What is Overload Protection?

Votes:

0

In the PRTG web interface I can see this message:

Overload Protection is Active Click for details

What does it mean?

failed-logins overload protection prtg9

Created on Sep 28, 2011 3:05:44 PM by  Dirk Paessler [Founder Paessler AG] (10,858) 3 4

Last change on Sep 28, 2011 3:22:47 PM by  Daniel Zobel [Paessler Support]



41 Replies

Accepted Answer

Votes:

1

This article applies to PRTG Network Monitor 9.1.1 or later

Overload Protection

The PRTG web server has a built-in mechanism to fight against "Denial-of-Service" and "Brute-Force-Password-Cracking" attacks. This mechanism also avoids performance impacts of incorrectly configured clients.

How does Overload Protection Work?

  • As soon as 50 login attempts have failed (incorrect username or password) the web server delays all consecutive login attempts by 2 seconds.
  • All consecutive login attempts with incorrect passwords will even be delayed by 120 seconds.
  • This behaviour is stopped after 10 minutes without any failed login attempts.

The message "Logon attempts slowed down due to failed logon margin exceeded in a short amount of time" is added to the log, when this mode kicks in.

The message "100 logons failed since last start of PRTG" is shown 100 incorrect logins later.

Why does PRTG have this protection?

PRTG's handling of user credentials, logins and sessions is quite CPU intensive and potentially blocks many internal processes, even the monitoring itself. So attacks like brute force password cracking attacks or DoS attacks can potentially bring down the monitoring and alerting - which is the core job of PRTG. We believe that PRTG must do anything possible to keep its monitoring engine running, so we decided that a potentially slower interface is the smaller price to pay compared to incorrect monitoring results or even missed alerts.

Where do these incorrect login attempts come from?

  • There are one or more systems in the network that repeatedly connect to the PRTG server with incorrect credentials which trigger the protection mode.
  • Usually these are systems that connect to the PRTG server through the PRTG API.
  • Quite likely these systems are forgotten, misconfigured or rogue PCs running the PRTG 7/8 Windows GUI or the PRTG Enterprise Console without proper username/password configuration.
  • Also PRTG smartphone apps (PRTG for iOS and PRTG for Android, or the discontinued apps PRTG for Windows Phone and PRTG for BlackBerry) are possible sources.
  • All processes that try to load data from your PRTG server through API calls with wrong credentials can trigger overload protection, too.
  • If you created "Libraries" with a PRTG user account that uses Active Directory credentials, overload protection can be triggered after you change the Active Directory password for this user account. A library thread running in the background will cause invalid login attempts and therefore trigger the overload protection. To avoid this, please make sure you log in once to PRTG with the new credentials after changing a user account's Active Directory password.

How can I find these rogue systems?

If you do not know which systems and/or which programs are sending these incorrect login requests, please look at the web server log files (folder "\Logs\webserver") to find out the IP addresses of systems that connect to the web server.

Logfile entries look like this:

2011-09-28 09:30:21 127.0.0.1 "user10658-aureliol" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_type=ping&login=aureliol&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /controls/sensorstats.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /api/getstatus.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /icons/favicon_red.png - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:24 10.0.2.173 "user10649-dirkp" prtg.com 443 GET /api/table.xml content=sensortree&nosensors=1&id=0&nosession=1&new=1&last=2011-09-28-07-30-04&devices=&v=16511&login=dirkp&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
2011-09-28 09:30:24 10.0.9.150 "anonymous" prtg.com 443 GET / - 200 "Mozilla 4.0"
2011-09-28 09:30:24 10.0.9.150 "anonymous" prtg.com 443 GET /index.htm - 200 "Mozilla 4.0"
2011-09-28 09:30:25 10.0.0.157 "user10649" prtg.com 443 GET /api/getstatus.htm - 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22"
2011-09-28 09:30:25 10.0.0.157 "user10649" prtg.com 443 GET /controls/sensorstats.htm - 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22"

The third column shows the source IP address of the incoming request, the fourth row shows "anonymous", the PRTG user id and - if the request is a login attempt - the username used to log in ("aureliol" and "dirkp" in the sample above). The last column displays the browser agent string (e.g. Mozilla, Safari). The Enterprise Console (Windows GUI of V7/8) uses the following browser agents:

  • PRTG Network Monitor Tray Notifier
  • PRTG Network Monitor GUI

To find failed login attempts search the log file for this string:

login_failed

Failed logins show the login name and "login_failed" in the fourth column:

2011-09-28 09:30:30 10.0.2.204 "anonymous-dirk1-login_failed" prtg.com 443 GET /public/checklogin.htm loginurl=/group.htm?id=0&login=dirk1&passhash=*** 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0"

All this allows you to find the IP address, user accounts and user agents of the misconfigured systems.

Created on Sep 28, 2011 3:11:04 PM by  Dirk Paessler [Founder Paessler AG] (10,858) 3 4

Last change on Apr 16, 2019 3:34:10 PM by  Birk Guttmann [Paessler Support]
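
The log search described in the accepted answer can be scripted. The following is an added example, not part of the original thread and not Paessler's own tooling: it parses web server log lines in the layout shown above and groups failed logins by source IP, login name and user agent. The field layout is inferred from the sample lines on this page, the function names are hypothetical, and the sample input is constructed.

```python
import re
from collections import defaultdict

# Field layout inferred from the sample lines in the accepted answer:
# date time source-ip "user field" host port method path query status "agent"
LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<src>\S+) "(?P<user>[^"]*)" (?P<host>\S+) (?P<port>\d+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+) (?P<query>.*) '
    r'(?P<status>\d{3}) "(?P<agent>[^"]*)"\s*$'
)
# A failed login shows "<user id>-<login name>-login_failed[...]" in the user
# field; later posts in the thread show a "_and_delayed_120_seconds" suffix.
FAILED_RE = re.compile(r'^[^-]+-(?P<login>.+)-(?P<state>login_failed\w*)$')

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = '''\
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.example 443 GET /api/getstatus.htm - 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/6.0.2"
2011-09-28 09:30:30 10.0.2.204 "anonymous-dirk1-login_failed" prtg.example 443 GET /public/checklogin.htm loginurl=/group.htm?id=0&login=dirk1&passhash=*** 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/7.0"
2011-09-28 09:31:02 10.0.2.173 "anonymous-old-svc-login_failed" prtg.example 443 GET /api/table.xml content=sensortree&login=old-svc&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
2011-09-28 09:33:02 10.0.2.173 "anonymous-old-svc-login_failed_and_delayed_120_seconds" prtg.example 443 GET /api/table.xml content=sensortree&login=old-svc&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
this line is not a log entry and is skipped
'''


def failed_logins(lines):
    """Yield one dict per failed login; skip other or unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = FAILED_RE.match(m['user'])
        if not f:
            continue
        yield {
            'when': f"{m['date']} {m['time']}",
            'src': m['src'],
            'login': f['login'],
            'delayed': 'delayed' in f['state'],
            'path': m['path'],
            'agent': m['agent'],
        }


def summarize(lines):
    """Group failed logins by (source IP, login name, user agent)."""
    groups = defaultdict(lambda: {'count': 0, 'delayed': 0, 'first': None,
                                  'last': None, 'paths': set()})
    for hit in failed_logins(lines):
        g = groups[(hit['src'], hit['login'], hit['agent'])]
        g['count'] += 1
        g['delayed'] += hit['delayed']
        # ISO-style timestamps compare correctly as strings.
        g['first'] = min(filter(None, (g['first'], hit['when'])))
        g['last'] = max(filter(None, (g['last'], hit['when'])))
        g['paths'].add(hit['path'])
    # Noisiest source first.
    return sorted(groups.items(), key=lambda kv: kv[1]['count'], reverse=True)


if __name__ == '__main__':
    for (src, login, agent), g in summarize(SAMPLE_LOG.splitlines()):
        print(f"{g['count']:4d} failed ({g['delayed']} delayed) {src} "
              f"login={login} {g['first']}..{g['last']} "
              f"{sorted(g['paths'])} agent={agent}")
```

To run it against a real file, pass the open file object to `summarize()` instead of the sample string.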



Votes:

0

Hello,

where is the "\Logs (Web Server)" folder? I searched the whole PRTG server filesystem and found nothing which has to do with it.

Created on Sep 30, 2011 3:07:29 PM by  Mike Holland (0) 1



Votes:

0

Mike, please see How and where does PRTG store its data?, the "Logs (Webserver)"-folder resides inside the PRTG Datafolder. You might need to adjust your Windows Explorer View-Settings to see/access this hidden folder.

Created on Sep 30, 2011 4:27:00 PM by  Torsten Lindner [Paessler Support]



Votes:

0

Is there any way to disable Overload Protection?

Created on Aug 15, 2012 3:57:09 PM by  Tony Kan (0)



Votes:

0

Sorry, the Overload Protection cannot be disabled.

Created on Aug 15, 2012 3:59:28 PM by  Torsten Lindner [Paessler Support]



Votes:

0

Does the "Overload Protection is Active" message only show when there is something wrong or should it be on all the time?

Created on Jan 15, 2013 7:46:58 PM by  Josiah Ritchie (110) 1 1



Votes:

0

Overload Protection indicates that there is an issue. Default should be that the overload protection is off.

Created on Jan 16, 2013 6:09:08 AM by  Aurelio Lombardi [Paessler Support]

Last change on Jan 16, 2013 7:48:11 AM by  Aurelio Lombardi [Paessler Support]



Votes:

0

Is there a config file or anything in the web interface where one can tweak the overload protection? My organization would like to configure stricter rules for overload protection. Initiating after 50 failed login attempts may be a little too high for us.

Created on Feb 19, 2013 2:48:38 PM by  mbrennan (0) 2



Votes:

0

No, there is no config file or similar. The values in the overload protection are hard coded. Sorry.

Created on Feb 19, 2013 2:50:08 PM by  Konstantin Wolff [Paessler Support]



Votes:

0

Thank you for the fast reply. Is this something that can be added to a wishlist?

Created on Feb 19, 2013 2:54:31 PM by  mbrennan (0) 2



Votes:

0

I will put this on the wishlist for upcoming releases but cannot guarantee if or when this will be implemented.

Created on Feb 19, 2013 2:56:17 PM by  Konstantin Wolff [Paessler Support]



Votes:

0

I'll add to that request, or a mechanism to do something about it. Some APIs I downloaded can't work, and segmenting automated reports is not a great option either.

Created on Apr 18, 2013 8:07:05 PM by  Quala S.A. Quala S.A. (0) 1



Votes:

0

Hello, new PRTG user here! LOVE IT!

But after changing the default login account and disabling the "prtgadmin" account I am now receiving this error.

I have this line in my logs,

2013-05-22 12:51:14 127.0.0.1 "anonymous-nhoague-login_failed_and_delayed_120_seconds" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_type=netflowheader&filter_type=n ...

Where does this anonymous come from? I have only found one place in the server administrator to change the login account, and then I also changed the login in the enterprise console.

Thanks!

Created on May 22, 2013 7:12:50 PM by  Nicholas Hoague (0) 1



Votes:

0

This looks like a library access, which is trying to log in using the name 'nohague' but fails. This most likely has to do with the login name being used more than once for a user account. Please check on the same and adjust the name entries accordingly.

Created on May 24, 2013 12:52:44 PM by  Patrick Hutter [Paessler Support] (7,164) 3 3



Votes:

0

Hi Paessler Team,

I noticed that every time I run a report with graphics in one particular scenario (see below), the Overload Protection warning is displayed (ajax interface). I followed the steps above regarding the logs and I found the login_failed from the pc I am accessing the prtg page.

The prtg server can be accessed via a private IP (192.168.X.X) within the enterprise LAN and from the outside via a Public IP address.

1. Accessing prtg from the local network does not display the Overload Warning message during the report run.

2. Accessing prtg from the outside (public IP) displays the Overload Warning message. The report completes but slowly.

Thank you.

Created on Apr 8, 2014 10:17:42 PM by  jf_hernandez (0) 1



Votes:

0

The important bit, if this issue occurs when generating HTML reports, is whether the password in the URL is right or wrong. Due to a bug in the generation of the forwarding URL by the Nag Screen, the password was set erroneously. This bug should have been fixed with version 14.1.9.x.

Created on Apr 15, 2014 12:43:21 PM by  Patrick Hutter [Paessler Support] (7,164) 3 3



Votes:

0

Hi Guys,

How do I change the PRTG username tied to a library thread? The person who created it has left and I want to disable their account. Due to this I am constantly having overload protection issues.

Created on May 19, 2014 7:05:23 AM by  lingario (0) 1



Votes:

0

It's not possible to change the user who created a Library. I'm afraid at the moment, it will be necessary to remove and re-create the Library. Sorry.

Created on May 19, 2014 10:49:01 AM by  Torsten Lindner [Paessler Support]



Votes:

0

My log has a lot of errors. Could you help, please?

2014-07-04 10:57:18 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_tags=@tag(esx)&filter_tags=@tag(esxserverhosthealthsensor)&filter_tags=@tag(esxserverhostsensor)&filter_tags=@tag(esxserversensor)&filter_tags=@tag(esxservervmsensor)&filter_tags=@tag(esxshealthsensor)&filter_tags=@tag(esxvmsensor)&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"


2014-07-04 10:57:24 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_priority=5&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"


2014-07-04 10:57:29 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_priority=4&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"

Created on Jul 4, 2014 3:09:51 AM by  ckc0206 (0)

Last change on Jul 4, 2014 12:34:01 PM by  Torsten Lindner [Paessler Support]



Votes:

0

These requests are from Libraries. Libraries are saved under the User Account who created the Library. The library then "logs in" with the same user account to refresh filters. So if a user is removed, who created a Library, the Library then causes these fails. It would be necessary to remove the Libraries as well.

Created on Jul 4, 2014 12:34:15 PM by  Torsten Lindner [Paessler Support]



Votes:

0

I'm having this problem, and looking at the log I see this:

2014-07-30 13:55:08 127.0.0.1 "anonymous-cerivera-login_failed_and_delayed_120_seconds" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_type=jflowheader&filter_type=jflowcustom&login=cerivera&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"

Created on Jul 30, 2014 6:06:54 PM by  erecpr (0)

Last change on Aug 1, 2014 11:46:38 AM by  Greg Campion [Paessler Support]



Votes:

0

As Torsten said above, this is a call that is used by PRTG for a library. Please try and delete this library and the error should go away. It looks like this is used for a jFlow library so check to see if there are any of those in your PRTG installation.

Created on Aug 1, 2014 11:46:20 AM by  Greg Campion [Paessler Support]



Votes:

0

Is it possible that this error occurs with a wrong username or password for a SENSOR?

Created on Jan 6, 2015 1:38:40 PM by  rapolinario (0)



Votes:

0

Being locked out of PRTG because of overload protection should only happen when accessing PRTG itself. If a sensor has the wrong credentials and is using those to scan a device, the device itself could also have similar protection but you would have to check on the device if this is the case.

Created on Jan 7, 2015 8:30:09 AM by  Greg Campion [Paessler Support]



Votes:

0

I just had the same issue. After checking the logs I saw that it was my iOS app trying to log in again. I changed my Windows password, so the stored credential was no longer valid. And the iOS app (14.4.9) did not ask for the new password. It retried again and again.

So, check your app. While we're at it: it would be a nice touch if the app could additionally be protected against being launched with a PIN or the password, similar to various home-banking apps. Tablets in particular are sometimes "family devices", and Apple has no multi-user capability. It would be helpful if a daughter or son could not simply launch the "fancy" icon and then change the servers in Dad's company.

Frank

Created on Feb 1, 2015 8:47:31 PM by  Frank Carius (270) 1 1



Votes:

0

Hi, I am seeing the following. Any ideas what's causing it?

login=admin&passhash=* 200 "Mozilla/3.0 (compatible; Indy Library)"
2015-05-11 15:20:50 10.9.62.9 "anonymous-prtgadmin-login_failed_and_delayed_120_seconds" 10.9.62.9 8080 POST /api/getstatus.htm login=prtgadmin&password=*&id=0 200 "Mozilla/5.0 (compatible; PRTG Network Monitor Enterprise Console; Windows)"

Created on May 11, 2015 2:30:05 PM by  danovery (0) 1



Votes:

0

This might be an Enterprise Console configured with wrong credentials from a host with the IP 10.9.62.9. Can you check that out? :)

Created on May 12, 2015 8:20:54 AM by  Stephan Linke [Paessler Support]



Votes:

0

We have a similar situation where local prtgadmin is creating login requests from the server itself. The only Libraries are those that shipped with the installation. Is the advice here http://kb.paessler.com/en/topic/25523-what-is-overload-protection#reply-194984 really saying we have to delete the default prtgadmin account or delete the libraries that shipped with the installation (and have to re-create them somehow from memory or after spending time documenting them)? This does not seem right. Our installation has only been running since yesterday.

Created on Jun 15, 2015 7:43:43 AM by  bede (0)



Votes:

0

Is there an Enterprise Console running on the PRTG Server? It could also be a crashed EC. Can you make sure that there's no process called PRTG Enterprise Console running?

Created on Jun 15, 2015 8:05:36 AM by  Stephan Linke [Paessler Support]



Votes:

0

OK - thanks - found enterprise console was running on server from initial testing - now shutdown on server - how long before the overload warnings might be expected to go - so if not we can investigate further? thanks

Created on Jun 15, 2015 10:47:19 AM by  bede (0)



Votes:

0

10 minutes without failed logins and the warning will disappear.

Created on Jun 15, 2015 11:37:21 AM by  Stephan Linke [Paessler Support]



Votes:

0

I have this warning jumping all the time. How can I stop this?

Created on Jul 5, 2015 1:20:10 PM by  sapir (0) 1



Votes:

0

It's probably an Enterprise Console installed on either the PRTG server or anywhere in your network that still has the old credentials configured. In order to check this, please send your PRTG Core Server.log files (resides under C:\ProgramData\Paessler\PRTG Network Monitor\Logs (System)) to support@paessler.com - please reference this thread so we know it's you :)

Created on Jul 6, 2015 5:53:34 AM by  Stephan Linke [Paessler Support]



Votes:

0

Hi,

We had this today; the failed logins have been identified and stopped.

Overload protection is not alerting as "on" but we are still locked out.

We can access PRTG with the admin account - our AD accounts are locked out.

Does Overload protection display all the time it's on?

Created on Sep 21, 2016 3:24:46 PM by  jcarpenter (0)



Votes:

0

Hello,
thank you for your inquiry.

The overload protection is automatically disabled after 10 minutes without any failed login attempts. Please check on your Active Directory whenever the actual user accounts are locked out or log in to PRTG with the built-in admin account and issue a Clear Caches from within Setup > Administrative Tools.


Best Regards,
Luciano Lingnau [Paessler Support]

Created on Sep 22, 2016 4:16:17 PM by  Luciano Lingnau [Paessler Support]



Votes:

0

Hi, if we know the account that is being Brute Forced (due to change of Active Directory password) is it possible to sleep that account so that the Overload Protection is not activated for that account?

E.g. I've disabled the account hoping that the Overload Protection would stop... but it didn't.

Created on Dec 13, 2016 12:33:32 PM by  trunq (10) 1



Votes:

0

Hi trung,

I'm afraid this does not change anything. A failed login attempt is a failed login attempt in the end, no matter whether the user exists in PRTG's userbase or not. The only way around is stopping these failed logins by either updating credentials on the machine that causes those failing logins or disabling Enterprise Console for example on this machine in case Enterprise Console is responsible for these logins, which is also shown in the webserver log as also described above.

Kind regards,

Erhard

Created on Dec 14, 2016 8:07:19 AM by  Erhard Mikulik [Paessler Support]



Votes:

0

I would like to use a corresponding sensor in PRTG for Overload Protection (on a probe). Or is it already built in?

Created on Oct 25, 2018 8:22:27 PM by  ITSE (10)



Votes:

0

ITSE,

Overload Protection is a system function that prevents the PRTG server from becoming unstable and unresponsive. I'm not sure what you mean by, "I would like to use a corresponding sensor in PRTG for Overload Protection."

Can you elaborate?

Benjamin Day
Paessler Support

Created on Oct 25, 2018 11:16:58 PM by  Benjamin Day [Paessler Support]



Votes:

0

Hi

How can I identify which sensor the following login failure is originating from?

127.0.0.1 "anonymous-prtgadmin-login_failed_and_delayed_120_seconds" 127.0.0.1 80 GET /api/table.xml username=prtgadmin&passhash=*&content=sensors&columns=objid,parentid,name,probe,group,device,status,priority,type,type_raw,message,tags&id=14003 200 "-"

Regards

Created on Mar 28, 2019 11:26:17 AM by  jennis71 (0)



Votes:

0

Jennis,

The logon is anonymous, and it originated from the PRTG Core Server. But, the only Sensors that can do anything like this would be HTTP REST API sensors. As those are the only ones who can make an API call.

Also, you might check your Notification Templates, as you can make an API call from there as well.

Benjamin Day
Paessler Support

Created on Mar 28, 2019 8:11:10 PM by  Benjamin Day [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.