Re: How do I tell if an attack is from an internal or external source

From: Steve Clark [MSFT] (bogus_at_microsoft.com)
Date: 03/30/05


Date: Wed, 30 Mar 2005 11:40:08 -0800

Not to nitpick, but you need IP Protocol 47 (GRE) and TCP port 1723 (PPTP
call/receive).

As with IPsec, IP protocols and TCP/UDP ports are not the same thing.
Again, I am not trying to slam anyone, but this understanding is necessary
since folks who might not be network professionals but have # access on a
router will think they're configuring the router correctly, and then it
doesn't work...

Cisco has good documents on enabling GRE and AH/ESP support on their
devices. I recommend reading their website for more details on how this is
done with their hardware (or consulting the site of the particular hardware
mfr. of the router you use).

"Tom Celica" <Tom@DontReply.net> wrote in message
news:p7B2e.8073$zl.5130@newssvr13.news.prodigy.com...
> Eliminate the Virus / Trojan Question: You should be running Anti-Virus
> Software on your VPN. If you are not, then you can run a free file system
> scan on the Symantec web site.
>
> Also I have had good success using the Microsoft Anti-spyware tool to get
> rid of trojans. This can be downloaded from www.microsoft.com; select
> anti-spyware from the downloads section.
>
> Also look at what ports are open on your VPN. Only specific ports needed
> for VPN traffic should be open to the internet. Your VPN needs ports 1723
> and 47 open to the internet for VPN traffic. Run a security check from
> your VPN box to determine which ports are open to the internet.
> www.netscreen.com used to offer a security check but there are others out
> there that will tell you what ports are open to the internet from your vpn
> box.
>
> Now if you have eliminated all the normal candidates for intrusion (you
> don't have a virus, no trojan is running on your box and no un-needed
> ports are open to the internet), you can increase the fields captured in
> your log files on your VPN and you should be able to get the IP address
> the failed logon attempts are coming from. With that IP you can find out
> if the failed logon attempts are coming from an internal IP or an external
> IP.
>
>
> Good Luck
> -tom
>
>
> "Steve Everington" <steve.nospam@pannellsigns.co.uk> wrote in message
> news:eSqnaASNFHA.576@TK2MSFTNGP15.phx.gbl...
>> Hello
>>
>> I have been getting a series of (a few hundred) failed login attempts in
>> the early hours of the morning (a series of 529 & 681 login failure
>> security events). The 529 entry has a login type of 3, which I
>> believe is a network login and the workstation name is the server's name.
>>
>> Is there a way of telling whether the events are being caused by
>> attempted logins on my VPN or by a trojan/virus running on my server or
>> some other source?
>>
>> Thanks
>>
>> Steve Everington
>>
>
>
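Tom's last step (pull the source address out of the 529/681 failure events and decide whether it is internal or external) can be scripted once the log captures the address. The following is an added example, not code from anyone in this thread; it assumes the events have been exported as one "Key: Value | Key: Value" record per line (a constructed layout), and it treats the RFC 1918 ranges plus loopback as "internal".

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records in a "Key: Value | Key: Value" layout (assumed
# export format, not copied from a real Security log). Addresses are made up.
SAMPLE_EVENTS = """\
Event ID: 529 | Logon Type: 3 | Workstation Name: SERVER01 | Source Network Address: 192.168.1.37
Event ID: 529 | Logon Type: 3 | Workstation Name: SERVER01 | Source Network Address: 203.0.113.45
Event ID: 681 | Logon Type: 3 | Workstation Name: SERVER01 | Source Network Address: 203.0.113.45
Event ID: 529 | Logon Type: 2 | Workstation Name: SERVER01 | Source Network Address: -
Event ID: 529 | Logon Type: 3 | Workstation Name: SERVER01 | Source Network Address: 10.0.0.9
Event ID: 528 | Logon Type: 3 | Workstation Name: SERVER01 | Source Network Address: 192.168.1.37
"""

FAILURE_IDS = {"529", "681"}          # the logon-failure events named in the thread
NETWORK_LOGON = "3"                   # logon type 3 = network logon

# Assumption: the site uses RFC 1918 space internally; adjust to your own plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FIELD_RE = re.compile(r"([A-Za-z ]+):\s*([^|]+)")

def parse_event(line):
    """Turn one 'Key: Value | Key: Value' record into a dict of stripped fields."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(line)}

def classify_address(addr):
    """Return 'internal', 'external', or 'unknown' (address not captured)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"              # '-' or blank: widen the logged fields first
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def summarize_failures(text):
    """Count failed network logons per (source address, origin class)."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("Event ID") not in FAILURE_IDS or ev.get("Logon Type") != NETWORK_LOGON:
            continue                  # successes and interactive logons are not of interest here
        addr = ev.get("Source Network Address", "-")
        counts[(addr, classify_address(addr))] += 1
    return counts

if __name__ == "__main__":
    for (addr, origin), n in summarize_failures(SAMPLE_EVENTS).most_common():
        print(f"{addr:>16}  {origin:<8}  {n} failures")
```

A run of "unknown" entries means the log is not yet recording the source address, which is exactly the case where Tom's advice to capture more fields applies.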