Azure VM being brute force attacked

Kevin Linder 21 Reputation points
2020-06-05T15:39:58.083+00:00

Hello all, I've had an ongoing issue of receiving connection errors when I attempted to connect to my Azure VM via RDP the past couple of weeks.

I dug into it a bit yesterday and I found hundreds of thousands of Audit failure 4625 events. It's been happening since May 13th from what I can tell. I just started up my VM about 25 minutes ago and I'm already up to almost 2100 of these events.

Does anyone have any recommendations on how to prevent these attacks from occurring?

Thanks!

![9234-bruteforce.jpg](/api/attachments/9234-bruteforce.jpg?platform=QnA)

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.

Accepted answer
  1. Andreas Baumgarten 96,266 Reputation points MVP
    2020-06-10T19:23:42.647+00:00

    Is the VM reachable by a public IP and protected by an NSG with an NSG rule that allows RDP connections?
    If so, it may be helpful to deny the RDP connection in the NSG if it is not needed.
    Also, JIT might be an option: Secure your management ports with just-in-time access

    Maybe this is helpful.

    Regards

    Andreas Baumgarten

    (Please don't forget to Accept as answer if the reply is helpful)


1 additional answer

  1. Moamen Hany 1,091 Reputation points MVP
    2020-08-07T22:20:26.373+00:00

    Restrict WAN connections to the VM public IP to a specific scope from the NSG.

    Enable Just-in-Time for the RDP port from Azure Security Center.

    http://www.moamenhany.com

    3 people found this answer helpful.
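An added example, not part of the original thread or either answer: a check for the NSG condition both answers point to, an inbound rule that allows RDP from any source. It assumes rules in the JSON shape printed by `az network nsg rule list -o json`; the rule names and addresses are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `az network nsg rule list -o json` output.
SAMPLE_RULES = json.loads("""[
 {"name": "AllowRdpAny", "priority": 1000, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
 {"name": "AllowRdpOffice", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32",
  "destinationPortRange": "3389"}
]""")

ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}


def _values(rule, single, plural):
    """Merge the singular and plural forms NSG rules use for prefixes/ports."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals


def _covers_port(spec, port):
    """True if a port spec such as '*', '3389' or '3000-4000' includes port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    high = high or low
    return low.isdigit() and high.isdigit() and int(low) <= port <= int(high)


def rdp_exposure(rules, port=3389):
    """Return (exposed, deciding_rule, scoped_sources) for inbound TCP RDP.

    Rules are checked in priority order (lowest number first); the first rule
    that matches traffic from an arbitrary Internet source decides.
    """
    scoped = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound":
            continue
        if rule["protocol"].lower() not in ("*", "tcp"):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(_covers_port(p, port) for p in ports):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(s.lower() in ANY_SOURCE for s in sources):
            return rule["access"].lower() == "allow", rule["name"], scoped
        if rule["access"].lower() == "allow":
            scoped.extend(sources)  # allow limited to specific sources
    return False, None, scoped  # no match: assumes the NSG default deny applies
```

On the constructed sample the check reports the any-source rule as the one exposing RDP; with that rule removed, only the scoped office address remains allowed.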