Part 1: Blocking Bad Hosts - Finding Them, Easily

Download Script: get-bad-hosts.zip

While troubleshooting some issues on an OWA Front-End server, I went over to the security log to see if the authentication attempts were getting past this box. The problem I found was that the log was so full of failed logon attempts it was difficult to filter down to what I was looking for. In a twelve hour period, there were thousands of 529 events in the security log. Now, I know this is nothing new, but I found a few patterns. I manually exported the log to a CSV, parsed out all the source IP addresses and opened it up in Excel. What I found was that 98.7% of failed logon attempts were made by just four different IP addresses. (I recommend using MaxMind's GeoIP Address Locator for help in determining where the source addresses are located.)
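The manual step described above (export the security log to CSV, pull the source address out of each 529 event, and see which addresses dominate) can be scripted so it does not need a trip through Excel. The Python below is an added example, not the get-bad-hosts script from this post. It assumes the column layout of an Event Viewer CSV export (Type, Date, Time, Source, Category, Event, User, Computer, Description) and that the 529 description carries a "Source Network Address:" field; the sample rows are constructed, using documentation address ranges, to mimic that export.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the shape of a Security log exported from Event Viewer.
# The column names are an assumption about the export format; the IPs are
# documentation ranges, not real attackers. One 528 (successful logon) row is
# included to show that only failure events are counted.
SAMPLE_CSV = """Type,Date,Time,Source,Category,Event,User,Computer,Description
Failure Audit,1/1/2008,1:00:01 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: admin Domain: OWAFE1 Logon Type: 3 Source Network Address: 203.0.113.5 Source Port: 4412"
Failure Audit,1/1/2008,1:00:02 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: test Domain: OWAFE1 Logon Type: 3 Source Network Address: 203.0.113.5 Source Port: 4413"
Failure Audit,1/1/2008,1:00:03 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: guest Domain: OWAFE1 Logon Type: 3 Source Network Address: 203.0.113.5 Source Port: 4414"
Failure Audit,1/1/2008,1:00:04 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: sales Domain: OWAFE1 Logon Type: 3 Source Network Address: 198.51.100.20 Source Port: 1031"
Failure Audit,1/1/2008,1:00:05 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: root Domain: OWAFE1 Logon Type: 3 Source Network Address: 203.0.113.5 Source Port: 4415"
Success Audit,1/1/2008,1:00:06 AM,Security,Logon/Logoff,528,jsmith,OWAFE1,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 3 Source Network Address: 192.0.2.10 Source Port: 2200"
Failure Audit,1/1/2008,1:00:07 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: admin Domain: OWAFE1 Logon Type: 3 Source Network Address: 203.0.113.5 Source Port: 4416"
Failure Audit,1/1/2008,1:00:08 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: info Domain: OWAFE1 Logon Type: 3 Source Network Address: 198.51.100.20 Source Port: 1032"
Failure Audit,1/1/2008,1:00:09 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: CORP Logon Type: 3 Source Network Address: 192.0.2.77 Source Port: 3001"
Failure Audit,1/1/2008,1:00:10 AM,Security,Logon/Logoff,529,N/A,OWAFE1,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: OWAFE1 Logon Type: 3 Source Network Address: 203.0.113.5 Source Port: 4417"
"""

# The source address field as it appears in the event description text.
SOURCE_ADDR_RE = re.compile(r"Source Network Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_failed_logons(csv_text, event_ids=("529",)):
    """Return the source IP of every failed-logon event in the exported CSV.

    Rows whose Event column is not in event_ids (e.g. 528 successes) are skipped,
    as are failure rows that carry no source address (local console logons).
    """
    ips = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Event", "").strip() not in event_ids:
            continue
        match = SOURCE_ADDR_RE.search(row.get("Description", ""))
        if match:
            ips.append(match.group(1))
    return ips


def summarize_sources(ips):
    """Rank source IPs by number of failed logons.

    Returns a list of (ip, count, share_percent) tuples, most active first, so the
    handful of addresses responsible for most of the noise stands out immediately.
    """
    total = len(ips)
    if total == 0:
        return []
    counts = Counter(ips)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n, round(100.0 * n / total, 1)) for ip, n in ranked]


def sources_above(summary, min_events):
    """IPs with at least min_events failures: the candidate list for a block rule."""
    return [ip for ip, n, _ in summary if n >= min_events]


if __name__ == "__main__":
    failed = parse_failed_logons(SAMPLE_CSV)
    print(f"{len(failed)} failed logons with a source address")
    for ip, n, pct in summarize_sources(failed):
        print(f"{ip:>16}  {n:5d}  {pct:5.1f}%")
```

Run against a real export, the ranked table replaces the Excel step, and `sources_above` gives the short list worth looking up in a GeoIP database before deciding what to block; the threshold is a judgement call, since a single legitimate user with a mistyped password will also show up a few times.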