I have a silly person in China (according to IP-reversal websites) who is trying to log in to my machine using RDP. I first noticed this when I found a stream of messages similar to this one:
[LAN access from remote] from 117.66.240.198:65086 to 192.168.1.20:3389 Thursday, November 16,2017 10:20:17
[LAN access from remote] from 117.66.240.198:56522 to 192.168.1.20:3389 Thursday, November 16,2017 10:19:00
Anyway, I am not concerned, as he is trying every minute or so to log into the Administrator account. I have left it disabled and locked as it was.
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: ADMINISTRATOR
Source Workstation:
Error Code: 0xC000006A
I know I could change the port for RDP to something other than 3389, but I need to stick to this port as my office only allows RDP to the default one.
I also know that I could set up a VPN, but then again this might be overkill for my case.
I changed Windows Firewall to allow only RDP connections from a range of IPs but had to revert that, as my office uses different ISPs and the IP at any moment could be different than after the next network restart.
I was hoping to see the passwords he is trying to use to brute force his way in.
Also, is there any way for me (using default Windows policies) to throttle/ban IPs that send invalid credentials for some time?
Also, as I have a dynamic IP, the first thing I did was restart my router and got a new IP, but apparently the habit is too strong, as it didn't take longer than a day for another silly guy to start trying his luck with a new range of IPs and get mine within them.
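
Added example, not part of the original post: a Python script that reads router log lines in the format quoted above and reports source addresses that exceed a connection-rate threshold to port 3389, as candidates for a temporary firewall block. The function name, threshold, window and sample lines (RFC 5737 documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the router log line format quoted in the post; the weekday is skipped.
LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\w+, (?P<ts>\w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

def sources_over_threshold(lines, dport=3389, limit=5,
                           window=timedelta(minutes=10)):
    """Return {source_ip: peak_count} for sources that opened more than
    `limit` connections to `dport` inside any sliding `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m["dport"]) == dport:
            hits[m["src"]].append(
                datetime.strptime(m["ts"], "%B %d,%Y %H:%M:%S"))
    flagged = {}
    for src, times in hits.items():
        times.sort()  # the quoted log is newest-first
        start = peak = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans <= `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[src] = peak
    return flagged

# Constructed sample: one source retrying every minute, one connecting rarely.
SAMPLE = [
    f"[LAN access from remote] from 203.0.113.7:{50000 + i} to "
    f"192.168.1.20:3389 Thursday, November 16,2017 10:{20 - i:02d}:17"
    for i in range(8)
] + [
    "[LAN access from remote] from 198.51.100.9:40111 to 192.168.1.20:3389 "
    "Thursday, November 16,2017 08:02:41",
    "[LAN access from remote] from 198.51.100.9:40957 to 192.168.1.20:3389 "
    "Thursday, November 16,2017 14:37:05",
]

if __name__ == "__main__":
    for ip, count in sources_over_threshold(SAMPLE).items():
        print(f"{ip}: {count} connections to 3389 within 10 minutes")
```

The router log only records connections, not whether the logon failed, so a legitimate client that reconnects often would need a higher limit or an exclusion.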