Es verdad que 5 son pocos, pero como te avisa por email, yo voy bloqueando las IPs directamente desde el firewall. (un coñazo y acabare pagando)
Otra opción que encontre, pero no he probado es:
https://github.com/EvanAnderson/ts_block
Es un script e Visual basic, si te animas y lo pruebas me dices si va bien! hehe:
ts_block is a VBScript program that acts as a WMI event sink to receive
events logged by Windows in response to invalid Terminal Services
logons. It parses these log entries and acts upon them as follows:
- If the IP address attempts to logon with a username flagged as "block
immediately" the IP address is blocked immediately.
- If the IP address attempts to logon with more frequently than is
allowed in a given time period the IP address is blocked.
The "block immediately" usernames and thresholds associated with repeated
logon attempts are configurable in the "Configuration" section of the
script. Default settings are as follows:
Block Immediately Usernames - administrator, root, guest
Logon attempts allowed - 5 in 120 seconds (2 minutes)
Duration of block - 300 seconds (5 minutes)
The configuration variables for these values are reasonably
self-explanatory. Additional variables to enable/disable debugging and
event log usage are also present and self-explanatory. Review the
section "Registry Configuration Parameters" for information about
configuring via the registry (which is useful for management via Group
Policy).
Four times per second IP addresses that have remained blocked for their
assigned block duration are unblocked.