We are running a Windows 2003 server fully patched and running Windows Firewall.
When we check the Windows Event Viewer on the System tab it shows repeated items as follows - these occur approximately every 8 seconds. Occasionally there will be a break for 10 to 15 minutes and then the attacks start again. The message in Windows Event Viewer is as follows:
Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
The Event ID is: 1012
And the Source for each is listed as: TermService
Using a Network monitoring tool, we can see that the packets are coming in on Port 3389 (the standard Remote Desktop / Terminal Services port). So, we have changed RDP to run on Port 3390. We have added an Exception to the Windows Firewall to allow traffic on Port 3390. We have then unticked the Exception in the Windows Firewall for the standard RDP Port 3389. We thought that this would then stop the attacks from being written to the Windows Event Viewer log.
However, doing this has had no effect - the Windows Event Viewer still shows every 6 to 10 seconds the message "Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated."
How can we stop these attacks from happening?
500 points for a working solution.
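
An added example, not part of the original post: a short Python script that takes the TermService Event ID 1012 records from an exported System log, groups them into bursts, and counts those logged after a configuration change, which is the check the post performs by eye. The CSV layout, the timestamps, the change time and the 60-second burst gap are all assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export of the System log (assumed columns, made-up times).
SAMPLE = """time,source,event_id
2009-03-02 10:00:00,TermService,1012
2009-03-02 10:00:08,TermService,1012
2009-03-02 10:00:16,TermService,1012
2009-03-02 10:00:24,TermService,1012
2009-03-02 10:05:00,Service Control Manager,7036
2009-03-02 10:12:30,TermService,1012
2009-03-02 10:12:38,TermService,1012
2009-03-02 10:12:46,TermService,1012
"""

def load_1012(text):
    """Return sorted timestamps of TermService Event ID 1012 records."""
    rows = csv.DictReader(io.StringIO(text))
    return sorted(datetime.strptime(r["time"], FMT) for r in rows
                  if r["source"] == "TermService" and r["event_id"] == "1012")

def bursts(times, max_gap=timedelta(seconds=60)):
    """Group timestamps; a silence longer than max_gap starts a new burst."""
    groups = []
    for t in times:
        if groups and t - groups[-1][-1] <= max_gap:
            groups[-1].append(t)
        else:
            groups.append([t])
    return groups

def summarize(groups):
    """Per burst: start, end, event count and mean seconds between events."""
    out = []
    for g in groups:
        span = (g[-1] - g[0]).total_seconds()
        mean = span / (len(g) - 1) if len(g) > 1 else None
        out.append({"start": g[0], "end": g[-1],
                    "count": len(g), "mean_interval_s": mean})
    return out

def logged_after(times, change_time):
    """Events recorded after the change; any hit means lockouts continued."""
    return [t for t in times if t > change_time]

if __name__ == "__main__":
    events = load_1012(SAMPLE)
    for b in summarize(bursts(events)):
        print(b)
    change = datetime(2009, 3, 2, 10, 10, 0)  # constructed time of the port change
    print("1012 events after change:", len(logged_after(events, change)))
```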