Windows Server RDP Brute-Force and DDoS Attack Mitigation Using IPBan
Windows Servers with RDP or other logon services exposed directly to the internet are routinely hit by automated credential-guessing (brute-force and password-spray) campaigns, which flood the Security Event Log with failed logon events (Event ID 4625) and put accounts at risk of compromise. IPBan is a lightweight open-source tool that monitors the Windows Security Event Log and automatically creates Windows Firewall block rules for source IPs that exceed a configurable failed-login threshold. It removes the noisy sources and the log flooding they cause; it is not a volumetric DDoS defence, which has to be applied upstream of the host. Deploying IPBan alongside strong password policies, audit logging, and VPN-gated access significantly reduces the attack surface on internet-facing Windows Servers.
Indicators
- High volume of Event ID 4625 (Failed Logon) entries in Windows Security Event Log
- Repeated RDP connection attempts from unknown, foreign, or sequential IP addresses
- Unusually high inbound network traffic or sustained CPU load on the server
- Multiple user account lockouts occurring in rapid succession
- Windows Firewall logs showing repeated connection attempts from single source IPs
- Security audit log flooded with failed authentication events, impairing log readability
Likely causes
- RDP port (TCP 3389) exposed directly to the internet without upstream firewall filtering
- Weak, default, or guessable credentials on administrator or service accounts
- No account lockout policy or rate-limiting configured via Group Policy
- Absence of IP-based blocking, geo-filtering, or rate-limiting on the perimeter firewall
- Automated bots and botnets continuously scanning internet IP ranges for open Windows services
- No multi-factor authentication enforced on RDP or other remote access services
Diagnostic steps
- Open Event Viewer (eventvwr.msc), navigate to Windows Logs > Security, and filter for Event ID 4625. Review the frequency, Source Network Address, Logon Type and targeted accounts to confirm brute-force activity and establish the baseline attack volume. Some 4625 events record a Source Network Address of "-" (common for RDP failures at the Network Level Authentication stage); those cannot be attributed to a source IP and no IP-based blocker can act on them.
- Review Windows Firewall logs at C:\Windows\System32\LogFiles\Firewall\pfirewall.log to identify repeated inbound connection patterns and confirm that the source IPs correlate with the Event ID 4625 failures. Firewall logging is off by default; if the file is missing or empty, enable logging of dropped and allowed connections per profile in wf.msc first.
- Confirm that Windows Audit Policy is generating failed logon events: run auditpol /get /subcategory:"Logon" and verify that Failure auditing is enabled. If not, enable it: auditpol /set /subcategory:"Logon" /failure:enable
- Download the latest IPBan release from the official GitHub repository (https://github.com/DigitalRuby/IPBan) and extract the contents to a stable directory such as C:\IPBan.
- Install IPBan as an automatic Windows service from an elevated prompt: sc.exe create IPBan type= own start= auto binPath= "C:\IPBan\DigitalRuby.IPBan.exe" DisplayName= IPBan (the space after each = is required by sc.exe; call sc.exe explicitly, because in PowerShell sc on its own is an alias for Set-Content).
- Edit the IPBan configuration file (ipban.config or appsettings.json in the IPBan directory) and set the key parameters, including FailedLoginAttemptsBeforeBan (e.g. 5) and BanTime (e.g. 01:00:00:00 for 1 day, in DD:HH:MM:SS), to match your security policy. Add your own management and VPN address ranges to the whitelist setting before starting the service so that a mistyped password does not ban you from your own server.
- Start the IPBan service (sc.exe start IPBan, or Services.msc) and confirm that the startup type is Automatic and that the service stays running.
- Verify IPBan is actively blocking by reviewing its log file at C:\IPBan\logfile.txt and checking that Windows Firewall block rules are being created dynamically. netsh does not accept wildcards in rule names, so list all rules and filter: netsh advfirewall firewall show rule name=all | findstr /i IPBan_Block, or in PowerShell: Get-NetFirewallRule -DisplayName "IPBan_Block_*"
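The following PowerShell script ties the first and last diagnostic steps together: it aggregates the Event ID 4625 entries of the last 24 hours by source IP and targeted account, flags events that carry no source address, and then compares the noisiest sources against the remote addresses listed in IPBan's firewall rules. It is an added example written for this page, not code from the IPBan project. It assumes IPBan names its block rules IPBan_Block_<n> (adjustable via the -RulePattern parameter) and that it runs in an elevated session on the server being assessed.

```powershell
# Added example (not part of the IPBan project): triage Event ID 4625 and check
# whether the noisiest sources are already covered by IPBan's firewall rules.
# Run in an elevated PowerShell session on the server under attack.
param(
    [int]$Hours = 24,
    [int]$Top = 15,
    # Assumption: IPBan names its block rules IPBan_Block_<n>; adjust if yours differ.
    [string]$RulePattern = 'IPBan_Block_*'
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten the EventData of each 4625 into one row. PowerShell's XML adapter ignores
# the event namespace, so $x.Event.EventData.Data can be read directly.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        IpAddress  = $d['IpAddress']      # '-' when Windows did not record the client IP (frequent with NLA pre-auth failures)
        TargetUser = $d['TargetUserName']
        LogonType  = $d['LogonType']      # 10 = RemoteInteractive (RDP), 3 = Network (NLA/CredSSP)
        SubStatus  = $d['SubStatus']      # 0xC000006A bad password, 0xC0000064 no such user, 0xC0000234 locked out
    }
}

"Failed logons (4625) in the last $Hours h: $(@($rows).Count)"

$noIp = @($rows | Where-Object { [string]::IsNullOrEmpty($_.IpAddress) -or $_.IpAddress -eq '-' }).Count
if ($noIp -gt 0) {
    "WARNING: $noIp events carry no source IP; IP-based blocking cannot act on those."
}

$byIp = @($rows | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object IpAddress | Sort-Object Count -Descending | Select-Object -First $Top)

"Top $($byIp.Count) source IPs:"
$byIp | ForEach-Object {
    [pscustomobject]@{
        IpAddress  = $_.Name
        Attempts   = $_.Count
        Accounts   = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
        LogonTypes = ($_.Group.LogonType  | Sort-Object -Unique) -join ','
    }
} | Format-Table -AutoSize

# Collect every remote address listed in an enabled IPBan block rule.
# Entries are matched as literal strings; CIDR ranges inside a rule are not expanded.
$rules   = @(Get-NetFirewallRule -DisplayName $RulePattern -ErrorAction SilentlyContinue |
             Where-Object { $_.Action -eq 'Block' -and $_.Enabled -eq 'True' })
$blocked = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($r in $rules) {
    foreach ($a in @(($r | Get-NetFirewallAddressFilter).RemoteAddress)) { [void]$blocked.Add($a) }
}
"Enabled IPBan block rules: $($rules.Count); addresses blocked: $($blocked.Count)"

"Top offenders with no matching IPBan entry (below threshold, whitelisted, or ban pending):"
$byIp | Where-Object { -not $blocked.Contains($_.Name) } |
    Select-Object @{ n = 'IpAddress'; e = { $_.Name } }, @{ n = 'Attempts'; e = { $_.Count } } |
    Format-Table -AutoSize
```

A source that appears at the top of the first table but not in the block set is the thing to investigate: either the ban threshold is set higher than its attempt count, the address sits in the whitelist, or IPBan is not reading the log at all (check that the service is running and that Failure auditing for the Logon subcategory is enabled). Run the script before and after deploying IPBan to get a measurable before/after picture.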
Resolution path
- Confirm brute-force activity by filtering Windows Security Event Log for Event ID 4625 and reviewing source IPs and targeted accounts
- Verify failed logon auditing is enabled via auditpol; enable it if missing
- Download and extract IPBan to C:\IPBan from the official GitHub repository
- Install IPBan as an automatic-start Windows service using sc.exe
- Edit the IPBan configuration file to set appropriate ban thresholds and ban duration per security policy
- Start the IPBan service via sc.exe or Services.msc and confirm it is running
- Verify dynamic Windows Firewall block rules are being created (netsh advfirewall firewall show rule name=all | findstr /i IPBan_Block, or Get-NetFirewallRule -DisplayName "IPBan_Block_*" in PowerShell)
- Monitor C:\IPBan\logfile.txt and Windows Security Event Log to confirm ongoing attack mitigation
Prevention
- Deploy IPBan or an equivalent automated IP-blocking tool on all internet-facing Windows Servers as standard build configuration
- Place RDP and administrative services behind a VPN gateway to remove them from direct internet exposure
- Restrict RDP access to known, approved IP ranges using Windows Firewall inbound rules or perimeter firewall ACLs
- Moving the RDP listener from TCP 3389 to a non-standard port cuts automated scanner noise but is not a security control: port scanners find the relocated service quickly, so it must not substitute for VPN gating or source-IP restriction
- Enforce a reasonable account lockout policy via Group Policy (Account Lockout Threshold: 5–10 attempts, lockout duration: 15–30 minutes). Lockout on its own hands an attacker a denial-of-service lever against named accounts, which is why it should be paired with source-IP blocking such as IPBan rather than relied on alone
- Require multi-factor authentication for all RDP and remote administrative access
- Enforce strong, unique passwords on all administrator and service accounts; disable the built-in Administrator account where possible. Renaming it is of limited value, because the account keeps its well-known RID (500) and can still be enumerated by that identifier
- Configure alerting on high-frequency Event ID 4625 occurrences via SIEM, Windows Event Forwarding, or a monitoring platform
- Keep Windows Server and all exposed services fully patched to eliminate known exploitable vulnerabilities
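As a worked example of the firewall scoping, auditing and lockout items above, the script below applies them to one host from an elevated PowerShell session. It is an added example written for this page, not code from the IPBan project or from Microsoft. The address list uses constructed TEST-NET placeholders that must be replaced with your real VPN or jump-host ranges; the rule names are arbitrary choices made here. Once applied, RDP from any source not in the list is dropped, including the session you are running it from if that session is not on the list, so run it from a console or from an approved address. If the RDP port has been moved as described above, set $RdpPort accordingly.

```powershell
# Added example (not part of the IPBan project): lock down RDP exposure on one host.
# Run elevated, from a console or from an address in $AllowedRanges: after this runs,
# RDP from any other source is dropped, including your current session if it is not listed.
$AllowedRanges = @('203.0.113.0/24', '198.51.100.10')   # constructed placeholders (TEST-NET); use your VPN / jump-host ranges
$RdpPort       = 3389
$RuleBase      = 'RDP-Allow-ApprovedSources'            # arbitrary rule name chosen for this example

# 1. Default-deny inbound on every profile, so RDP is reachable only through the scoped rules below.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in "Remote Desktop" rules, which allow the RDP port from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule

# 3. Create the scoped allow rules (TCP for RDP itself, UDP for the RDP-UDP transport).
foreach ($proto in 'TCP', 'UDP') {
    $name = "$RuleBase-$proto"
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto -LocalPort $RdpPort `
        -RemoteAddress $AllowedRanges -Action Allow -Profile Any | Out-Null
}

# 4. Make sure failed logons are audited; without this neither IPBan nor a SIEM sees the attack.
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

# 5. Local account lockout policy. For domain accounts set the equivalent in the Default Domain Policy GPO.
#    A very low threshold lets an attacker lock out legitimate users; keep it moderate and let
#    IPBan remove the source long before an account locks.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Verification: what is now allowed to reach the RDP port, and whether failure auditing is on.
Get-NetFirewallRule -DisplayName "$RuleBase-*" |
    ForEach-Object {
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($af.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
auditpol /get /subcategory:"Logon"
```

The order matters: the default-deny and the disabled built-in rules are what actually close the port, and the scoped rules reopen it only for the listed sources. Keep IPBan running alongside this, because the allow-listed ranges themselves (a shared VPN egress address, for instance) can still originate credential guessing.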
Tools
- IPBan (https://github.com/DigitalRuby/IPBan)
- Windows Event Viewer (eventvwr.msc)
- Windows Firewall with Advanced Security (wf.msc)
- netsh advfirewall
- auditpol.exe
- sc.exe (Service Control Manager)
- Services.msc