How can I stop random login attempts against my Windows Server 2008 R2?

I had this question after viewing "Tracking down source of Event ID: 4625 on Windows 2008R2 server".

I'm getting literally hundreds of attempted logins (all of which fail) showing the same Event ID (4625), but, in my case, each attempt shows a different LOGINNAME (e.g. JESUS, LISA, MARIA, the list goes on and on...). My situation is very similar to the prior question, but I have no idea what to do, and the "solution" as stated in the prior question (a "rogue" device) is not the issue. Below is a screenshot of my Event Viewer.

[Screenshot: Event Viewer, Security log, Audit Failure entries (Event-Viewer---Security-Audit-Failur.jpg)]

Jim Klocksin (Owner, Data Architects) asked:


Alex Green (Project Systems Engineer) commented:
Errrrr, I think someone is brute-forcing your network.
Alex Green (Project Systems Engineer) commented:
Get some downtime, then take out your internet and see if it continues.
ITguy565 commented:
I might go this route:

https://www.netwrix.com/kb/1587

This is a very good application to identify these types of issues long term.

Robert (System Admin) commented:
Just a suggestion. Check your firewall; see if you can identify the source IP and block it.
Jim Klocksin (Owner, Data Architects), author, commented:
I'm getting 30 to 40 of these every minute. I can't see anything in either my SonicWall logs or my Symantec Endpoint Security logs that occurs this frequently. At the same time, I have about 10 users actively connected to and using my system, so these "login attempts" (or whatever they are) are not affecting my RemoteApp software that I provide to my customers. This all started around 10:20 PM last night (9/19) and hasn't stopped since!
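The source address that the SonicWall logs do not show at this rate is recorded in the 4625 events themselves, in the IpAddress field of the event's XML body. The following is an added example, not code from the thread: it reads the Security log on the server, flattens each 4625 into an object, and groups the failures by source address and target account so the ranges worth blocking stand out. It assumes an elevated PowerShell prompt (2.0, as shipped with 2008 R2, is enough); the date in the usage line is a placeholder for "10:20 PM last night".

```powershell
# Added example (not from the thread): summarise Security event 4625 by
# source address and target account. Assumes an elevated prompt on the
# server; the failure auditing that produces 4625 is clearly already on.

function ConvertFrom-Event4625 {
    # Flatten one 4625 EventRecord into the fields a triage needs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    New-Object PSObject -Property @{
        Time      = $Event.TimeCreated
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        SourceIp  = $data['IpAddress']   # '-' when no network address was recorded
        LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network
        Status    = $data['Status']      # 0xC000006D = bad user name or password
    }
}

function Get-FailedLogonSummary {
    param(
        [datetime]$Since       = (Get-Date).AddHours(-1),
        [int]     $MinFailures = 10     # only report sources at or above this count
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows   = foreach ($e in $events) { ConvertFrom-Event4625 -Event $e }

    $rows | Group-Object SourceIp |
        Where-Object { $_.Count -ge $MinFailures } |
        Sort-Object Count -Descending |
        ForEach-Object {
            $users = @($_.Group | ForEach-Object { $_.User } | Select-Object -Unique)
            $types = @($_.Group | ForEach-Object { $_.LogonType } | Select-Object -Unique)
            New-Object PSObject -Property @{
                SourceIp      = $_.Name
                Failures      = $_.Count
                DistinctUsers = $users.Count          # many distinct names = user-name spray
                SampleUsers   = ($users | Select-Object -First 5) -join ','
                LogonTypes    = $types -join ','
            }
        }
}

# Usage: what has been hammering the box since last night? (placeholder time)
$lastNight = (Get-Date).Date.AddDays(-1).AddHours(22)
Get-FailedLogonSummary -Since $lastNight -MinFailures 20 |
    Format-Table SourceIp, Failures, DistinctUsers, SampleUsers, LogonTypes -AutoSize
```

A hundred failures from one address with a hundred different user names is the signature of the dictionary-of-names attack described in the question, and the SourceIp column is what goes into the firewall block. One caveat for 2008 R2: when Network Level Authentication is enabled, the failures from the NLA handshake are logged with logon type 3 and the IpAddress field can be "-", in which case the address has to come from the firewall or a packet capture, as Jim ended up doing.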
David Johnson, CD, MVP (Owner) commented:
Some script kiddie (could be more than one) has done a network search and looked for port 3389 being open. Having found one, they are trying to brute-force their way in. What you could do is attempt to restrict the remote addresses to the address ranges used by the local ISPs.

I personally had a bunch of script kiddies trying to brute-force into SQL Server port 1433 using the account SA and a bunch of passwords. Upon discovering this, I reduced the range of remote IPs to the actual IPs that I needed to connect from remotely.

Time to think about implementing a VPN.
Jim Klocksin (Owner, Data Architects), author, commented:
You are definitely right about the port being used to attempt to gain access. I don't use 3389, but that's irrelevant since they've found the port that I do use. I have a "backup" server on a separate network that's configured identically to my production server, so I'm able to reconfigure things on the backup network without impacting my customers using the primary network. As soon as I reconfigured my firewall on my backup network, the attacks stopped (or, more correctly, stopped appearing in my Security event log), and as soon as I configured my firewall back to the actual port I use, the attacks started to show up immediately in that same log.

I have over 500 legitimate users (only 12-15 concurrently using my system) that require access to my "hosting" platform, so it's impractical to restrict IP addresses. While this is not impacting my production users, it's unnerving (for lack of a better word...) to see all of this incoming traffic, even though I really don't believe that they'll ever be able to gain access, but, who knows!? Is there any other known solution to blocking these attempts without disrupting my entire hosting environment?
Jim Klocksin (Owner, Data Architects), author, commented:
After realizing that the "intruders" were using my RDP port, I monitored the packets running through my SonicWall firewall device and basically found three different IP address ranges that these attacks were coming from. One from Latvia, and the other two from either the Russian Federation or the Netherlands (depending on which IP locator service you want to believe...). So I blocked the entire ranges within my SonicWall, and these attacks are no longer getting to my server. Obviously, this is something I'll have to keep an eye on in the future, but, for the moment, this issue has been resolved. Thanks to all!!!
Jim Klocksin (Owner, Data Architects), author, commented:
Blocked source IP ranges inside my SonicWall firewall device, and attacks are no longer getting through to my server!
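Both of the firewall approaches in this thread, David Johnson's allow-list of the remote ranges that legitimately need the port and the block-list of attacker ranges that Jim applied at the SonicWall, can also be expressed on the server's own Windows Firewall, which is worth having as a second layer in case the perimeter device is reconfigured. This is an added example, not code from the thread or from either poster; the port and the address ranges are placeholders, and since 2008 R2 has no New-NetFirewallRule cmdlet it drives netsh advfirewall from PowerShell.

```powershell
# Added example (not from the thread): restrict the RDP listener in the
# server's own Windows Firewall. Port and ranges below are placeholders.

$RdpPort       = 3389                                   # replace with the non-default port actually in use
$AllowedRanges = @('203.0.113.0/24', '198.51.100.0/24')  # placeholder: customer / ISP ranges
$BlockedRanges = @('192.0.2.0/24')                       # placeholder: attacker ranges from the capture

function Set-RdpAllowList {
    # Allow-list mode (David Johnson's suggestion): only these remote ranges
    # may reach the port. Only effective if no other inbound rule for the same
    # port still allows "Any" remote address, so the built-in rule is narrowed too.
    param([int]$Port, [string[]]$Ranges)
    $remote = $Ranges -join ','
    # Delete any earlier copy so repeated runs do not stack rules; the delete
    # simply reports "No rules match" the first time.
    netsh advfirewall firewall delete rule name="RDP allow-list" | Out-Null
    netsh advfirewall firewall add rule name="RDP allow-list" dir=in action=allow `
        protocol=TCP "localport=$Port" "remoteip=$remote"
    # The stock 3389 rule is named "Remote Desktop (TCP-In)" on 2008 R2.
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new "remoteip=$remote"
}

function Set-RdpBlockList {
    # Block-list mode (what Jim did at the SonicWall): a block rule wins over
    # any allow rule for the same traffic, so it needs no changes elsewhere.
    param([int]$Port, [string[]]$Ranges)
    $remote = $Ranges -join ','
    netsh advfirewall firewall delete rule name="RDP block-list" | Out-Null
    netsh advfirewall firewall add rule name="RDP block-list" dir=in action=block `
        protocol=TCP "localport=$Port" "remoteip=$remote"
}

function Show-RdpRules {
    # Verification: print the rules this script manages so the remote-address
    # scope can be eyeballed before the change is trusted.
    netsh advfirewall firewall show rule name="RDP allow-list"
    netsh advfirewall firewall show rule name="RDP block-list"
}

# Usage: pick the mode that matches the user base. With 500 users on
# arbitrary home ISPs the allow-list is impractical, as Jim notes, and
# the block-list plus ongoing monitoring is the workable option.
Set-RdpBlockList -Port $RdpPort -Ranges $BlockedRanges
Show-RdpRules
```

The quoted `"remoteip=$remote"` matters: PowerShell would otherwise split an unquoted comma-separated argument into several arguments before netsh ever sees it. A block-list is only as current as the last look at the logs, which is why Jim's closing remark about keeping an eye on it is the right one; the allow-list, where the user base permits it, or a VPN in front of the port, as David suggests, removes the need to chase ranges at all.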