Failed Login on Servers

Unanswered Question
Nov 3rd, 2011

I continue to receive Event ID 529 (Failure Audit) in the Security Log of my servers with a reason "Unknown user name or bad password" with the OnPlus device as the source despite the fact that I have unchecked the "Allow Login Access" for Login, Enable, SNMP v2 & v3, and WMI on all of the servers.  Is there a way I can stop the OnPlus device from trying to access my servers?  I don't want it to monitor anything except my network devices.  As well, is there a way to tell it to not monitor a device...ever...even when it's still accessible from the OnPlus device?

mshikha Thu, 11/03/2011 - 22:34

Hi,

I do not have a quick answer for you but our Engineering team will get back to you shortly on this. Do you want to disable the monitoring only or do you also want to disable the discovery of these particular servers altogether? 

Thanks,

Shikha

SHAWN EFTINK Fri, 11/04/2011 - 01:36

Ideally both options would be desired. I would like to have the option of not discovering X devices or X IPs. I would also need the option to tell OnPlus to not monitor a specific discovered device.

Shawn Eftink

Sent from my iPhone through Exchange

Michael Holloway Fri, 11/04/2011 - 08:12

Hi Shawn,

These security event entries may possibly be caused by the ON100 either querying the master browser for SMB on the network, or the result of NetBIOS nameserver scanning performed by the ON100. Your logs might indicate that this is SMB traffic on TCP port 445 (direct), or SMB traffic via NetBIOS on TCP ports 137 or 139 or UDP ports 137 or 138. I don't believe any actual 'login' is being attempted, but Windows may be generically reporting the 'failed login' event because an unknown credential 'root' was being offered as part of the SMB protocol. Other users have also reported similar security log entries due to these two ON100 network discovery methods.

Currently, OnPlus doesn't provide a way to disable specific discovery protocols, nor can alternate credentials be supplied for use by SMB/NetBIOS. Both of these features added to OnPlus would probably help remove these minor events from filling your logs, in addition to the suggestions you also provided.

In the meanwhile, and I'm not making a recommendation here, just passing along information that I've seen being given by various sources including MSDN folks and others in industry; you can disable Windows 'Failure Audits' from consuming Windows resources. This would have the impact of losing some visibility (at least in the Windows Security Event Log) of any actual login-failure attacks occurring against the host, but endpoint firewall/security software may already cover logging of relevant network login-failure attacks/events.

-mike

SHAWN EFTINK Fri, 11/04/2011 - 09:39

As an interim workaround, until this is resolved, I have modified the event monitor set in my other RMM tool to ignore security events 529 and 680 that contain ON100 in the description. I don’t want to turn off the events on the servers as that would be a gaping security hole, but I also don’t want to continue getting the 100’s of alerts each day. I think it’s great that OnPlus tries to constantly discover the network, but there should be a way to tell it not to monitor a device it found or to only monitor availability (ping). As well, it would be nice to have the option of telling each OnPlus device what it should auto discover (i.e. by Ping, CDP, SNMP, etc.) or turn off auto discover completely and manually discover devices only. For example I might want to manually add a Core switch at a client site and only auto discover via CDP going forward. Thank you for submitting the feature requests.

One other feature request relates to integration with PSA applications. We utilize ConnectWise, which I know OnPlus integrates with the ticketing, but it would also be nice if OnPlus pushed device details into the Configurations section of ConnectWise. That functionality does exist in ConnectWise’s API as other RMM solutions do leverage it. This allows me to not only auto populate Configuration in my PSA but also allows me to track service history by device as well as a number of other advantages.
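
An added example, not part of the original thread and not OnPlus or RMM vendor code: one way to suppress only the appliance's failed-logon noise while keeping every other 529/680 event as an alert. It is narrower than the filter described in the post above; the workstation name `ON100`, the `root` account and the event records are constructed assumptions based on what the replies describe.

```python
from collections import Counter

# Assumptions (not from the thread): the appliance appears as workstation
# "ON100" and offers the account "root" during discovery.
SUPPRESS_IDS = {529, 680}
NOISE_WORKSTATION = "ON100"
NOISE_ACCOUNTS = {"root"}

def parse_fields(description):
    """Turn the 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def is_known_noise(event):
    """True only for 529/680 events from the appliance using its probe account."""
    if event["event_id"] not in SUPPRESS_IDS:
        return False
    f = parse_fields(event["description"])
    workstation = f.get("workstation name") or f.get("source workstation", "")
    account = f.get("user name") or f.get("logon account", "")
    return (workstation.upper() == NOISE_WORKSTATION
            and account.lower() in NOISE_ACCOUNTS)

def triage(events):
    """Return (alerts, suppressed counts per host); nothing is dropped silently."""
    alerts, suppressed = [], Counter()
    for ev in events:
        if is_known_noise(ev):
            suppressed[ev["host"]] += 1
        else:
            alerts.append(ev)
    return alerts, suppressed

# Constructed sample records (host names and field values are illustrative).
SAMPLE_EVENTS = [
    {"host": "SRV01", "event_id": 529, "description":
     "Logon Failure:\n\tReason:\tUnknown user name or bad password\n"
     "\tUser Name:\troot\n\tLogon Type:\t3\n\tWorkstation Name:\tON100"},
    {"host": "SRV01", "event_id": 680, "description":
     "Logon account: root\nSource Workstation: ON100\nError Code: 0xC0000064"},
    {"host": "SRV02", "event_id": 529, "description":
     "Logon Failure:\n\tUser Name:\tAdministrator\n\tWorkstation Name:\tON100"},
    {"host": "SRV02", "event_id": 529, "description":
     "Logon Failure:\n\tUser Name:\troot\n\tWorkstation Name:\tLAPTOP7"},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    print(len(alerts), "alerts;", dict(suppressed), "suppressed")
```

The workstation name in these events is supplied by the connecting client, so the per-host suppressed count is returned rather than discarded and is worth trending for sudden jumps.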

mshikha Fri, 11/04/2011 - 09:52

Hi Shawn,

We have noted your requirements and thanks for being patient with us!

We are planning on tighter integration with PSA tools like ConnectWise and we will look into sharing the device information with ConnectWise as well. Would it be right to say that you would use the PSA to track service history for devices and OnPlus for device maintenance etc.?

Thanks,

Shikha

SHAWN EFTINK Fri, 11/04/2011 - 10:58

That would be an accurate statement. However, it would be helpful to have the support contract details for a given device ported to the PSA tool as well. We wouldn’t give sales and marketing, for example, access to the OnPlus portal so they would need to be able to view the information in the PSA tool. But all Cisco device monitoring, management, and maintenance would hopefully be completed through the OnPlus portal.

SHAWN EFTINK Wed, 03/07/2012 - 10:47

No, there hasn't. I just checked one of my servers to confirm and this is still happening.

Michael Holloway Wed, 03/07/2012 - 13:53

Bet that we'll see this one get out of the backlog and into a sprint soon. The global rollout stuff has us pretty tied up for the next 2-3 weeks, then we should start seeing some sprints devoted to quality and small feature fixes/polishing.

-mike

SHAWN EFTINK Mon, 06/04/2012 - 14:40

Any projected ETA on the ability to exclude monitoring of specific devices?

Sent from Cisco Technical Support iPhone App

aqkazi Mon, 06/04/2012 - 14:52

Did you see my post from the other thread? I'll paste it here:

We have a small change coming in the next release which will discover devices using 'anonymous' rather than 'root'. In a couple of releases, we'll allow for disabling the discovery and entering credentials for SMB/NetBIOS devices. Of course these features aren't out of QA yet, so this is all preliminary information.

Thanks,

The OnPlus Team

SHAWN EFTINK Mon, 06/04/2012 - 14:54

I didn't. Thank you. Any ETA on that next release?

Sent from Cisco Technical Support iPhone App

mrn Mon, 06/04/2012 - 19:26

I don't get copied on the production rollout schedules. The code is done, the documentation is out for review, so I am sure it will be hitting the beta sites in less than 10 days.

- Mark

This Discussion

Posted November 3, 2011 at 2:54 PM