Intruder Lockout

Posted on 2004-08-24
1,080 Views
Last Modified: 2011-09-20
The admin account keeps getting locked every 20 seconds. In ConsoleOne the last address was 12; I thought this might be a connection ID, but I don't think so.
Question by:beacom
29 Comments
 
LVL 34

Accepted Solution

by:
PsiCop earned 256 total points
ID: 11886151
The last address will vary depending on if you're in a TCP/IP or IPX environment. You didn't bother to specify what VERSION of NetWare you have, but I would look at things like LDAP. If you run LDAP, something somewhere else on your network might be running rampant and making tons of LDAP calls, making the account lock repeatedly.

Try unloading all instances of NLDAP.NLM (I have no idea how many servers you have).

If that isn't it, someone could be trying to brute-force the Admin account password. Do you have a sniffer?
0
 
LVL 2

Assisted Solution

by:specman
specman earned 248 total points
ID: 11886205
You may have a process that is calling the admin account for access, i.e. backup software like Arcserve. These utilities need to have administrative access to complete various tasks; the user/password combo may be wrong, thus triggering the intruder alert. If this is your setup, you should consider using a different account with the appropriate privileges to do the work; for instance, create a BACKUP account for the backup utility to access each server or resource.
0
 

Author Comment

by:beacom
ID: 11886298
Unloaded LDAP and it still occurs. Will check out arcserve stuff tomorrow and let you know
0

 
LVL 34

Expert Comment

by:PsiCop
ID: 11886375
If it were the ArcServe process, then you would almost certainly get errors trying to back up your system (depending on how long the lockout lasts).
0
 
LVL 3

Expert Comment

by:roseanne
ID: 11889380
This may not be helpful (and then again it might) but if I were responsible for a network where the Admin account was getting locked out every 20 seconds, I would be on the phone with Novell tech support (assuming you are running a currently supported version -- something you haven't mentioned yet).  This sort of behavior on your network is a huge security concern.

If you are a current CNE, you get reduced rate support chats to Novell.  Not trying to diss anyone here (there are some seriously heavy-hitters that hang out here), but there are times when a BB is not where you should be looking for support help.

0
 

Author Comment

by:beacom
ID: 11891266
We recently changed passwords, so this is why it is happening constantly, not just when we back up.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11893949
That means something is trying to log in using the Admin account.

You still haven't mentioned your NetWare version, by the way.  When you reply, how 'bout you tell us the server version, AND all of the service-type software that is running on the server, not just ARCserve.  We might be able to give you advice on where to look for the wayward process and where the account is configured.

You need to find out all of the processes that are using Admin to log in, and give them their own ID's and access rights appropriate to the function.  It's not a good idea to use Admin as a service login - that should be reserved for high-level administrative activity.  It is too common that it is used for service logins, though, because it's convenient.


0
 
LVL 2

Expert Comment

by:specman
ID: 11894304
I'd have to agree with roseanne here, you've got major probs.  Obviously something (or someone) is still trying to use the Admin account with the old password.  It still sounds like some automated process to me... but you have the console in front of you, not me.  You need to do some auditing and track down what/who that is and fix it immediately.  PsiCop brings up another point; if there is an automated process at work that needs that access, you surely must be getting error messages for other items... check your backup logs to see if they are working for instance.  Run through your other logs too; such as the console log.  A good audit should turn up the culprit.
0
 

Author Comment

by:beacom
ID: 11894377
I ran n4object and it returned the following. What's with that MAC address? No one is complaining. I wonder if it is an NT to Novell authentication, since we are running NDS for NT.


Objects that match 'admin' are:
   Distinguished Name: admin.RMH

NDS information for: .admin.RMH

Attribute Name              : Attribute Value

CN                          : admin
Login Allowed Time Map      : Length: 0x2a, Data: 0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff
Login Disabled              : FALSE
Login Grace Limit           : 2
Login Grace Remaining       : 2
Login Intruder Address      : [Na]A501FA33:8B0170001600
Login Intruder Attempts     : 2
Login Intruder Reset Time   : 08-25-2004  7:56:56 PDT
Login Script                : N4Object will not return SYN_STREAM value.
Login Time                  : 08-24-2004 12:18:56 PDT
Network Address             : [IP]172.20.6.53
Object Class                : User, Organizational Person, Person, Top, ndsLoginProperties
Password Allow Change       : TRUE
Password Minimum Length     : 7
Password Required           : TRUE
Surname                     :
Account Balance             : 0
Allow Unlimited Credit      : TRUE
Message Server              : RMH-LAB.MAIN.RMH
Language                    : ENGLISH
Locked By Intruder          : TRUE
Last Login Time             : 08-24-2004 11:35:14 PDT
Used By                     : [Root]:
GUID                        : Length: 0x10, Data: 0x0,0x57,0x76,0x92,0xa2,0x36,0x79,0xd5
GroupWise ID                : RMHDOM.10ANGLIN.Admin
NRD:Registry Index          : N4Object will not return SYN_STREAM value.
IWS:Privileges              : 1
IWS:SecurityDescriptor      : Length: 0xec, Data: 0x0,0x1,0x4,0x0,0x0,0x0,0x0,0x0
IWS:Last Logoff             : 09-23-2002  7:06:49 PDT
IWS:User Parameters         : Length: 0x378, Data: 0x0,0x6d,0x0,0x14,0x0,0xb8,0x0,0x14
IWS:Account Control         : 528
IWS:Logon Count             : 36
IWS:Country Code            : 0
IWS:Code Page               : 0
IWS:Extended Security A     : Length: 0x100, Data: 0x0,0x2c,0x44,0xca,0x12,0x2d,0xbf,0x8e
IWS:Extended Security B     : Length: 0x100, Data: 0x0,0xfc,0xf9,0x86,0x12,0xad,0xc8,0xbf
IWS:Extended Security C     : Length: 0x100, Data: 0x0,0x92,0xff,0x61,0xf8,0x82,0x89,0x4
IWS:Extended Security D     : Length: 0x100, Data: 0x0,0x9f,0xee,0xd6,0x11,0xcb,0x7b,0xd9
IWS:Group Membership        : 513;Domain Users.RMH.NT_DOMAIN.MAIN.RMH, 512;Domain Admins.RMH.NT_DOMAIN.MAIN.RMH
IWS:Alias Membership        : 551;Backup Operators.RMH.NT_DOMAIN.MAIN.RMH, 544;Administrators.RMH.NT_DOMAIN.MAIN.RMH
IWS:Bad Password Count      : 0
IWS:Bad Password Time       : 08-11-2004 12:39:20 PDT
IWS:Domain Membership       : 512;RMH.NT_DOMAIN.MAIN.RMH
modifiersName               : CN=rbeacom,OU=MAIN,O=RMH
IWS:Domain Trustees         : RMH.NT_DOMAIN.MAIN.RMH
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11894461
Ah, so it's not the admin account in NDS, it's the NT admin account as managed through eDirectory via NDS for NT. Right? And the lockouts are happening in the Domain, right?
0
 

Author Comment

by:beacom
ID: 11933106
What would be the best tool to monitor which workstation the admin is being locked out from, since the following address doesn't exist?

Login Intruder Address      : [Na]A501FA33:8B0170001600
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11934230
Are you IPX or IP? That address may exist; it's just not in a format you recognize.
0
 

Author Comment

by:beacom
ID: 11934305
Both IPX and IP
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11934600
OK, it's a Very Bad Idea (tm) to bind both IPX and IP to the Novell Client 32 on the workstations. Pick one protocol or the other for NetWare communications, not both. You can have both protocols bound to the workstation's NIC, just don't bind both to the NetWare Client.
0
 
LVL 3

Assisted Solution

by:roseanne
roseanne earned 248 total points
ID: 11935688
beacom wrote:
Login Intruder Address      : [Na]A501FA33:8B0170001600


Well, it looks to me like the first portion is your network number (IPX), and the second portion is the MAC address. You could certainly look at the ARP table on your router or manageable switch for the MAC address of the device. Of course, look at the configs on your servers first to see what their MAC addresses are, seeing as it's probably a service trying to run, and services are most commonly found on servers. You might also check any PC that has ever been used to administer the network. Network administrators are the worst offenders at setting up automated processes running from their own machines and then never documenting it. BTGoT (been there, guilty of that)
0
 
LVL 3

Expert Comment

by:roseanne
ID: 11935699
btw, the NA means Non Authenticated. In other words, whatever machine is doing this is using a Non Authenticated connection (obviously).
0
 
LVL 3

Expert Comment

by:roseanne
ID: 11935738
To explain further on the ARP table: by locating the MAC address in the ARP table on your switch or router, you can then identify an IP address and even a port on the switch that the machine is connected to. Then you can look at your documentation and track down which punch-down that switch port is patched to, and consequently the location of the machine.

Luckily for you, it's doing it at least every 12 seconds, so the MAC address will never get flushed from the ARP table, thus giving you plenty of time to track it down.
0
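Editor's note, added example (not code from any poster in this thread): the three comments above describe reading the "[Na]NETWORK:NODE" intruder address out of the n4object dump, splitting it into the IPX network number and the NIC's MAC address, and then taking that MAC to the switch or router table. The script below does the first two steps so the lookup key is already in the usual colon-separated form. The attribute dump it parses is a constructed sample built from the values beacom posted; the "[Na]" = non-authenticated, "[IP]" = IP tag meanings follow roseanne's and PsiCop's comments, and the helper names are my own.

```python
"""Decode an NDS 'Login Intruder Address' and summarise the lockout state
from an n4object-style attribute dump.

Added example for this thread, not part of NetWare/n4object itself.
"""
import re

# Constructed sample: an abbreviated n4object dump using the values
# quoted in the thread (only the lines relevant to the lockout).
SAMPLE_DUMP = """\
CN                          : admin
Login Intruder Address      : [Na]A501FA33:8B0170001600
Login Intruder Attempts     : 2
Login Intruder Reset Time   : 08-25-2004  7:56:56 PDT
Network Address             : [IP]172.20.6.53
Locked By Intruder          : TRUE
Last Login Time             : 08-24-2004 11:35:14 PDT
IWS:Bad Password Count      : 0
"""

# Address type tags as they appear in the dump ('Na' = non-authenticated
# connection, per the thread; 'IP' = TCP/IP). Assumed mapping.
ADDRESS_TAGS = {"Na": "non-authenticated (IPX)", "IP": "IP"}

# Attribute names may themselves contain a colon (e.g. 'IWS:Privileges'),
# so split on the padded ' : ' separator, not on the first colon.
_ATTR_LINE = re.compile(r"^(\S.*?)\s+:\s?(.*)$")


def parse_attributes(dump: str) -> dict:
    """Turn 'Name<spaces>: Value' lines into a dict."""
    attrs = {}
    for line in dump.splitlines():
        m = _ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def decode_address(value: str) -> dict:
    """Split '[TAG]ADDRESS' into its parts.

    For the IPX form NETWORK:NODE the node is the 12-hex-digit MAC of the
    sending NIC, which is the key to look up in a switch/router table.
    """
    m = re.fullmatch(r"\[(\w+)\](.*)", value)
    if not m:
        raise ValueError(f"unrecognised address format: {value!r}")
    tag, addr = m.groups()
    result = {"tag": tag, "transport": ADDRESS_TAGS.get(tag, "unknown"), "raw": addr}
    ipx = re.fullmatch(r"([0-9A-Fa-f]{8}):([0-9A-Fa-f]{12})", addr)
    if ipx:
        net, node = ipx.groups()
        result["ipx_network"] = net.upper()
        result["mac"] = ":".join(node[i:i + 2] for i in range(0, 12, 2)).lower()
    elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", addr):
        result["ip"] = addr
    return result


def lockout_summary(dump: str) -> dict:
    """Collect the intruder-lockout fields an admin needs to chase this down."""
    attrs = parse_attributes(dump)
    return {
        "account": attrs.get("CN"),
        "locked": attrs.get("Locked By Intruder") == "TRUE",
        "attempts": int(attrs.get("Login Intruder Attempts", "0")),
        "reset_time": attrs.get("Login Intruder Reset Time"),
        "source": decode_address(attrs["Login Intruder Address"]),
    }


if __name__ == "__main__":
    summary = lockout_summary(SAMPLE_DUMP)
    src = summary["source"]
    print(f"{summary['account']}: locked={summary['locked']} "
          f"attempts={summary['attempts']} reset={summary['reset_time']}")
    print(f"source transport: {src['transport']}")
    if "mac" in src:
        print(f"IPX network {src['ipx_network']}, look up MAC {src['mac']}")
```

Run it against a real n4object dump by replacing SAMPLE_DUMP with the captured text; the printed MAC is the value to search for in the switch MAC table or router ARP cache, as described above.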
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 248 total points
ID: 11937355
Also, since it's an IPX address being posted, it's possible they commonly connect to NetWare using IPX. You can browse through Monitor, Connections.  If it's someone that logs into NetWare using IPX, their connection will show up there (provided they are connected...)  Just watch as you scroll through the list for the address to change from IP to IPX format - it's easy for the distracted eye to see - and compare to your intruder's address, until you find it or run out of connections to look at.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 13470252
beacom, did you ever find the "intruder?"  Did we help?

Come back and let us know.
0
 
LVL 1

Expert Comment

by:RMHhelpdesk
ID: 13476087
It was a GroupWise service account that was using the admin account. How do I accept an answer?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 13476772
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 15825826
I think there was good stuff here.  I say either paq/no refund or devise a split...
0
 
LVL 20

Expert Comment

by:Venabili
ID: 15826228
Hi ShineOn,

Nice to see you around... :) Split between which comments?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 15827421
Oh, maybe specman {http:11886205}, PsiCop {http:11886151}, roseanne {http:11935688}, me {http:11937355} in that order?
0
 
LVL 20

Expert Comment

by:Venabili
ID: 15828735
Works for me. Thanks for the assistance
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 15828755
NP.  Thanks for doing cleanup.
0
