I've been receiving the following error (attached file) in my event log lately. So I'm trying to figure out how this IP (Source Network Address) managed to authenticate the login details.

I only connect to my web server via RDP, through a special port number (configured in Windows Firewall) and VPN (PEAP). My server is a public-facing server, but I only allow RDP via VPN; that is, if you try to log in via the public IP it will throw an error. It's using the default Windows Firewall.

So I'm concerned that someone might have gained access to my server. The funny thing is that the usernames and IPs keep on changing, so this proves that someone is trying to hack my server.

How can I block such authentications? How can I trace the login method that this IP used to authenticate? Here is my event log:

  • You need to post more information about your server's setup. Is it on the internet? Is it behind a firewall, or in a DMZ? Are you running Windows Firewall, or some other software firewall? – RobbieCrash Jul 06 '17 at 21:11
  • I have added more information. – chosenOne Thabs Jul 06 '17 at 21:29
  • How have you restricted access to RDP to VPN only? Is the server part of a domain? – RobbieCrash Jul 06 '17 at 21:43
  • Logon Type 3 is a network logon, but is not an RDP logon. Logon Type 3 could be associated with accessing a shared folder or printer over the network, or in your case, IIS. This logon attempt is coming in via your website. If you have logging enabled in IIS then the IIS logs should correlate. – joeqwerty Jul 06 '17 at 21:53
  • @joeqwerty Yes, I'm hosting a website on this server. Is there a way to figure out how they are triggering this logging via my website? My website doesn't have a login page though. I will have a look at the logs also. – chosenOne Thabs Jul 07 '17 at 10:09
  • @RobbieCrash I restricted RDP by blocking the default port number 3389 (in Windows Firewall), creating a new port number in the registry and allowing it in Windows Firewall. So if I want to log in to the server I need to VPN via the public static IP, then get the server's local IP and use it to RDP. I've also created a rule (on the new port number) in Windows Firewall to block all RDP connections unless they connect via a local IP (defined local IP range). – chosenOne Thabs Jul 07 '17 at 10:42

1 Answer

If your server is listing that network address as the source, then they must have found a way around your firewall rules. If there is a port open from the internet, failed authentication attempts are something that you are going to see all day long. I would start by trying to check logs on a firewall to track inbound connections. Just walk through your firewall rules to make sure you don't have another port open unintentionally.

Cory Knutson
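One way to walk the firewall rules as the answer suggests, given here as an added example that is not part of the original answer: it lists every enabled inbound Allow rule in Windows Firewall with its port and remote-address scope, and separates rules reachable from any address from those already scoped. It assumes Windows Server 2012 or later (the NetSecurity cmdlets) and an elevated PowerShell prompt; the function name `Get-InboundExposure` is made up for this example.

```powershell
# Added example: audit enabled inbound Allow rules in Windows Firewall.
# Assumption: Windows Server 2012+ (NetSecurity module), run elevated.

function Get-InboundExposure {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            # Port and address filters are stored separately from the rule itself
            $port   = $_ | Get-NetFirewallPortFilter
            $addr   = $_ | Get-NetFirewallAddressFilter
            $remote = @($addr.RemoteAddress) -join ','
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                Protocol      = $port.Protocol
                LocalPort     = @($port.LocalPort) -join ','
                RemoteAddress = $remote
                # 'Any' means the rule is not limited to the VPN/local range
                OpenToAny     = ($remote -eq 'Any')
            }
        }
}

$rules = Get-InboundExposure

# Rules that accept traffic from any source: each one should be intentional
# (for a public web server, typically only HTTP/HTTPS).
$rules | Where-Object OpenToAny |
    Sort-Object Protocol, LocalPort |
    Format-Table Rule, Profile, Protocol, LocalPort -AutoSize

# Rules already scoped to specific remote addresses, e.g. the RDP rule
# restricted to the local IP range described in the question.
$rules | Where-Object { -not $_.OpenToAny } |
    Format-Table Rule, Protocol, LocalPort, RemoteAddress -AutoSize
```

Any rule in the first table that is not one of the web ports is worth checking against the source addresses in the event log, since a Logon Type 3 entry can come from any network logon and not only from IIS.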