In the PRTG web interface I can see this message:
Overload Protection is Active Click for details
What does it mean?
This article applies to PRTG Network Monitor 9.1.1 or later
The PRTG web server has a built-in mechanism to fight against "Denial-of-Service" and "Brute-Force-Password-Cracking" attacks. This mechanism also avoids performance impacts of incorrectly configured clients.
The message "Logon attempts slowed down due to failed logon margin exceeded in a short amount of time" is added to the log when this mode kicks in.
The message "100 logons failed since last start of PRTG" is shown 100 incorrect logins later.
PRTG's handling of user credentials, logins and sessions is quite CPU intensive and potentially blocks many internal processes, even the monitoring itself. So attacks like brute force password cracking attacks or DoS attacks can potentially bring down the monitoring and alerting - which is the core job of PRTG. We believe that PRTG must do anything possible to keep its monitoring engine running, so we decided that a potentially slower interface is the smaller price to pay compared to incorrect monitoring results or even missed alerts.
If you do not know which systems and/or which programs are sending these incorrect login requests, please look at the web server log files (folder "\Logs\webserver") to find out the IP addresses of systems that connect to the web server.
Log file entries look like this:
2011-09-28 09:30:21 127.0.0.1 "user10658-aureliol" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_type=ping&login=aureliol&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /controls/sensorstats.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /api/getstatus.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /icons/favicon_red.png - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:24 10.0.2.173 "user10649-dirkp" prtg.com 443 GET /api/table.xml content=sensortree&nosensors=1&id=0&nosession=1&new=1&last=2011-09-28-07-30-04&devices=&v=16511&login=dirkp&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
2011-09-28 09:30:24 10.0.9.150 "anonymous" prtg.com 443 GET / - 200 "Mozilla 4.0"
2011-09-28 09:30:24 10.0.9.150 "anonymous" prtg.com 443 GET /index.htm - 200 "Mozilla 4.0"
2011-09-28 09:30:25 10.0.0.157 "user10649" prtg.com 443 GET /api/getstatus.htm - 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:184.108.40.206) Gecko/20110902 Firefox/3.6.22"
2011-09-28 09:30:25 10.0.0.157 "user10649" prtg.com 443 GET /controls/sensorstats.htm - 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:220.127.116.11) Gecko/20110902 Firefox/3.6.22"
The third column shows the source IP address of the incoming request; the fourth column shows "anonymous" or the PRTG user id and - if the request is a login attempt - the username used to log in ("aureliol" and "dirkp" in the sample above). The last column displays the browser agent string (e.g. Mozilla, Safari). The Enterprise Console (Windows GUI of V7/8) uses the following browser agents:
To find failed login attempts search the log file for this string:
Failed logins show the login name and "login_failed" in the fourth column:
2011-09-28 09:30:30 10.0.2.204 "anonymous-dirk1-login_failed" prtg.com 443 GET /public/checklogin.htm loginurl=/group.htm?id=0&login=dirk1&passhash=*** 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0"
All this allows you to find the IP address, user accounts and user agents of the misconfigured systems.
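As an added example (not part of the KB article or of PRTG itself), a small Python parser for the web server log layout described above: it splits the fourth column into PRTG user id, login name and the login_failed / delayed marker, and counts failed logins per source IP, login name and user agent, the three things the answer tells you to look for. The sample lines are constructed (hosts, IPs and names are made up), and login names are assumed to contain no hyphen.

```python
import re
from collections import Counter
from dataclasses import dataclass
# One PRTG web server log entry, in the column layout shown in the answer above:
# date time client_ip "user_field" host port METHOD path query status "user_agent"
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<ip>\S+) "(?P<user>[^"]*)" \S+ \d+ '
    r'\S+ \S+ \S+ (?P<status>\d{3}) "(?P<agent>[^"]*)"$')

@dataclass
class Entry:
    ts: str
    ip: str             # source IP of the request (third column)
    prtg_user: str      # PRTG user id such as "user10658", or "anonymous"
    login: str          # login name tried, "" when the user field carries none
    failed: bool        # the user field carries "login_failed"
    delay_seconds: int  # >0 once PRTG has started slowing this client down
    agent: str          # browser / client agent string (last column)

def parse_line(line):
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user = m.group("user")
    # Fourth column: "<prtg user id>[-<login>[-login_failed...]]"; assumes login names contain no "-".
    parts = user.split("-")
    dm = re.search(r"delayed_(\d+)_seconds", user)
    return Entry(ts=m.group("ts"), ip=m.group("ip"), prtg_user=parts[0],
                 login=parts[1] if len(parts) > 1 else "",
                 failed="login_failed" in user,
                 delay_seconds=int(dm.group(1)) if dm else 0,
                 agent=m.group("agent"))

def failed_login_sources(lines):
    """Count failed logins per (source IP, login name, user agent) so the misconfigured client stands out."""
    counts = Counter()
    for e in filter(None, map(parse_line, lines)):
        if e.failed:
            counts[(e.ip, e.login, e.agent)] += 1
    return counts

# Constructed sample in the page's format (hosts, IPs and names are made up).
SAMPLE_LOG = """\
2011-09-28 09:30:30 10.0.2.204 "anonymous-dirk1-login_failed" prtg.example 443 GET /public/checklogin.htm loginurl=/group.htm?id=0&login=dirk1&passhash=*** 200 "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0"
2011-09-28 09:30:31 10.0.2.204 "anonymous-dirk1-login_failed" prtg.example 443 GET /public/checklogin.htm loginurl=/group.htm?id=0&login=dirk1&passhash=*** 200 "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0"
2011-09-28 09:32:05 127.0.0.1 "anonymous-svc_report-login_failed_and_delayed_120_seconds" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&content=sensorxref&login=svc_report&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
2011-09-28 09:32:06 10.0.2.173 "user10649-dirkp" prtg.example 443 GET /api/table.xml content=sensortree&login=dirkp&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
"""
```

A client that keeps failing from 127.0.0.1 with the "Indy Library" agent is the pattern the later replies attribute to a Library or a local Enterprise Console; the delay_seconds field tells you the slow-down has already started.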
Where is the "\Logs (Web Server)" folder? I searched the whole PRTG server filesystem and found nothing which has to do with it.
Mike, please see How and where does PRTG store its data?, the "Logs (Webserver)" folder resides inside the PRTG data folder. You might need to adjust your Windows Explorer view settings to see/access this hidden folder.
Is there any way to disable Overload Protection?
Sorry, the Overload Protection cannot be disabled.
Does the "Overload Protection is Active" message only show when there is something wrong or should it be on all the time?
Overload Protection indicates that there is an issue. Default should be that the overload protection is off.
Is there a config file or anything in the web interface where one can tweak the overload protection? My organization would like to configure stricter rules for overload protection. Initiating after 50 failed login attempts may be a little too high for us.
No, there is no config file or similar. The values in the overload protection are hard coded. Sorry.
Thank you for the fast reply. Is this something that can be added to a wishlist?
I will put this on the wishlist for upcoming releases but cannot guarantee if or when this will be implemented.
I'll add to that request, or a mechanism to do something about it. Some APIs I downloaded can't work, and segmenting automated reports is not a great option either.
Hello, new PRTG user here! LOVE IT!
But after changing the default login account and disabling the "prtgadmin" account I am now receiving this error.
I have this line in my logs,
2013-05-22 12:51:14 127.0.0.1 "anonymous-nhoague-login_failed_and_delayed_120_seconds" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_type=netflowheader&filter_type=n ...
Where does this anonymous come from? I have only found one place in the server administrator to change the login account, and then I also changed the login in the enterprise console.
This looks like a library access, which is trying to log in using the name 'nohague' but fails. This most likely has to do with the login name being used more than once for a user account. Please check on the same and adjust the name entries accordingly.
Hi Paessler Team,
I noticed that every time I run a report with graphics in one particular scenario (see below), the Overload Protection warning is displayed (ajax interface). I followed the steps above regarding the logs and I found the login_failed from the pc I am accessing the prtg page.
The prtg server can be accessed via a private IP (192.168.X.X) within the enterprise LAN and from the outside via a Public IP address.
1. Accessing prtg from the local network does not display the Overload Warning message during the report run.
2. Accessing prtg from the outside (public IP) displays the Overload Warning message. The report completes but slowly.
The important bit, if this issue occurs when generating HTML reports, is whether the password in the URL is right or wrong. Due to a bug in the generation of the forwarding URL by the Nag Screen, the password was set erroneously. This bug should have been fixed with version 14.1.9.x
How do I change the PRTG username tied to a library thread, as the person who created it has left and I want to disable their account? Due to this I am constantly having overload protection issues.
It's not possible to change the user who created a Library. I'm afraid at the moment it will be necessary to remove and re-create the Library. Sorry.
My log has a lot of errors. Could you help please?
2014-07-04 10:57:18 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_tags=@tag(esx)&filter_tags=@tag(esxserverhosthealthsensor)&filter_tags=@tag(esxserverhostsensor)&filter_tags=@tag(esxserversensor)&filter_tags=@tag(esxservervmsensor)&filter_tags=@tag(esxshealthsensor)&filter_tags=@tag(esxvmsensor)&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
2014-07-04 10:57:24 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_priority=5&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
2014-07-04 10:57:29 127.0.0.1 "user100-prtgadmin" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_priority=4&login=prtgadmin&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
These requests are from Libraries. Libraries are saved under the User Account who created the Library. The library then "logs in" with the same user account to refresh filters. So if a user is removed, who created a Library, the Library then causes these fails. It would be necessary to remove the Libraries as well.
I'm having this problem and looking at the log I see this:
2014-07-30 13:55:08 127.0.0.1 "anonymous-cerivera-login_failed_and_delayed_120_seconds" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_basetype=sensor&filter_type=jflowheader&filter_type=jflowcustom&login=cerivera&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
As Torsten said above, this is a call that is used by PRTG for a library. Please try and delete this library and the error should go away. It looks like this is used for a jFlow library so check to see if there are any of those in your PRTG installation.
Is it possible that this error occurs with a wrong username or password for a SENSOR?
Being locked out of PRTG because of overload protection should only happen when accessing PRTG itself. If a sensor has the wrong credentials and is using those to scan a device, the device itself could also have similar protection but you would have to check on the device if this is the case.
I just had the same issue. After checking the logs I have seen that it was my iOS app trying to log in again. I changed my Windows password and so the stored credential was no longer valid. And the iOS app (14.4.9) did not ask for the new password. It did a retry again and again.
So, check your app. While we are at it: it would be a nice touch if the app, like the various home banking apps, could additionally be secured against being started with a PIN or the password. Tablets in particular are sometimes "family devices", and Apple has no multi-user capability. It would be helpful if a daughter or son could not simply start the "fancy" icon and then change the servers in Dad's company.
Hi, I am seeing the following. Any ideas what's causing it?
login=admin&passhash=* 200 "Mozilla/3.0 (compatible; Indy Library)"
2015-05-11 15:20:50 10.9.62.9 "anonymous-prtgadmin-login_failed_and_delayed_120_seconds" 10.9.62.9 8080 POST /api/getstatus.htm login=prtgadmin&password=*&id=0 200 "Mozilla/5.0 (compatible; PRTG Network Monitor Enterprise Console; Windows)"
This might be an Enterprise Console configured with wrong credentials from a host with the IP 10.9.62.9. Can you check that out? :)
We have a similar situation where the local prtgadmin is creating login requests from the server itself. The only Libraries are those that shipped with the installation. Is the advice here http://kb.paessler.com/en/topic/25523-what-is-overload-protection#reply-194984 really saying we have to delete the default prtgadmin account or delete the libraries that shipped with the installation (and have to re-create them somehow from memory or after spending time documenting them)? This does not seem right. Our installation has only been running since yesterday.
Is there an Enterprise Console running on the PRTG server? It could also be a crashed EC. Can you make sure that there's no process called PRTG Enterprise Console running?
OK - thanks - found the Enterprise Console was running on the server from initial testing - now shut down on the server - how long before the overload warnings might be expected to go, so if not we can investigate further? Thanks
10 minutes without failed logins and the warning will disappear.
I have this warning jumping all the time. How can I stop this?
It's probably an Enterprise Console installed on either the PRTG server or anywhere in your network that still has the old credentials configured. In order to check this, please send your PRTG Core Server.log files (resides under C:\ProgramData\Paessler\PRTG Network Monitor\Logs (System)) to email@example.com - please reference this thread so we know it's you :)
We had this today, the failed logins have been identified and stopped.
Overload protection is not alerting as "on" but we are still locked out.
We can access PRTG with the admin account - our AD accounts are locked out.
Does Overload Protection display all the time it's on?
Thank you for your inquiry.
The overload protection is automatically disabled after 10 minutes without any failed login attempts. Please check on your Active Directory whether the actual user accounts are locked out, or log in to PRTG with the built-in admin account and issue a Clear Caches from within Setup > Administrative Tools.
Luciano Lingnau [Paessler Support]
Hi, if we know the account that is being brute forced (due to a change of Active Directory password), is it possible to sleep that account so that the Overload Protection is not activated for that account?
e.g. I've disabled the account hoping that the Overload Protection would stop... but it didn't.
I'm afraid this does not change anything. A failed login attempt is a failed login attempt in the end, no matter whether the user exists in PRTG's userbase or not. The only way around is stopping these failed logins by either updating credentials on the machine that causes those failing logins or disabling Enterprise Console for example on this machine in case Enterprise Console is responsible for these logins, which is also shown in the webserver log as also described above.
I would like to use a corresponding sensor in PRTG for Overload Protection (on a probe). Or is it already built in?
Overload Protection is a system function that prevents the PRTG server from becoming unstable and unresponsive. I'm not sure what you mean by, "I would like to use a corresponding sensor in PRTG for Overload Protection."
Can you elaborate?
How can I identify which sensor the following login failure is originating from?
127.0.0.1 "anonymous-prtgadmin-login_failed_and_delayed_120_seconds" 127.0.0.1 80 GET /api/table.xml username=prtgadmin&passhash=*&content=sensors&columns=objid,parentid,name,probe,group,device,status,priority,type,type_raw,message,tags&id=14003 200 "-"
The logon is anonymous, and it originated from the PRTG Core Server. But the only Sensors that can do anything like this would be HTTP REST API sensors, as those are the only ones that can make an API call.
Also, you might check your Notification Templates, as you can make an API call from there as well.