Best protection for servers?

Hey guys,

Just some minutes ago I had a hacking attack against a user who is using my TeamSpeak server.
Well, the hacker used (I think so) a brute force program, so now I need your help:
What are the best settings for the firewall? Does the firewall block such attacks?

Please answer as fast as possible and please excuse me for my English, I’m German :)

/edit:
OS: WinVista
CIS: Newest one
Router: Yes (Blocking all ports which haven’t been forwarded)

Regards,
Stefan

Hello Stefan,

It depends on what he/she’s attacking; is it directed against the TeamSpeak application?
If you know his source IP address, you could block him from getting access to the port the TeamSpeak server uses. Create a global rule that you can put above the global rule that allows the incoming traffic to TeamSpeak.

I have banned one hostname of one hacker, but the other one uses a proxy …
Can I configure the firewall that hacking attacks are blocked or avoided?

I already set the packets from 20 to 12, but I don’t know if that helps against hacking attacks …

Regards,
Stefan

Probably not, the attacks don’t have to have a high packet rate, it could be sending one attack a minute.
I’m afraid the attack detection settings are not going to help here.

What’s the downside of blocking that proxy?

I think it isn’t 1 attack per minute, because the best known program is Hydra and this is a typical brute force program and this is attacking 10 times per second :-/

And the downside of the proxy is that I can’t initiate legal steps and/or block the hostname with the firewall, because the accomplice has been blocked, because he didn’t use a proxy, but I can’t resolve the IP address into a DNS address (hostname) of the hacker who did the brute forcing attack :(

But the firewall with this configuration can fend off DoS attacks or not?

Best regards,
Mythos

Well, I’ve got my doubts if it will in this case. This is not a DoS against the machine, this is just a brute force attack against the TeamSpeak service. I don’t think this will trigger the attack engine, but I’m not 100% sure on this…

For the blocking you can also block people based on IP source, not only on hostname.

Is it a rogue proxy server then? Or is there any way to contact the proxy’s administrator with this?
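
The replies above make two points: a brute-force attempt does not need a high packet rate, so packet-rate attack detection may never fire, and sources can be blocked by IP. The following is an added example, not part of the thread and not TeamSpeak or CIS code, that counts failed logins per source IP in a sliding window so that both the one-per-minute and the ten-per-second cases are caught. The log line format, thresholds, addresses and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, NOT TeamSpeak's real log format):
#   <ISO timestamp> <LOGIN_FAILED|LOGIN_OK> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAILED|LOGIN_OK) "
    r"user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

def find_bruteforce_sources(lines, max_failures=5, window=timedelta(minutes=10)):
    """Map each source IP to the time it first exceeded max_failures in window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:            # lines must be in chronological order
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "LOGIN_FAILED":
            continue              # skip successes and unparseable lines
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

def build_sample_log():
    """Constructed sample: a slow guesser, a fast guesser and a normal user."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    rows = []
    for i in range(8):            # one attempt per minute
        rows.append((base + timedelta(minutes=i), "LOGIN_FAILED", "203.0.113.7"))
    for i in range(20):           # ten attempts per second
        rows.append((base + timedelta(milliseconds=100 * i),
                     "LOGIN_FAILED", "198.51.100.9"))
    rows += [                     # two typos, then a successful login
        (base + timedelta(seconds=30), "LOGIN_FAILED", "192.0.2.10"),
        (base + timedelta(seconds=40), "LOGIN_FAILED", "192.0.2.10"),
        (base + timedelta(seconds=50), "LOGIN_OK", "192.0.2.10"),
    ]
    return [f"{ts.isoformat()} {ev} user=admin src={ip}"
            for ts, ev, ip in sorted(rows)]

if __name__ == "__main__":
    for ip, when in find_bruteforce_sources(build_sample_log()).items():
        print(f"block candidate {ip}: threshold crossed at {when.isoformat()}")
```

With a one-second window, which behaves like a pure rate threshold, only the fast source is flagged; the ten-minute window flags both and leaves the user with two mistyped passwords alone.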