I was doing some routine maintenance on a Windows Server 2008 box that I manage. When looking at the Security Log in the Windows Event Log interface I see a burst of 50-200 failed logins that happen over a 15 minute span. So it's obvious this is not someone who just forgot their password.
I know there are a lot of bots out there pinging servers and taking shots at firewalls. My question is whether there is any yardstick to measure how bad the problem is. What is normal for a Windows Server running behind a firewall?
Best Answer
I suppose I will answer what I have learned in the 6 or so months since I posted this question.
I monitored a Windows Server, connected to a static IP address, with basic security in place (firewall, shut down unnecessary Windows services, etc.). I found that if I left FTP (using IIS 6) running, I would get 30,000 to 60,000 random login attempts a month. Some months were worse than others; bulk login attempts came in every shape and size. They tried lots of login names, and sometimes tried the same name a lot.
When I stopped the FTP service the login attempts stopped.
We also implemented a solid procedure for backing up the Event Log so that large login attempts can't be used to cover up other activity by clogging the Event Log.
I'll accept other answers if anyone else has any experience with this. Otherwise I'll leave this answer for anyone interested.
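One way to turn the "burst over 15 minutes" observation and the monthly count into a repeatable yardstick, as an added example that is not part of the original question or answer: group failed-logon events (ID 4625 on Windows Server 2008) into fixed 15-minute windows, flag windows above a threshold with the most-tried account and source, and keep a per-month total for baselining. The records here are constructed, shaped like the fields you would get from exporting the Security log (time, event ID, target user, source IP); the window size and threshold are assumptions to tune for your own server.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like a Security-log export
# (time created, event ID, target user name, source IP); not real data.
# Event ID 4625 = "An account failed to log on" on Windows Server 2008.
def build_sample_events():
    base = datetime(2009, 3, 1, 2, 0, 0)
    names = ["administrator", "admin", "test", "ftp", "user", "guest"]
    events = []
    for n in range(80):  # one burst: 80 failures in ~12 minutes from one source
        events.append((base + timedelta(seconds=9 * n), 4625,
                       names[n % len(names)], "198.51.100.7"))
    for h in (8, 13, 17):  # background noise: a user mistyping a password
        events.append((base.replace(hour=h), 4625, "jsmith", "192.0.2.10"))
    events.append((base.replace(hour=8, minute=1), 4624, "jsmith", "192.0.2.10"))
    return events

WINDOW = timedelta(minutes=15)   # assumed window size
BURST_THRESHOLD = 50             # assumed: failures per window that are not a typo

def bucket(ts, window=WINDOW):
    """Floor a timestamp to the start of its fixed-size window."""
    secs = int(window.total_seconds())
    epoch = datetime(1970, 1, 1)
    elapsed = int((ts - epoch).total_seconds())
    return epoch + timedelta(seconds=(elapsed // secs) * secs)

def find_bursts(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return [(window_start, count, top_user, top_source_ip)] for every
    window whose failed-logon count reaches the threshold."""
    per_window = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id == 4625:
            per_window[bucket(ts, window)].append((user, ip))
    bursts = []
    for start in sorted(per_window):
        hits = per_window[start]
        if len(hits) >= threshold:
            top_user = Counter(u for u, _ in hits).most_common(1)[0][0]
            top_ip = Counter(i for _, i in hits).most_common(1)[0][0]
            bursts.append((start, len(hits), top_user, top_ip))
    return bursts

def monthly_failures(events):
    """Baseline yardstick: failed logons per (year, month)."""
    return Counter((ts.year, ts.month) for ts, eid, _, _ in events if eid == 4625)

if __name__ == "__main__":
    evs = build_sample_events()
    for start, count, user, ip in find_bursts(evs):
        print(f"{start:%Y-%m-%d %H:%M} {count:4d} failures  top user={user}  source={ip}")
    print("failed logons per month:", dict(monthly_failures(evs)))
```

Feeding it the real export lets you compare each month against your own baseline rather than against a guess; a burst that names one source and many accounts is the pattern the question describes.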