Brute Force attempts

[Esteve]

Hello.

We have a server with a lot of brute force attacks

RDP: 3389

SQL: 1433

We can see in event viewer two repeated events (failed loing attempts)

eventID: 4625 Microsoft Windows Security Auditing

eventID: 18456 MSSQLSERVER

 

We want to receive a notification when we receive "5 o more"  failed login attempts in RDP and SQL.

Can we use "Pulseway Counters" or "Pulseway evenlog"? How?

[Chris]

Hi Esteve,

Currently Pulseway can notify you about all failed login attempts, if you configure the Event log filter (open the Pulseway Manager -> Notifications -> Event Log -> tick the checkbox -> Add and configure it) to notify you about these notifications an select option (allow repeating notifications) or notify you only once, if you do not select this option.

Why don't you simply block the access to this server from unknown IP addresses? You can configure this using Firewall or ACL's.

[Esteve]

Hello,

In the future we will block access to this server from unknown IP addresses, but now, we want to receive a notification "ONLY" when we receive "5 o more"  failed login attempts in RDP and SQL.

I try  "Pulseway Counters", but don't work...Any idea?

 

[Chris]

Hi Esteve,

You can try to create a SQL query which will trigger the notification if the failed login attempt count is greater than 5 (http://sqlmonitormetrics.red-gate.com/failed-sql-server-logins/). Please check the Pulseway User Manual page 67 - 68.

Also, you can try to use user settable performance counters. And then try to configure the Pulseway to send the notification if the performance counter is greater than 5 (see the Pulseway User Manual page 63).