
I'm getting hundreds of messages in my Security event log like:

An account failed to log on.

Failure Reason: Unknown user name or bad password.

Caller Process Name: C:\Windows\System32\winlogon.exe

Source Network Address: 115.152.173.214
Source Port:        3876

Every 5 seconds, any idea why?

Thanks.

Patrick

1 Answer

Whois lookup for 115.152.173.214 (lookup status: Succeed):

    Country:    China
    Network:    CHINANET-JX CHINANET JIANGXI PROVINCE NETWORK
    Range:      115.152.0.0 - 115.153.255.255 (115.152.0.0/15)
    Contact:    Chinanet Hostmaster, No.31, jingrong street, beijing, 100032
    E-mail:     anti-spam@ns.chinanet.cn.net
    Phone:      +86-10-58501724
    Registry:   APNIC

So unless you have any legitimate users logging in from China then someone is trying to brute-force login credentials for your network.

What services have you got exposed to the internet? You may want to consider configuring your firewall to block netblocks outside of your operational area.

Possible duplicate of: Determine windows server attack? Should I monitor the server and block IPs all the day?

And there's probably a canonical answer somewhere, but I'm unable to find it at present.

BlueCompute
  • Hi, thanks. It's a pure Web Server, with RDP, DNS, no FTP or any other external service. – Patrick Mar 05 '14 at 14:21
  • If RDP is exposed to the internet it's no surprise you're being hit. Don't do it. – BlueCompute Mar 05 '14 at 14:31
  • VPN first - then internal services - never straight on the internet! – ETL Mar 05 '14 at 14:35
  • Hi, thanks, but how can I manage the server console without RDP? – Patrick Mar 05 '14 at 14:58
  • @Patrick Look into WinRM and PowerShell remoting. The other option that will eliminate the vast majority of brute force attacks is to change the port RDP listens on from the default. Most of these brute force attacks are done by bots that are set to use default settings. – HopelessN00b Mar 05 '14 at 15:07
  • @HopelessN00b thanks, but can you help on this because I am not very familiar with Windows Administration. – Patrick Mar 05 '14 at 15:50
  • Patrick, that's not how it works round here. Do the work yourself. Use Google. – BlueCompute Mar 05 '14 at 19:05