Posted by Roger Abell [MVP] on March 16, 2006, 8:52 am
You are being probed.
If you shut down access from external IPs except to the
required (tcp 80/443, etc) then you only need to guard
the few authentication methods available that are needed
for the web owners content management and if applicable
Windows account restricted browsing areas.
Those will still get probed.
When I have such probe pests, ones that are persistent,
I put their IP in a deny filter in IPsec rules, where I name
the filters by month and then occasionally delete the filters
from older months to let them out of banishment.
>I have a web server hosting various commercial websites. I was looking at
>the
> event log when I noticed several Security Failure Audits from a few
> different
> IP addresses and domains that look like this:
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: admin
> Domain: HIGGINS
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: HIGGINS
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: ***.***.***.***
> Source Port: 0
>
> and this:
>
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: admin
> Source Workstation: HIGGINS
> Error Code: 0xC0000064
>
> To me this looks like some people are trying to guess the administrator
> username and password. What is the best practice way of dealing with this?
> The Administrator account has been renamed and there is no Guest account,
> what else can I do? Is it possible to block these IP addresses? Any
> suggestions would be appreciated.
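The month-named ban procedure Roger describes, worked through as an added example (this is not code from the thread or from either poster). It parses failure audits laid out like the ones quoted above, counts network (type 3) logon failures per source address, and emits block and unblock commands. Assumptions, not from the thread: the audit text is constructed sample data with documentation addresses; the ban threshold of two failures and the three-month retention are arbitrary; and Windows Firewall rules via `netsh advfirewall` stand in for the IPsec deny filters Roger uses, since the naming-by-month and periodic-expiry idea is the same.

```python
"""Triage NTLM logon-failure audits and maintain month-tagged IP bans.

Added example, not code from the thread. The input is constructed sample
text in the "Logon Failure:" layout quoted in the original question; the
block commands use Windows Firewall (netsh advfirewall) as a stand-in for
Roger's IPsec deny filters. Threshold and retention period are assumptions.
"""
import re
from collections import Counter
from datetime import date

# Constructed sample (test data, not real log output): three failure audits
# from two source addresses, one of which is persistent.
SAMPLE_LOG = """\
Logon Failure:
 Reason: Unknown user name or bad password
 User Name: admin
 Domain: HIGGINS
 Logon Type: 3
 Logon Process: NtLmSsp
 Authentication Package: NTLM
 Workstation Name: HIGGINS
 Source Network Address: 203.0.113.7
 Source Port: 0

Logon Failure:
 Reason: Unknown user name or bad password
 User Name: administrator
 Domain: HIGGINS
 Logon Type: 3
 Logon Process: NtLmSsp
 Authentication Package: NTLM
 Workstation Name: HIGGINS
 Source Network Address: 203.0.113.7
 Source Port: 0

Logon Failure:
 Reason: Unknown user name or bad password
 User Name: admin
 Domain: HIGGINS
 Logon Type: 3
 Logon Process: NtLmSsp
 Authentication Package: NTLM
 Workstation Name: HIGGINS
 Source Network Address: 198.51.100.22
 Source Port: 0
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")


def parse_failures(text):
    """Split the audit text into one dict of fields per 'Logon Failure:' record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            current = {}
            records.append(current)
            continue
        m = FIELD.match(line)
        if current is not None and m:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def persistent_probers(records, threshold=2):
    """Source addresses with at least `threshold` network (Logon Type 3) failures."""
    counts = Counter(
        r.get("Source Network Address")
        for r in records
        if r.get("Logon Type") == "3"
        and r.get("Source Network Address") not in (None, "", "-")
    )
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def ban_rule_name(ip, when):
    """Tag the rule with the month it was created, so old bans are easy to find."""
    return f"ProbeBan-{when:%Y-%m}-{ip}"


def block_commands(ips, when):
    """One inbound block rule per address (assumed netsh advfirewall syntax)."""
    return [
        f'netsh advfirewall firewall add rule name="{ban_rule_name(ip, when)}" '
        f"dir=in action=block remoteip={ip}"
        for ip in ips
    ]


def expired_rules(rule_names, today, keep_months=3):
    """Rule names whose month tag is older than `keep_months` months before `today`."""
    cutoff = today.year * 12 + today.month - keep_months
    out = []
    for name in rule_names:
        m = re.match(r"ProbeBan-(\d{4})-(\d{2})-", name)
        if m and int(m.group(1)) * 12 + int(m.group(2)) <= cutoff:
            out.append(name)
    return out


def unblock_commands(rule_names):
    """Delete the expired rules to let those addresses out of banishment."""
    return [f'netsh advfirewall firewall delete rule name="{n}"' for n in rule_names]


def demo(today=date(2006, 3, 16)):
    """Run the whole cycle on the sample data and return (block, unblock) commands."""
    bad = persistent_probers(parse_failures(SAMPLE_LOG))
    existing = ["ProbeBan-2005-11-192.0.2.9", "ProbeBan-2006-02-192.0.2.10"]
    return block_commands(bad, today), unblock_commands(expired_rules(existing, today))


if __name__ == "__main__":
    block, unblock = demo()
    print("\n".join(block + unblock))
```

Only the persistent address (two failures) is banned; the single-failure address is left alone, which is the point of a threshold. Run on a real box the rule names would come from `netsh advfirewall firewall show rule name=all` rather than the constructed `existing` list, and the commands would be executed rather than printed.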