libxcnya.so


Brute-forcing every day: are you really that idle?

As the title suggests, in the past few days RDP has frequently been showing the following message:

We couldn't connect to the remote PC because the user account has been
locked due to too many sign in or password change attempts. Wait a little
while, and then try connecting again, or ask your admin or tech support for
help.

Error code: 0xd07

Now let's take a look at their records:
[Images: 4.19, 4.18, Today]

It has been getting brute-forced for 4 days, with nearly 600 k log entries:
[Image 1]

The most dramatic thing is that there is a series of IPs in the same /24 segment, taking turns to brute-force and getting around my Fail2ban:
[Image 2]
Although my RDP is open to the public network, it is on a high port (2k+), and the major asset-mapping platforms are blocked.
So I think this is intentional, though for now I'm not sure whether it is targeting me.

On average, I can pull this many in an hour (5 min with 5 max retries):
[Image 3]
Even though I had Fail2ban running before, there were still many IPs that were not banned because they happened to fall outside my restriction range.
I won't be so lax anymore.
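
The gap described above (hosts in one /24 taking turns so that no single IP reaches 5 failures in 5 minutes) can be seen by counting failures per /24 instead of per IP. This is an added example, not code from this post or from fail2ban-win; the function names and the log events are constructed, and it assumes a ban fires once a key reaches the retry limit inside the window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

FINDTIME = timedelta(minutes=5)  # window from the post: 5 min
MAXRETRY = 5                     # limit from the post: 5 max retries

def key_ip(ip):
    return ip

def key_subnet(ip, prefix=24):
    # Collapse an IPv4 address to its /24 so rotating hosts share one counter.
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def find_bans(events, key_func, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return {key: time of ban} for keys with >= maxretry failures in findtime."""
    windows = defaultdict(deque)
    bans = {}
    for ts, ip in sorted(events):
        key = key_func(ip)
        if key in bans:
            continue  # already banned, further failures are not counted
        win = windows[key]
        win.append(ts)
        while ts - win[0] > findtime:  # drop failures older than the window
            win.popleft()
        if len(win) >= maxretry:
            bans[key] = ts
    return bans

def constructed_events():
    # Constructed failed-logon events (timestamp, source IP), documentation ranges.
    # Six hosts in 203.0.113.0/24 fail 4 times each, one below the per-IP limit;
    # one unrelated host fails 5 times in a row.
    start = datetime(2000, 1, 1)  # constructed date
    events = []
    for host in range(10, 16):
        for n in range(4):
            when = start + timedelta(seconds=host + 60 * n)
            events.append((when, f"203.0.113.{host}"))
    for n in range(5):
        events.append((start + timedelta(seconds=10 * n), "198.51.100.7"))
    return events

if __name__ == "__main__":
    ev = constructed_events()
    print("per-IP bans: ", find_bans(ev, key_ip))
    print("per-/24 bans:", find_bans(ev, key_subnet))
```

Per-IP counting bans only the lone host, while per-/24 counting also catches the rotating range. Banning a whole /24 also blocks any legitimate user in that range, so keep your own addresses on an allowlist.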

My evaluation is: Buddy, do you know that you are doing something very foolish? Trying to brute-force me is not only a waste of your time, but you won't get any results. First of all, my password is a 24-character random alphanumeric string that even I can't remember. Secondly, if you continue to brute-force me, you will only get your IP blocked. So go ahead, I don't care.

Finally, let me share the Windows platform Fail2ban I use (open source on Gitee, which works well for me).
Remember to modify fail2ban-win.ini first, then install the service using ServiceManager.exe and start the service. It will start with the system and you don't need to worry too much.
If for some mysterious reason it's gone, you can download it from here: https://alist.nekorua.com/Files/fail2ban-win-v0.1.zip

Alright, good night and wish you a happy day.

This article is synced to xLog by Mix Space.
The original link is https://blog.nekorua.com/notes/13

