While looking in Terminal Services Manager on one of my SQL boxes, I noticed that there are seemingly many attempts to remote to the machine while I was connected:
One minute...
And the next...
I'm not seeing anything that seems to match this activity in the event viewer, and it's continuing. Where might I look to find out where these are coming from and what might be going on?
If someone is failing to authenticate then you should find information about that in the security event log. If all they are doing is making a connection but not passing credentials then that won't show up really anywhere in Windows (that I'm aware of).
Like @joeqwerty said, if this machine is accessible from the public Internet then check the firewall logs to see what they say. Also close the connection from the public Internet as that's just asking for trouble. Using a VPN then RDPing into the SQL Server is a much more secure option.
