
Small Business Server - multiple attempts to log in as administrator - security concerns

I've been checking the logs of a Small Business Server and I can see that a user with an external IP address repeatedly attempted to log in over a period of two days. There is a good period of 4 hours on each day where there is an incorrect login by the administrator that has failed.
I'm wondering if this is anything to worry about. It does not seem to have happened today.

In fact I also have some related questions.

1) Should I be worried about the above? What can I do to investigate further / lock things down?
2) I notice in the Security logs there are very many successful security audits every few minutes. I assume these are services performing duties, but I just wanted to make sure this is normal.
3) I was once told that changing the administrator password on the server always had knock-on effects and should be avoided (as some services stop functioning etc.). Is there any truth in this or can I change the admin password without much worry?

Thanks for any input on these matters.
2 Solutions
Michael Worsham, Infrastructure / Solutions Architect, Commented:
If your SBS server is externally facing (i.e. available to the general public), then you will most likely get hammered by script kiddies using scripts and other malicious tactics for attempting to log in to your network. Common ports that are brute-forced/scanned: 21, 22, 25, 80, 443

One solution for preventing this is to set up an Intrusion Detection System (IDS) between your router and your SBS server or network environment. A solution which I use for my home/business system and have deployed for a number of my clients is called Untangle (www.untangle.com). Untangle is a FREE Open Source Network Gateway appliance which can act as a firewall/router or transparent bridge (fits in between your router and internal network). It has an IDS as a module and is relatively easy to install/set up/configure.

IDS Reference Site:

Untangle Application Server

Untangle Demo/Video Overview
1) Worried? Of course. Why is it possible to log on from the internet? Is this intended?
2) This is normal.
3) If the admin account is used for scheduled tasks and services, you will have to change these task passwords as well as the service pws, too. One should do documentation on where this account is used. [A better way would be to use a separate account for this goal.] But what are you trying to do? Make the password stronger? It does not seem as though the pw is already known to these attackers, does it?
Does this server have FTP services running?
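
One way to document where the account is used before changing its password, as suggested in point 3 above. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later on an English-language Windows install, and `$Account` is a placeholder to adjust.

```powershell
# Added example: list every service and scheduled task that logs on as a
# given account, so each entry can be updated after a password change.
# $Account is an assumption; set it to the account you plan to change.
$Account = 'Administrator'

# Match "Administrator", "DOMAIN\Administrator", ".\Administrator" and
# "Administrator@domain" (the -match operator is case-insensitive).
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

# Services: Win32_Service.StartName holds each service's logon account.
$services = @(
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        Select-Object @{n='Type';   e={'Service'}},
                      @{n='Name';   e={$_.Name}},
                      @{n='RunAs';  e={$_.StartName}},
                      @{n='Detail'; e={$_.State}}
)

# Scheduled tasks: the verbose CSV output of schtasks.exe has a
# "Run As User" column (English column names assumed). The header row can
# repeat inside the output, so rows whose TaskName is literally "TaskName"
# are dropped, and tasks listed once per trigger are de-duplicated.
$tasks = @(
    schtasks.exe /query /fo csv /v |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and
                       $_.'Run As User' -match $pattern } |
        Select-Object @{n='Type';   e={'ScheduledTask'}},
                      @{n='Name';   e={$_.TaskName}},
                      @{n='RunAs';  e={$_.'Run As User'}},
                      @{n='Detail'; e={$_.'Task To Run'}} |
        Sort-Object -Property Name -Unique
)

# Combined inventory: these are the entries whose stored credentials need
# updating (or moving to a dedicated service account) when the password changes.
$inventory = $services + $tasks
$inventory | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
'{0} entries run as {1}' -f $inventory.Count, $Account
```

Run it from an elevated prompt on the server so that all services and tasks are visible.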
afflik1923, Author, Commented:
Thanks for input
