PatAmmirati asked:

Multiple EventID 4625 Messages

I have 2 Windows web servers (2003 & 2008). They both experience thousands of EventId 4625 on the security log.
They are all against non-existent usernames.
Is there any way to lock them out after a few attempts, as opposed to have them fill up the event log?
They mostly come from IP addresses out of the US.
Tags: Microsoft Legacy OS, Windows Server 2008, Microsoft Server OS

Last comment: Tony Giangreco, 8/22/2022 (Mon)

Since the user names are invalid, would I still be able to lock them out with a security policy?
Tony Giangreco

Probably not, but you can lock the IP spans out if you track them back to their ISPs with SmartSniff.
David Kroll

I recently began blocking IP addresses in the firewall. I was seeing hundreds of those errors and most of them were outside the US.
Tony Giangreco

It's much more efficient to block by ISP and/or country than by IP. Hackers normally attack from multiple points.

Can IP ranges be blocked within the Server Software, or is additional hardware needed?
Tony Giangreco

The Syspeace app can block out ranges, but that means those hits are still getting to your server. I'd block them out on the firewall so your server doesn't get all that static.
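An added example, not code from any poster in this thread: a PowerShell script for the 2008 server that counts 4625 failures per source IP over a look-back window and adds a Windows Firewall (netsh advfirewall) inbound block rule for any address over a threshold. The threshold, window and rule-name prefix are assumed values; the SubStatus filter keeps only the "user name does not exist" failures the question describes.

```powershell
# Added example, not from the thread. Assumes Server 2008 (Get-WinEvent and
# netsh advfirewall); $Threshold, $Hours and the rule-name prefix are assumed values.
param(
    [int]$Threshold = 20,      # failed logons from one IP before it is blocked
    [int]$Hours     = 24,      # how far back in the Security log to look
    [switch]$ReportOnly        # list offenders without adding firewall rules
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$counts = @{}
foreach ($e in $events) {
    # Pull the named EventData fields (IpAddress, SubStatus, ...) out of the event XML
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # SubStatus 0xC0000064 = "user name does not exist", the pattern in the question
    if ($data['SubStatus'] -ne '0xc0000064') { continue }

    $ip = $data['IpAddress']
    # Skip console/local logons and loopback so the script never blocks the server itself
    if (-not $ip -or $ip -eq '-' -or $ip -eq '127.0.0.1' -or $ip -eq '::1') { continue }
    $counts[$ip] = 1 + [int]$counts[$ip]
}

$offenders = $counts.GetEnumerator() |
    Where-Object { $_.Value -ge $Threshold } |
    Sort-Object Value -Descending
$offenders | Format-Table @{n='SourceIP';e={$_.Name}}, @{n='Failures';e={$_.Value}} -AutoSize

if ($ReportOnly) { return }

foreach ($o in $offenders) {
    $ip       = $o.Name
    $ruleName = "Block-4625-$ip"
    # netsh exits non-zero when no rule matches, so exit code 0 means the rule already exists
    netsh advfirewall firewall show rule name="$ruleName" | Out-Null
    if ($LASTEXITCODE -eq 0) { continue }
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block remoteip=$ip | Out-Null
    Write-Output "Blocked $ip after $($o.Value) failed logons"
}
```

Run it from an elevated prompt; with -ReportOnly it only prints the per-IP counts, which is a sensible first pass before letting it add rules.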
Tony Giangreco

Have you made any progress?

No progress - I have a few ideas, but it seems like a hardware solution is going to be the answer.
I would have liked to know which of the server IPs they were hitting, but I am going to close this problem.
Seth Simmons

I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Tony Giangreco

I object to this question being closed without points being awarded. As I mentioned above, I had the exact same problem on a 2003 terminal server. I worked on that problem for months and found a solution consisting of a SonicWall TZ210W firewall and the installation of an app named SysPeace on the terminal server. That was the end of consistent hacking attempts on my server. When I replaced that server with a 2008 server, I installed the same application and kept the same firewall. That combination of proactive steps kept the hackers off my server's doorsteps and out of my network.

Because I developed this combination of proactive steps and suggested the same solution in this question, I suggest awarding points based on the solid solution I suggested.