Battle of the Week - Failed Login Attempts
The environment is the infrastructure of a rural county whose public works offices, such as the police department, library, and fire department, are all interconnected.
A brute-force attack from a malicious IP should be stopped by the firewall, and accounts should lock out after a set limit of failed attempts.
The customer had a multitude of login attempts, causing brute-force alarms to show in our system. The attempts all came from the same internal IP, and all were failing on a Microsoft Exchange Server.
The large number of failed logons was caused by a misconfiguration in the following two things:
Cisco Jabber settings were not set correctly to access the calendar or voicemails
Outlook cache setting
A large number of failed logons may not always be malicious and could be a result of a misconfiguration on the network. Always set up login limits on accounts to prevent bandwidth from being wasted and to help prevent brute force attacks.
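One way to apply this lesson during triage, as an added example that is not from the original post: group failed logons by source IP and separate a single internal client retrying the same few accounts (the pattern a misconfigured client would be expected to produce) from an external source that belongs at the firewall. The event tuples, internal address ranges, thresholds and next-step strings are all assumptions constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 ranges stand in for the county's internal networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: (source IP, target account) per failed logon on the mail server.
SAMPLE_EVENTS = (
    [("10.20.5.14", "jsmith")] * 25             # one client retrying one mailbox
    + [("10.20.5.14", "svc-voicemail")] * 15    # same client, second account
    + [("203.0.113.50", f"user{i}") for i in range(30)]  # external, many accounts
    + [("10.20.5.30", "mlee")] * 2              # ordinary mistyped password
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage_failed_logons(events, threshold=20, max_accounts=3):
    """Return {source_ip: (failures, distinct_accounts, next_step)} for noisy sources."""
    failures = defaultdict(int)
    accounts = defaultdict(set)
    for src, account in events:
        failures[src] += 1
        accounts[src].add(account.lower())
    findings = {}
    for src, count in failures.items():
        if count < threshold:
            continue  # below the volume that would raise a brute-force alarm
        distinct = len(accounts[src])
        if not is_internal(src):
            step = "block at firewall"
        elif distinct <= max_accounts:
            # Same few accounts failing repeatedly from one internal host:
            # look at the client's saved settings before treating it as an attack.
            step = "check client configuration"
        else:
            step = "investigate internal host"
        findings[src] = (count, distinct, step)
    return findings

if __name__ == "__main__":
    for src, result in triage_failed_logons(SAMPLE_EVENTS).items():
        print(src, result)
```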