1

I manage a server running Windows Server 2008 R2 that constantly gets bombarded with brute-force attacks via FTP. These failed login attempts show up in the Security section of the Windows Logs as Audit Failure errors (Event ID 4625) with a Logon Type of 8 (NetworkCleartext). In each event log entry the Source Network Address (i.e. the offending IP address that should be blocked) is never listed; however, the IP address IS listed in the FTP logs (located by default in C:\inetpub\logs\LogFiles\FTPSVC2).

Is there any way to have the offending IP addresses, which the FTP log clearly knows about, also show up in the Security Windows Logs?

kevinmicke

1 Answer

3

There isn't any functionality in the product to do what you're looking for. It makes no sense, but that's how it has been since Microsoft has had an FTP server in Windows.

Background: I developed a utility that blocks IP addresses sourcing brute-force RDP logon attempts. I've been asked to add FTP functionality to that script time and time again and, as such, I've researched this. There's no way to get offending IP addresses from the Event Log.

Evan Anderson
  • Thanks for the quick and thorough reply. That's very sad, but not particularly surprising. I've got a similar script for RDP, and I guess I'll have to make one to process the FTP logs separately. Thanks again, and sorry I don't yet have the reputation to up vote your answer. – kevinmicke Jan 29 '14 at 04:23
  • Forgot to mention this when I initially wrote it, but I put together a PowerShell script that also finds IPs in the FTP logs, which you can see here if you're interested: http://serverfault.com/a/571903/107701 – kevinmicke Aug 21 '14 at 23:05
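
Since the Security log omits the source address, the thread settles on reading the FTP logs instead. The following is an added example of that approach, not the script linked in the comment above and not Evan Anderson's utility. It assumes the IIS FTP W3C log has the `c-ip`, `cs-method` and `sc-status` fields enabled; the function name, the threshold of 3 and the sample lines are constructed for illustration.

```powershell
# Added example: count rejected FTP logins per client IP from IIS FTP W3C logs.
# Written to run on PowerShell 2.0 (the version shipped with Server 2008 R2).
function Get-FtpFailedLogon {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Line,  # raw log lines
        [int] $Threshold = 3                            # assumed cut-off, tune per site
    )
    $fields = @()
    $counts = @{}
    foreach ($l in $Line) {
        $l = $l.Trim()
        if ($l -like '#Fields:*') {
            # Column order is configurable in IIS, so re-read it from every header.
            $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($l -eq '' -or $l -like '#*' -or $fields.Count -eq 0) { continue }
        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }  # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # FTP reply 530 to a PASS command means the credentials were rejected.
        if ($row['cs-method'] -eq 'PASS' -and $row['sc-status'] -eq '530') {
            $counts[$row['c-ip']] = 1 + [int]$counts[$row['c-ip']]
        }
    }
    $counts.GetEnumerator() |
        Where-Object { $_.Value -ge $Threshold } |
        Sort-Object Value -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{ ClientIP = $_.Key; FailedLogons = $_.Value }
        }
}

# Constructed sample lines (documentation-range addresses, reduced field set).
$sample = @(
    '#Software: Microsoft Internet Information Services 7.5'
    '#Fields: date time c-ip cs-username cs-method sc-status'
    '2014-01-28 03:10:01 203.0.113.7 - PASS 530'
    '2014-01-28 03:10:02 203.0.113.7 - PASS 530'
    '2014-01-28 03:10:03 203.0.113.7 - PASS 530'
    '2014-01-28 03:11:40 198.51.100.20 alice PASS 230'
    '2014-01-28 03:12:05 198.51.100.44 - PASS 530'
)
Get-FtpFailedLogon -Line $sample

# Against the real logs from the question:
# Get-FtpFailedLogon -Line (Get-Content 'C:\inetpub\logs\LogFiles\FTPSVC2\*.log')
```

The returned objects can be piped to whatever blocking mechanism is already in use for RDP; check the addresses against known-good clients first, since a single mistyped password also produces a 530.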