Today I discovered someone using a bot to brute force into one of my servers. The server has a public IP and Terminal Services is open on the firewall to this server. Two IP addresses were spamming login attempts. So I noticed the epic megaton of failure audits.
I blocked both IP addresses (considering blocking the entire subnet) on the firewall, and the failure audits have ceased.
Is there anything else I should be looking at? Does this sort of attempt usually lead to more attempts in other parts of my network? Or will they give up once they realize I discovered their attempts?