Re: How do I tell if an attack is from an internal or external source

From: Steve Clark [MSFT] (
Date: 03/30/05

Date: Wed, 30 Mar 2005 11:40:08 -0800

Not to nitpick, but you need IP Protocol 47 (GRE) and TCP port 1723 (PPTP

As with IPsec, IP protocols and TCP/UDP ports are not the same thing.
Again, I am not trying to slam anyone, but this understanding is necessary
since folks that might not be network professionals that have # access on a
router will think they're configuring the router correctly, and then it
doesn't work...

Cisco has good documents on enabling GRE and AH/ESP support on their
devices. I recommend reading their website for more details on how this is
done with their hardware (or consulting the site of the particular hardware
mfr. of the router you use).

"Tom Celica" <> wrote in message
> Eliminate the Virus / Trojan Question: You should be running Anti-Virus
> Software on your VPN. If you are not, then you can run a free file system
> scan on the Symantec web site.
> Also I have had good success using the Microsoft Anti-spyware tool to get
> rid of trojans. This can be downloaded from and select
> anti-spyware from the downloads section
> Also look at what ports are open on your VPN. Only specific ports needed
> for VPN traffic should be open to the internet. Your VPN needs ports 1723
> and 47 open to the internet for VPN traffic. Run a security check from
> your VPN box to determine which ports are open to the internet.
> used to offer a security check but there are others out
> there that will tell you what ports are open to the internet from your vpn
> box.
> Now if you have eliminated all the normal candidates for intrusion, You
> don't have a virus, no trojan is running on your box and no un-needed
> ports are open to the internet. You can increase the fields captured in
> your log files on your VPN and you should be able to get the IP address
> the failed logon attempts are coming from. With that IP you can find out
> if the failed logon attempts are coming from an internal IP or an External
> IP.
> Good Luck
> -tom
> "Steve Everington" <> wrote in message
> news:eSqnaASNFHA.576@TK2MSFTNGP15.phx.gbl...
>> Hello
>> I have been getting a series of (a few hundred) failed login attempts in
>> the early hours of the morning (a series of 529 & 681 login failure
>> security events). The 529 entry has a login type of 3, which I
>> believe is a network login and the workstation name is the server's name.
>> Is there a way of telling whether the events are being caused by
>> attempted logins on my VPN or by a trojan/virus running on my server or
>> some other source?
>> Thanks
>> Steve Everington
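
The last step suggested in the thread, sorting failed logons by whether the source IP is internal or external, can be scripted. The following is an added example, not part of the original posts; the four-column log export format, the sample rows and the list of internal ranges are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: ranges treated as "internal" (RFC 1918, loopback, link-local).
# Add any other ranges that are routed inside your own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample export: time, event ID, logon type, source address.
# "-" stands for a record that carried no source address.
SAMPLE_LOG = """\
2005-03-30 02:14:07,529,3,203.0.113.45
2005-03-30 02:14:09,529,3,203.0.113.45
2005-03-30 02:14:12,681,,-
2005-03-30 02:20:31,529,3,192.168.1.23
2005-03-30 02:21:02,529,3,-
2005-03-30 02:25:40,528,3,192.168.1.10
2005-03-30 02:30:11,529,2,10.0.0.5
"""

FAILURE_EVENTS = {"529", "681"}  # the failure event IDs named in the thread


def classify(addr):
    """Return 'internal', 'external' or 'unknown' for a source address field."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "unknown"  # empty, "-", or a host name instead of an address
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def summarize(log_text):
    """Count failed logons per (origin, source address) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or fields[1] not in FAILURE_EVENTS:
            continue  # skip malformed rows and non-failure events
        counts[(classify(fields[3]), fields[3])] += 1
    return counts


if __name__ == "__main__":
    for (origin, addr), n in summarize(SAMPLE_LOG).most_common():
        print(f"{origin:9} {addr:15} {n}")
```

Rows that land in the "unknown" bucket are the ones where the log did not record an address, which is the case for raising the logging detail as described above.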
