Attack on Server?

[broche]

Hi all,

Clarion 9.1
NT 8.34
Windows Server 2012 on a VM, running under XenCenter

As I watch the log for the NT server app I see about 4 attempts a second from the same IP on the LoginForm.  It does not seem like it is trying to login as I collect failed attempts at login and don't see that in the table. 

Don't understand what is happening here but I am presuming that it is an attack on the server?  It then started on another IP address.
I managed to block one of the Ip's using windows firewall inbound rule (I think, it might have just stopped?)  I could not seem to block the other IP address.

I looked up the owners of the IP addresses and they are AT&T and Comcast.  These are just the ISP's I am presuming.  I report the Comcast one but could not figure out how do do it on AT&T's site.

All seem to have stopped now.

Any ideas or explanations would be appreciated.

Brian.

[Bruce]

Hi Brian,

I'm assuming you've set the login page as your "default page"? Or not?

Personally I don't get too worried about this sort of thing. If you watch your server for any length of time you'll see dozens of attacks pretty much daily. You'll also see Googbots and the like spidering through your (public) site and so on. This is all pretty "normal" web traffic.

Sure it can be exciting the first time you see it happen, but it's pretty much ops normal, and to be expected. You've opened a port - people are sending requests on that port - it's kinda just working as it's designed to work.

Of course, assuming you've kept your NetTalk reasonably up to date, the attacks fail. Short of brute-forcing the login screen, I'm not aware of any attack vector that will succeed.

cheers
Bruce

[broche]

Thanks, yep first time I have seen it and was typically paranoid.

[broche]

My default page is IndexPage LoginPage is LoginForm
should this be different?

[Bruce]

no, that setup is fine.
Does IndexPage require a login?

cheers
Bruce