I am receiving a lot of failed login attempts (1 per sec) on a Windows 2008 server, I have already set local security policy to automatically lock an account after too many login attempts, but is there a way to automatically include an IP adress in the Windows firewall so that it will be blocked temporarily (say for 30 minutes) ?
Windows – automatically block IP address after many failed login attempts
firewallwindows
Related Solutions
For Internet Explorer, you might have to add the server address to the local intranet zone. IE often has a hard time detecting local intranet servers on its own, so you might have to manually add your site to that list. You can do that manually in IE settings or you can use group policies to manage a list of intranet servers within an AD domain. You can view the zone IE has chosen for your site from the menu File/Properties.
For Firefox, you have to tell FF to forward your network credentials to that site. in about:config you have to add the sites to the settings
network.automatic-ntlm-auth.trusted-uris
and
network.negotiate-auth.trusted-uris
.
Best Answer
We were recently flooded with similar attempts and had great success with fail2ban which does precisely that: blocks a source IP after N failed login attempts.
While it's designed for linux, a great answer by Evan Anderson to the ServerFault question Does fail2ban do Windows? may help you implement it.