How Do You Know If Your Server Is Under Attack Right Now?
Imagine there's a back door in your house that you never use. One day you walk past it and notice the handle is scratched and there are scuff marks around the lock. Someone tried to get in – they just didn't succeed.
This is exactly what happens on most Windows servers, except instead of scratch marks, there are entries in the system log. The question is: when did you last check?
Where Can You See the Attempts?
Windows records everything. Every failed login attempt is stored in the Security log, which you can read with the Event Viewer. You don't need to install anything – it's built into every Windows server by default.
Failed logins are logged under a specific Event ID: 4625. If you search for this number in the log, you'll instantly see how many times someone tried a wrong password.
How to Check (2 Minutes)
- Press Windows + R, type eventvwr.msc, then press Enter
- In the left panel, click: Windows Logs → Security
- On the right side, click Filter Current Log
- In the Event ID field, type: 4625
- Click OK
What appears is the list of failed login attempts. Each row is one attempt – with the date, time, and the IP address it came from.
What Will You See?
If your server is accessible from the internet via Remote Desktop, you almost certainly won't see an empty list. Most servers have hundreds or even thousands of these entries per day.
Look for the following:
- How many entries in the last 24 hours? If it's in the hundreds, that's active probing.
- What usernames are they trying? Common ones: Administrator, Admin, Test, User, Guest. If you see a name that doesn't even exist on your machine – it's definitely coming from outside.
- Where are they coming from? Every entry contains an IP address. If you see foreign, unknown IPs, that's a sign of automated attacks.
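The same three questions can be answered from PowerShell instead of scrolling the filtered list. This is an added example, not part of the original article or of BruteFence; it assumes an elevated PowerShell session on the server and reads the standard 4625 fields TargetUserName, IpAddress and LogonType.

```powershell
# Added example: summarise failed logons (Event ID 4625) from the last 24 hours.
# Run in an elevated PowerShell session; reading the Security log requires it.
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is not an error here

# Pull the fields of interest out of each event's XML payload.
$failures = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        SourceIp  = $data['IpAddress']
        LogonType = $data['LogonType']   # 10 = Remote Desktop, 3 = network
    }
}

# 1. How many entries in the last 24 hours?
"Failed logons since {0}: {1}" -f $since, @($failures).Count

# 2. What usernames are they trying?
$failures | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 3. Where are they coming from? ('-' means no network address was recorded)
$failures | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

A handful of source addresses accounting for most of the failures, combined with usernames that do not exist on the machine, is the pattern of automated probing described above.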
Why Does It Matter If They Can't Get In?
Fair question. If the password is strong, what's the problem? Three things:
First, your server is working on it. Every single attempt has to be evaluated, rejected, and logged. It's like a receptionist turning away thousands of strangers at the door every day – while actual employees are waiting in line. We wrote about this in more detail in our previous article.
Second, the log fills up. When thousands of fake entries pour in, it becomes harder to spot something important. It's like having thousands of unknown people on your security camera footage – while you need to find the one who's actually suspicious.
Third, time is not on your side. Attackers are patient. If they make ten thousand attempts per day, that's three hundred thousand per month. Eventually they might get lucky, especially if the password isn't long or complex enough.
What Should You Do If You Find Many Entries?
If you've checked and see thousands – don't panic, but don't ignore it either. The situation is manageable.
The most effective solution is to have the attackers automatically blocked before they can try in serious numbers. That's exactly what BruteFence does: it monitors these 4625 events, and when too many wrong passwords come from the same IP address, it blocks it automatically.
After that, you won't see thousands in the log, but a few dozen – because attackers get locked out after the first few attempts.
Summary
Your server's log doesn't lie. If you check for Event 4625 entries, you'll see exactly how many people are trying. On most servers, this number is surprisingly high – and it doesn't stop on its own. BruteFence handles it automatically: blocks the attackers, protects performance, and keeps the log clean. Two minutes to check, two minutes to fix.