Someone is trying to enter the box
Singh
The server was unable to logon the Windows NT account 'emb' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I am getting this error many times in Event Viewer.

Any suggestion how to fix it, so that the hacker who wants to enter my client's account can be traced + stopped?
Kyle
Block the IP using a firewall or IPSec.
my_forum_id
Leave a server up and you will see these attempts constantly - provided you're using decent passwords there's nothing to worry about, water off a duck's back.

You can block the IPs but it's likely a waste of time as it'll be a dynamic IP and the 'attacker' will come back using another tomorrow; meanwhile you've blocked whatever legit visitor gets that IP next.

The only thing that *might* worry me - is there a user called 'emb' on your server? If not it's just random probing.

If there is a user with that name then you should think about how they got that username and take steps to rename the user to something else.
Singh
I have changed the user name for that domain but am still having the same "login failed" error. Can anyone tell me any software for getting the IP that is trying to brute force the login ...
cprompt
The IP will be in one of the event log entries - a failed login attempt usually generates two or three entries, check them all. However, don't worry about it, it's just the way things are.
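The source addresses mentioned in the reply above can be pulled out of the Security log in bulk rather than read entry by entry. This is an added example, not part of the original thread: it assumes Windows Server 2008 or later (where a failed logon is Security event ID 4625), failure auditing for logon events enabled, and an elevated PowerShell 3.0+ session; the 24-hour window is an arbitrary choice.

```powershell
# Summarise failed logons (event ID 4625) from the last 24 hours by source IP.
# Assumption: "Audit logon events: Failure" is enabled, otherwise nothing is logged.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # suppresses the "no events found" error

$rows = foreach ($e in $events) {
    # The named fields live in the event XML, not in the rendered message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        SourceIp  = $data['IpAddress']      # "-" when no network address was recorded
        LogonType = $data['LogonType']      # 3 = network, 10 = Remote Desktop
    }
}

# One line per source address: attempt count, usernames tried, first and last seen.
$rows | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'SourceIp'; e = { $_.Name } },
        @{ n = 'Users';    e = { ($_.Group | ForEach-Object { $_.User } |
                                  Sort-Object -Unique) -join ',' } },
        @{ n = 'First';    e = { @($_.Group | ForEach-Object { $_.Time } | Sort-Object)[0] } },
        @{ n = 'Last';     e = { @($_.Group | ForEach-Object { $_.Time } | Sort-Object)[-1] } } |
    Format-Table -AutoSize
```

A long list of different usernames from one address points to random probing; repeated attempts against one real account name is the case the earlier reply singles out as worth a closer look.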
Trueliar
Do you know something like BFD on *nix systems...?
Just to avoid a lot of tries on the various services!
rabbit994
Yep, there is a security option to lock an account after a certain amount of login failures. Be aware that if someone brute forces the admin account, it could be locked until that login failure clears. Not exactly BFD but it will still help out.
Lunch[box]
Just to put some numbers behind what's already been said:

My main Windows server averages 60-300 login attempts per day (24 hour span). My FTP server gets hit like crazy, I gave up trying to count them. Mail server, not a single hit in almost a year.

Since I started managing servers I have never had a successful login to any account like this. I do use very strong passwords so I just really don't worry about it too much. IDS takes care of Brute Forcers before they even get close to cracking the login.

Running any server, but especially Windows based, you will always see these types of logins. 99.9% of these are nothing more than script kiddies and wannabes seeing if they can get lucky.

The audience you appeal to will also have a major effect on how many of these attempts you receive. If you run, host, or sell game servers...... get ready to see your logs fill up. There are others but game server hosts are probably the most common around here.
Trueliar
QUOTE (Lunch[box])
Just to put some numbers behind what's already been said:

My main Windows server averages 60-300 login attempts per day (24 hour span). My FTP server gets hit like crazy, I gave up trying to count them. Mail server, not a single hit in almost a year.

Since I started managing servers I have never had a successful login to any account like this. I do use very strong passwords so I just really don't worry about it too much. IDS takes care of Brute Forcers before they even get close to cracking the login.

Running any server, but especially Windows based, you will always see these types of logins. 99.9% of these are nothing more than script kiddies and wannabes seeing if they can get lucky.

The audience you appeal to will also have a major effect on how many of these attempts you receive. If you run, host, or sell game servers...... get ready to see your logs fill up. There are others but game server hosts are probably the most common around here.

What do you use as IDS?
And configured in which manner?

How do you rotate and compress logs for the various daemons?

tnx for any reply
Lunch[box]
We use a Cisco IDS 4235 appliance. It made us realize that we received much, much more BF attempts than we originally thought. Fortunately we found this unit on eBay for 1/4 of the price of a brand new unit.

Configuration is pretty basic other than the custom rule sets. If you've ever set up IPSec rules then the sets on the Cisco appliances are a cake walk.

The question about logs got me, I'm not quite sure exactly what you mean. All the logs are served on the Web Server built into the appliance and/or can be sent through the network in several different formats to be viewed by an event viewer program.

I probably shouldn't have said anything about IDS in that post since it didn't apply to my servers here at SM but I must have got caught up in the typing.... sorry for any confusion.