Anonymous_User Absent Member.
Absent Member.
692 views

How to debug failed logins

Hello all,

I have 1 server that no matter what, when I go in NoRM, I have a few dozen failed login attempts per hour, sending it into the "bad health" category.

It is Netware OES 6.5 sp6. It is our main file server, iPrint Broker and Manager, Virtual Office, iManager 2.6, DHCP/DNS, Novell Storage Manager (Files system factory sentinel) and Sophos AV.

I have dozens of these errors per hour.

Time: Monday, 2-12-2007 3:17 pm
Address: IP 172.20.00.02
User: .CN=Admin.O=XXX.T=ZZZZ.


Is there some way to figure out what is trying to login or where it is coming from? My assumption is that there is some service on the server that is trying to authenticate to do something. I am not sure what or where it is located.

Sincerely,

Tom
Labels (2)
0 Likes
7 Replies
Anonymous_User Absent Member.
Absent Member.

Re: How to debug failed logins

The ip address that is listed is the IP address of this server.

Tom


>>> Tom Hafemann<THafemann@csd.k12.wi.us> 2/12/2007 3:32 PM >>>


Hello all,

I have 1 server that no matter what, when I go in NoRM, I have a few dozen failed login attempts per hour, sending it into the "bad health" category.

It is Netware OES 6.5 sp6. It is our main file server, iPrint Broker and Manager, Virtual Office, iManager 2.6, DHCP/DNS, Novell Storage Manager (Files system factory sentinel) and Sophos AV.

I have dozens of these errors per hour.

Time: Monday, 2-12-2007 3:17 pm
Address: IP 172.20.00.02
User: .CN=Admin.O=XXX.T=ZZZZ.


Is there some way to figure out what is trying to login or where it is coming from? My assumption is that there is some service on the server that is trying to authenticate to do something. I am not sure what or where it is located.

Sincerely,

Tom
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to debug failed logins

On 13/02/07 Tom Hafemann wrote:
> My assumption is that there is some service on the server that is
> trying to authenticate to do something.


Correct!


> I am not sure what or where it is located.


Neither are we 🙂 Most likely it is a backup app, AV app, or similar. It
will have been configured to authenticate to the server as the admin
user, and that user's password was probably changed so the one the app
knowns about is obsolete. Most Novell products don't authenticate to
servers with a USer ID so it is unlikely to be any of those.
--
Andrew C Taubman
Novell Support Forums Volunteer SysOp
http://support.novell.com/forums
(Sorry, support is not provided via e-mail)

Opinions expressed above are not
necessarily those of Novell Inc.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to debug failed logins

Arg! I thought that maybe there was some magic out there, but I knew otherwise. 😞

I thought there might have been something Virtual office, some weird NetStorage thing, or something REALLY buried deep in tomcat.

Oh well, silly me for changing the admin password, or using it for EVERYTHING in the first place, instead of creating utility accounts.

Tom


>>> Andrew C Taubman<ataubman.RemoveThisToMailMe@novell.AndThis.com> 2/12/2007 4:23 PM >>>

On 13/02/07 Tom Hafemann wrote:
> My assumption is that there is some service on the server that is
> trying to authenticate to do something.


Correct!


> I am not sure what or where it is located.


Neither are we 🙂 Most likely it is a backup app, AV app, or similar. It
will have been configured to authenticate to the server as the admin
user, and that user's password was probably changed so the one the app
knowns about is obsolete. Most Novell products don't authenticate to
servers with a USer ID so it is unlikely to be any of those.
--
Andrew C Taubman
Novell Support Forums Volunteer SysOp
http://support.novell.com/forums
(Sorry, support is not provided via e-mail)

Opinions expressed above are not
necessarily those of Novell Inc.
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to debug failed logins

D.d. Mon, 12 Feb 2007 22:39:19 GMT, "Tom Hafemann"
<THafemann@csd.k12.wi.us> schreef het volgende:

Hi,

It is also a feature of FTP, coz some ftp programs do try to login the
first time without a password.

>Arg! I thought that maybe there was some magic out there, but I knew otherwise. 😞
>
>I thought there might have been something Virtual office, some weird NetStorage thing, or something REALLY buried deep in tomcat.
>
>Oh well, silly me for changing the admin password, or using it for EVERYTHING in the first place, instead of creating utility accounts.
>
>Tom
>
>
>>>> Andrew C Taubman<ataubman.RemoveThisToMailMe@novell.AndThis.com> 2/12/2007 4:23 PM >>>

>On 13/02/07 Tom Hafemann wrote:
>> My assumption is that there is some service on the server that is
>> trying to authenticate to do something.

>
>Correct!
>
>
>> I am not sure what or where it is located.

>
>Neither are we 🙂 Most likely it is a backup app, AV app, or similar. It
>will have been configured to authenticate to the server as the admin
>user, and that user's password was probably changed so the one the app
>knowns about is obsolete. Most Novell products don't authenticate to
>servers with a USer ID so it is unlikely to be any of those.


