Need a way to track IP address of computers used for invalid logon attempts to SEPM (12 RU2)
Created: 07 Mar 2013 | 13 comments
In the past week I have received 3 emails from our SEPM that stated the following:
Time | Site | Server | Severity | Event Type | Description
03/07/2013 07:57:27 | Site ABC | ABC.domain.com | Error | An unexpected exception has occurred | The administrator's user name or password is incorrect. Type a valid user name or password.
These are occurring at times when I am not at work and there is no one (legitimate) who could be connected or trying to connect during these times. I need a way to determine the IP address of the computer that is making these logon attempts.
Description: The administrator's user name or password is incorrect. Type a valid user name or password.
You're looking at the Administrative log, right?
I don't believe there is any more info given in this log. You may want to disable that account and create a new one or change the password.
You can try this:
Go to Admin tab >> Administrators tab
Select the user name that is trying to log in and all info will be given here, Last logon IP and time. Does this help?
If you have AD sync setup for this account, you can check your DC logs
SEP Knowledge Base
Endpoint SWAT
I don’t see it listing the account name. When I implemented Symantec Endpoint Protection years ago, I changed the username of the built-in administrator. This doesn’t address my problem.
I need a way to figure out where these attempted logon attempts are coming from. If SEPM 12 used IIS instead of Apache then I could easily figure this out with the IIS log files.
Just strictly relying on the SEPM for this, I don't see a way. Would be nice to include the IP of the remote machine but I can't find anything.
SEP Knowledge Base
Endpoint SWAT
Then can Apache be configured to log this information like IIS can?
Couldn't say as I don't know much about it. Good reference here:
https://httpd.apache.org/docs/2.2/logs.html
But Symantec would likely have this answer.
SEP Knowledge Base
Endpoint SWAT
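Since the SEPM log itself does not record the client address, the only record of it on the box is the Apache access log that the reply above links to. The following is an added example, not code from the original thread or from Symantec: it parses Apache "combined" LogFormat lines and lists the client IPs that hit the server within a window around the time stamped on the SEPM alert. The sample log lines are constructed, the console request paths in them are assumptions rather than documented SEPM endpoints, and the assumption that SEP client check-in traffic lives under /secars/ is used only to filter out client heartbeat noise.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample access log (not real SEPM output). The /console/login and
# /secars/ paths are assumptions for illustration; the source addresses and
# timestamps are what the correlation actually uses.
SAMPLE_LOG = """\
10.1.1.5 - - [07/Mar/2013:07:55:10 -0500] "GET /symantec.html HTTP/1.1" 200 1431 "-" "Mozilla/5.0"
10.1.1.5 - - [07/Mar/2013:07:57:26 -0500] "POST /console/login HTTP/1.1" 200 512 "-" "Java/1.6.0_37"
10.1.1.5 - - [07/Mar/2013:07:57:27 -0500] "POST /console/login HTTP/1.1" 200 512 "-" "Java/1.6.0_37"
192.168.20.14 - - [07/Mar/2013:07:57:40 -0500] "GET /secars/secars.dll?h=x HTTP/1.1" 200 19 "-" "Symantec Agent"
10.1.1.5 - - [07/Mar/2013:08:30:00 -0500] "GET /symantec.html HTTP/1.1" 200 1431 "-" "Mozilla/5.0"
"""


def parse_access_log(text):
    """Yield one dict per well-formed combined-format line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        # Apache writes the zone offset, so the result is timezone-aware.
        entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
        yield entry


def parse_alert_time(sepm_time, utc_offset):
    """SEPM alert times such as '03/07/2013 07:57:27' carry no zone; attach the server's offset
    (assumed here to be the same zone Apache logs in) so the two clocks can be compared."""
    return datetime.strptime(f'{sepm_time} {utc_offset}', '%m/%d/%Y %H:%M:%S %z')


def clients_near(text, alert_time, window_seconds=300, ignore_prefixes=('/secars/',)):
    """Count requests per client IP within +/- window_seconds of the alert time.
    Paths under ignore_prefixes (assumed to be SEP client check-in traffic) are dropped
    so routine client heartbeats do not bury the console traffic we care about."""
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for e in parse_access_log(text):
        if e['path'].startswith(ignore_prefixes):
            continue
        if abs(e['ts'] - alert_time) <= window:
            hits[e['ip']] += 1
    return hits


if __name__ == '__main__':
    alert = parse_alert_time('03/07/2013 07:57:27', '-0500')
    for ip, n in clients_near(SAMPLE_LOG, alert).most_common():
        print(f'{ip}\t{n} request(s) within 5 min of {alert:%Y-%m-%d %H:%M:%S %z}')
```

Point it at the real access log (the path depends on where SEPM's bundled Apache writes it) and at the time from each alert e-mail; a single address recurring across several alerts is the one to chase. Narrow the window if the log is busy, and note that a source address in an access log is only as trustworthy as the network path that delivered it.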
If you are the only resource for SEPM then deny access to all.
Granting or blocking access to remote Symantec Endpoint Protection Manager consoles
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Rafeeq, that sounds like a good idea. However, the link doesn't work and gives the following error:
Gateway Timeout
The proxy server did not receive a timely response from the upstream server.
Reference #1.7c9f33b8.1362790066.11302e59
See if this one works:
http://www.symantec.com/business/support/index?pag...
SEP Knowledge Base
Endpoint SWAT
Try this:
http://www.symantec.com/business/support/index?pag...
the above link still works for me....:)
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Hi Scott,
Don't forget the firewall component of the SEP client on that server, as well. It should be possible to create and apply a firewall policy that logs the details of connections to that server from remote addresses. Examine that log for unexpected source IP's.
It would not be a bad idea to take a close look at security on that server: are there any services running that really do not need to be? Terminal Services, for example, if no one routinely uses RDP to access that machine. Make sure it is patched, does not have any unexpected ports open, and that admin accounts with access to that machine are given a new, strong password. Run a full system scan, as well.
Hope this helps!
Mick
With thanks and best regards,
Mick
Brian81 and Rafeeq, thanks, those links worked. I have gone ahead and restricted which IP addresses can log on, which helps me feel a little better about security, but I would still like to know the IP addresses.
I tested from a computer with an IP address not configured to access (via HOWTO81140). I could install the Java SEP manager via http://<server>:9090/symantec.html, which I was surprised wasn't blocked. I did receive an error when trying to log on from that computer (something regarding that IP address not being allowed). I got an email notification like before, which doesn't include the IP address of the computer (see attachment). As far as I am concerned this functionality should be built in to SEPM and you shouldn't be forced to create a fancy firewall component of the SEP client on each SEPM.
Mick2009, your suggestion would also capture the IP addresses of legitimate traffic between the SEP clients and our SEPM and would be a nightmare to look through. I have these SEPMs locked down pretty tightly through Windows, including via AD, Group Policy, full virus scans nightly, non-default usernames, very strong passwords (> 15 characters), and other measures. I simply want SEPM to log and include the IP address of clients with invalid logon attempts. Other products I deal with have included this functionality for years and I am shocked that Symantec hasn't included this yet.
Cheers for the update, Scott!
Symantec AntiVirus 10.x had the capability to record the IP from which an admin logged in, but the ease of spoofing IP addresses robbed that feature of value. The firewall policy is the way I would do it, but that's just my 2 cents.
With thanks and best regards,
Mick