While Viewing the windows server 2008 event log, I always find many security events 4625/logon as follows:
**An account failed to log on.**
Subject:
Security ID: SYSTEM
Account Name: Sever-Name
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 10
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admin (or administrator or user or any)
Account Domain: Sever-Name
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x1b18
Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: Sever-Name
Source Network Address: Some-Remote-IP
Source Port: Port#No (many ports in a row)
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
The above tries comes from single IP using all possible usernames and ports.
This is what you need to do:
Set up a VPN for secure remote access to your server.
Place the server behind a firewall (hardware or software) and don't allow remote logons from anywhere. You must connect to the VPN if you want to connect remotely.
Have a sandwich and enjoy how much better off you are now that you've done these basic security precautions.
After that is done, then you need to get a book on Windows administration (or administration in general) and read about firewall rules. Then configure yours appropriately. Only you know who needs to access what services from where. Take some time to look at all services running, decide which ones need to be publicly available (like web) and which ones don't (like RDP) and configure your firewall accordingly.
The truth is that if you are under a large DDOS attack firewall can't actually help you as it will run out of resources while banning ip address . Good solution is to have a failover ip and the best is to have a load balancing setup ..
If this is a small ddos simply by tracing and blocking these ips you will be ok..
User contributions licensed under CC BY-SA 3.0