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to debug failed logins

BackupExec drove me crazy for a while before I figured out it held my
password for itself, so every time I changed my password my backups would
fail to authenticate. And i had to recreate the jobs because i could no
longer access them (reads doublepain).
I created a user that didn't have to change their password to fix it.
Just somee place you might look.


> Arg! I thought that maybe there was some magic out there, but I knew =
> otherwise. 😞
>
> I thought there might have been something Virtual office, some weird =
> NetStorage thing, or something REALLY buried deep in tomcat.
>
> Oh well, silly me for changing the admin password, or using it for =
> EVERYTHING in the first place, instead of creating utility accounts.
>
> Tom
>
>
> >>> Andrew C Taubman<ataubman.RemoveThisToMailMe@novell.AndThis.com> =

> 2/12/2007 4:23 PM >>>
> On 13/02/07 Tom Hafemann wrote:
> > My assumption is that there is some service on the server that is=20
> > trying to authenticate to do something.

>
> Correct!
>
>
> > I am not sure what or where it is located.=20

>
> Neither are we 🙂 Most likely it is a backup app, AV app, or similar. It
> will have been configured to authenticate to the server as the admin
> user, and that user's password was probably changed so the one the app
> knowns about is obsolete. Most Novell products don't authenticate to
> servers with a USer ID so it is unlikely to be any of those.
> --=20
> Andrew C Taubman
> Novell Support Forums Volunteer SysOp
> http://support.novell.com/forums
> (Sorry, support is not provided via e-mail)
>
> Opinions expressed above are not
> necessarily those of Novell Inc.
>


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to debug failed logins

Have you tried loading the DSTRACE.NLM with the AUTH and NMAS flags
enabled? Make sure you have the Time and Tags flags set as well and of
course, write it to file.

Just a thought.

> BackupExec drove me crazy for a while before I figured out it held my
> password for itself, so every time I changed my password my backups

would
> fail to authenticate. And i had to recreate the jobs because i could no
> longer access them (reads doublepain).
> I created a user that didn't have to change their password to fix it.
> Just somee place you might look.
>
>
> > Arg! I thought that maybe there was some magic out there, but I knew =
> > otherwise. 😞
> >
> > I thought there might have been something Virtual office, some weird =
> > NetStorage thing, or something REALLY buried deep in tomcat.
> >
> > Oh well, silly me for changing the admin password, or using it for =
> > EVERYTHING in the first place, instead of creating utility accounts.
> >
> > Tom
> >
> >
> > >>> Andrew C Taubman<ataubman.RemoveThisToMailMe@novell.AndThis.com> =

> > 2/12/2007 4:23 PM >>>
> > On 13/02/07 Tom Hafemann wrote:
> > > My assumption is that there is some service on the server that is=20
> > > trying to authenticate to do something.

> >
> > Correct!
> >
> >
> > > I am not sure what or where it is located.=20

> >
> > Neither are we 🙂 Most likely it is a backup app, AV app, or similar.

It
> > will have been configured to authenticate to the server as the admin
> > user, and that user's password was probably changed so the one the app
> > knowns about is obsolete. Most Novell products don't authenticate to
> > servers with a USer ID so it is unlikely to be any of those.
> > --=20
> > Andrew C Taubman
> > Novell Support Forums Volunteer SysOp
> > http://support.novell.com/forums
> > (Sorry, support is not provided via e-mail)
> >
> > Opinions expressed above are not
> > necessarily those of Novell Inc.
> >

>


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to debug failed logins


In article <45D088A8.6E05.00ED.0@csd.k12.wi.us>, THafemann@csd.k12.wi.us
says...
> I have 1 server that no matter what, when I go in NoRM, I have a few dozen =
> failed login attempts per hour, sending it into the "bad health" category.
>
> It is Netware OES 6.5 sp6. It is our main file server, iPrint Broker and =
> Manager, Virtual Office, iManager 2.6, DHCP/DNS, Novell Storage Manager =
> (Files system factory sentinel) and Sophos AV.
>
> I have dozens of these errors per hour.
>
> Time: Monday, 2-12-2007 3:17 pm
> Address: IP 172.20.00.02
> User: .CN=3DAdmin.O=3DXXX.T=3DZZZZ.
>
>
> Is there some way to figure out what is trying to login or where it is =
> coming from? My assumption is that there is some service on the server =
> that is trying to authenticate to do something. I am not sure what or =
> where it is located.



If the IP Address belongs to the Server, indicating it is a process on
the Server attempting to login, drop me an E-Mail as I might have
something that will be able to help you isolate the "perpetrator."

(Don't worry, it is not a commercial product or sales pitch... Yet!)

avanti (at) avanti-tech (dot) com

Best regards,

Steve Meyer
avanti technology, inc.
(Developers of TaskMaster / TaskMaster Lite)

--
Avanti Technology, Inc.'s TaskMaster / TaskMaster Lite (TMLite)
"The All Purpose Tool" For Server-based Scripting / Task Automation!
Schedule / Script / Command Shell / Replicate & Synchronize / RConsole
--------------------------------------------------------------------
Visit http:/www.avanti-tech.com for Server automation solutions...
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.