Re: Hundreds of failed login attempts



Also, to add: you don't mention your operating system, which is very
important to do when posting a question, as solutions differ depending on
it. If you are using Windows 2003 with SP1 you can use the Security
Configuration Wizard to help lock down your server properly based on role
and needed access level. For any NT type operating system you can use MBSA
to check for basic security vulnerabilities including needed security
updates and other vulnerabilities such as not having implemented IIS
Lockdown/URLScan on Windows 2000/IIS5.0. The links below provide more
details. --- Steve

http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx
--- Windows 2003 Security Wizard
http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.microsoft.com/technet/security/prodtech/default.mspx ---
TechNet Security link for products and technology
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx



"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u6F5GmHVGHA.6048@xxxxxxxxxxxxxxxxxxxxxxx
It could be a hack attempt or the administrator account has wrong
credentials and is trying to access the server for some legitimate
purpose, fails, and keeps retrying. Check the logon events for the source
computer and if it is on your network you need to see what is going on. If
it is from outside your network it probably is a hack attempt and you
should check your firewall logs to see if it is from the same source IP
and block that IP in your firewall. Also make sure the server has no
unneeded services installed or available to the internet such as file and
print sharing possibly. You can go to a self scan site such as
http://scan.sygatetech.com/ to do some basic firewall scans. The link
below can help track down account lockout issues/logon failures. ---
Steve


http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

"Selden" <seldenm@xxxxxxx> wrote in message
news:npmdnXT3S-7rgrHZRVn-ig@xxxxxxxxxxxxxxx
I'm seeing hundreds of failed login attempts for "administrator" on one
of my web servers.

The administrator account has a limit of 20 attempts, then a lockout for
30 minutes.

But the security event log shows these events occurring about 10 per
minute for hours at a time, with no break.

I'm pretty new to server administration, and I'm not sure what else to do
to limit these attempts.

Any suggestions would REALLY be appreciated!

---Selden McCabe
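
Added example, not part of the original thread: one way to follow the advice above to check the logon failures by source, splitting them into sources on your own network (inspect that machine) and outside sources (check the firewall logs and block). The CSV columns, the sample rows, the addresses and the internal ranges are all constructed assumptions, not a real Windows export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: replace with the address ranges of your own network.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_sample():
    """Constructed export of failed logons: time,account,source_ip (hypothetical columns)."""
    rows = ["time,account,source_ip"]
    # Outside source: 10 failures per minute for 30 minutes, as in the question.
    for i in range(300):
        rows.append(f"2006-01-01 02:{i // 10:02d}:{(i % 10) * 6:02d},administrator,203.0.113.45")
    # Inside source: one failure every 5 minutes (e.g. a stale saved password).
    for m in range(0, 30, 5):
        rows.append(f"2006-01-01 02:{m:02d}:30,administrator,192.168.1.20")
    return "\n".join(rows)

def summarize(csv_text, account="administrator"):
    """Group failed logons for one account by source address, busiest first."""
    times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account"].lower() == account:
            stamp = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            times[row["source_ip"]].append(stamp)
    report = []
    for src, stamps in times.items():
        stamps.sort()
        # Treat anything shorter than a minute as one minute to avoid inflated rates.
        minutes = max((stamps[-1] - stamps[0]).total_seconds() / 60, 1.0)
        internal = any(ip_address(src) in net for net in INTERNAL_NETS)
        report.append({
            "source": src,
            "failures": len(stamps),
            "per_minute": round(len(stamps) / minutes, 1),
            "first": stamps[0],
            "last": stamps[-1],
            "action": "inspect that machine" if internal
                      else "check firewall logs, block source",
        })
    return sorted(report, key=lambda r: r["failures"], reverse=True)

if __name__ == "__main__":
    for entry in summarize(build_sample()):
        print(entry)
```

A steady rate that continues through the lockout window, like the outside source in the sample, points to an automated retry rather than someone mistyping a password.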
