We have a computer that is getting a ton of failed login attempts. I have the IP of the person that is trying to log in. I would like to find out more about where it is coming from. I did a whois lookup but it didn't really help, and I did a traceroute but that didn't help either.
How do I find out where/who it is?
October 23rd, 2009, 06:10 PM
Did the whois come up with anything of use?
October 23rd, 2009, 07:11 PM
Try this site. See if the hostname will give you any clues:
That was better than the whois site. It said it was from China, which is not what ARIN said. http://ws.arin.net/whois/ said the country is AU. Is there anything I can do other than block that port on the firewall? I am guessing it's just a script, based on the random names they are trying to log in with.
October 24th, 2009, 04:14 AM
Is it SSH? I have heard that a lot of SSH brute-force attacks are coming from Chinese IPs. Now, whether or not the attacks are actually originating there is another issue.
October 24th, 2009, 09:37 PM
Is it a service that is required to be open to everyone? E.g. if you're in the USA and it's for employees to do remote desktop, then you could block foreign IPs to that port (or set of ports). If it's supposed to be open for people to connect to, then your only real option is to block individual IPs that become abusive. Alternatively, you can work with IDS & IPS on your perimeter to have them stopped at the edges based on their actions. You would set reasonable limits: 5 attempts in a short period of time might be OK, but 10 in that same time frame would indicate an attack, etc.
October 25th, 2009, 05:55 AM
You can just set up the event viewer to not keep a log every time worms grind services or when users turn on the computer and forget their login details.
October 26th, 2009, 09:21 PM
Yup, it's SSH attempts. Thanks for the help, everyone.
October 28th, 2009, 03:44 PM
Can you configure the firewall to simply block that IP address?
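The two suggestions that came up in this thread (count failed attempts per IP over a short window and treat, say, 10 in that window as an attack; then block the offending address at the firewall, while leaving a known-good range alone) can be put together in a few dozen lines. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes OpenSSH's default "Failed password for ... from <ip> port <port> ssh2" syslog line format, a fixed log year (syslog timestamps carry none), and the sample log lines embedded in it are constructed, not taken from the OP's box. The iptables commands it produces are only rendered as strings, not executed.

```python
"""Sliding-window detector for SSH brute-force attempts in sshd log lines.

Added example, not code from the thread. Assumes OpenSSH's default
"Failed password ... from <ip> port <port> ssh2" syslog format and a fixed
log year (syslog lines carry none).
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2009  # assumption: syslog timestamps omit the year

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, user, ip) for each failed-password line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60),
                      allow_nets=()):
    """Return {ip: (first_flag_time, failures_in_window)} for offending IPs.

    An IP is flagged the first time it reaches `threshold` failures inside
    any span of length `window`. Addresses inside `allow_nets` (e.g. the
    office range you would allowlist instead of geo-blocking) are counted
    but never flagged.
    """
    allow = [ipaddress.ip_network(n) for n in allow_nets]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for ts, _user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            if any(ipaddress.ip_address(ip) in net for net in allow):
                continue
            flagged[ip] = (ts, len(q))
    return flagged


def firewall_rules(ips, port=22):
    """Render iptables DROP rules for the offending IPs (strings only, not run)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips, key=ipaddress.ip_address)]


def _line(ts, user, ip, port, invalid=True):
    tag = "invalid user " if invalid else ""
    return (f"{ts} host sshd[2211]: Failed password for {tag}{user} "
            f"from {ip} port {port} ssh2")


# Constructed sample log (documentation ranges, not the thread's real IP).
SAMPLE_LOG = (
    # 203.0.113.45: 12 failures in 33 s against random usernames -> a script
    [_line(f"Oct 23 17:58:{s:02d}", u, "203.0.113.45", 40000 + s)
     for s, u in zip(range(0, 36, 3), ["oracle", "test", "admin", "guest",
                                       "www", "ftp", "mysql", "nagios",
                                       "backup", "user", "pi", "git"])]
    # 198.51.100.7: 3 failures for a real user over 8 minutes -> a typo, not an attack
    + [_line(f"Oct 23 18:{m:02d}:00", "alice", "198.51.100.7", 51000 + m, invalid=False)
       for m in (1, 5, 9)]
    # 192.0.2.9: 15 failures in 15 s, but inside the allowlisted office range
    + [_line(f"Oct 23 18:20:{s:02d}", "bob", "192.0.2.9", 52000 + s, invalid=False)
       for s in range(15)]
    + ["Oct 23 18:21:00 host sshd[2300]: Accepted publickey for bob from 192.0.2.9 port 52099 ssh2"]
)


def run_demo():
    """Thread's rule of thumb: 10 failures in a short window means attack."""
    flagged = detect_bruteforce(SAMPLE_LOG, threshold=10,
                                window=timedelta(seconds=60),
                                allow_nets=["192.0.2.0/24"])
    return flagged, firewall_rules(flagged)


if __name__ == "__main__":
    flagged, rules = run_demo()
    for ip, (when, n) in flagged.items():
        print(f"{ip}: {n} failures by {when:%H:%M:%S}")
    print("\n".join(rules))
```

Only the scripted host trips the rule: the human who mistyped a password three times stays under the threshold, and the office range is exempt even though it exceeds it. On a real box you would feed `/var/log/auth.log` (or `journalctl -u ssh`) to `parse_failures` and hand the rendered rules to the firewall, or let something like fail2ban do exactly this loop for you; either way, the window and threshold are the two knobs the thread is talking about.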