Issue

If you find your VPS becoming unresponsive and you are unable to log in normally using the RDP client on your workstation, the cause may be too many invalid login attempts in a short period of time. This type of attack can overwhelm the Remote Desktop Services subsystem of your server and lock it up, preventing even valid authentications to the RDP desktop of the VPS. In this case, the only resolution is to reboot the VPS remotely in order to regain access to it.

Why This Occurs

By default, our VPS servers accept any valid, fully authenticated RDP connection over the Internet. This makes connecting remotely easy from ANY device you'd like (your desktop computer, laptop, mobile phone, etc.). Each of these devices has its own IP address, so by NOT restricting access you are able to connect from anywhere.

This unfettered access CAN cause a problem, however, if your VPS comes under attack by malicious scripts that try to gain access to your server by making numerous login attempts in a short period of time. If this is the case, you will want to restrict access so that ONLY SPECIFIC IP ADDRESSES are ALLOWED to reach your VPS, thus blocking all other attempts.

How To Determine If Your Server Is Receiving Numerous Invalid Login Attempts

The first step is to review your server's Event Log in order to find out if your server is indeed receiving multiple invalid login attempts. To do this, perform the following steps:

  1. Click the SEARCH icon (magnifying glass icon) to the right of the START button and type Event Viewer
  2. Next, click the Event Viewer application in the results above to launch the program

    (Screenshot: launching Event Viewer to check for too many invalid login attempts, event ID 4625)

  3. At the top of the Event Viewer, click to expand the ERROR messages under the Summary of Administrative Events section.

    (Screenshot: checking the Event Viewer log for event ID 1006, too many Terminal Services login attempts)

  4. Look for any error messages with an Event ID of 1006. If you see one, double-click it to check whether there are many of those events. These event log entries are the first sign that too many invalid login attempts may be occurring.

    (Screenshot: numerous event ID 1006 entries in the Event Viewer log)

Next, we'll check the Event Viewer audit records for too many failed login attempts.

  1. Now scroll to the bottom of the Summary of Administrative Events section and review the number of Audit Failures that have occurred in the last hour, the last 24 hours, and the last 7 days. If this number is much higher than what you would consider normal, it is likely that your VPS is the target of a login attack, most likely executed by a rogue login script or app on the Internet.

    (Screenshot: Event Viewer audit failure, event ID 4625)

  2. By expanding the Audit Failure section, you can review EACH of the individual login attempts. If you click the DETAILS tab of any one specific event, you can see the login name that was attempted as well as the (often proxied) IP address the attempt came from.

    (Screenshot: multiple invalid login attempts in Event Viewer, event ID 4625)

  3. As you can see in the events logged above, the invalid login attempts (event ID 4625) are occurring within a few seconds of each other. This is DEFINITELY a malicious attempt to gain access to the server.
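The same review can be scripted instead of clicking through Event Viewer. The following PowerShell is an added example, not part of the original 2Surge article: it reads Security event ID 4625 from the last 24 hours, pulls the attempted account name and source address out of each event's XML, and then summarizes failures by source IP, by account, and by one-minute bursts, so the "attempts a few seconds apart" pattern shown in the screenshots stands out. The 20-failures-per-minute threshold is an assumption chosen for illustration; adjust it to what is normal for your server.

```powershell
# Added example (not from the original 2Surge article): summarize failed logons
# (Security event ID 4625) recorded in the last 24 hours on this VPS.
# Run in an elevated PowerShell session; reading the Security log requires admin rights.

$since = (Get-Date).AddHours(-24)

# -ErrorAction SilentlyContinue: Get-WinEvent throws if no event matches the filter.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4625 stores the attempted account and the remote address in EventData;
        # read them from the event XML rather than parsing the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $data['TargetUserName']
            SourceIp  = $data['IpAddress']
            LogonType = $data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network (NLA pre-auth)
        }
    }

if (-not $failures) { "No 4625 events since $since"; return }

"Total failed logons since ${since}: $($failures.Count)"

# Top source addresses: one address with hundreds of failures is the signature described above.
$failures | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Most-targeted account names (Administrator, admin, user, etc. are typical of scripted attempts).
$failures | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Burst check: flag any source that produced more than 20 failures inside a single minute.
# This matches "attempts a few seconds apart" far better than a daily total does.
$threshold = 20   # assumption: tune to your own baseline
$failures | Group-Object { '{0}|{1:yyyy-MM-dd HH:mm}' -f $_.SourceIp, $_.Time } |
    Where-Object Count -gt $threshold |
    ForEach-Object { 'Burst: {0} failures from {1} (source|minute)' -f $_.Count, $_.Name }
```

One caveat when reading the output: when Network Level Authentication is enabled, failed RDP attempts are typically logged with LogonType 3 rather than 10, and on some Windows versions the IpAddress field is recorded as "-", so an empty or "-" source column does not mean the attempts were local.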

Resolution

In order to fix this issue and BLOCK these unwanted login attempts, we recommend editing the Windows Firewall rules to restrict VPS access to only certain IP addresses or IP address ranges.
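The firewall restriction can be applied from PowerShell rather than through the Windows Firewall GUI. This is an added example, not part of the original 2Surge article: it scopes the built-in inbound "Remote Desktop" rule group to an allow-list of addresses, checks first that the address of your current RDP session is covered so you do not cut yourself off, and then prints the resulting address filters for verification. The addresses in the list are constructed placeholders, and the rule group name "Remote Desktop" is assumed to match the default Windows Server firewall rules on your VPS; if RDP has been moved to a custom port or rule, adjust the rule selection accordingly.

```powershell
# Added example (not from the original 2Surge article): limit the built-in Windows Firewall
# "Remote Desktop" rules to an allow-list of addresses. Run in an elevated PowerShell session.

# Placeholder addresses (constructed): replace with the public IPs / ranges you connect from.
$allowed = @('203.0.113.10', '198.51.100.0/24')

# Safety check: the address you are connected from right now must be in the allow-list,
# otherwise this change cuts off your own session and only a reboot/console will get you back in.
# Assumption: you are applying this over RDP on the default port 3389, not from the console.
$peer = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
    Select-Object -First 1 -ExpandProperty RemoteAddress
if ($peer) {
    Write-Host "Your current RDP session comes from $peer."
    Write-Host "Allow-list to be applied: $($allowed -join ', ')"
    if ((Read-Host 'Is your current address covered by the allow-list? (yes/no)') -ne 'yes') {
        Write-Warning 'Aborting so you do not lock yourself out.'
        return
    }
}

# Scope every inbound rule in the "Remote Desktop" group (TCP 3389, UDP 3389, shadowing)
# to the allow-list. Assumption: the group name matches the default rules on this Windows version.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowed -Enabled True

# Verify: each inbound Remote Desktop rule should now list only the allowed addresses.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        '{0,-45} RemoteAddress = {1}' -f $_.DisplayName, ($filter.RemoteAddress -join ', ')
    }
```

After applying the change, re-run the 4625 summary from the previous section over the next day: the remaining failures should come only from addresses inside your allow-list, and the 1006 errors should stop appearing. If your own public IP changes (for example on a home connection without a static address), update the allow-list before the old address expires, since an out-of-date list is the most common way to lock yourself out.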

© Copyright 2019 - 2Surge Marketing - All Rights Reserved