OK, I assume I'll need a third-party program for this, but here goes. I have a terminal server running '03 that has a public IP (I hope to change the way we have this set up). Every hour or so we get attacked by some random IP addresses from Europe or Asia. I see in my logs the audit failure along with an originating IP. This happens every few seconds for hours, or until I block the IP in my firewall.
So, since it looks like a botnet that's making the attack, is there any easy way to flag security audit failures to send me a warning, so that I can block the IP quickly?
Or, does anyone have any other suggestions on fixing this?
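
One way to flag repeated audit failures per originating IP, as an added example that is not part of the original post. It assumes the security log has been exported to a simplified `timestamp,audit result,source IP` text format (constructed here); `find_offenders`, the threshold and the window are hypothetical choices.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: simplified export of security-log entries as
# "timestamp,audit result,source IP" (assumed format, documentation-range IPs).
SAMPLE_LOG = """\
2024-01-01 10:00:00,Failure Audit,203.0.113.7
2024-01-01 10:00:03,Failure Audit,203.0.113.7
2024-01-01 10:00:05,Success Audit,192.0.2.10
2024-01-01 10:00:06,Failure Audit,203.0.113.7
2024-01-01 10:00:09,Failure Audit,203.0.113.7
2024-01-01 10:00:12,Failure Audit,203.0.113.7
2024-01-01 10:05:00,Failure Audit,198.51.100.4
2024-01-01 10:30:00,Failure Audit,198.51.100.4
garbled line without enough fields
"""

def find_offenders(log_text, threshold=5, window_seconds=60):
    """Return {ip: alert time} for IPs with >= threshold failures inside the window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[1] != "Failure Audit":
            continue              # skip successful logons and malformed lines
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue              # unparseable timestamp
        ip = parts[2]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts       # alert once per IP, when it first crosses the threshold
    return alerts

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ALERT {when}: {ip} exceeded the failed-logon threshold; candidate for blocking")
```

The sliding window keeps a single mistyped password from raising an alert while still catching a source that fails every few seconds.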