This article applies to PRTG Network Monitor 9.1.1 or later

In the PRTG web interface I can see this message:

Overload Protection is Active

What does it mean?


Overload Protection

The PRTG web server has a built-in mechanism called "Overload Protection" that defends against denial-of-service and brute-force password-cracking attacks. This mechanism also avoids the performance impact of incorrectly configured clients.


Overload Protection cannot be disabled.

How does Overload Protection work?

  • As soon as 50 login attempts have failed (incorrect username or password), the web server delays all subsequent login attempts by 2 seconds.
  • All subsequent login attempts with incorrect passwords are delayed by 120 seconds.
  • This behaviour stops after 10 minutes without any failed login attempts.

The message "Logon attempts slowed down due to failed logon margin exceeded in a short amount of time" is added to the log when this mode kicks in.

The message "100 logons failed since last start of PRTG" is shown 100 incorrect logins later.
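The following Python model is an added example, not PRTG's own code: it encodes the three rules above (50 failures arm the protection, 2 seconds for every later login, 120 seconds for later logins with a wrong password, reset after 10 minutes without a failure) so that an administrator can reason about how a misconfigured API client would be affected. The class name, the constants and the simulated attempt list are assumptions made for this example; the thresholds are the values stated in the article.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds as stated in the article (the names are this example's own).
FAILED_LOGIN_THRESHOLD = 50   # failed attempts that arm the protection
DELAY_ANY_ATTEMPT = 2.0       # seconds added to every login once armed
DELAY_BAD_PASSWORD = 120.0    # seconds for further incorrect-password logins
RESET_AFTER = 600.0           # 10 minutes without a failure disarms it


@dataclass
class OverloadProtectionModel:
    """Model of the documented behaviour; not PRTG's implementation."""
    failed_attempts: int = 0
    last_failure_at: Optional[float] = None   # seconds; None until first failure

    def _maybe_reset(self, now: float) -> None:
        # The mode ends after RESET_AFTER seconds without any failed login.
        if self.last_failure_at is not None and now - self.last_failure_at >= RESET_AFTER:
            self.failed_attempts = 0
            self.last_failure_at = None

    def is_active(self, now: float) -> bool:
        self._maybe_reset(now)
        return self.failed_attempts >= FAILED_LOGIN_THRESHOLD

    def login(self, now: float, credentials_ok: bool) -> float:
        """Record one login attempt at time `now` (seconds) and return the
        delay in seconds the web server would impose on it."""
        if self.is_active(now):
            delay = DELAY_ANY_ATTEMPT if credentials_ok else DELAY_BAD_PASSWORD
        else:
            delay = 0.0
        if not credentials_ok:
            self.failed_attempts += 1
            self.last_failure_at = now
        return delay


def simulate(attempts):
    """attempts: iterable of (time_seconds, credentials_ok).
    Returns the delay applied to each attempt, in order."""
    model = OverloadProtectionModel()
    return [model.login(t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed scenario: a forgotten client retries a stale password once per
    # second, then a legitimate user logs in, then 10 quiet minutes pass.
    scenario = [(t, False) for t in range(51)] + [(51, True), (651, True)]
    for (t, ok), delay in zip(scenario, simulate(scenario)):
        if delay:
            print(f"t={t:4d}s credentials_ok={ok!s:5} -> delayed {delay:.0f}s")
```

The practical reading of the model: the single stale client pays the 120-second penalty, but every legitimate login is slowed by 2 seconds until the failures stop for 10 minutes, which is why finding and fixing the misconfigured client is the only real remedy.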

Why does PRTG have this protection?

PRTG's handling of user credentials, logins and sessions is quite CPU intensive and can block many internal processes, even the monitoring itself. Attacks such as brute-force password cracking or DoS attacks can therefore bring down monitoring and alerting, which is the core job of PRTG. We believe that PRTG must do everything possible to keep its monitoring engine running, so we decided that a potentially slower interface is the smaller price to pay compared to incorrect monitoring results or even missed alerts.

Where do these incorrect login attempts come from?

  • There are one or more systems in the network that repeatedly connect to the PRTG server with incorrect credentials, which triggers the protection mode.
  • Usually these are systems that connect to the PRTG server through the PRTG API.
  • Quite likely these systems are forgotten, misconfigured or rogue PCs running the PRTG 7/8 Windows GUI or the PRTG Enterprise Console without proper username/password configuration.
  • Also PRTG smartphone apps (PRTG for iOS and PRTG for Android, or the discontinued apps PRTG for Windows Phone and PRTG for BlackBerry) are possible sources.
  • All processes that try to load data from your PRTG server through API calls with wrong credentials can trigger overload protection, too.
  • If you created "Libraries" with a PRTG user account that uses Active Directory credentials, overload protection can be triggered after you change the Active Directory password for this user account. A library thread running in the background will cause invalid login attempts and therefore trigger the overload protection. To avoid this, please make sure you log in once to PRTG with the new credentials after changing a user account's Active Directory password.

How can I find these rogue systems?

If you do not know which systems and/or which programs are sending these incorrect login requests, please look at the web server log files (folder "\Logs\webserver") to find out the IP addresses of systems that connect to the web server.

Logfile entries look like this:

2011-09-28 09:30:21 127.0.0.1 "user10658-aureliol" 127.0.0.1 8085 GET /api/table.csv id=0&count=1000&noraw=1&content=sensorxref&columns=objid&filter_type=ping&login=aureliol&passhash=*** 200 "Mozilla/3.0 (compatible; Indy Library)"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /controls/sensorstats.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /api/getstatus.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:23 10.0.2.201 "user10994" prtg.com 443 GET /icons/favicon_red.png - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
2011-09-28 09:30:24 10.0.2.173 "user10649-dirkp" prtg.com 443 GET /api/table.xml content=sensortree&nosensors=1&id=0&nosession=1&new=1&last=2011-09-28-07-30-04&devices=&v=16511&login=dirkp&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
2011-09-28 09:30:24 10.0.9.150 "anonymous" prtg.com 443 GET / - 200 "Mozilla 4.0"
2011-09-28 09:30:24 10.0.9.150 "anonymous" prtg.com 443 GET /index.htm - 200 "Mozilla 4.0"
2011-09-28 09:30:25 10.0.0.157 "user10649" prtg.com 443 GET /api/getstatus.htm - 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22"
2011-09-28 09:30:25 10.0.0.157 "user10649" prtg.com 443 GET /controls/sensorstats.htm - 200 "Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22"

The third column shows the source IP address of the incoming request. The fourth column shows "anonymous" or the PRTG user id and, if the request is a login attempt, the username used to log in ("aureliol" and "dirkp" in the sample above). The last column displays the browser agent string (e.g. Mozilla, Safari). The Enterprise Console (Windows GUI of V7/8) uses the following browser agents:

  • PRTG Network Monitor Tray Notifier
  • PRTG Network Monitor GUI

To find failed login attempts, search the log file for this string:

login_failed

Failed logins show the login name and "login_failed" in the fourth column:

2011-09-28 09:30:30 10.0.2.204 "anonymous-dirk1-login_failed" prtg.com 443 GET /public/checklogin.htm loginurl=/group.htm?id=0&login=dirk1&passhash=*** 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0"

This allows you to identify the IP addresses, user accounts and user agents of the misconfigured systems.
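Searching a large web server log by hand is tedious, so here is an added Python example (not part of the article and not a Paessler tool) that parses log lines in the layout shown above, picks out the entries whose fourth column ends in "login_failed", and counts them per source IP, login name and user agent. The regular expression, the function names and the sample log lines below are this example's own; the sample is constructed from the article's format, with extra lines invented to show repeated failures from one host.

```python
import re
from collections import Counter

# One PRTG web server log line in the layout shown in the article: date, time,
# source IP, quoted user field, host, port, method, path, query (or "-"),
# HTTP status, quoted user agent. The field names are this example's own.
LOG_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) "(?P<user>[^"]*)" '
    r'(?P<host>\S+) (?P<port>\d+) (?P<method>\S+) (?P<path>\S+) '
    r'(?P<query>\S+) (?P<status>\d+) "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The user field is "anonymous" or a PRTG user id, optionally followed by
    # "-<login name>" for login attempts and "-login_failed" for failures.
    parts = rec["user"].split("-")
    rec["login_failed"] = parts[-1] == "login_failed"
    rec["login_name"] = parts[1] if len(parts) >= 2 and parts[1] != "login_failed" else None
    return rec


def failed_login_report(lines):
    """Count failed logins per (source IP, login name, user agent)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["login_failed"]:
            counts[(rec["ip"], rec["login_name"], rec["agent"])] += 1
    return counts


def top_offenders(lines):
    """Return [(ip, login_name, agent, count)] sorted by count, descending."""
    return [(ip, name, agent, n)
            for (ip, name, agent), n in failed_login_report(lines).most_common()]


# Constructed sample log: line 2 is the article's own failed-login example,
# lines 3 and 4 are invented to show a stale PRTG GUI client retrying.
SAMPLE_LOG = """\
2011-09-28 09:30:24 10.0.2.173 "user10649-dirkp" prtg.com 443 GET /api/table.xml content=sensortree&id=0&login=dirkp&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
2011-09-28 09:30:30 10.0.2.204 "anonymous-dirk1-login_failed" prtg.com 443 GET /public/checklogin.htm loginurl=/group.htm?id=0&login=dirk1&passhash=*** 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0) Gecko/20100101 Firefox/7.0"
2011-09-28 09:30:31 10.0.5.17 "anonymous-oldsvc-login_failed" prtg.com 443 GET /api/table.xml content=sensortree&id=0&login=oldsvc&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
2011-09-28 09:30:33 10.0.5.17 "anonymous-oldsvc-login_failed" prtg.com 443 GET /api/table.xml content=sensortree&id=0&login=oldsvc&password=*** 200 "Mozilla/5.0 (compatible; PRTG Network Monitor GUI; Windows)"
2011-09-28 09:30:35 10.0.2.201 "user10994" prtg.com 443 GET /api/getstatus.htm - 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"
""".splitlines()


if __name__ == "__main__":
    for ip, name, agent, n in top_offenders(SAMPLE_LOG):
        print(f"{n:4d} failed logins from {ip} as {name!r} ({agent})")
```

To run it against a real log, pass the opened file object instead of SAMPLE_LOG (for example `top_offenders(open(path, encoding="utf-8"))`); the user agent column tells you whether the offender is a browser, a PRTG GUI or an API script, and the login name tells you which account's password is stale.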


Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.