Small Business Server - multiple attempts to log in as administrator - security concerns

Posted on 2009-12-20
Last Modified: 2013-12-04
I've been checking the logs of a Small Business Server and I can see that a user with an external IP address over a period of two days repeatedly attempted to log in. There is a good period of 4 hours on each day where there is an incorrect login by the administrator that has failed.
I'm wondering if this is anything to worry about. It does not seem to have happened today.

In fact I also have some related questions.

1) Should I be worried about the above? What can I do to investigate further / lock things down?
2) I notice in the Security logs there are very many successful security audits every few minutes. I assume these are services performing duties, but I just wanted to make sure this is normal.
3) I was once told that changing the administrator password on the server always had knock-on effects and should be avoided (as some services stop functioning etc.). Is there any truth in this or can I change the admin password without much worry?

Thanks for any input on these matters.
Question by:afflik1923
    LVL 29

    Accepted Solution

    If your SBS server is externally facing (i.e. available to the general public), then you will most likely get hammered by script kiddies using scripts and other malicious tactics for attempting to log in to your network. Common ports that are brute-forced/scanned: 21, 22, 25, 80, 443

    One solution for preventing this is to set up an Intrusion Detection System (IDS) between your router and your SBS server or network environment. A solution which I use for my home/business system and have deployed for a number of my clients is called Untangle. Untangle is a FREE Open Source Network Gateway appliance which can act as a firewall/router or transparent bridge (fits in between your router and internal network). It has an IDS as a module and is relatively easy to install/setup/configure.

    IDS Reference Site:

    Untangle Application Server

    Untangle Demo/Video Overview
    LVL 52

    Assisted Solution

    1) Worried? Of course. Why is it possible to log on from the internet? Is this intended?
    2) This is normal
    3) If the admin account is used for scheduled tasks and services, you will have to change these task passwords as well as the service pws, too. One should do documentation on where this account is used. [A better way would be to use a separate account for this goal.] But what are you trying to do? Make the password stronger? It does not seem as though the pw is already known to these attackers, does it?
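
One way to do the documentation step from point 3, as an added example that is not part of the original answer: a PowerShell script that lists the services and scheduled tasks configured to run as a given account. It assumes PowerShell 2.0 or later, an elevated session on the server itself, English-language `schtasks` output, and an account named `Administrator`; the report file name is hypothetical.

```powershell
# Added example: inventory where an account is used before changing its password.
# Assumptions: elevated PowerShell 2.0+ session on the server, English schtasks
# column names, account name "Administrator" unless overridden.
param([string]$Account = 'Administrator')

# Match DOMAIN\Administrator, .\Administrator, Administrator@domain or the bare name.
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

# Services: StartName holds the logon account configured for each service.
$services = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object @{n='Type';   e={'Service'}},
                  @{n='Name';   e={$_.Name}},
                  @{n='RunsAs'; e={$_.StartName}},
                  @{n='Detail'; e={$_.PathName}}

# Scheduled tasks: verbose CSV output has a "Run As User" column.
# Blank lines are dropped, and repeated header rows (one per task folder on
# newer Windows versions) are filtered out by the TaskName check.
$tasks = schtasks.exe /query /fo csv /v |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -match $pattern } |
    Select-Object @{n='Type';   e={'ScheduledTask'}},
                  @{n='Name';   e={$_.TaskName}},
                  @{n='RunsAs'; e={$_.'Run As User'}},
                  @{n='Detail'; e={$_.'Task To Run'}} |
    Sort-Object Name -Unique   # verbose output repeats a task once per trigger

# Combine both lists; @() keeps this working when either side is empty
# or contains a single item.
$report = @($services) + @($tasks)

if ($report.Count -eq 0) {
    Write-Output "No services or scheduled tasks run as '$Account'."
} else {
    $report | Format-Table -AutoSize
    # Hypothetical file name: keep the list as the record of what must be
    # updated when the password changes.
    $report | Export-Csv -NoTypeInformation -Path .\admin-account-usage.csv
}
```

Services and scheduled tasks are the two places the answer names; credentials stored elsewhere, such as inside applications or scripts, still need checking separately.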
    LVL 4

    Expert Comment

    Does this server have FTP services running?

    Author Closing Comment

    Thanks for input
