In today's digital landscape, where remote work has become the norm, securing your network's remote access is more critical than ever.
If you're utilizing Windows Server's Routing and Remote Access Service (RRAS) for VPN connectivity,
failed authentication attempts can quickly turn into a repeating brute-force attack against your VPN server.
Failed VPN Logon Events
When MS VPN (RRAS) rejects a connection attempt, Windows records failed authentication details in the System event log.
You may find that your System event log is flooded with Event ID 20271 records like below:
Failed logon entries in the System event log
The user admin connected from 185.16.39.179 but failed an authentication attempt due to the following reason:
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically,
the authentication method used by the server to verify your username and password may not match the authentication
method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
OR
The user vpn connected from 68.69.184.82 but failed an authentication attempt due to the following reason:
The remote connection was denied because the user name and password combination you provided is not recognized,
or the selected authentication protocol is not permitted on the remote access server.
These records may indicate brute-force attacks on your server to find weak passwords. In most cases,
these attacks are performed using automated tools widely available on the Internet.
When performed from a powerful machine with a good internet connection, these attacks may affect your server availability,
consuming bandwidth, processor time, and memory usage.
How RdpGuard Protects MS VPN
With RdpGuard, you can effectively stop these brute-force attempts on your RRAS server.
RdpGuard monitors Windows event logs for failed login attempts to MS VPN (RRAS) and blocks offending IP addresses immediately.
RdpGuard can monitor MS VPN failures reported by the RemoteAccess provider and related IPsec authentication events,
so repeated failed attempts from the same remote address can be blocked before they continue to load your VPN server.
Download RdpGuard for MS VPN Protection
For Windows 7 SP1/8.1/10/11 and Windows Server 2008 R2 SP1/2012/2016/2019/2022/2025
How to Configure MS VPN Protection
To enable MS VPN protection, configure protection settings, or add exclusion rules for trusted usernames or known event patterns,
please see:
"This sotware is really great. It's a relief. Because my server is constantly under attack. Thanks RdpGuard"
- Joaquim De Sousa Marques
"Nice product. I used to implement something similiar in a low-tech and cumbersome manner via a script called
TSBlock (not mine). This makes it much easier and is well worth the pricetag for SMB's."
- J. Johnson
"Absolutely amazed at your product. We are a church in the North Dallas area,
and I discovered this morning multiple failed logon attempts via our Remote Access Server.
A friend suggested your product, so I immediately downloaded the trial.
It had a list of about five blocked IP addresses in minutes, and that was enough to
lead me to push the BUY button. Over the past 10-15 minutes the list is now about thirty with at least a
third being international attempts to break into our system.
Thanks for a great product. You may have just saved us much grief."
- John Hallford
"Love the software. RDP on our Windows servers is just ridiculous.
We would block it in the router but we have lots of old-time customers that would have issues."
- Scott Hirsch
"Love the software! Makes it easier than tailoring VB Scripts!!"
- Nick Brennan
"It's a great product - really stopping those RDP attackers :-)"
- Dave, UK
"First of all: Your application is very (!!!) useful and I like it very much securing my 2012 R2 server.
RdpGuard is the best solution, I found on the market and after 10 minutes of testing it I ordered the fully-featured version. :-)"
- Carsten Baltes
Failed logon entries in the System event log
