Solved

Intruder Lockout

Posted on 2004-08-24
29
1,009 Views
Last Modified: 2011-09-20
The admin account keeps getting locked every 20 seconds. In Console One the last address was 12. I thought this might be the connection ID but I don't think so.
0
Comment
Question by:beacom
29 Comments
 
LVL 34

Accepted Solution

by:
PsiCop earned 64 total points
ID: 11886151
The last address will vary depending on whether you're in a TCP/IP or IPX environment. You didn't bother to specify what VERSION of NetWare you have, but I would look at things like LDAP. If you run LDAP, something somewhere else on your network might be running rampant and making tons of LDAP calls, making the account lock repeatedly.

Try unloading all instances of NLDAP.NLM (I have no idea how many servers you have).

If that isn't it, someone could be trying to brute-force the Admin account password. Do you have a sniffer?
0
 
LVL 2

Assisted Solution

by:specman
specman earned 62 total points
ID: 11886205
You may have a process that is calling the admin account for access, i.e. backup software like Arcserve. These utilities need to have administrative access to complete various tasks; the user/password combo may be wrong, thus triggering the intruder alert. If this is your setup, you should consider using a different account with the appropriate privileges to do the work; for instance, create a BACKUP account for the backup utility to access each server or resource.
0
 

Author Comment

by:beacom
ID: 11886298
Unloaded LDAP and it still occurs. Will check out the Arcserve stuff tomorrow and let you know.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11886375
If it were the ArcServe process, then you would almost certainly get errors trying to back up your system (depending on how long the lockout lasts).
0
 
LVL 3

Expert Comment

by:roseanne
ID: 11889380
This may not be helpful (and then again it might) but if I were responsible for a network where the Admin account was getting locked out every 20 seconds, I would be on the phone with Novell tech support (assuming you are running a currently supported version -- something you haven't mentioned yet).  This sort of behavior on your network is a huge security concern.

If you are a current CNE, you get reduced rate support chats to Novell.  Not trying to diss anyone here (there are some seriously heavy-hitters that hang out here), but there are times when a BB is not where you should be looking for support help.

0
 

Author Comment

by:beacom
ID: 11891266
We recently changed passwords, so this is why it is happening constantly, not just when we back up.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 11893949
That means something is trying to log in using the Admin account.

You still haven't mentioned your NetWare version, by the way.  When you reply, how 'bout you tell us the server version, AND all of the service-type software that is running on the server, not just ARCserve.  We might be able to give you advice on where to look for the wayward process and where the account is configured.

You need to find out all of the processes that are using Admin to log in, and give them their own IDs and access rights appropriate to the function.  It's not a good idea to use Admin as a service login - that should be reserved for high-level administrative activity.  It is too common that it is used for service logins, though, because it's convenient.


0
 
LVL 2

Expert Comment

by:specman
ID: 11894304
I'd have to agree with roseanne here, you've got major probs.  Obviously something (or someone) is still trying to use the Admin account with the old password.  It still sounds like some automated process to me... but you have the console in front of you, not me.  You need to do some auditing and track down what/who that is and fix it immediately.  PsiCop brings up another point; if there is an automated process at work that needs that access, you surely must be getting error messages for other items... check your backup logs to see if they are working for instance.  Run through your other logs too; such as the console log.  A good audit should turn up the culprit.
0
 

Author Comment

by:beacom
ID: 11894377
I ran n4object and it returned the following. What's with that MAC address? No one is complaining. I wonder if it is an NT to Novell authentication, since we are running NDS for NT.


Objects that match 'admin' are:
   Distinguished Name: admin.RMH

NDS information for: .admin.RMH

Attribute Name              : Attribute Value

CN                          : admin
Login Allowed Time Map      : Length: 0x2a, Data: 0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff
Login Disabled              : FALSE
Login Grace Limit           : 2
Login Grace Remaining       : 2
Login Intruder Address      : [Na]A501FA33:8B0170001600
Login Intruder Attempts     : 2
Login Intruder Reset Time   : 08-25-2004  7:56:56 PDT
Login Script                : N4Object will not return SYN_STREAM value.
Login Time                  : 08-24-2004 12:18:56 PDT
Network Address             : [IP]172.20.6.53
Object Class                : User, Organizational Person, Person, Top, ndsLoginProperties
Password Allow Change       : TRUE
Password Minimum Length     : 7
Password Required           : TRUE
Surname                     :
Account Balance             : 0
Allow Unlimited Credit      : TRUE
Message Server              : RMH-LAB.MAIN.RMH
Language                    : ENGLISH
Locked By Intruder          : TRUE
Last Login Time             : 08-24-2004 11:35:14 PDT
Used By                     : [Root]:
GUID                        : Length: 0x10, Data: 0x0,0x57,0x76,0x92,0xa2,0x36,0x79,0xd5
GroupWise ID                : RMHDOM.10ANGLIN.Admin
NRD:Registry Index          : N4Object will not return SYN_STREAM value.
IWS:Privileges              : 1
IWS:SecurityDescriptor      : Length: 0xec, Data: 0x0,0x1,0x4,0x0,0x0,0x0,0x0,0x0
IWS:Last Logoff             : 09-23-2002  7:06:49 PDT
IWS:User Parameters         : Length: 0x378, Data: 0x0,0x6d,0x0,0x14,0x0,0xb8,0x0,0x14
IWS:Account Control         : 528
IWS:Logon Count             : 36
IWS:Country Code            : 0
IWS:Code Page               : 0
IWS:Extended Security A     : Length: 0x100, Data: 0x0,0x2c,0x44,0xca,0x12,0x2d,0xbf,0x8e
IWS:Extended Security B     : Length: 0x100, Data: 0x0,0xfc,0xf9,0x86,0x12,0xad,0xc8,0xbf
IWS:Extended Security C     : Length: 0x100, Data: 0x0,0x92,0xff,0x61,0xf8,0x82,0x89,0x4
IWS:Extended Security D     : Length: 0x100, Data: 0x0,0x9f,0xee,0xd6,0x11,0xcb,0x7b,0xd9
IWS:Group Membership        : 513;Domain Users.RMH.NT_DOMAIN.MAIN.RMH, 512;Domain Admins.RMH.NT_DOMAIN.MAIN.RMH
IWS:Alias Membership        : 551;Backup Operators.RMH.NT_DOMAIN.MAIN.RMH, 544;Administrators.RMH.NT_DOMAIN.MAIN.RMH
IWS:Bad Password Count      : 0
IWS:Bad Password Time       : 08-11-2004 12:39:20 PDT
IWS:Domain Membership       : 512;RMH.NT_DOMAIN.MAIN.RMH
modifiersName               : CN=rbeacom,OU=MAIN,O=RMH
IWS:Domain Trustees         : RMH.NT_DOMAIN.MAIN.RMH
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11894461
Ah, so it's not the admin account in NDS, it's the NT admin account as managed through eDirectory via NDS for NT. Right? And the lockouts are happening in the Domain, right?
0
 

Author Comment

by:beacom
ID: 11933106
What would be the best tool to monitor which workstation the admin is being locked out from, since the following address doesn't exist?

Login Intruder Address      : [Na]A501FA33:8B0170001600
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11934230
Are you IPX or IP? That address may exist, it's just not in a format you recognize.
0
 

Author Comment

by:beacom
ID: 11934305
Both IPX and IP
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 11934600
OK, it's a Very Bad Idea (tm) to bind both IPX and IP to the Novell Client 32 on the workstations. Pick one protocol or the other for NetWare communications, not both. You can have both protocols bound to the workstation's NIC, just don't bind both to the NetWare Client.
0
 
LVL 3

Assisted Solution

by:roseanne
roseanne earned 62 total points
ID: 11935688
beacom wrote:
Login Intruder Address      : [Na]A501FA33:8B0170001600


Well, looks to me like the first portion is your network number (IPX), and the second portion is the MAC address.  You could certainly look at the ARP table on your router or manageable switch for the MAC address of the device.  Of course, look at the configs on your servers first to see what their MAC addresses are, seeing as it's probably a service trying to run, and services are most commonly found on servers.  You might also check any PC that has ever been used to administer the network.  Network Administrators are the worst offenders at setting up automated processes running from their own machines and then never documenting it.  BTGoT (been there, guilty of that)
0
 
LVL 3

Expert Comment

by:roseanne
ID: 11935699
btw, the NA means Non Authenticated.  In other words, whatever machine is doing this is using a Non Authenticated connection (obviously).
0
 
LVL 3

Expert Comment

by:roseanne
ID: 11935738
To explain further on the ARP table: by locating the MAC address in the ARP table on your switch or router, you can then identify an IP address and even a port on the switch that the machine is connected to.  Then you can look at your documentation and track down what punch down that switch port is patched to, and consequently the location of the machine.

Luckily for you, it's doing it at least every 12 seconds, so the MAC address will never get flushed from the ARP table, thus giving you plenty of time to track it down.
0
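The three comments above describe the hunt by hand: split the Login Intruder Address into an IPX network number and a node (MAC) address, then look that MAC up in the ARP or MAC-address table of a router or switch. The script below, added here as an illustration and not part of the thread or any Novell tool, does the same mechanically. It follows the thread's reading of the `[tag]NNNNNNNN:HHHHHHHHHHHH` format (network number, then node) and also accepts the `[IP]a.b.c.d` form from the user's Network Address line; the ARP and MAC-table dumps it searches are constructed sample text in Cisco IOS layout, not output captured from the poster's network. As an extra check it reports the IEEE 802 I/G and U/L bits of the node's first octet, which tell you whether the node could be an ordinary vendor-assigned unicast NIC address at all.

```python
"""Decode an N4Object 'Login Intruder Address' and search switch/router table dumps for its node.

Added example for this thread, not a Novell tool. Address format follows the thread's reading:
'[tag]NNNNNNNN:HHHHHHHHHHHH' = IPX network number + 12-hex-digit node (MAC); '[IP]a.b.c.d' = IPv4.
"""
import re

# The address quoted in the thread, plus the user's Network Address line.
INTRUDER_ADDRESS = "[Na]A501FA33:8B0170001600"
NETWORK_ADDRESS = "[IP]172.20.6.53"

IPX_RE = re.compile(r"^\[(?P<tag>[A-Za-z]+)\](?P<net>[0-9A-Fa-f]{8}):(?P<node>[0-9A-Fa-f]{12})$")
IP_RE = re.compile(r"^\[(?P<tag>[A-Za-z]+)\](?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# MAC tokens as printed by common gear: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
MAC_TOKEN_RE = re.compile(
    r"^(?:(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}|[0-9A-Fa-f]{12})$"
)


def format_mac(hex12: str, style: str = "colon") -> str:
    """Render 12 hex digits as AA:BB:CC:DD:EE:FF ('colon') or aabb.ccdd.eeff ('cisco')."""
    hex12 = hex12.upper()
    if style == "colon":
        return ":".join(hex12[i:i + 2] for i in range(0, 12, 2))
    if style == "cisco":
        return ".".join(hex12[i:i + 4] for i in range(0, 12, 4)).lower()
    raise ValueError(f"unknown MAC style {style!r}")


def normalise_mac(token: str):
    """Return the 12 uppercase hex digits of a MAC token in any common notation, or None."""
    if not MAC_TOKEN_RE.match(token):
        return None
    return re.sub(r"[^0-9A-Fa-f]", "", token).upper()


def parse_nds_address(value: str) -> dict:
    """Split an NDS address string into its bracketed type tag and address components."""
    value = value.strip()
    m = IPX_RE.match(value)
    if m:
        node = m.group("node").upper()
        first_octet = int(node[:2], 16)
        return {
            "type": "ipx",
            "tag": m.group("tag"),
            "network": m.group("net").upper(),
            "node": node,
            "mac": format_mac(node),
            # IEEE 802 address bits: a set I/G bit means the node is not a unicast NIC address;
            # a set U/L bit means it is locally administered rather than vendor-assigned.
            "group_bit": bool(first_octet & 0x01),
            "locally_administered": bool(first_octet & 0x02),
        }
    m = IP_RE.match(value)
    if m:
        return {"type": "ip", "tag": m.group("tag"), "ip": m.group("ip")}
    raise ValueError(f"unrecognised NDS address: {value!r}")


def locate_mac(hex12: str, *tables: str) -> list:
    """Return each line of the given table dumps whose MAC column matches hex12."""
    target = hex12.upper()
    hits = []
    for table in tables:
        for line in table.splitlines():
            tokens = line.split()
            if any(normalise_mac(t) == target for t in tokens):
                ips = [t for t in tokens if IPV4_RE.match(t)]
                hits.append({"line": line.strip(), "ip": ips[0] if ips else None, "last_column": tokens[-1]})
    return hits


# Constructed sample dumps (IOS-style layout); one entry in each matches the intruder node on purpose.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.20.6.1             -   0002.4b12.3456  ARPA   Vlan6
Internet  172.20.6.53            5   0050.8b01.7000  ARPA   Vlan6
Internet  172.20.6.77            0   8b01.7000.1600  ARPA   Vlan6
"""
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
   6    0002.4b12.3456    DYNAMIC     Gi0/1
   6    8b01.7000.1600    DYNAMIC     Fa0/12
"""


def hunt(intruder_address: str, *tables: str) -> dict:
    """Decode the intruder address and report where its node shows up in the supplied tables."""
    parsed = parse_nds_address(intruder_address)
    hits = locate_mac(parsed["node"], *tables) if parsed["type"] == "ipx" else []
    return {"parsed": parsed, "hits": hits}


if __name__ == "__main__":
    result = hunt(INTRUDER_ADDRESS, SAMPLE_ARP, SAMPLE_MAC_TABLE)
    print("network", result["parsed"]["network"], "node", result["parsed"]["mac"])
    for hit in result["hits"]:
        print(hit["ip"] or "-", hit["last_column"], "<-", hit["line"])
```

Paste your own `show ip arp` and `show mac address-table` output in place of the sample dumps and the script prints the IP and the switch port for every line carrying the node. Note that for the address quoted above the first octet is 0x8B, whose I/G and U/L bits are both set; if that field really is a NIC MAC, it is not a vendor-assigned unicast address, which is worth knowing before spending long on ARP tables.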
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 62 total points
ID: 11937355
Also, since it's an IPX address being posted, it's possible they commonly connect to NetWare using IPX. You can browse through Monitor, Connections.  If it's someone that logs into NetWare using IPX, their connection will show up there (provided they are connected...)  Just watch as you scroll through the list for the address to change from IP to IPX format - it's easy for the distracted eye to see - and compare to your intruder's address, until you find it or run out of connections to look at.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 13470252
beacom, did you ever find the "intruder?"  Did we help?

Come back and let us know.
0
 
LVL 1

Expert Comment

by:RMHhelpdesk
ID: 13476087
It was a GroupWise service account that was using the admin account. How do I accept an answer?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 13476772
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 15825826
I think there was good stuff here.  I say either paq/no refund or devise a split...
0
 
LVL 20

Expert Comment

by:Venabili
ID: 15826228
Hi ShineOn,

Nice to see you around... :) Split between which comments?
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 15827421
Oh, maybe specman {http:11886205}, PsiCop {http:11886151}, roseanne {http:11935688}, me {http:11937355} in that order?
0
 
LVL 20

Expert Comment

by:Venabili
ID: 15828735
Works for me. Thanks for the assistance
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 15828755
NP.  Thanks for doing cleanup.
0
