durimrkva 0 Posted March 23, 2020 Hi. I am a newbie here with ESMC and ESET. I have ESET installed on MS Exchange and lately I have been getting messages about an incoming attack. My question is, what do I do when it has been detected? What do you recommend as a general practice? The messages I have been getting are attached in screenshots. Thank you in advance for any guidance.
Administrators Marcos 5,468 Posted March 23, 2020 The two screenshots are unrelated. While the upper one shows brute-force attacks against the server which were blocked, the other screenshot shows a threat detection in an email scanned by ESET for MS Exchange. I'd recommend putting the Exchange server behind a firewall and creating rules so that only the desired communication is allowed and brute-force attacks are blocked by the firewall.
durimrkva 0 Posted March 24, 2020 Author Thank you for the advice. The Exchange is behind a firewall, ZyWALL. The attacks happen on ports essential for Exchange traffic: 25, 80, 443. As far as the email scanner goes... is it just an informative message that ESET is doing its job? Do I do anything with that?
Most Valued Members Nightowl 206 Posted March 24, 2020 6 minutes ago, durimrkva said: Thank you for the advice. The Exchange is behind a firewall, ZyWALL. The attacks happen on ports essential for Exchange traffic: 25, 80, 443. As far as the email scanner goes... is it just an informative message that ESET is doing its job? Do I do anything with that? As per the screenshots, the second one says that the email has been filtered and the threat is removed, so you don't need to take any kind of action. And for the ports, if you can't filter them out then you need to do something else, like hardening the server so intruders won't get in somehow someday: a very good password, keeping the server updated for vulnerabilities, etc. I believe there are some hardening guides for Exchange on Google that could help with this situation.
durimrkva 0 Posted March 24, 2020 Author Great. Thank you again. I will look into that.
Administrators Marcos 5,468 Posted March 24, 2020 You can block the IP addresses from which the attack attempts originated on the firewall; however, there can be further attack attempts from other IP addresses in the future. ESET will continue to block these attempts; however, if there are too many of them the network protection log may grow quickly.
durimrkva 0 Posted March 24, 2020 Author That's what I attempted to do, but I didn't find a reasonable way to keep adding these IP addresses into a group on ZyWALL that would have an automatic rule to block the connection. I need to look into the ZyWALL manual.
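The two posts above describe the manual loop (read the network protection log, pick out the attacking sources, add them to a firewall block group) and the wish to automate it. Below is an added example, not code from ESET, ZyWALL or anyone in this thread, of the aggregation step that automation needs: it parses exported log lines, counts brute-force events per source inside a sliding time window, skips an allowlist so an internal host can never lock the server out, and emits block rules for sources over the threshold. The `timestamp;source;port;event` line format and the sample lines are constructed for this example and are not ESET's real log format; the allowlist ranges are assumed values; the generated rules use the Windows host firewall `netsh advfirewall` syntax because the ZyWALL group-import syntax is not on this page and would have to be taken from its manual.

```python
"""Aggregate brute-force log lines into a per-source block list.

Added example. The log format below is CONSTRUCTED for illustration and is
not the real ESET network protection log format; map the field order to
whatever your export actually contains.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample export: "<timestamp>;<source ip>;<dst port>;<event>"
SAMPLE_LOG = """\
2020-03-23 10:00:01;203.0.113.7;443;Brute-force attack
2020-03-23 10:00:03;203.0.113.7;443;Brute-force attack
2020-03-23 10:00:05;203.0.113.7;443;Brute-force attack
2020-03-23 10:00:09;203.0.113.7;25;Brute-force attack
2020-03-23 10:00:11;203.0.113.7;443;Brute-force attack
2020-03-23 10:01:00;198.51.100.22;25;Brute-force attack
2020-03-23 10:01:30;198.51.100.22;25;Brute-force attack
2020-03-23 10:02:00;192.168.1.10;443;Brute-force attack
2020-03-23 10:02:01;192.168.1.10;443;Brute-force attack
2020-03-23 10:02:02;192.168.1.10;443;Brute-force attack
2020-03-23 10:02:03;192.168.1.10;443;Brute-force attack
2020-03-23 10:02:04;192.168.1.10;443;Brute-force attack
2020-03-23 10:02:05;192.168.1.10;443;Brute-force attack
2020-03-23 11:30:00;203.0.113.9;443;Brute-force attack
2020-03-23 11:30:01;203.0.113.9;443;Brute-force attack
2020-03-23 13:00:00;203.0.113.9;443;Brute-force attack
2020-03-23 13:00:01;203.0.113.9;443;Brute-force attack
2020-03-23 13:00:02;203.0.113.9;443;Brute-force attack
"""

# Assumed values: never auto-block internal ranges (or partner MX hosts),
# otherwise a misbehaving client on the LAN takes the mail server offline.
ALLOWLIST = [ipaddress.ip_network("192.168.0.0/16"),
             ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, port, event)."""
    ts, src, port, event = line.split(";")
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            ipaddress.ip_address(src), int(port), event)


def is_allowlisted(ip):
    return any(ip in net for net in ALLOWLIST)


def offenders(log_text, threshold=5, window_minutes=10):
    """Return {source: total events} for sources that produced at least
    `threshold` brute-force events inside any `window_minutes` span.

    The window matters: five failures spread over a day is background noise,
    five in ten seconds is an attack tool.
    """
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _port, event = parse_line(line)
        if "brute-force" not in event.lower():
            continue
        events[ip].append(ts)

    hits = {}
    for ip, times in events.items():
        if is_allowlisted(ip):
            continue
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[str(ip)] = len(times)
                break
    return hits


def block_rules(hits):
    """Render one inbound block rule per offender (Windows host firewall
    syntax; replace with the perimeter firewall's own import format)."""
    return ['netsh advfirewall firewall add rule name="Bruteforce %s" '
            'dir=in action=block remoteip=%s' % (ip, ip)
            for ip in sorted(hits)]


if __name__ == "__main__":
    for rule in block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

With the sample above only 203.0.113.7 is reported: 198.51.100.22 is under the threshold, 192.168.1.10 is allowlisted, and 203.0.113.9 has five events but never five within ten minutes. Run it on a scheduled task against a fresh log export, and expire the generated rules after a fixed period, since, as noted above, the sources will keep changing.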