I have 200+ failed logon's per day, no source or username documented

I have numerous (200+) Event Errors

Event ID 4625, my filter shows 1,170
Event ID 4634, my filter shows 254,489

The listed events are steadily growing...

My server info
Windows Server 2011 Essentials
Running in VM, clean install

Event's just started about a month ago. other research and troubleshooting is not yielding successful results.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Is is accessible from the internet?
Shaun VermaakTechnical SpecialistCommented:
In such cases I sometimes go the hard way: Wireshark.

Log the network traffic for some time, and inspect the traffic around the time of the event, maybe for more than one event. If you have detected the offending packets, i.e. by filtering out all known & safe protocol types and peek a bit deeper into the rest, they should reveal at least the IP the came from. And probably more ....
 Acronis Global Cyber Summit 2019 in Miami

The Acronis Global Cyber Summit 2019 will be held at the Fontainebleau Miami Beach Resort on October 13–16, 2019, and it promises to be the must-attend event for IT infrastructure managers, CIOs, service providers, value-added resellers, ISVs, and developers.

John TsioumprisSoftware & Systems EngineerCommented:
I am under the impression that someone is trying to hack you by RDP....he is using the administrator account name which has 'password never expires' and he/she is trying to get access...i would suggest just for start to change the RDP port from outside...right now it should be 3389.....change it to something else and observe...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You have to assemble 530/528
Logon type will provide additional information..
Interactive, network, etc...
Shaun VermaakTechnical SpecialistCommented:
Those are the old event IDs. Please find new event IDs in my article in previous post
there are others, I am aware of the others, one has to know whether there are older systems that would be reflected under the old ..... request to SBS, SBS generating/reporting....

older account lockout tool from MS technet, includes a tool that can scour the security event log and allow you to view its content.

Clean install means nothing, what application, users are using? mapped drives, mapped other resources, applications that rely on AD security for access/rights assignment......

External access RDP, access to email, active sync, access to VPN, .......
David AtkinTechnical DirectorCommented:
I'd agree with John Tsioumpris.  

You can confirm this if in the details the logon type is 10.  

If you are getting this then as John suggested, change the external RDP Port on the Router.
SoleCreationAuthor Commented:
Thanks John and David! RDP port change and reboot! All safe now.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.