Yes that was one of my many threads. Re: "100000 password attempts" I really don't like to get into these discussions but you make it sound like someone has or is about to do this and/or someone is systematically sending 100,000 attempts to do anything to a single server, much less mine.
I maintain a whitelist with only my IP address on it. It is supposed to help if not prevent others from getting in whether they know my password or not isn't it?
There are reports generated and I can see the list of IP addresses that tried port scanning (and password attempts) on my server. It shows the IP address, country, number of attempts among other things. If this got to be 10 failures from the same IP address why wouldn't the system just let me know? If it got to be 100 why not just throttle the attempts?
This all sounds like what I call the spam phone call problem. If there are 1000 outgoing calls per minute from a phone number any phone company should be suspicious and investigate. To pretend there is nothing that can be done is wrong. Either the company doesn't want to do anything or they are getting bad advice.
Bottom line is if the community is interested in security the systems need to be implementable, easily. The more hoops and the more convoluted they are the more opportunities for something to be missed and exploited. If a $10 one-time payment could have solved it I would have fixed it 10 years ago and I almost let it ride this time.
Security is a real problem but to solve it everyone must have access to the tools.
Good. This should prevent the vast majority of drive-by automated attacks. It's not foolproof because it's possible to spoof your IP address. But it's a huge step up from nothing. And it's also not practical for other folks who may not always be connecting to their server from the same place which is why something with 2FA can work better for others.
If you have less than 10 total users, you can use Duo Security for free to add 2FA to a bunch of stuff including RDP.
The AnyDesk thing I liked is also free for personal use.
"It's not foolproof because it's possible to spoof your IP address."
The key question is do they spoof my IP address? It appears not or I should see evidence of port scanning and intrusions by me. And how did each of these hackers determine my home IP address? Possible of course, probable not so much.
I'd guess the lock on your front door can be picked as fast as you can unlock it with a key.
Please do not misunderstand me as I really appreciated all your help getting this sorted out but if security is important it needs to be "baked in" and easily accessed. I periodically run "Shields Up" by Gibson Research. This is the sort of thing I'm talking about and internet providers, phone companies and news organizations could suggest that the average person at least run the test. A tech article in Forbes magazine about how to sign up for a yearly service makes money for the service but doesn't do much for security overall.
If there is an IP on the Internet that responds to a port, it will get found and identified.
Then, if there is a known exploit for that service, it will be tried.
If there is a brute force attack that can be leveraged, it will be tried.