How can I stop random login attempts against my Windows Server 2008 R2?

Jim Klocksin
I had this question after viewing Tracking down source of Event ID:  4625 on Windows 2008R2 server.

I'm getting literally hundreds of attempted logins (all of which fail) showing the same Event ID (4625), but, in my case, each attempt shows a different LOGINNAME (e.g. JESUS, LISA, MARIA, the list goes on and on....).  My situation is very similar to the prior question, but I have no idea what to do and the "solution" as stated in the prior question (a "rogue" device) is not the issue....below is a screen shot of my event viewer.

[Screenshot: Event Viewer, Security log, audit failure entries]
Alex, Senior Infrastructure Analyst

Commented:
Errrrr, I think someone is brute forcing your network.
Alex, Senior Infrastructure Analyst

Commented:
Get some downtime, then take out your internet and see if it continues.
I might go this route :

https://www.netwrix.com/kb/1587

This is a very good application to identify these types of issues long term.

Robert, System Admin

Commented:
Just a suggestion. Check your firewall to see if you can identify the source IP and block it.

Jim Klocksin, Owner, Data Architects (Author)

Commented:
I'm getting 30 to 40 of these every minute.  I can't see anything in either my SonicWall logs or my Symantec Endpoint Security logs that occurs this frequently.  At the same time, I have about 10 users actively connected to and using my system, so these "login attempts" (or whatever they are) are not affecting my RemoteApp software that I provide to my customer.  This all started around 10:20 PM last night (9/19) and hasn't stopped since!
Top Expert 2016
Commented:
Some script kiddie (could be more than 1) has done a network search and looked for port 3389 being open. Having found one, it is trying to brute force their way in. What you could do is attempt to restrict the remote addresses to address ranges used by the local ISPs.

I personally had a bunch of script kiddies trying to brute force into SQL Server port 1433 using account SA and a bunch of passwords. Upon discovering this I reduced the range of remote IPs to the actual IPs that I needed to connect from remotely.

Time to think about implementing a VPN.

Jim Klocksin, Owner, Data Architects (Author)

Commented:
You are definitely right about the port being used to attempt to gain access.  I don't use 3389, but that's irrelevant since they've found the port that I do use.  I have a "backup" server on a separate network that's configured identically to my production server, so I'm able to reconfigure things on the backup network without impacting my customers using the primary network.  As soon as I reconfigured my firewall on my backup network, the attacks stopped (or, more correctly, stopped appearing in my Security event log) and as soon as I configured my firewall back to the actual port I use, the attacks started to show up immediately in that same log.

I have over 500 legitimate users (only 12-15 concurrently using my system) that require access to my "hosting" platform so it's impractical to restrict IP addresses.  While this is not impacting my production users, it's unnerving (for lack of a better word...) to see all of this incoming traffic even though I really don't believe that they'll ever be able to gain access, but, who knows!?  Is there any other known solution to blocking these attempts without disrupting my entire hosting environment?
Jim Klocksin, Owner, Data Architects (Author)

Commented:
After realizing that the "intruders" were using my RDP port, I monitored the packets running through my SonicWall firewall device and basically found three different IP address ranges that these attacks were coming from. One from Latvia, and the other two from either the Russian Federation or the Netherlands (depending on which IP Locator service you want to believe...). So I blocked the entire ranges within my SonicWall and these attacks are no longer getting to my server. Obviously, this is something I'll have to keep an eye on in the future, but, for the moment this issue has been resolved. Thanks to all!!!
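The pattern described in this thread (dozens of 4625 failures per minute, a different username on every attempt, a handful of source addresses) can be picked out of the Security log automatically rather than by watching the firewall. The following is an added example, not code from the thread or from any product mentioned here; it assumes the events were exported as XML (for instance via `Get-WinEvent` and `.ToXml()`), and the sample events and IP addresses in it are constructed.

```python
"""Flag brute-force / password-spray sources in Windows 4625 (logon failure) events."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_4625(xml_text):
    """Return (time, target_user, source_ip, logon_type) from one 4625 event's XML."""
    root = ET.fromstring(xml_text)
    when = root.find("e:System/e:TimeCreated", NS).attrib["SystemTime"]
    data = {d.attrib["Name"]: (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    # SystemTime carries 7 fractional digits; keep the seconds-resolution prefix.
    return (datetime.fromisoformat(when[:19]), data.get("TargetUserName", ""),
            data.get("IpAddress", "-"), data.get("LogonType", ""))

def suspicious_sources(events, window=timedelta(minutes=1), max_failures=10, max_users=5):
    """Group failures by source IP; flag a burst inside one window or many distinct usernames.

    A legitimate user mistyping a password gives a few failures for one name; the
    pattern in the question (30-40 per minute, a new name each time) trips both rules.
    """
    by_ip = defaultdict(list)
    for when, user, ip, _ in events:
        by_ip[ip].append((when, user))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        users = {u for _, u in hits}
        # Peak number of failures in any sliding window starting at one of the hits.
        peak = max(sum(1 for t, _ in hits if start <= t < start + window) for start, _ in hits)
        if peak >= max_failures or len(users) >= max_users:
            flagged[ip] = {"failures": len(hits), "distinct_users": len(users), "peak_per_window": peak}
    return flagged

EVENT_TMPL = (  # minimal 4625 shape with only the fields this script reads (constructed)
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>4625</EventID><TimeCreated SystemTime="{t}"/></System>'
    '<EventData><Data Name="TargetUserName">{u}</Data><Data Name="LogonType">10</Data>'
    '<Data Name="IpAddress">{ip}</Data></EventData></Event>'
)

def sample_events():
    """Constructed sample: one spraying host (12 names in 55 s) and one user who fat-fingered twice."""
    base = datetime(2017, 9, 19, 22, 20, 0)
    names = ["JESUS", "LISA", "MARIA", "ADMIN", "GUEST", "TEST",
             "USER1", "ADMINISTRATOR", "SCAN", "ROOT", "SALES", "BACKUP"]
    xml = [EVENT_TMPL.format(t=(base + timedelta(seconds=5 * i)).isoformat() + ".0000000Z",
                             u=n, ip="203.0.113.7") for i, n in enumerate(names)]
    xml += [EVENT_TMPL.format(t=(base + timedelta(minutes=m)).isoformat() + ".0000000Z",
                              u="alice", ip="192.0.2.10") for m in (3, 4)]
    return [parse_4625(x) for x in xml]
```

The flagged addresses are the candidates for a firewall block; the `distinct_users` count is what separates a spray like the one in the question from a single locked-out user.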
Jim Klocksin, Owner, Data Architects (Author)

Commented:
Blocked source IP ranges inside my SonicWall firewall device and attacks are no longer getting through to my server!