Joshua Brown asked:
I have 200+ failed logons per day, no source or username documented

I have numerous (200+) event errors:

Event ID 4625, my filter shows 1,170
Event ID 4634, my filter shows 254,489

The listed events are steadily growing...

My server info
Windows Server 2011 Essentials
Running in a VM, clean install

History
Events just started about a month ago. Other research and troubleshooting is not yielding successful results.
gheist:

Is it accessible from the internet?
Shaun Vermaak:

In such cases I sometimes go the hard way: Wireshark.

Log the network traffic for some time, and inspect the traffic around the time of the event, maybe for more than one event. If you have detected the offending packets, i.e. by filtering out all known & safe protocol types and peeking a bit deeper into the rest, they should reveal at least the IP they came from. And probably more ....
John Tsioumpris (asker-certified solution; content available to members only)
You have to assemble 530/528.
Logon type will provide additional information.
Interactive, network, etc...

Those are the old event IDs. Please find the new event IDs in my article in the previous post.

There are others, I am aware of the others, one has to know whether there are older systems that would be reflected under the old ..... request to SBS, SBS generating/reporting....

The older account lockout tool from MS TechNet includes a tool that can scour the security event log and allow you to view its content.

Clean install means nothing; what applications are users using? Mapped drives, mapped other resources, applications that rely on AD security for access/rights assignment......

External access: RDP, access to email, ActiveSync, access to VPN, .......
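An added example, not posted by anyone in this thread, that does what the replies above point at: read the logon type and source address out of the 4625 events (the current ID for the old 528/530 failures) instead of scrolling the viewer. It assumes it is run in an elevated PowerShell on the server itself with the default Security log; the logon-type names are the standard ones documented for 4625.

```powershell
# Added example: summarise Security event 4625 (failed logon) for the last day
# by source address, logon type and target account.
$logonTypes = @{
    '2'  = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7'  = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The useful fields (IpAddress, LogonType, TargetUserName, ...) are in EventData;
    # read them from the event XML rather than parsing the message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        # '-' or empty means the logon path did not record a client address
        SourceIp    = if ($data['IpAddress'] -in @('-', $null, '')) { '(none)' } else { $data['IpAddress'] }
        LogonType   = $logonTypes[[string]$data['LogonType']]
        TargetUser  = $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SubStatus   = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Which sources and logon types dominate? Type 10 (RemoteInteractive) from public
# addresses points at exposed RDP; type 3 (Network) at SMB, web or other services.
$rows | Group-Object SourceIp, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Accounts being tried most often.
$rows | Group-Object TargetUser | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

If the source address is '(none)' for most rows, the LogonType and WorkstationName columns are what narrow it down, as the replies above say.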
A further solution (content available to members only)

Joshua Brown (asker):
Thanks John and David! RDP port change and reboot! All safe now.