re: Brute-force and IIS/w2k logs

[Harlan Carvey <keydet89 () yahoo com>]

> I've just reviewed a short range of security logs on
a
> W2k/IIS box and there is an over abundance of
repeated 
> invalid login attempts.  The attempts seem to focus
on 
> weak user ids (ie; admin, administrator, root, sql, 
> etc.).  However I've seen a few successful
"anonymous" 
> login/logouts.

Depending on your architecture, it sounds as if this
W2K box isn't behind any sort of firewall...or if it
is, ports 139/445 may be let through.  Either way,
both are Very Bad Things(tm).  

If you're looking at the Security EventLog, then the
IIS server is pretty irrelevant, unless you're using
some sort of OWA or the IIS server is processing some
kind of authentication.  

> My two questions are.. is the "anonymous" login 
> something to be concerned about and what's the best 
> way(s) to gather more relevant log data about the
source 
> of the attacks beyond the scant information provided
in 
> the Security log (machine name, time/date).  Is
there a 
> way to capture the IP address of the source?

1.  Again, depending on how the infrastructure is set
up, these anonymous logins could be normal traffic, or
they could be attempts at null session connects. 
Without more detailed information, a definitive answer
isn't possible.

2.  Install snort.  It's free, and you can set up
rules to capture just stuff to the particular ports on
the box.  The W2K EventLog doesn't capture IP
addresses by itself...but snort will go a long way
toward helping you with this.

HTH,

Harlan



__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - File online, calculators, forms, and more
http://tax.yahoo.com

-------------------------------------------------------------------
SurfControl E-mail Filter puts the brakes on spam,
viruses and malicious code. Safeguard your business
critical communications. Download a free 30-day trial:
http://www.securityfocus.com/SurfControl-security-basics