Jump to content

Recommended Posts

Posted

Hi. I am a newbie here with ESMC and Eset. I have eset installed on MS Exchange and lately I have been getting messages about incoming attack. My question is, what do I do when it has been detected. What do you recommend as a general practice? The messages I have been getting are attached in screenshots. Thank you in advance for any guidance. 

 

Screen Shot 2020-03-23 at 2.09.33 PM.png

Screen Shot 2020-03-23 at 2.17.20 PM.png

  • Administrators
Posted

The two screen shots are unrelated. While the upper one shows bruteforce attacks against the server which were blocked, the other screen shot shows a threat detection in an email scanned by ESET for MS Exchange.

I'd recommend putting the Exchange server behind a firewall and creating rules so that only the desired communication is allowed and bruteforce attacks are blocked by the firewall.

Posted

Thank you for the advice. The exchange is behind a firewall, zywall. The attacks happen on ports essentials for exchange traffic, 25, 80, 443. 

As far as the email scanner goes... is it just informative message that Eset is doing its job? Do I do anything with that?

  • Most Valued Members
Posted
6 minutes ago, durimrkva said:

Thank you for the advice. The exchange is behind a firewall, zywall. The attacks happen on ports essentials for exchange traffic, 25, 80, 443. 

As far as the email scanner goes... is it just informative message that Eset is doing its job? Do I do anything with that?

As per the screenshots , the second one says that the email has been filtered and the threat is removed , so you don't need do any kind of actions

And for the ports if you can't filter them out then you need to do something else , like hardening the server so intruders won't get in somehow someday , like a very good password , to keep the server updated for vulnerabilities , etc

I believe there are some hardening guides for Exchange in Google that could help with this situation.

  • Administrators
Posted

You can block the IP addresses from which the attack attempts originated on the firewall, however, there can be further attack attempts from other IP addresses in the future. ESET will continue to block these attempts, however, if there are too many of them the network protection log may grow quickly.

Posted

That`s what I attemted to do, but didn`t find a reasonable way to keep adding these IP addresses into a group on zywall that would have an automatic rule to block connection. I need to look into zywall manual. 

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...