
Failed logging attempts killing bandwidth

pseconds

Guest
I'm getting 100s of failed login attempts in my logs - I do have the Administrator account disabled, but in a 1-minute period, I had over 500 of these. How do I block/stop them? I do need FTP for clients, so blocking that port might not work. This is on a Windows 2003 SP2 / Plesk 8.2 box.

Any ideas?

Event Type: Warning
Event Source: MSFTPSVC
Event Category: None
Event ID: 100
Date: 11/29/2007
Time: 7:08:19 AM
User: N/A
Computer: E555123-12345
Description:
The server was unable to logon the Windows NT account 'administrator' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....
 
I've had the same problem. Another issue that occurs because of this is that the statistics.exe program will run and together with lsass.exe chew up almost 100% of the CPU trying to correlate those invalid logins for the tracking database.

So far, I haven't found a good solution. I am working with the script that has been posted here:

http://blog.netnerds.net/2006/07/ban-administrator-ftp-login-attempts/

I've made some minor tweaks and it works pretty well, but still not bulletproof.
 
Another solution is to use IPsec with a shared key for FTP.

John S.G.
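
Added example, not part of the original thread and not the script linked above: Python code that parses event records in the text layout quoted in the first post, decodes the `Data:` bytes `2e 05 00 00` as a little-endian DWORD (Win32 error 1326, ERROR_LOGON_FAILURE), and counts failed FTP logons per account per minute. The sample records, the function names and the threshold are assumptions made for illustration.

```python
import re
import struct
from collections import Counter
from datetime import datetime

ERROR_LOGON_FAILURE = 1326  # Win32 code 0x52E: unknown user name or bad password

# Constructed sample in the text layout shown in the first post (not real log data).
_TEMPLATE = """Event Type: Warning
Event Source: MSFTPSVC
Event ID: 100
Date: 11/29/2007
Time: {time}
Description:
The server was unable to logon the Windows NT account '{account}' due to the following error: Logon failure: unknown user name or bad password. The data is the error code.
Data:
0000: 2e 05 00 00 ....
"""
SAMPLE = "\n".join(
    [_TEMPLATE.format(time=f"7:08:{s:02d} AM", account="administrator") for s in range(6)]
    + [_TEMPLATE.format(time="7:09:30 AM", account="client1")]
)

def decode_data(hex_bytes):
    """Turn the 'Data:' dump ('2e 05 00 00') into the little-endian DWORD it encodes."""
    return struct.unpack("<I", bytes.fromhex(hex_bytes.replace(" ", "")))[0]

def parse_events(text):
    """Yield (minute, account, error_code) for each MSFTPSVC Event ID 100 record."""
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        if "Event Source: MSFTPSVC" not in block or not re.search(r"(?m)^Event ID: 100\s*$", block):
            continue
        date = re.search(r"(?m)^Date: (\S+)", block)
        time = re.search(r"(?m)^Time: (.+?)\s*$", block)
        acct = re.search(r"Windows NT account '([^']*)'", block)
        data = re.search(r"(?m)^0000: ((?:[0-9a-fA-F]{2} ){3}[0-9a-fA-F]{2})", block)
        if not (date and time and acct and data):
            continue  # incomplete record: skip rather than guess
        when = datetime.strptime(f"{date.group(1)} {time.group(1)}", "%m/%d/%Y %I:%M:%S %p")
        yield when.replace(second=0), acct.group(1).lower(), decode_data(data.group(1))

def failure_bursts(text, threshold):
    """Return {(minute, account): count} where bad-password failures reach threshold."""
    counts = Counter((m, a) for m, a, code in parse_events(text) if code == ERROR_LOGON_FAILURE)
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (minute, account), n in failure_bursts(SAMPLE, threshold=5).items():
        print(f"{minute:%Y-%m-%d %H:%M} {account}: {n} failed FTP logons")
```

The event record as quoted carries no client address, so this output tells you which accounts are being hammered and when, not which source to block.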
 