Windows Server 2012: easiest way to monitor ports for error 4625 NTLM attacks

Tags: hacking, network-monitoring, windows-server-2008, windows-server-2012, windows-server-2012-r2

I'm getting thousands of hack attacks on a Windows server resulting in Security log error 4625 entries. Hackers are using random IPs, so the usual RDPguard, Syspeace, etc. tools don't work. Port 3389 is closed on the server, so I'm surprised at the continued attacks.

I'd like to figure out what local ports the attackers are connecting to for their attempts, but all the automated tools I've found only look at IP. And the default Windows server logs also only show IP and remote port, not local port.

I know I can manually look at Wireshark logs, but that's labor-intensive. I'd like to find a tool that monitors failed logins and simply corroborates them with the local port, so I know what ports to close. Ideally, this doesn't generate gigantic logs or require constant monitoring; the tool would preferably be triggered by bad logins and collect the port and service info. Any ideas?

Best Answer

I think your best tool is Windows itself. As you already have Windows Firewall enabled, you can use its logging to view and monitor the traffic you want.

Event log: Details are at the bottom of this TechNet article: https://technet.microsoft.com/en-us/library/dd421717(v=ws.10).aspx

Windows Firewall log: Or you can enable logging in Windows Firewall and have it dump to a file. https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/

Or the Monitoring section under Windows Firewall with Advanced Security.
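As an added worked example (not part of the original question or answer), the following PowerShell script does the correlation the answer suggests: it reads recent 4625 events from the Security log, which carry the attacker's IP and remote port, and joins them against the Windows Firewall log, which carries both endpoints of each inbound connection, to recover the local port and protocol each failed logon arrived on. It assumes the firewall log is at the default path below and that logging of allowed connections is turned on for the active profile (otherwise only DROP entries are written and the connection that carried the logon attempt is not in the file). The column names come from the `#Fields:` header Windows writes at the top of `pfirewall.log`; the script reads them rather than hard-coding positions.

```powershell
# Added example (not from the original post): correlate 4625 failed-logon events
# with Windows Firewall log entries to recover the local port each attempt hit.
# Assumes firewall logging of allowed connections is enabled and the log is at
# the default path below; adjust the parameters if your setup differs.
param(
    [string]$FirewallLog   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
    [int]   $MaxEvents     = 500,
    [int]   $WindowSeconds = 120   # fallback tolerance when the remote port does not match
)

# 1. Pull recent 4625 events and extract the fields we need from the event XML.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
          -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $d['TargetUserName']
            LogonType  = $d['LogonType']
            RemoteIp   = $d['IpAddress']
            RemotePort = $d['IpPort']
        }
    } | Where-Object { $_.RemoteIp -and $_.RemoteIp -ne '-' }

# 2. Parse the firewall log. The '#Fields:' header names the columns
#    (date time action protocol src-ip dst-ip src-port dst-port ... path).
$fields = $null
$conns = foreach ($line in Get-Content -Path $FirewallLog) {
    if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
    if ($line -like '#*' -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
    $cols = $line -split '\s+'
    $row  = @{}
    for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }
    if ($row['path'] -ne 'RECEIVE') { continue }   # only inbound connections matter here
    [pscustomobject]@{
        Time      = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss', $null)
        Action    = $row['action']
        Proto     = $row['protocol']
        SrcIp     = $row['src-ip']
        SrcPort   = $row['src-port']
        LocalPort = $row['dst-port']
    }
}

# Index inbound connections by remote endpoint for fast exact matching.
$byEndpoint = @{}
foreach ($c in $conns) {
    $key = "$($c.SrcIp):$($c.SrcPort)"
    if (-not $byEndpoint.ContainsKey($key)) { $byEndpoint[$key] = $c }
}

# 3. Correlate: an exact (src-ip, src-port) match identifies the connection that
#    carried the failed logon; otherwise fall back to the same IP within a short window.
$results = foreach ($ev in $failed) {
    $how   = 'exact'
    $match = $byEndpoint["$($ev.RemoteIp):$($ev.RemotePort)"]
    if (-not $match) {
        $how   = 'time-window'
        $match = $conns |
            Where-Object { $_.SrcIp -eq $ev.RemoteIp -and
                           [math]::Abs(($_.Time - $ev.Time).TotalSeconds) -le $WindowSeconds } |
            Sort-Object { [math]::Abs(($_.Time - $ev.Time).TotalSeconds) } |
            Select-Object -First 1
    }
    if (-not $match) { $how = 'none' }
    $port  = if ($match) { $match.LocalPort } else { '?' }
    $proto = if ($match) { $match.Proto }     else { '?' }
    [pscustomobject]@{
        Time      = $ev.Time
        User      = $ev.User
        LogonType = $ev.LogonType
        RemoteIp  = $ev.RemoteIp
        LocalPort = $port
        Proto     = $proto
        Match     = $how
    }
}

# 4. Summarise which local ports are receiving the failed-logon traffic.
$results | Group-Object LocalPort, Proto | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'LocalPort'; e = { $_.Group[0].LocalPort } },
                  @{ n = 'Proto';     e = { $_.Group[0].Proto } } |
    Format-Table -AutoSize

# Keep the per-event detail for follow-up (which accounts, which logon types).
$results
```

Run it from an elevated prompt, since reading the Security log and the firewall log both require administrative rights. The exact match on remote IP plus remote port is the reliable one, because 4625 records the same source port the firewall saw on the connection; rows marked `time-window` or `none` mean the firewall log had no matching entry, which usually indicates that successful-connection logging was off, the log had already rolled over, or the logon did not arrive over a network socket at all. Once the summary shows a port you do not expect to be reachable, the corresponding inbound rule in Windows Firewall with Advanced Security is what to tighten.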
