Running Windows Server 2012 with IIS 8.
Windows Security Log
This log shows ~40,000 failed login attempts in a 6-hour period (over 160,000 per day).
Example Data
My Server IP Addresses ***** Failed Login IPs
TCP xxx.xxx.xxx.123:3389 *** 60.174.69.158:38578 ESTABLISHED
TCP xxx.xxx.xxx.122:3389 *** 100.38.123.93:64161 ESTABLISHED
TCP xxx.xxx.xxx.125:3389 *** 5.39.217.104:34567 ESTABLISHED
How do I find the Remote Desktop connection log on the server?
I checked this Stack Exchange link Server under DDOS attack, but it appears to be for Linux so the log references are not applicable to IIS.
Thanks…
Best Answer
Solution
Yuk Ding, from Microsoft, provided this Server Fault link: How to get IP address, which contains a couple options for recording the login IP addresses that I have been looking for.
It does not appear that this information is available in a default log, which I was looking for. It would appear that an event listener must be created to log the IP addresses.
PowerShell Script to Read IP Addresses
@chaz provided a useful PowerShell script to read the IP addresses associated with the failed login attempts, click here.
Windows Firewall Script To Block IP Addresses
I found a very useful PowerShell script for automating the task of blocking IP addresses in Windows Firewall. The script was written by Jason Fossen.
The following is from Jason's website here.
Integrated Scripts with C#
I wrote a C# program to integrate the scripts, which reduced daily failed logins of 160,000+ to a small trickle.
Hope this short write-up and these links provide some help to others struggling with the same issue. Contact me if you have issues/questions.
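The answer above describes the two pieces it links to (a script that reads the failed-login IPs from the Security log, and a script that blocks them in Windows Firewall) without showing either. The following is an added PowerShell example of that pipeline; it is not the asker's C# program, @chaz's script or Jason Fossen's script. It assumes Windows Server 2012 or later (the NetSecurity module that provides New-NetFirewallRule / Set-NetFirewallRule), an elevated PowerShell session, and an arbitrary rule name, failure threshold and allow-list; the sample events at the bottom are constructed so the grouping logic can be tried offline.

```powershell
# Added example (not code from the question, the answer, or the linked scripts).
# Pipeline: Security log event 4625 -> source IP counts -> one firewall block rule.
# Assumptions: Windows Server 2012+ (NetSecurity module), run elevated; rule name,
# threshold and allow-list are arbitrary choices for illustration.

function Get-FailedLogonSources {
    # Reads failed-logon events (ID 4625) since $Since and returns the source IP
    # and logon type from each event's EventData, parsed from XML so the result
    # does not depend on the position of the field in the message.
    param(
        [datetime]$Since = (Get-Date).AddHours(-6),
        [int]$MaxEvents = 100000
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $ip   = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            $type = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
            # '-' means the event carries no client address (common for NLA failures)
            if ($ip -and $ip -ne '-' -and $ip -ne '::1' -and $ip -ne '127.0.0.1') {
                [pscustomobject]@{ Time = $_.TimeCreated; IpAddress = $ip; LogonType = $type }
            }
        }
}

function Get-BruteForceSources {
    # Groups events by source IP and keeps those at or above $Threshold failures,
    # skipping anything on the allow-list so you cannot lock yourself out.
    param(
        [object[]]$Events,
        [int]$Threshold = 20,
        [string[]]$Allow = @()
    )
    $Events | Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold -and $Allow -notcontains $_.Name } |
        ForEach-Object { [pscustomobject]@{ IpAddress = $_.Name; Failures = $_.Count } } |
        Sort-Object Failures -Descending
}

function Block-SourceIp {
    # Maintains a single inbound Block rule whose RemoteAddress list is merged with
    # the new IPs. One rule with a list scales far better than one rule per IP.
    param(
        [string[]]$IpAddress,
        [string]$RuleName = 'Blocklist-RDP-BruteForce'   # assumed name
    )
    if (-not $IpAddress) { return @() }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Profile Any -RemoteAddress $IpAddress | Out-Null
        return @($IpAddress | Sort-Object -Unique)
    }
    $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) |
        Where-Object { $_ -and $_ -ne 'Any' }
    $merged = @($existing + $IpAddress | Sort-Object -Unique)
    $rule | Set-NetFirewallRule -RemoteAddress $merged
    return $merged
}

# Constructed sample events (not real log data) to exercise the grouping offline:
# 25 failures from one address on the page, 3 from a TEST-NET address under threshold.
$sample = @(
    (1..25 | ForEach-Object { [pscustomobject]@{ IpAddress = '60.174.69.158'; LogonType = '3' } }) +
    (1..3  | ForEach-Object { [pscustomobject]@{ IpAddress = '192.0.2.10';    LogonType = '10' } })
)
Get-BruteForceSources -Events $sample -Threshold 20 -Allow @('203.0.113.5')

# On the server (elevated), the real run is:
#   $events = Get-FailedLogonSources -Since (Get-Date).AddHours(-6)
#   $bad    = Get-BruteForceSources -Events $events -Threshold 20 -Allow @('<your admin IP>')
#   Block-SourceIp -IpAddress $bad.IpAddress
```

Two caveats when using this on an RDP brute-force problem. First, when Network Level Authentication is enabled, many failed RDP logons are recorded as 4625 with IpAddress "-", so the Security log alone undercounts; the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log records the client address on those failed connections and is worth reading alongside it. Second, a block rule is a bandage: the durable fixes are to stop exposing 3389 to the internet (VPN or RD Gateway), require NLA, and set an account lockout policy, and then run a script like this from a scheduled task as a backstop.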