Zombite

asked on

Advapi and inetinfo logon attempts - IP logging utility available ?

I know there are various methods, such as using network monitoring like Wireshark, to obtain IP details on attempts to log on to the server via web or other inet processes, but unless you are monitoring them at the time, you are left with Microsoft logging, which is a total waste of time as they don't log the IP address of the offending person.

e.g.    Logon Failure:
        Reason:                     Unknown user name or bad password
        User Name:                  admin
        Domain:
        Logon Type:                 3
        Logon Process:              Advapi
        Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Workstation Name:           SERVER1
        Caller User Name:           SERVER1$
        Caller Domain:              HXXXXXXXXP
        Caller Logon ID:            (0x0,0x3E7)
        Caller Process ID:          5568
        Transited Services:         -
        Source Network Address:     -

Is there no utility or program that will log who is trying to break into my server from the internet, so I can either block the address or report the offender to the ISP? Even the MS log files offer no clues.

It seems stupid for a system not to be able to log who is connecting to what process and failing to provide a correct password several hundred times.

So the points are for someone pointing me to a utility, process or program that will sit on an SBS or standard 2003 server and report who is trying to break into the server; I test the solution and it works.

Ed.
Bryon H

Your default SMTP server is run by inetinfo (IIS).

What you're seeing there is a failed attempt on SMTP: some spammers trying to guess usernames/passwords in base64 format.

You'll find the IP address in your IIS logs (C:\WINDOWS\System32\LogFiles\smtpsvc1 or whatever you called it), but only if you enabled logging, with the IP address selected.

In Exchange System Manager, find your Default SMTP Virtual Server, right-click, Properties, enable logging, pick a destination folder, and check out the advanced options under the 'Properties' button right next to the path. Fill out how often you want the logs to recreate themselves, then go to the Advanced tab and checkmark the things that interest you. I suggest you checkmark 'Use local time' so you don't have to constantly do the math off GMT.

Once you have them in log files, you can flip them around in Excel however you want.
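
Added example, not code from the thread above: a small Python script that does the "flip them around" step offline instead of in Excel. It parses the W3C extended format that IIS and the SMTP service write (the '#Fields:' directive names the columns and can be re-emitted mid-file), counts HTTP 401 responses per client IP to find guessing hosts, and correlates an IIS log row with a Security-log failure time. The sample log text, the IP addresses, the field list and the server's UTC offset are all constructed for the example; the offset matters because the Security log is in local time while IIS logs default to GMT unless 'Use local time' is enabled.

```python
"""Find the client IP behind failed logons in IIS / SMTPSVC W3C extended logs.

Added example (not from the original thread). SAMPLE_LOG, the IPs and the
UTC offset used below are constructed; real logs live under
C:\\WINDOWS\\System32\\LogFiles\\<service>\\ and are read the same way.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed W3C log as IIS 6 writes it (timestamps in GMT by default).
# 203.0.113.5 keeps hitting /exchange/ (OWA) with different names and gets 401;
# 198.51.100.7 is a normal user who logs on fine.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-02 21:00:00
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status
2008-03-02 21:00:01 203.0.113.5 - 192.0.2.10 GET /exchange/ 401
2008-03-02 21:00:02 203.0.113.5 - 192.0.2.10 GET /exchange/ 401
2008-03-02 21:00:03 203.0.113.5 admin 192.0.2.10 GET /exchange/ 401
2008-03-02 21:00:05 198.51.100.7 jsmith 192.0.2.10 GET /exchange/ 200
2008-03-02 21:00:06 203.0.113.5 administrator 192.0.2.10 GET /exchange/ 401
2008-03-02 21:00:09 203.0.113.5 - 192.0.2.10 GET /remote/ 401
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text):
    """Parse W3C extended log text into a list of dict rows.

    '#Fields:' names the columns. IIS re-emits it (possibly with a different
    column set) whenever the log is reopened, so it is tracked as we go.
    Each row gets a 'ts' datetime in the timezone the log was written in.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                          # other directives carry no request
        if fields is None:
            continue                          # data before any #Fields: is unusable
        values = line.split()
        if len(values) != len(fields):
            continue                          # truncated or corrupt line
        row = dict(zip(fields, values))
        if "date" in row and "time" in row:
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], TS_FORMAT)
        rows.append(row)
    return rows


def is_failed_logon(row):
    """IIS answers a bad or missing credential on a protected URL with HTTP 401."""
    return row.get("sc-status") == "401"


def suspicious_ips(rows, min_failures):
    """Count 401s per client IP and keep the ones at or above the threshold.

    One 401 per session is normal (it is the authentication challenge); a client
    that keeps collecting 401s with different usernames is guessing passwords.
    """
    counts = Counter(r["c-ip"] for r in rows if is_failed_logon(r) and "c-ip" in r)
    return {ip: n for ip, n in counts.items() if n >= min_failures}


def correlate(rows, event_local_time, utc_offset_hours, window_seconds, only_failures=True):
    """Return log rows within +/- window_seconds of a Security-log event time.

    event_local_time is the 'YYYY-MM-DD HH:MM:SS' shown in Event Viewer (local
    time); utc_offset_hours is the server's offset from UTC (assumed, e.g. -5),
    used to convert it to the GMT timestamps IIS writes by default.
    """
    event_gmt = datetime.strptime(event_local_time, TS_FORMAT) - timedelta(hours=utc_offset_hours)
    window = timedelta(seconds=window_seconds)
    return [
        r for r in rows
        if "ts" in r
        and abs(r["ts"] - event_gmt) <= window
        and (not only_failures or is_failed_logon(r))
    ]


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print("clients with repeated 401s:", suspicious_ips(rows, min_failures=3))
    # A Security-log failure at 16:00:03 local on a server assumed to be at UTC-5.
    for r in correlate(rows, "2008-03-02 16:00:03", utc_offset_hours=-5, window_seconds=2):
        print(r["time"], r["c-ip"], r.get("cs-username"), r["cs-uri-stem"], r["sc-status"])
```

On a real server, replace SAMPLE_LOG with the contents of the ex*.log files from the W3SVC or SMTPSVC folder (for example `parse_w3c(open(path).read())` over a `glob`), and pass the Security-log event's time and your server's UTC offset to `correlate`. If 'Use local time' is enabled on the virtual server, pass an offset of 0.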


Zombite (ASKER)

The inetinfo process also handles web access etc. The SMTP logging is already turned on but shows no attempts at that time, so I am assuming it is either OWA, web page logons or other IIS services.
It is frustrating to have 600-odd attempts at logon and to have no log of the IP address.
I am considering using OnEvent and Snort maybe: fire it up when it gets a logon attempt.
But I hoped there were more elegant solutions out there.

I find this comment typical of Microsoft. I would feel happier if I could log the IP, block it and/or contact the ISP to get the user cut off for hacking attempts.

Since there are Web sites on the SBS server such as RWW/OWA that are
published to the Internet, this is an "expected" behavior because anyone
can attempt to logon to the sites. Fortunately, the SBS server will block
the access because there is no such user account in AD or the password does
not match.

Therefore, if you are confident on the passwords, we can skip the errors.  <-------?????

Please feel free to let me know if you have any further concerns or
questions regarding the issue.

Best regards,

Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support
ASKER CERTIFIED SOLUTION
Bryon H