about others.  And I have questions.

    1)  Is there something critical that I need to do, as in RIGHT NOW?

    2)  Is there a way to find out what IP(s) are initiating the attack?

    3)  Is there a way to report the attack, assuming that it is coming from a single IP, or IP block?

    4)  Is there something about pcAnywhere that "invited" this attack, such as a response to a particular "ping", i.e. attacker pings "Is pcAnywhere installed at this IP address", and pcAnywhere responds "Yes".  If so, can this be turned off?  Or is this required to make the software available for connection to "friendly" computers?  (I assume choice "B", but am asking anyways.)

    5)  I understand the WRT54G will not allow blocking of undesired IP Addresses, but is there a way to do this from pcAnywhere?  Will a 3rd party firewall guarantee that the attacker can never connect?  We could whitelist 5 or less IP Addresses and exclude everyone else and be just fine.  Zone Alarm used to be "the" software firewall to get, years ago.  Is it still considered heavy-duty?  Will it exclude connections based on IP Address?

    6)  And any other questions I should have asked, but did not.





  • 2.  RE: Sustained Dictionary Attack against pcAnywhere on Business Server

    Posted Nov 29, 2013 10:14 AM

    Run Wireshark on the server, that will tell you everything that you need to know about what IP traffic is coming to and from the server.  Also check the firewall on your router, that sounds like it needs tightening up.



  • 3.  RE: Sustained Dictionary Attack against pcAnywhere on Business Server

    Posted Nov 29, 2013 04:24 PM

    Thanks Alex.

    I installed & figured out how to use WireShark well enough to determine the IP Address of the inbound hack attempts (which continue).  Also have determined that (today at least) the hack attempts are coming from a single, Icelandic IP Address.  There should be no one in Iceland attempting to access the pcAnywhere Host on the Server.

    IP Address is: 82.221.103.170  (I tried to hide this behind <code> tags, but could not.)


    What do I do next?



  • 4.  RE: Sustained Dictionary Attack against pcAnywhere on Business Server

    Posted Nov 29, 2013 04:59 PM

    Did you block that IP at your firewall?



  • 5.  RE: Sustained Dictionary Attack against pcAnywhere on Business Server

    Posted Nov 30, 2013 12:56 AM

    Did you block that IP at your firewall?

    The short answer is "no".

    The Server is running Windows Server 2003 and has only the native firewall and the Linksys WRT54G.  I can find no way to block an inbound IP address within either of these.  How serious is this attack?  I estimate approximately 100 to 1000 attempts per day vs. a 9 character alpha, numeric and special character password.  Is it serious enough to warrant replacing the router or installing something like Zone Alarm?

    Is there a way to report the IP address?



  • 6.  RE: Sustained Dictionary Attack against pcAnywhere on Business Server

    Posted Nov 30, 2013 08:29 AM

    I don't believe there is much you can do on the Linksys but you should be able to block using the Windows firewall.

    http://www.ehow.com/how_6828963_block-ip-address-windows-firewall.html

    The attack can be serious if you have an easy-to-guess password or one that can be found in a dictionary (hence the name of the attack). They simply input a huge text file with every word known to man and have at it.

    If you have a complex password such as dH7@9^bq! then it is highly unlikely they will be successful and it is unwanted traffic on your part.

    If you replace the router, I would go with something like an ASA 5505 which you can even find used for around $200. You will get much better control over your network with a hardware firewall.
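
    The three practical questions in this thread (finding the guessing source from a log or capture, judging how serious 100 to 1000 attempts per day are against a 9-character password, and dropping one address on a Windows Server 2003 host) worked through as an added example; this is not code from the thread, from Symantec or from pcAnywhere. pcAnywhere's own log format is not shown in the thread, so SAMPLE_LOG is constructed in a simple "date time source_ip username result" shape that a pcAnywhere log or a Wireshark connection export can be reduced to. The address and usernames are the ones the poster reported. The netsh ipsec recipe is the assumed method for Windows 2003, whose built-in firewall can scope an exception to an allowed address list (the poster's "whitelist 5 or less" idea) but has no per-address deny rule; the policy names are placeholders.

```python
"""Triage for a sustained password-guessing run against a remote-access host.

Added example, not from the thread.  pcAnywhere's own log format is not shown
there, so SAMPLE_LOG is CONSTRUCTED as "date time source_ip username result",
a shape any remote-access log or Wireshark connection export can be reduced to.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2013-11-29 09:00:05 82.221.103.170 admin FAIL
2013-11-29 09:00:17 82.221.103.170 workstation FAIL
2013-11-29 09:00:29 82.221.103.170 user FAIL
2013-11-29 09:00:41 82.221.103.170 kfc FAIL
2013-11-29 09:01:02 82.221.103.170 guest FAIL
2013-11-29 09:15:00 203.0.113.7 frontdesk OK
2013-11-29 11:30:10 82.221.103.170 backup FAIL
2013-11-29 11:30:22 82.221.103.170 test FAIL
2013-11-29 13:45:00 203.0.113.7 frontdesk FAIL
2013-11-29 13:45:20 203.0.113.7 frontdesk OK
"""


def parse_log(text):
    """Turn log lines into event dicts; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "src": parts[2], "user": parts[3],
                       "ok": parts[4] == "OK"})
    return events


def guessing_sources(events, min_failures=5, min_users=3):
    """Flag sources that look like a dictionary attack: many failed logins
    spread across several distinct usernames, and never a success.  A staff
    member mistyping their own password fails the distinct-username test."""
    per_src = defaultdict(lambda: {"fails": 0, "ok": 0, "users": set(),
                                   "first": None, "last": None})
    for e in events:
        s = per_src[e["src"]]
        s["ok" if e["ok"] else "fails"] += 1
        s["users"].add(e["user"])
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    flagged = {}
    for src, s in per_src.items():
        if s["fails"] >= min_failures and len(s["users"]) >= min_users and s["ok"] == 0:
            hours = (s["last"] - s["first"]).total_seconds() / 3600
            flagged[src] = {"failures": s["fails"],
                            "usernames": sorted(s["users"]),
                            "span_hours": round(hours, 1)}
    return flagged


def years_to_exhaust(length, alphabet_size, attempts_per_day):
    """Worst case for the attacker: years needed to try every password of the
    given length at the observed guessing rate.  Lockout or throttling of
    failed logins lowers the rate, which is what actually bounds the attacker."""
    return alphabet_size ** length / attempts_per_day / 365.25


def ipsec_block_commands(src_ip, name="BlockGuesser"):
    """Commands that drop all traffic from one address on Windows Server 2003
    using a blocking IPsec filter (assumed method; 'name' is a placeholder).
    Run from an administrator cmd prompt on the host; confirm the switches
    with 'netsh ipsec static add filter /?' before applying to a live box."""
    return [
        f"netsh ipsec static add policy name={name}",
        f"netsh ipsec static add filterlist name={name}List",
        f"netsh ipsec static add filter filterlist={name}List "
        f"srcaddr={src_ip} srcmask=255.255.255.255 dstaddr=me protocol=any mirrored=yes",
        f"netsh ipsec static add filteraction name={name}Action action=block",
        f"netsh ipsec static add rule name={name}Rule policy={name} "
        f"filterlist={name}List filteraction={name}Action",
        f"netsh ipsec static set policy name={name} assign=y",
    ]


if __name__ == "__main__":
    flagged = guessing_sources(parse_log(SAMPLE_LOG))
    for src, info in flagged.items():
        print(f"{src}: {info['failures']} failures over {info['span_hours']} h, "
              f"usernames {info['usernames']}")
        for cmd in ipsec_block_commands(src):
            print("  " + cmd)
    print("9-char password, 95-symbol alphabet, 1000 guesses/day: "
          f"{years_to_exhaust(9, 95, 1000):.2e} years to exhaust")
```

Blocking the one reported address stops today's traffic only; a guessing source that moves to another address passes the filter again, which is why the allowed-address scope on the firewall exception, or the hardware firewall suggested above, is the more durable fix.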




  • 7.  RE: Sustained Dictionary Attack against pcAnywhere on Business Server

    Posted Nov 30, 2013 02:07 PM

    Thanks Brian, I appreciate the tip on the Router.   I've shopped for them before and the wide price variation made my head spin.  Good to know I can get something that is at least "adequate" for @$200.  The password is as you described, i.e. "8d$lep9(g".


    I've read about some security vulnerabilities with pcAnywhere.  Have all of these been patched?  The software is fully updated and Windows Update is also fully updated.



  • 8.  RE: Sustained Dictionary Attack against pcAnywhere on Business Server

    Posted Nov 30, 2013 02:13 PM

    You can see all the patches here:

    http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120124_00

    Since you're updated, the likelihood is a lot smaller of something being exploited.