Re: Masses of 529 Errors!
- From: "fiftysixkilo@xxxxxxxxx" <fiftysixkilo@xxxxxxxxx>
- Date: 12 May 2007 06:15:20 -0700
On May 12, 12:01 am, "Bill Glidden" <billyg1...@xxxxxxxxxxx> wrote:
Thanks again, Svyatoslav.
I posted here because it looked like a security issue to me. I will have a
look at snort.
Cheers,
Bill
"S. Pidgorny <MVP>" <slavi...@xxxxxxxxx> wrote in message news:%230E7hfElHHA.4960@xxxxxxxxxxxxxxxxxxxxxxx
I would analyse traffic coming through the Internet to see if there is a
correlation between connection attempts and the failed logon attempt. I
would also consider implementing a network intrusion detection system (like
Snort -www.snort.org- it's free and runs on Windows) for such monitoring.
Also please post the question to SBS newsgroups.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org http://msmvps.com/blogs/sp
"Bill Glidden" <billyg1...@xxxxxxxxxxx> wrote in message
news:e8c5btDlHHA.4592@xxxxxxxxxxxxxxxxxxxxxxx
Thanks, Svyatoslav.
I am running SBS 2K3 with ISA 2004 behind a firewall/router:
Internet -- router -- SBS/ISA -- local LAN
What can I do about this, please?
Cheers,
Bill
"S. Pidgorny <MVP>" <slavi...@xxxxxxxxx> wrote in message
news:O9KKrcDlHHA.596@xxxxxxxxxxxxxxxxxxxxxxx
Splash in botnet activity?
The access is denied, which is a good thing. Filling up the logs is
something to worry about.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org http://msmvps.com/blogs/sp
"Bill Glidden" <billyg1...@xxxxxxxxxxx> wrote in message
news:%23%23a1PiClHHA.4628@xxxxxxxxxxxxxxxxxxxxxxx
I have often seen these errors in the security log at the rate of up to
hundreds in a 24 hour period, but in the last 24 hours I had 107,710 of
them. Is this something I should be worrying about? Obviously the fact
that I know about it means that who/whatever is doing this is
unsuccessful. Below is pasted one of the events:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/05/2007
Time: 10:20:37 PM
User: NT AUTHORITY\SYSTEM
Computer: <my sbs server>
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: anonymous
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <my sbs server>
User Name: <my sbs server>
Caller Domain: <my domain>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1216
Transited Services: -
Source Network Address: -
Source Port: -
Advice most welcome, please.
Bill
First make sure your router/firewall appliance is blocking ports 88tcp
and 445udp from outside your LAN. Then what I do is timed account
lockouts.
I set the lockout to 3-5 attempts and then lock the account for
30 secs. You can leave the default, which will lock out the user until
an AD admin unlocks them, but that's an easy way for someone to DoS your
accounts. It really sucks when they manage to lock out an admin
account.
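
One way to quantify a burst like the one described in this thread, as an added example that is not part of the original posts: it parses Event ID 529 records from a text export, counts them per hour, flags spike hours, and shows which account and logon process are being hit. The text layout follows the pasted event; the day-first date format, the server name SBS01, and all sample data are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample data (not from the thread): one event template,
# expanded below into three quiet hours and a burst in the 10 PM hour.
TEMPLATE = """Event Type: Failure Audit
Event ID: 529
Date: 11/05/2007
Time: {time}
User Name: anonymous
Logon Type: 3
Logon Process: Advapi
User Name: SBS01
Source Network Address: -
"""

def sample_dump():
    plan = [("01", 2), ("02", 2), ("03", 3), ("10", 40)]
    return "".join(TEMPLATE.format(time=f"{h}:20:{i:02d} PM")
                   for h, n in plan for i in range(n))

def parse_events(dump):
    """Return one dict of fields per Event ID 529 record in a text dump."""
    events = []
    for line in dump.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Event Type":
            events.append({})
        if sep and events:
            # First value wins: the target "User Name" comes before the caller's.
            events[-1].setdefault(key.strip(), value.strip())
    return [e for e in events if e.get("Event ID") == "529"]

def hourly_failures(events, fmt="%d/%m/%Y %I:%M:%S %p"):
    """Count failures per clock hour; fmt is an assumed day-first layout."""
    stamps = (datetime.strptime(f"{e['Date']} {e['Time']}", fmt) for e in events)
    return Counter(t.replace(minute=0, second=0) for t in stamps)

def spike_hours(hours, factor=10):
    """Hours with at least `factor` times the median hourly count."""
    base = median(hours.values())
    return sorted(h for h, n in hours.items() if n >= factor * base)

def top_targets(events, n=3):
    """Most frequent (user, logon type, logon process, source address) tuples."""
    keys = ("User Name", "Logon Type", "Logon Process", "Source Network Address")
    return Counter(tuple(e.get(k, "") for k in keys) for e in events).most_common(n)

if __name__ == "__main__":
    print(spike_hours(hourly_failures(parse_events(sample_dump()))))
```

When the source address field is "-", as in the pasted event, the grouping in `top_targets` falls back on the account name and logon process, and the spike hours give the time window to compare against firewall or IDS connection logs.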