> I've just reviewed a short range of security logs on a > W2k/IIS box and there is an over abundance of repeated > invalid login attempts. The attempts seem to focus on > weak user ids (ie; admin, administrator, root, sql, > etc.). However I've seen a few successful "anonymous" > login/logouts.
Depending on your architecture, it sounds as if this W2K box isn't behind any sort of firewall...or if it is, ports 139/445 may be let through. Either way, both are Very Bad Things(tm). If you're looking at the Security EventLog, then the IIS server is pretty irrelevant, unless you're using some sort of OWA or the IIS server is processing some kind of authentication. > My two questions are.. is the "anonymous" login > something to be concerned about and what's the best > way(s) to gather more relevant log data about the source > of the attacks beyond the scant information provided in > the Security log (machine name, time/date). Is there a > way to capture the IP address of the source? 1. Again, depending on how the infrastructure is set up, these anonymous logins could be normal traffic, or they could be attempts at null session connects. Without more detailed information, a definitive answer isn't possible. 2. Install snort. It's free, and you can set up rules to capture just stuff to the particular ports on the box. The W2K EventLog doesn't capture IP addresses by itself...but snort will go a long way toward helping you with this. HTH, Harlan __________________________________________________ Do you Yahoo!? Yahoo! Tax Center - File online, calculators, forms, and more http://tax.yahoo.com ------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-security-basics
