
I have 200+ failed logons per day, no source or username documented

SoleCreation asked
Last Modified: 2017-04-03
I have numerous (200+) Event Errors

Event ID 4625, my filter shows 1,170
Event ID 4634, my filter shows 254,489

The listed events are steadily growing...

My server info
Windows Server 2011 Essentials
Running in VM, clean install

History
Events just started about a month ago. Other research and troubleshooting is not yielding successful results.

Commented:
Is it accessible from the internet?
Shaun Vermaak, Senior Consultant

Commented:
Commented:
In such cases I sometimes go the hard way: Wireshark.

Log the network traffic for some time, and inspect the traffic around the time of the event, maybe for more than one event. If you have detected the offending packets, i.e. by filtering out all known & safe protocol types and peeking a bit deeper into the rest, they should reveal at least the IP they came from. And probably more...
IT Supervisor
Commented:

Commented:
You have to assemble 530/528.
Logon type will provide additional information.
Interactive, network, etc.
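An added example, not written by any commenter here, for the logon-type approach this comment suggests: a Python parser over exported 4625 message bodies that tallies failures by logon type and source address, so that a run of RemoteInteractive (type 10) failures from one address, or failures with no source recorded at all, stands out. The event texts and the 203.0.113.7 address are constructed sample data.

```python
import re
from collections import Counter

# Logon Type codes as Microsoft documents them for event 4625.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def parse_4625(message):
    """Pull logon type, failed account and source address out of one 4625 message body."""
    logon_type = int(re.search(r"Logon Type:\s*(\d+)", message).group(1))
    # "Account Name:" appears twice (Subject, then the account that failed); take the second.
    # Only horizontal whitespace is skipped so a blank value does not swallow the next line.
    names = re.findall(r"Account Name:[ \t]*(\S*)", message)
    account = names[1] if len(names) > 1 and names[1] not in ("", "-") else "<blank>"
    m = re.search(r"Source Network Address:[ \t]*(\S*)", message)
    source = m.group(1) if m and m.group(1) not in ("", "-") else "<none>"
    return {"logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
            "account": account, "source": source}

def summarize(messages):
    """Count failures per (logon type, source) so one noisy external address is obvious."""
    counts = Counter()
    for msg in messages:
        ev = parse_4625(msg)
        counts[(ev["logon_type"], ev["source"])] += 1
    return counts

def sample_event(logon_type, account, source):
    """Constructed 4625 message body in the Windows text layout (sample data, not a real log)."""
    return (f"An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tNULL SID\n"
            f"\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
            f"Logon Type:\t\t\t{logon_type}\n\nAccount For Which Logon Failed:\n"
            f"\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t{account}\n\tAccount Domain:\t\t\n\n"
            f"Network Information:\n\tWorkstation Name:\t-\n"
            f"\tSource Network Address:\t{source}\n\tSource Port:\t\t-\n")

# Constructed sample: three RDP-style (type 10) failures from one address, one type 3 with no source.
SAMPLE_EVENTS = [sample_event(10, "administrator", "203.0.113.7"),
                 sample_event(10, "admin", "203.0.113.7"),
                 sample_event(3, "", "-"),
                 sample_event(10, "-", "203.0.113.7")]

if __name__ == "__main__":
    for (ltype, src), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{n:>5}  {ltype:<18} {src}")
```

Event 4634 (the asker's second count) is a logoff record and carries no failure information, so it is left out of the tally.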
Shaun Vermaak, Senior Consultant

Commented:
Those are the old event IDs. Please find the new event IDs in my article in the previous post.

Commented:
There are others; I am aware of the others. One has to know whether there are older systems that would be reflected under the old ... request to SBS, SBS generating/reporting...

The older Account Lockout tool from MS TechNet includes a tool that can scour the security event log and allow you to view its content.

Clean install means nothing. What applications are users using? Mapped drives, mapped other resources, applications that rely on AD security for access/rights assignment...

External access: RDP, access to email, ActiveSync, access to VPN, ...
David Atkin, Technical Director
Commented:

Author

Commented:
Thanks John and David! RDP port change and reboot! All safe now.