Best Firewall options?
CiscoKid
12-11-06, 05:17 PM
I've been noticing A LOT of brute-force attacks at a few of my sites showing up in the server log, so I've been looking into firewall options. Each site has about 10 to 15 machines on a dynamic business DSL package. I was wondering if I should just set up a *nix system as a firewall, or should I go with an off-the-shelf option?
If I do build it myself, I'm also considering throwing VPN services on it as well. Good idea or bad?
YARDofSTUF
12-15-06, 03:54 AM
If I had a small business I'd consider a *nix firewall. I like Endian for my home use; it has some solid features. One other to look into is ClarkConnect, supposed to have a lot of options, maybe something you'd like.
Well, I like hardware firewalls for business. More robust and able to do screening at higher levels (with the good ones anyway), and they can give much finer control over what traffic is allowed to go where.
Also, VPN is a big consideration. With a *nix-based firewall you can only do a VPN from one device to another (and I believe they both need to be similar *nix firewalls). With a true hardware firewall you can allow site-to-site and remote VPN. Remote VPN allows users to connect from anywhere, very handy at times.
YeOldeStonecat
12-15-06, 09:05 AM
With a *nix-based firewall you can only do a VPN from one device to another (and I believe they both need to be similar *nix firewalls). With a true hardware firewall you can allow site-to-site and remote VPN. Remote VPN allows users to connect from anywhere, very handy at times.
I agree on hardware firewalls for business, Tier-1 brands for support purposes. However, many of the *nix router distros do have client VPN abilities: easy to deploy OpenVPN, and various SSL VPN types.
However, to the OP's question...what services do you have available on the public side that are being brute-forced? I mean..no matter what you put in...if you have things secure..and you're seeing lots of attacks..well.."welcome to the internet". Viewing firewall logs can reveal a lot of stuff that happens out there.
CiscoKid
12-15-06, 12:44 PM
FTP looks to be the major one getting hit on the server. Everything's behind a Linksys router right now, but the logs on the server fill up about every other week or so with failed logins. I'm considering the firewall so that I can at least get an idea where the attack is coming from; the server logs just don't give me enough information.
Where can I get Endian?
YARDofSTUF
12-15-06, 12:49 PM
Endian and clark:
http://www.endian.it/en/community/download/iso/
http://www.clarkconnect.com/downloads/
YeOldeStonecat
12-15-06, 04:53 PM
What are you running for FTP software? And what's it used for?
CiscoKid
12-15-06, 05:38 PM
As far as I know, FTP is disabled; there's no use for it ANYWHERE in the company.
YeOldeStonecat
12-15-06, 06:01 PM
OK...what logs were giving you this?
What is open/forwarded as far as ports on the router? Or in other words...what services are made public through NAT?
CiscoKid
12-15-06, 06:22 PM
The System log in Event Viewer shows PAGES and PAGES of failed logins to FTP, but since it's disabled, the consultant they used before I was hired said not to worry about it...I don't like that idea...if I'm getting constant hits from the same place, I'd like to have the evidence on hand to get the crap stopped...
As far as open ports, the only one that should be open is for the wireless paging system they use. Not sure what port number, though, since I don't work on Fridays...
YeOldeStonecat
12-16-06, 10:25 AM
If Event Viewer is showing this...your server is exposed somehow. Uhm...I'd want to know exactly what ports are open/forwarded on the firewall...or worse..if someone DMZ'd the server. :eek:
Yeah, if you are seeing failed login attempts on the server it might be open to the outside. But it might also be someone on the inside; I wouldn't totally eliminate that possibility either. Since you say everything is supposed to be behind the firewall and all you are seeing is a failed login/connection attempt, you have no real way to tell.
Also, the whole connected-to-the-internet thing is a very good point. I monitor logs of a PIX firewall setup at one location I do work for. It will log hundreds of what could be seen as attempted attacks a day. We are talking pings and port scans. But all it will tell you is that IP x is pinging you or attempting access to port whatever, and it was denied. This information is basically useless, as it is part of being connected to the public internet. It doesn't matter that some random person tried to ping or port scan your network. It matters that you have it secured properly so that is all that will happen.
So really a firewall will just give you more logs to look at. And more than likely, if you have a publicly accessible service then you will always see someone attempting to break it. Best solution is to really make sure everything is hidden behind NAT, especially if you have no need for a publicly accessible server.
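The two posts above make the same point from opposite ends: the OP wants to know where the hits come from, and the reply says a firewall log will happily tell you "IP x tried port y, denied" hundreds of times a day without that meaning much. The useful middle ground is to reduce the log to the handful of sources that are actually hammering one service or sweeping ports. The script below is an added example written for this page, not code from anyone in the thread. It parses constructed syslog lines in the netfilter LOG style that Linux-based firewall distributions write (the format and the 2006 year are assumptions; the IPs are documentation ranges standing in for attackers) and flags a source that hits one port at least ten times inside a minute (password guessing) or touches ten different ports inside a minute (a scan), while ignoring the stray single hits that are just background noise.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in netfilter LOG style (the format is an assumption; the
# addresses are documentation ranges, not real hosts). Built by a helper so
# the bursts are easy to see.
def _line(ts, src, dpt, proto="TCP"):
    return (f"{ts:%b %d %H:%M:%S} fw kernel: DROP IN=eth0 OUT= "
            f"SRC={src} DST=198.51.100.2 LEN=60 TTL=52 PROTO={proto} "
            f"SPT=40000 DPT={dpt} SYN")

_base = datetime(2006, 12, 15, 3, 12, 0)
SAMPLE_LOG = "\n".join(
    # 12 hits on port 21 from one host, two seconds apart: a password guesser
    [_line(_base + timedelta(seconds=2 * i), "203.0.113.7", 21) for i in range(12)]
    # 15 different ports from one host in 15 seconds: a port scan
    + [_line(_base + timedelta(seconds=i), "192.0.2.44", 20 + i) for i in range(15)]
    # three stray hits spread over ten minutes: noise, should not be flagged
    + [_line(_base + timedelta(minutes=4 * i), "198.51.100.77", 21) for i in range(3)]
    # an ICMP echo request carries no DPT; the parser must cope with that
    + ["Dec 15 03:13:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 "
       "DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0"]
)

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")

def _field(line, name):
    """Pull one KEY=value field out of a LOG line, or None if it is absent."""
    m = re.search(rf"\b{name}=(\S*)", line)
    return m.group(1) if m else None

def parse_line(line, year=2006):
    """Return (timestamp, src, proto, dport-or-None), or None for non-LOG lines.
    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    m = TS_RE.match(line)
    src = _field(line, "SRC")
    if not m or not src:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    dpt = _field(line, "DPT")
    return ts, src, _field(line, "PROTO"), int(dpt) if dpt else None

def _max_in_window(times, window):
    """Largest number of events inside any span of length `window` (sorted input)."""
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)
    return best

def _max_distinct_in_window(events, window):
    """Largest number of distinct ports seen inside any span (sorted (ts, port))."""
    live, best, j = Counter(), 0, 0
    for i, (t, port) in enumerate(events):
        live[port] += 1
        while events[j][0] < t - window:
            old = events[j][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            j += 1
        best = max(best, len(live))
    return best

def analyze(log_text, window=timedelta(seconds=60), bf_threshold=10, scan_threshold=10):
    """Return {'bruteforce': [(src, dport, hits)], 'scans': [(src, distinct_ports)]}."""
    per_src_port = defaultdict(list)   # (src, dport) -> [timestamps]
    per_src = defaultdict(list)        # src -> [(timestamp, dport)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] is None:
            continue                   # not a LOG line, or no port (ICMP)
        ts, src, _proto, dport = parsed
        per_src_port[(src, dport)].append(ts)
        per_src[src].append((ts, dport))
    bruteforce = [(src, dport, n) for (src, dport), times in per_src_port.items()
                  if (n := _max_in_window(sorted(times), window)) >= bf_threshold]
    scans = [(src, n) for src, events in per_src.items()
             if (n := _max_distinct_in_window(sorted(events), window)) >= scan_threshold]
    return {"bruteforce": sorted(bruteforce), "scans": sorted(scans)}

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Pointed at a real firewall log the thresholds and window will need tuning, and a denied port scan still means what the post says it means: nothing, as long as the ports it found were closed. The value of the summary is the short list of sources worth blocking at the edge or reporting, instead of pages of identical denies.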
CiscoKid
12-20-06, 05:45 PM
At the site right now...server was set to the DMZ...
The server should NOT be open to the outside, and after looking closer, they were trying to access IIS, which wasn't even supposed to be configured. I shut that off and removed the server from the DMZ and forwarded ONLY the ports they need, so hopefully it stops the log files from filling up...
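The fix described above, "out of the DMZ, forward only the needed ports", is the difference between one catch-all NAT rule and a short list of explicit ones. The block below is an added example for this page, not the configuration from the router in the thread: it shows the two shapes side by side in iptables-save syntax (the Linux form of the same idea, since a consumer router's "DMZ host" setting is not visible as a ruleset) and a small audit that reads a NAT table and reports what is exposed, flagging any DNAT rule that has no --dport. The server address and the two forwarded ports (443/tcp, 5060/udp) are placeholders chosen for illustration.

```python
import shlex

# Constructed rulesets in iptables-save syntax (an assumed format for the
# example; 192.168.1.10 is the internal server).

# "DMZ host" as a consumer router implements it: every inbound packet that
# arrives on the WAN interface is translated to the server, whatever the port.
DMZ_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Corrected: only the ports the site actually needs are forwarded. Anything
# else arriving from the outside is never translated to the server; what
# happens to it is then up to the router's own INPUT/FORWARD policy.
FIXED_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.10:5060
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options the audit needs."""
    toks = shlex.split(line)
    rule = {"chain": None, "in": None, "proto": "any", "dport": "any",
            "target": None, "to": None}
    opts = {"-A": "chain", "-i": "in", "-p": "proto", "--dport": "dport",
            "-j": "target", "--to-destination": "to"}
    i = 0
    while i < len(toks):
        if toks[i] in opts and i + 1 < len(toks):
            rule[opts[toks[i]]] = toks[i + 1]
            i += 2
        else:
            i += 1          # -m, -o, '!' and anything else we do not care about
    return rule

def audit(ruleset):
    """List what the NAT table hands to the inside: one entry per DNAT rule in
    PREROUTING, with catch_all=True when the rule has no --dport, i.e. the
    'DMZ host' case that exposes every port of the target."""
    findings = []
    for line in ruleset.splitlines():
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if r["chain"] != "PREROUTING" or r["target"] != "DNAT":
            continue
        findings.append({"proto": r["proto"], "dport": r["dport"],
                         "to": r["to"], "catch_all": r["dport"] == "any"})
    return findings

def catch_all_rules(ruleset):
    """Just the rules that forward everything to a host."""
    return [f for f in audit(ruleset) if f["catch_all"]]

if __name__ == "__main__":
    print("DMZ-style:", audit(DMZ_RULES))
    print("explicit forwards:", audit(FIXED_RULES))
```

The audit only reads the nat table, which is where the exposure is created; on a real box the FORWARD chain decides whether translated packets actually pass, so a catch-all DNAT is a problem to investigate rather than proof on its own. The point of listing the explicit forwards is that each line is one service you can name and justify, which is exactly what a DMZ-host setting takes away.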
YeOldeStonecat
12-20-06, 05:50 PM
At the site right now...server was set to the DMZ...
Heh..err...."Whoa" :eek:
Whelp..there we go..I was hinting at that above...
We took over a law firm as a client years ago at a place I worked at. The office network was originally set up by Gateway2000 network techs. Windows NT 4 server with Exchange 5.5 on it...and they DMZ'd it outside of a little Linksys router.
Needless to say..the Exchange server was hijacked and spewing out porn spam like Niagara Falls.
Sticking a PC into the DMZ is suicide for the PC. I'd want to format it if it was in the DMZ for more than 5 minutes. Naturally, this being a server...you probably don't want to do that..but seriously...seriously...I'd consider that server compromised. I'd do some serious microscope work on that machine...slap a good 2-way firewall on it to check for any unwanted outbound...scrub it with a half dozen different antivirus programs and malware scanners, etc. etc.
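The "check for any unwanted outbound" step above is the quickest first look on a box that sat in the DMZ: a hijacked mail server like the one in the story shows up as a fan of concurrent outbound SMTP sessions to strangers. The block below is an added example for this page, not a tool from the thread. It takes constructed `netstat -ano` output from a Windows server (the PIDs are made up; the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 stand in for external hosts) and groups active connections to non-internal addresses by process, flagging a process with several simultaneous SMTP peers and any connection to a port outside an assumed expected-outbound set.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output from a Windows server; PIDs and
# remote addresses are made up (documentation ranges play external hosts).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1532
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:445       192.168.1.23:1087      ESTABLISHED     4
  TCP    192.168.1.10:1092      203.0.113.5:25         ESTABLISHED     1532
  TCP    192.168.1.10:1093      203.0.113.9:25         ESTABLISHED     1532
  TCP    192.168.1.10:1094      198.51.100.20:25       ESTABLISHED     1532
  TCP    192.168.1.10:1095      198.51.100.21:25       SYN_SENT        1532
  TCP    192.168.1.10:1101      192.0.2.77:6667        ESTABLISHED     2204
  TCP    192.168.1.10:1102      192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.10:1103      198.51.100.40:443      ESTABLISHED     2360
  UDP    0.0.0.0:161            *:*                                    980
"""

# Address space this server may talk to freely. Spelled out rather than using
# ipaddress.is_private, which also counts the documentation ranges as private
# and would hide the stand-in external hosts in the sample.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Destination ports an office server is expected to reach on its own
# (an assumption for the example; adjust to what the site actually uses).
EXPECTED_OUTBOUND_PORTS = {53, 80, 443, 123}
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state, pid)
    for each TCP row; header, blank and UDP rows (no state column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        rows.append((parts[0], lip.strip("[]"), int(lport),
                     rip.strip("[]"), int(rport), parts[3], int(parts[4])))
    return rows

def triage(text, smtp_peer_threshold=3):
    """Flag, per PID, many concurrent SMTP sessions to outside hosts (the
    'spewing spam' pattern) and any outside connection to an unexpected port."""
    smtp_peers = defaultdict(set)
    unexpected = defaultdict(list)
    for _proto, _lip, _lport, rip, rport, state, pid in parse_netstat(text):
        if state not in ACTIVE_STATES or is_internal(rip):
            continue
        if rport == 25:
            smtp_peers[pid].add(rip)
        elif rport not in EXPECTED_OUTBOUND_PORTS:
            unexpected[pid].append((rip, rport))
    findings = []
    for pid, peers in smtp_peers.items():
        if len(peers) >= smtp_peer_threshold:
            findings.append((pid, f"{len(peers)} concurrent outbound SMTP sessions"))
    for pid, conns in unexpected.items():
        for rip, rport in conns:
            findings.append((pid, f"connection to {rip}:{rport} not in expected set"))
    return sorted(findings)

if __name__ == "__main__":
    for pid, why in triage(NETSTAT):
        print(f"PID {pid}: {why}")
```

This is a snapshot of one moment, and malware that sleeps between bursts will not be caught by it, which is why the post pairs it with a host firewall logging outbound over time. It also says nothing about a legitimate mail server that is supposed to have many SMTP peers; the threshold is meant for a box that, like the one in the thread, has no business sending mail at all.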
vBulletin® v3.7.3, Copyright ©2000-2008, Jelsoft Enterprises Ltd.