Brute force attempts from Alert Logic Appliance

Comments (3)

  • Official comment
    Abby Kincer

    Anthony Mueller - thanks for reaching out! I'm sorry to hear about this issue and I'm confident our Support team can help you identify what's going on. Because we'll need a bit more specific information about your environment, I'm going to open a ticket for you with the Support team - keep an eye on your email for that ticket. Please feel free to reach out with any additional questions or issues!

  • Tessa Blackmon

    Anthony Mueller, did you get an answer on this? I'm having the same issue recently within our environment, with 1 IP address getting 300K+ requests from the Alert Logic Appliance, and it seems to be during the default discovery scan timeframe.

  • Anthony Mueller

    Apologies, I never responded back on this when we figured it out.

    So basically, what we learned is that Alert Logic appliances do run scheduled brute force attempts against a list of generic accounts, which includes 'Administrator', to test security, etc. After a lot of discussions, several things happened. One, I believe we had the IP of the appliance whitelisted so it wouldn't keep reporting itself. Two, per MS best practice, we created a new administrator account with another name and then disabled the default 'Administrator' account on the server.

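The two server-side steps described in the thread (confirm that the failed logons really come from the appliance, then replace and disable the built-in Administrator) can be scripted. The PowerShell below is an added example written for this page; it is not from the thread, from Microsoft, or from Alert Logic. It assumes a Windows member server or standalone server (the `*-LocalUser` cmdlets do not manage Active Directory accounts, so it does not apply to a domain controller), and the appliance address `10.0.0.50` and account name `srvadmin-ops` are placeholders to replace. Whitelisting the appliance in the Alert Logic console, the first step in the comment, is done on the Alert Logic side and is not covered here.

```powershell
#Requires -RunAsAdministrator
# Added example for a member or standalone Windows Server; not a domain controller.
# $ScannerIp and $NewAdminName are assumed placeholder values. Replace them.
param(
    [string]$ScannerIp    = '10.0.0.50',     # assumed Alert Logic appliance address
    [string]$NewAdminName = 'srvadmin-ops',  # assumed replacement admin account name
    [int]$LookbackHours   = 24
)

# 1. Confirm where the failed logons come from: count Security Event ID 4625
#    ("An account failed to log on") by source IP, then by targeted account for
#    the appliance address. A scanner shows up as LogonType 3 (network).
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        IpAddress = $d['IpAddress']
        Account   = $d['TargetUserName']
        LogonType = $d['LogonType']
    }
}

Write-Host "Failed logons in the last $LookbackHours h, by source IP:"
$failures | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Host "Accounts targeted from $ScannerIp :"
$failures | Where-Object IpAddress -eq $ScannerIp |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Create a replacement administrator under a non-default name and add it to
#    the local Administrators group. The password is prompted for, not embedded.
if (-not (Get-LocalUser -Name $NewAdminName -ErrorAction SilentlyContinue)) {
    $pwd = Read-Host -AsSecureString "Password for $NewAdminName"
    New-LocalUser -Name $NewAdminName -Password $pwd `
        -Description 'Replacement for built-in Administrator' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName
}

# 3. Find the built-in Administrator by its well-known RID (500) rather than by
#    name, since the name may already have been changed, and disable it.
#    Verify that $NewAdminName can actually log on (RDP or console test) BEFORE
#    this step, or you can lock yourself out of the server.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Enabled) {
    Disable-LocalUser -SID $builtin.SID
    Write-Host "Disabled built-in account '$($builtin.Name)' ($($builtin.SID.Value))."
}

# 4. Record the resulting state for the change ticket.
Get-LocalUser | Where-Object { $_.Name -in @($NewAdminName, $builtin.Name) } |
    Select-Object Name, Enabled, SID | Format-Table -AutoSize
```

Note that disabling the built-in account does not stop the appliance from trying the name 'Administrator', so the 4625 events keep appearing in the Security log; what changes is that a guessed password for that account is worthless. Suppressing the alert itself is the whitelisting step in the Alert Logic console that the comment mentions.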
