Re: Attempt Attack
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/10/05
- Next message: Gfry: "Group Policy / group policy management console"
- Previous message: Reyman: "Attempt Attack"
- In reply to: Reyman: "Attempt Attack"
- Next in thread: Reyman: "Re: Attempt Attack"
- Reply: Reyman: "Re: Attempt Attack"
Date: Fri, 10 Jun 2005 10:27:37 -0500

You would need to check the firewall logs for IP addresses using the port of
the service they are trying to log on to that match the time of the logon
failures. Of course, for this to work well the times of the firewall and the
computer/domain controller will need to be in synch. I would think your
proxy has some logging capability as it may be your firewall. Software
firewalls [Sygate for example] or software IDS will usually be able to
record the IP addresses, but then you would have to install more software on
your proxy server. You can also use netmon to monitor traffic on the
external adapter, but that will probably necessitate that you capture a lot
of traffic unless these attempts are very time specific, and that can be
very tedious.

Failed logon attempts are not unusual, and if you are enforcing strong
passwords then the risk is minimal unless they are trying to mount a denial
of service attack. I would also make sure that file and print sharing and
NetBIOS over TCP/IP are disabled on the external adapter of the proxy
connected directly to the internet. Depending on what you are offering to
internet clients [remote users, etc.] you may want to look at the possibility
of using VPN using L2TP for access. Since you are using proxy it will need
to be NAT-T compliant, however, as would the L2TP VPN clients [no problem for
Windows since W98 with the NAT-T client installed]. L2TP requires the use
of computer certificates so that computers can authenticate before the user
is allowed to try to log on.

--- Steve

"Reyman" <reystuff@gmail.com> wrote in message
news:1118412801.138644.273300@g44g2000cwa.googlegroups.com...
> I have a Windows 2000 machine we use as a proxy server that sits in
> the DMZ. For a while, I have been noticing computers from domains
> unreachable by me trying to log in to the machine using an account that
> is disabled. Before they find and attempt to use an active
> account, is there a way for us to find out the IP of the computers that
> are attempting this attack? Any software we can install on this machine
> that would block attempts like this?
>
> Thanks.
>
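
The log correlation Steve describes, as an added example that is not part of the original thread: it matches failed-logon times from the host against firewall connections to the service port, within a tolerance for clock skew. The log format, the sample entries, port 445 and all function names are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread).
# Failed-logon times as recorded in the Windows host's Security log.
FAILED_LOGONS = ["2005-06-10 09:14:07", "2005-06-10 09:14:31", "2005-06-10 11:02:55"]
# Firewall log lines: "date time src_ip dst_port action" (hypothetical format).
FIREWALL_LOG = """\
2005-06-10 09:13:58 192.0.2.10 80 ALLOW
2005-06-10 09:14:05 203.0.113.7 445 ALLOW
2005-06-10 09:14:29 203.0.113.7 445 ALLOW
2005-06-10 09:20:00 198.51.100.4 445 ALLOW
2005-06-10 11:02:57 203.0.113.7 445 ALLOW
2005-06-10 11:02:58 198.51.100.23 25 ALLOW
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_firewall(text):
    """Yield (time, src_ip, dst_port) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or truncated lines
        try:
            yield datetime.strptime(" ".join(parts[:2]), FMT), parts[2], int(parts[3])
        except ValueError:
            continue  # skip lines with an unparsable time or port

def correlate(failures, fw_text, service_port, skew_seconds=5, fw_offset_seconds=0):
    """Count, per source IP, the failed logons that have a connection to
    service_port within +/- skew_seconds. fw_offset_seconds is the known
    amount by which the firewall clock runs ahead of the host clock."""
    window = timedelta(seconds=skew_seconds)
    offset = timedelta(seconds=fw_offset_seconds)
    conns = [(t - offset, ip) for t, ip, port in parse_firewall(fw_text)
             if port == service_port]
    hits = Counter()
    for stamp in failures:
        failed_at = datetime.strptime(stamp, FMT)
        # A set, so one failure counts at most once per candidate source IP.
        for ip in {ip for t, ip in conns if abs(t - failed_at) <= window}:
            hits[ip] += 1
    return hits.most_common()

if __name__ == "__main__":
    for ip, n in correlate(FAILED_LOGONS, FIREWALL_LOG, service_port=445):
        print(f"{ip}: near {n} of {len(FAILED_LOGONS)} failed logons")
```

If the two clocks are not in sync and the drift is not supplied as `fw_offset_seconds`, the same data produces no matches, which is why the time requirement in the reply matters.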