how to block intruder attack

From: Asanga (asanga@idnw.com)
Date: 08/12/02


From: "Asanga" <asanga@idnw.com>
Date: Mon, 12 Aug 2002 08:31:12 -0700


I see in my security logs failed logins from a workstation
that we don't recognize. How do I capture their IP and
block them from intruding on the server further? Below is an
example from the security log:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 8/11/2002
Time: 2:35:58 PM
User: NT AUTHORITY\SYSTEM
Computer: SMSWEBSVR
Description:
Logon Failure:
         Reason: Unknown user name or bad password
         User Name: TRAVELMEDIA
         Domain: WG47
         Logon Type: 3
         Logon Process: NtLmSsp
         Authentication Package:
        MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
         Workstation Name: \\SABRENET
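
One way to triage events like the one posted above, as an added example that is not part of the original post: it parses exported Event ID 529 text, tallies failures per workstation, domain and user, and lists which origin-identifying fields the records actually carry. The sample text is constructed (the first record is abridged from the post, the others are made up), and treating any field whose name contains "address" as an origin field is an assumption.

```python
import re
from collections import Counter

# Constructed sample: first record abridged from the post; the others are made up.
SAMPLE = r"""
Event Type: Failure Audit
Event ID: 529
         User Name: TRAVELMEDIA
         Domain: WG47
         Authentication Package:
        MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
         Workstation Name: \\SABRENET

Event Type: Failure Audit
Event ID: 529
         User Name: TRAVELMEDIA
         Domain: WG47
         Workstation Name: \\SABRENET

Event Type: Success Audit
Event ID: 528
         User Name: EXAMPLEUSER
"""

FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")

def parse_event(text):
    """Turn one event's text into a dict, rejoining values wrapped onto the next line."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif line.strip() and last is not None and not fields[last]:
            fields[last] = line.strip()  # e.g. the wrapped Authentication Package value
    return fields

def summarize(log_text):
    """Count 529 failures per (workstation, domain, user); list origin fields present."""
    counts, origin = Counter(), set()
    for block in re.split(r"\n\s*\n", log_text.strip()):
        ev = parse_event(block)
        if ev.get("Event ID") != "529" or ev.get("Event Type") != "Failure Audit":
            continue
        ws = ev.get("Workstation Name", "").lstrip("\\")
        counts[(ws, ev.get("Domain", ""), ev.get("User Name", ""))] += 1
        # Assumption: an address field, if logged, has "address" in its name.
        origin.update(k for k in ev if "workstation" in k.lower() or "address" in k.lower())
    return counts, sorted(origin)
```

On the sample, `summarize(SAMPLE)` reports two failures for `SABRENET` and only `Workstation Name` as an origin field, so records shaped like the posted one identify the client by name, not by IP.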


