Hi, I am getting multiple login failures on my sbs 2003 server event
logs. I have seen similar questions asked before but no solution as to
how to block an ip address after eg 3 login failures within 10 secs. Is
there a way to do this?
The Login failures I am currently getting look like:-
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator <or admin, etc>
Domain: XXXXXX
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: XXXSERVER
Caller User Name: XXXSERVER$
Caller Domain: XXXXXX
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 9044
Transited Services: -
Source Network Address: <IP address>
Source Port: 3979

Hi User:

Can't tell from your post if all of that comes from your internal domain or
from outside. Can you explain?

If from inside, we have some work to do to find out what is going on. If
from outside your network, you could stop them at the edge device with a
firewall that allows you to key in the range of IP addresses where most of
this starts.

Other than that, *strong* passwords are your best defense.

--
Larry
Please post the resolution to your
issue so that others may benefit.

Get a Health Check for SBS at:
www.sbsbpa.com


<user@newsgroup> wrote in message
news:O5c%23P8hFKHA.4932@newsgroup

> Hi, I am getting multiple login failures on my sbs 2003 server event logs.
> I have seen similar questions asked before but no solution as to how to
> block an ip address after eg 3 login failures within 10 secs. Is there a
> way to do this?
> The Login failures I am currently getting look like:-
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: administrator <or admin, etc>
> Domain: XXXXXX
> Logon Type: 10
> Logon Process: User32
> Authentication Package: Negotiate
> Workstation Name: XXXSERVER
> Caller User Name: XXXSERVER$
> Caller Domain: XXXXXX
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 9044
> Transited Services: -
> Source Network Address: <IP address>
> Source Port: 3979

Hi Larry,
It is almost certainly from outside. I think Login Type 10 is Remote
access. So there is no policy setting to block a login automatically eg
to block the IP for N minutes if X login failures within Y seconds?
Thanks, Ed

On 6/08/2009 8:57 AM, Larry Struckmeyer [SBS-MVP] wrote:

> Hi User:
>
> Can't tell from your post if all of that comes from your internal domain
> or from outside. Can you explain?
>
> If from inside, we have some work to do to find out what is going on. If
> from outside your network, you could stop them at the edge device with a
> firewall that allows you to key in the range of IP addresses where most
> of this starts.
>
> Other than that, *strong* passwords are your best defense.
>

Yes, but so it a TS logon, which could originate inside your LAN. Not
likely in great numbers, but still could. I think these are probes looking
for an easy way in, and they come and go in most networks. In some cases
they may be industrial spies, or maybe the teen ager next door.

The usually, but not always, originate in the countries you would associate
with criminal Internet behavior and, to be repetitive, can be blocked at the
edge with a decent firewall. Heck, rumor has it that even some entry level
routers will allow you to set up block lists by ip address.

But, no there is no built in functionality that does what you are asking.
You can setup lockouts on all but *the* domain administrator account, but
still your best bet is really strong passwords.

--
Larry Struckmeyer
Get your SBS Health Check
at www.sbsbpa.com


<user@newsgroup> wrote in message
news:up%23LtEiFKHA.3948@newsgroup

> Hi Larry,
> It is almost certainly from outside. I think Login Type 10 is Remote
> access. So there is no policy setting to block a login automatically eg to
> block the IP for N minutes if X login failures within Y seconds?
> Thanks, Ed
>
> On 6/08/2009 8:57 AM, Larry Struckmeyer [SBS-MVP] wrote:

>> Hi User:
>>
>> Can't tell from your post if all of that comes from your internal domain
>> or from outside. Can you explain?
>>
>> If from inside, we have some work to do to find out what is going on. If
>> from outside your network, you could stop them at the edge device with a
>> firewall that allows you to key in the range of IP addresses where most
>> of this starts.
>>
>> Other than that, *strong* passwords are your best defense.
>>

>

Larry
OK, Thanks,
Ed
On 6/08/2009 10:51 AM, Larry Struckmeyer [SBS MVP] wrote:

> Yes, but so it a TS logon, which could originate inside your LAN. Not
> likely in great numbers, but still could. I think these are probes looking
> for an easy way in, and they come and go in most networks. In some cases
> they may be industrial spies, or maybe the teen ager next door.
>
> The usually, but not always, originate in the countries you would associate
> with criminal Internet behavior and, to be repetitive, can be blocked at the
> edge with a decent firewall. Heck, rumor has it that even some entry level
> routers will allow you to set up block lists by ip address.
>
> But, no there is no built in functionality that does what you are asking.
> You can setup lockouts on all but *the* domain administrator account, but
> still your best bet is really strong passwords.
>