Re: Logon failures filling the event log
- From: the_nextman <richard.markiewicz@xxxxxxxxxxxx>
- Date: Wed, 22 Aug 2007 13:02:20 -0000
On 21 Aug, 17:45, Freaky <wont...@xxxxxxxxxx> wrote:
- Small Business Server default web site (Remote Web Workplace?),
Exchange web interface and CompanyWeb all require SSL and 128 bits.
- We also have MS CRM web interface running. No SSL but it only uses
Windows Integrated.
That's ok. It's probably a brute-force attack. Given enough time these
usually succeed, but most bounce off after a while as there are simply
easier targets.
I would really appreciate any advice you might have or any comments.
It is gratifying that this person/bot/virus doesn't seem to be getting
access but still makes me quite nervous.
And it should :), it means you're thinking about security and that's a
good thing.
Also, does it mean anything that the source address/port aren't
getting caught? Usually when my users get their password wrong, it
traps the source IP address. Could this indicate the attack is from
within the server (like a worm or virus?) or is this information
easily hidden?
The authentication as seen from the authentication service comes from
IIS that tries to authenticate a remote client. Therefore it's local.
Unfortunately I know very little about IIS. There might be something in
IIS's logs tho'. What is mainly interesting is if the attacks come from
one or a couple IP(s), that usually means someone is eager to get in. If
there are tons of different IPs it usually just means there's some
virus/worm going wild.
My experience of IIS 6 is that it is very secure - we also run a
server farm (Windows 2003 standard, IIS6) hosting SSL secured, NTLM
Sharepoint portals and never see this kind of thing going on.
Common usernames, easy passwords etc. will always be prone to brute
forcing. You can however usually enforce rate limits and such (as in IP
x can only try to authenticate 5 times in a minute, if it fails 5 times
in a minute ignore it for 5 hours, or something similar). But again,
very little knowledge of IIS :)
If I have nothing to worry about that's fine, but I don't really see
what I can do to stop this. I don't want to disregard the security
warnings. As I said, any comment or advice is very much appreciated.
If you open ports to the internet, especially common services like
HTTP(S) you always see attacks coming by. Usually it's nothing (if you
are properly patched and such) but it's good to stay wary.
Thanks very much for the advice.
Very much appreciated.
- Richard
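
The check suggested in the thread (look in the IIS logs to see whether the failures come from one or a couple of addresses or from many) can be scripted. The following is an added example, not code from either poster: the function names and the sample log are constructed, it assumes a W3C extended log with the `date`, `time`, `c-ip` and `sc-status` fields enabled, and the 5-per-minute threshold is the illustrative figure from the reply above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-uri-stem sc-status
2007-08-21 17:40:01 203.0.113.7 - /exchange/ 401
2007-08-21 17:40:09 203.0.113.7 - /exchange/ 401
2007-08-21 17:40:17 203.0.113.7 - /exchange/ 401
2007-08-21 17:40:25 203.0.113.7 - /exchange/ 401
2007-08-21 17:40:33 203.0.113.7 - /exchange/ 401
2007-08-21 17:41:30 198.51.100.20 - /crm/ 401
2007-08-21 17:41:30 198.51.100.20 - /crm/ 401
2007-08-21 17:41:31 198.51.100.20 EXAMPLE\\alice /crm/ 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def summarize_401s(text, limit=5, window=timedelta(minutes=1)):
    """Per client IP: 401 count, whether `limit` 401s fell inside `window`, and whether
    any non-401 response was seen. Assumes rows are in time order, as IIS writes them."""
    stats = defaultdict(lambda: {"failures": 0, "burst": False, "other_status": False})
    recent = defaultdict(deque)
    for row in parse_w3c(text):
        s = stats[row["c-ip"]]
        if row["sc-status"] != "401":
            s["other_status"] = True  # e.g. the 200 that ends a normal handshake
            continue
        ts = datetime.strptime(f'{row["date"]} {row["time"]}', "%Y-%m-%d %H:%M:%S")
        s["failures"] += 1
        q = recent[row["c-ip"]]
        q.append(ts)
        while ts - q[0] >= window:  # drop 401s older than the window
            q.popleft()
        if len(q) >= limit:
            s["burst"] = True
    return dict(stats)

if __name__ == "__main__":
    print(summarize_401s(SAMPLE_LOG))
```

Windows Integrated authentication produces 401 responses as part of a normal handshake, so the per-address counts are an upper bound; an address with a burst of 401s and no other status is the pattern worth a closer look.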