Web Hosting Talk
Identifying possible Hack attack on Win2000


rsiera
06-22-2001, 06:50 AM
Hello,

For the second day in a row my WIN2000 Server system log file is full of warnings like this:
--------------------
MSFTPSVC
The server was unable to logon the Windows NT account 'blablabla' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
---------------------
Apparently someone is trying to log in to the FTP. Due to the accounts that they are trying I suspect this is the work of a hacker.
What measures could I take? Any hints or tips?
I just enabled the FTP log of IIS to gather more info.
Could you recommend software that could be useful in situations like this, for example software that helps identify problems?
Do you know of a way to make it impossible to try to log in more than 100 times a day to an account?

Any hints, thoughts or links to useful resources on this issue are more than welcome.


Rob Siera

XTStrike
06-22-2001, 07:54 AM
---
Do you know of a way to make it impossible to try to log in more than 100 times a day to an account?
---

Don't do that, otherwise somebody could attempt 100 times every day and DoS the service on the box.

rsiera
06-22-2001, 08:00 AM
Originally posted by xtstrike
---
don't do that otherwise somebody could attempt 100 times every day and DoS the service on the box.

I understand what you mean but I was thinking of a 100 times per IP address per day.

MCHost-Marc
06-23-2001, 02:15 PM
Originally posted by rsiera


I understand what you mean but I was thinking of a 100 times per IP address per day.

Someone could easily come up with a list of 500 IPs :)

huck
06-25-2001, 09:32 AM
Monitor the IP of the attacker -- if they are on a static connection you can use the Deny features of the FTP server to lock him out.

If they are on a dynamic IP but are restricted to a particular subnet, block out that range of IPs -- provided of course other users are not on the same subnet. You can often remove this restriction once the script-kiddie goes on to another target.

Also enable W3C extended logging to collect more info.


Once you have some info, send an email to the abuse dept. at the attacker's ISP. Send them the relevant log files and a complaint letter. Some ISPs respond -- some don't.


Also, make sure there are not any default accounts or accounts with weak passwords.

If your users connect from a range of IPs, e.g. in an intranet situation, you could allow only them to connect.

Also, in the message box, post a warning regarding unauthorized access. This is important for legal reasons. All computers should have these types of notices -- though they do not do anything for you in court, the excuse, "I did not know the system was private." cannot be used. Also, this notifies your legitimate users about certain privacy issues.

I use the following:

****************************************************
NOTICE TO USERS


This computer system is for authorized use only. Users (authorized or
unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and disclosed to
authorized site and law enforcement personnel.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion of
authorized site.

Unauthorized or improper use of this system may result in administrative
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and
conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
stated in this warning.
***********************************************
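
The system log warning quoted in the first post names the account but not the client, so the IIS FTP log that huck recommends enabling (W3C extended format) is where the source IPs come from. The script below is an added example, not code from anyone in this thread: it reads such a log, correlates each rejected PASS with the USER that preceded it on the same connection, and produces two views, failures per source IP (rsiera's per-IP threshold, usable as input to the FTP server's Deny list) and, per account, the set of distinct IPs that failed against it, which is how you notice the spread-over-500-addresses case Marc describes. It assumes the IIS 5 FTP W3C layout in which commands are logged as "[n]USER name" and "[n]PASS -" with the FTP reply code in sc-status (331 password required, 230 logged in, 530 logon failed); the log lines in it are constructed for illustration, and the threshold of 3 is an arbitrary choice.

```python
"""Summarise failed FTP logons from an IIS W3C extended log.

Added example, not code from the original thread. It assumes the
IIS 5 FTP service W3C layout where USER/PASS commands are logged as
"[n]USER <name>" and "[n]PASS -" with the FTP reply code in sc-status
(331 = password required, 230 = logged in, 530 = logon failed).
The log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: two noisy sources plus one legitimate user (rob).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-22 06:50:00
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:50:01 192.0.2.10 [1]USER administrator 331
06:50:01 192.0.2.10 [1]PASS - 530
06:50:02 192.0.2.10 [1]USER administrator 331
06:50:02 192.0.2.10 [1]PASS - 530
06:50:03 192.0.2.10 [2]USER guest 331
06:50:03 192.0.2.10 [2]PASS - 530
06:50:04 198.51.100.7 [3]USER administrator 331
06:50:04 198.51.100.7 [3]PASS - 530
06:50:05 203.0.113.9 [4]USER rob 331
06:50:05 203.0.113.9 [4]PASS - 230
06:50:06 203.0.113.9 [4]QUIT - 221
"""

_CMD_RE = re.compile(r"^\[(\d+)\](\w+)$")  # "[1]USER" -> ("1", "USER")


def failed_logons(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, account) for every PASS the server rejected (530).

    The account comes from the preceding USER on the same connection, so
    USER and PASS are correlated by (c-ip, connection number). Column
    positions are taken from the #Fields header rather than hard-coded.
    """
    fields: List[str] = []
    pending_user: Dict[Tuple[str, str], str] = {}
    failures: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if not fields:
            continue  # data before any #Fields header: layout unknown
        rec = dict(zip(fields, line.split()))
        m = _CMD_RE.match(rec.get("cs-method", ""))
        if not m:
            continue
        conn, cmd = m.group(1), m.group(2).upper()
        key = (rec.get("c-ip", "-"), conn)
        if cmd == "USER":
            pending_user[key] = rec.get("cs-uri-stem", "-")
        elif cmd == "PASS" and rec.get("sc-status") == "530":
            failures.append((key[0], pending_user.get(key, "?")))
    return failures


def summarise(failures: List[Tuple[str, str]], per_ip_threshold: int = 3
              ) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Group failures by source IP and by targeted account.

    Returns (block_candidates, per_account): IPs with at least
    per_ip_threshold failures (candidates for the FTP Deny list), and
    account -> set of source IPs that failed against it, which shows an
    attack spread across many addresses that no per-IP limit catches.
    """
    per_ip: Dict[str, int] = defaultdict(int)
    per_account: Dict[str, Set[str]] = defaultdict(set)
    for ip, account in failures:
        per_ip[ip] += 1
        per_account[account].add(ip)
    block = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    return block, dict(per_account)


if __name__ == "__main__":
    fails = failed_logons(SAMPLE_LOG.splitlines())
    block, per_account = summarise(fails)
    print("failed logons:", len(fails))
    print("deny-list candidates:", block)
    for account, ips in sorted(per_account.items()):
        print(f"{account}: {len(ips)} distinct source IP(s)")
```

On the constructed sample the per-IP view flags only 192.0.2.10, while the per-account view shows "administrator" being tried from two addresses, which is the signal to watch when the per-IP count stays under the threshold. Point the script at the real log file (read it with the same `splitlines()` call) and adjust the threshold to your traffic; a deny entry for a dynamic or shared address should be reviewed and removed later, as huck notes.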

bombino
06-27-2001, 01:01 AM
I can't say that I know much about Windows 2k as a server (BSD Baby!), but those login names look like they might be a potential exploit. I'd search Microsoft's knowledge base and Google using the attempted login name as a search term.

If you are scared that it is an exploit of a Windows vulnerability, try checking with WindowsUpdate to make sure that you have all the Security Patches and stuff (and there are a lot of them - heh).