Security Audit Failures - Brute Force Attack?

Posted on 2009-04-13
Last Modified: 2013-11-16
I get 1000s of these on my Citrix server daily:

The IPs change so rapidly and are never used twice.  I know this is a brute force attack, but I wanted a second opinion from the Experts Exchange gurus.  Also, any suggestions on how to counter or defend against this would be greatly appreciated. Thanks in advance...


Event Type:	Failure Audit
Event Source:	Security
Event Category:	Logon/Logoff
Event ID:	539
Date:		4/12/2009
Time:		9:56:50 PM

Logon Failure:
 	Reason:		Account locked out
 	User Name:	ADMIN
 	Logon Type:	3
 	Logon Process:	NtLmSsp
 	Authentication Package:	NTLM
 	Workstation Name:	\\LOCALHOST
 	Caller User Name:	-
 	Caller Domain:	-
 	Caller Logon ID:	-
 	Caller Process ID: -
 	Transited Services: -
 	Source Network Address:
 	Source Port:	0

For more information, see Help and Support Center at



Question by:whitehornet

Expert Comment

by:Carl Webster
What Citrix components are installed on your server?
What is sitting in front of the server?

Author Comment

Citrix Presentation Server 4.5
License Server v11
Web Apps

Sonicwall 2040 is sitting in front of the server.  I have port 80 open on this server for Web Apps to be streamed to clients.


Expert Comment

by:Carl Webster
That is a very unsecure setup you have there.

Citrix recommends that the web interface be installed on a separate server and to use the free Citrix Secure Gateway software to protect the servers.  It will look like this:

Internet -> SW2040 -> port 443-> CSG/WI -> PS4.5 server

Don't use CSG 3.1 as it removed support for streamed apps.

I wrote a 3-part article on implementing CSG/WI and a wildcard SSL cert on a single server. is Part 1.

Author Comment

Thank you... I inherited this setup and am trying to convince the owners to purchase a new server, so this helps validate my recommendation.  I will review the article and then comment.  Thanks again...

Accepted Solution

scwoa earned 500 total points
In the log above, it states that

>>Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      \\LOCALHOST

NTLM usually means that someone is trying to map a drive.
You should double check your firewall and make sure that ports 135, 137, 139, and 445 are NOT open to the internet.
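
Added example, not part of the original thread: a Python parser for exported Failure Audit text in the layout quoted in the question. It tallies Event ID 539 lockouts by user, logon type, authentication package and workstation name, and counts the source addresses seen. The sample events, the 203.0.113.x addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Logon type codes as Windows records them (3 is a network logon).
LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive"}
FIELD = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")
# Constructed sample in the question's layout (203.0.113.x is a documentation range).
SAMPLE = r"""
Event Type: Failure Audit
Event ID:   539
Time:       9:56:50 PM
    User Name:              ADMIN
    Logon Type:             3
    Authentication Package: NTLM
    Workstation Name:       \\LOCALHOST
    Source Network Address: 203.0.113.10
Event Type: Failure Audit
Event ID:   539
    User Name:              ADMIN
    Logon Type:             3
    Authentication Package: NTLM
    Workstation Name:       \\LOCALHOST
    Source Network Address: 203.0.113.77
Event Type: Failure Audit
Event ID:   529
    User Name:              jsmith
    Logon Type:             10
    Source Network Address:
"""

def parse_events(text):
    """Split exported event text into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            events.append({})  # an "Event Type" line opens a new record
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def summarize(events, event_id="539"):
    """Return (field-combination counts, source-address counts) for one event ID."""
    hits = [e for e in events if e.get("Event ID") == event_id]
    combos = Counter(
        (e.get("User Name"), LOGON_TYPES.get(e.get("Logon Type"), e.get("Logon Type")),
         e.get("Authentication Package"), e.get("Workstation Name")) for e in hits)
    sources = Counter(e.get("Source Network Address") or "(not recorded)" for e in hits)
    return combos, sources
```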
