May 26th, 2004, 02:44 PM
|
#1 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: White Rock, Canada
Posts: 2,238
| Help! Server being attacked!
One of my servers is constantly being attacked, though so far I can't see that they are getting in. They are trying all the default user names that M$ would have; I have none of those.
Looks like they are using a program, 'cause the rapid-fire login attempts are insane. Here is where it gets interesting: one person has managed to get the correct user names and keeps locking the accounts, since I have fairly tough rules on incorrect user name/pwd.
Question is: How did they get the list of user names???? |
| |
May 26th, 2004, 02:48 PM
|
#2 (permalink)
| | Ultimate Member
Join Date: Oct 2001
Posts: 21,063
|
They're trying a brute force attempt... chances are they don't have a list of user names, just going through a dictionary.
If you have a firewall, block off the IP that is doing the attack. |
| |
May 26th, 2004, 03:07 PM
|
#3 (permalink)
| | addicted
Join Date: Oct 2001 Location: Ohio
Posts: 6,103
| |
| |
May 26th, 2004, 03:10 PM
|
#4 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: Long Island, NY, USA
Posts: 4,646
|
You may want to configure a timeout on userIDs that, let's say, locks out the account for 20 minutes if there are three failed logins. This will considerably slow down a brute force attempt.
__________________ "Those who can make you believe absurdities can make you commit atrocities" - Voltaire |
| |
May 26th, 2004, 03:15 PM
|
#5 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: Long Island, NY, USA
Posts: 4,646
|
Also, enable 'Interactive login: Do not display last users name.' (Administrative Tools, Security Settings -> Local policies -> Security options). This will prevent one from getting the user id already in the dialog box. |
| |
May 26th, 2004, 03:17 PM
|
#6 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: White Rock, Canada
Posts: 2,238
|
Actually, they are using something to get the specific user names cause we have very unique names, nothing in the dictionary..... |
| |
May 26th, 2004, 03:20 PM
|
#7 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: White Rock, Canada
Posts: 2,238
|
Yes, I have the lock out after 5 invalid pwd and locked for 30 minutes....
Once one is locked they move to the next user name until that is locked....  |
| |
May 26th, 2004, 03:22 PM
|
#8 (permalink)
| | addicted
Join Date: Oct 2001 Location: Ohio
Posts: 6,103
|
Is this happening over the Internet?
Is this via MS Share, Terminal Server, IIS, or ? |
| |
May 26th, 2004, 03:28 PM
|
#9 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: White Rock, Canada
Posts: 2,238
|
I believe terminal server at this point.... |
| |
May 26th, 2004, 03:33 PM
|
#10 (permalink)
| | Ultimate Member
Join Date: Oct 2001 Location: Long Island, NY, USA
Posts: 4,646
|
Can you determine if it is inside your company's network or from the outside? |
| | |
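Added example (not from any poster in this thread): Python that takes failed-logon records and reports, per source address, which accounts were driven to the lockout threshold and whether the source is inside or outside the network, the two questions raised in posts #7 and #10. The record layout, the sample addresses and account names, and the RFC 1918 definition of "internal" are assumptions; the threshold of 5 is the one stated in post #7.

```python
import ipaddress
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # invalid passwords before lockout, per post #7
# Assumption: "inside the company's network" means RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _fails(src, account, n):
    """Build n constructed failed-logon records for one source and account."""
    return [("2004-05-26 14:40:%02d" % i, src, account, "FAIL") for i in range(n)]

# Constructed sample records (timestamp, source IP, account, outcome); the
# layout is hypothetical, not a Windows event log format.
SAMPLE = (_fails("203.0.113.7", "kbrandt7", 5)
          + _fails("203.0.113.7", "mlowry3", 5)
          + _fails("203.0.113.7", "Administrator", 2)
          + _fails("192.168.1.20", "kbrandt7", 2)
          + [("2004-05-26 14:41:30", "192.168.1.20", "kbrandt7", "OK")])

def is_internal(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)

def summarize(records, threshold=LOCKOUT_THRESHOLD):
    """Per source: accounts tried, accounts driven to lockout, origin."""
    fails = defaultdict(lambda: defaultdict(int))
    for _ts, src, account, outcome in records:
        if outcome == "FAIL":
            fails[src][account.lower()] += 1  # account names compared case-insensitively
    report = {}
    for src, per_account in fails.items():
        locked = sorted(a for a, n in per_account.items() if n >= threshold)
        report[src] = {
            "internal": is_internal(src),
            "accounts_tried": len(per_account),
            "locked_out": locked,
            # One source pushing several accounts to the threshold is the
            # pattern in post #7; a user mistyping a password hits one account.
            "lockout_sweep": len(locked) >= 2,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

A source flagged as a lockout sweep that is also external is a candidate for the firewall block suggested in post #2; an internal one points at a machine on the local network instead.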