Brute force attempts from Alert Logic Appliance
So we've received some alerts from Alert Logic indicating the Administrator account is getting locked out. Upon closer inspection on the server these alerts point to, it appears the server is seeing a whole flood of login attempts from miscellaneous accounts. I enabled netlogon auditing to get a better idea of where these logons are coming from and the logs are all pointing to the Alert Logic appliance as the culprit. Is there some sort of service or task that Alert Logic Appliances run that triggers these logins? It happens around the same time every night.
Official comment
Anthony Mueller - thanks for reaching out! I'm sorry to hear about this issue and I'm confident our Support team can help you identify what's going on. Because we'll need a bit more specific information about your environment, I'm going to open a ticket for you with the Support team - keep an eye on your email for that ticket. Please feel free to reach out with any additional questions or issues!
Anthony Mueller did you get an answer on this? I'm having the same issue recently within our environment with 1 IP address getting 300K+ requests from the Alert Logic Appliance, and it seems to be during the default discovery scan timeframe.
Apologies, I never responded on this back when we figured it out.
So basically what was learned is AlertLogic appliances do run scheduled brute force attempts on a list of generic accounts which includes 'Administrator' to test security etc. After a lot of discussions, several things happened. One, I believe we had the IP of the appliance whitelisted so it wouldn't keep reporting itself. Then two, per MS best practice we created a new administrator account with another name and then disabled the default 'Administrator' account on the server.
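A triage script in the spirit of the netlogon auditing described in the thread, added here as an example that is not from the thread or from Alert Logic: it groups Windows Security log failed-logon (4625) and lockout (4740) events by source address and hour, so that a single scheduled source can be confirmed before anything is allowlisted or an account is renamed. The local Security log as the data source and the scanner IP value are assumptions.

```powershell
# Added triage example (not from the thread): summarise failed logons (4625) and lockouts (4740)
# from the local Security log to confirm whether a login flood comes from one host on a schedule.
# Assumes it runs elevated on the server that logged the attempts; the scanner IP is a placeholder.
param(
    [int]$Hours = 24,
    [string]$KnownScannerIp = '203.0.113.10'   # placeholder: replace with the appliance's real IP
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 4625/4740 events in the last $Hours hours."; return }

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Hour      = $e.TimeCreated.ToString('yyyy-MM-dd HH:00')
        Id        = $e.Id
        Account   = $data['TargetUserName']
        # 4625 carries the client IP; 4740 only carries the calling computer name
        Source    = if ($e.Id -eq 4625) { $data['IpAddress'] } else { $data['CallerComputerName'] }
        # 0xC0000064 = no such user, 0xC000006A = bad password: a generic account list shows mostly the former
        SubStatus = $data['SubStatus']
    }
}

Write-Host "`nFailed logons per source (one dominant source suggests a scanner, not a distributed attack):"
$rows | Where-Object Id -eq 4625 | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

Write-Host "Hourly distribution for $KnownScannerIp (a tight, recurring window matches a scheduled scan):"
$rows | Where-Object { $_.Id -eq 4625 -and $_.Source -eq $KnownScannerIp } | Group-Object Hour |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

Write-Host "Failure reason breakdown for ${KnownScannerIp}:"
$rows | Where-Object { $_.Id -eq 4625 -and $_.Source -eq $KnownScannerIp } | Group-Object SubStatus |
    Select-Object Name, Count | Format-Table -AutoSize

Write-Host "Accounts locked out (4740) and the computer that triggered the lockout:"
$rows | Where-Object Id -eq 4740 | Group-Object Account, Source |
    Select-Object Name, Count | Format-Table -AutoSize
```

If the flood is not confined to the appliance address, treat it as a real attack rather than scanner noise; the same grouping shows the spread of sources.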