M$ Windows Server 2016 Standard
Have M$ Windows 2016 Standard server running on a Dedicated Server on KimSufi. Lately, I have not been able to access it via RDP. It continuously drops off, saying “An internal error has occurred”.

So, without any KVM/IPMI, I log in to the admin panel and restart the server and I can log in. This works as there isn't much mission critical running, but, just a long process to get the system up and running.

So, after some digging, I saw that there are several RDP connections happening every minute...

netstat -n | find ":3389" | find "ESTABLISHED" shows a bunch of established connections...

Event Viewer shows:
"The RD Session Host server received large number of incomplete connections. The system may be under attack." multiple times (on the top of the hour mainly).

What are different ways to protect this box? Is there anything like Fail2Ban or similar for M$ Windows Server?

TIA.

Comments

  • Clouvider Member, Provider

    Perhaps you should limit the RDP port on the firewall only to certain IPs?


  • Or you can change the RDP port?

  • @Clouvider said:
    Perhaps you should limit the RDP port on the firewall only to certain IPs?

    Sure, any tips on how to do that?

  • @MohamadSY said:
    Or you can change the RDP port?

    Yeah, it's on a custom port now, but, still connections are high. Thanks

  • Clouvider Member, Provider

    Windows firewall, or even better, ask provider to implement an ACL for you.


  • Oseri Member

    Hi @plumberg, in what DC is your server? Mine is at BHS and netstat shows lots of connection attempts, all from distinct Russian IPs.

  • @plumberg said:

    @Clouvider said:
    Perhaps you should limit the RDP port on the firewall only to certain IPs?

    Sure, any tips on how to do that?

    In Windows Advanced Firewall, find the rule you edited when you changed the RDP port and change Remote from "any" to your public IPv4.

    Also, install other remote connection methods, like Remote Utilities. It kind of sucks, but good for fallback.

    There's also a fail2ban-like app from Cyber Arms. A few years old but still good and simple. Google it.
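
One way to script the firewall restriction suggested above on a server with a custom RDP port, as an added example that is not from any poster in the thread. The address 203.0.113.10 is a placeholder, `-Apply` is this script's own switch, and it assumes an elevated PowerShell session and locally defined (not Group Policy) firewall rules.

```powershell
# Added example: scope inbound allow rules for the RDP port to an allowlist.
param(
    # Placeholder from the documentation range; replace with your public IPv4 address(es).
    [string[]]$AllowedAddresses = @('203.0.113.10'),
    # Without -Apply the script only reports what it would change.
    [switch]$Apply
)

# Read the real listener port, since the server in the thread uses a custom one.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port   = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# Lock-out guard: with no KVM/IPMI, refuse to apply unless an allowlisted
# address currently holds an established connection on the RDP port.
$current = Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique
$adminSeen = @($current | Where-Object { $AllowedAddresses -contains $_ })
if ($Apply -and -not $adminSeen) {
    throw "No established connection on port $port comes from the allowlist; not applying."
}

# Enabled inbound allow rules whose TCP filter names the RDP port exactly.
# Rules with LocalPort 'Any' or a port range are not matched and need manual review.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

if (-not $rules) { Write-Warning "No enabled inbound allow rule names TCP port $port." }

foreach ($rule in $rules) {
    $before = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    if ($Apply) {
        # Same change as editing "Remote IP address" in the rule's Scope tab.
        $rule | Set-NetFirewallRule -RemoteAddress $AllowedAddresses
    }
    $after = (Get-NetFirewallRule -Name $rule.Name | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    [pscustomobject]@{
        Rule    = $rule.DisplayName
        Port    = $port
        Before  = $before
        After   = $after
        Applied = [bool]$Apply
    }
}
```

Run it once without `-Apply` to see which rules match and their current remote scope, then again with `-Apply` from a session whose source address is in the allowlist.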

  • @Oseri said:
    Hi @plumberg, in what DC is your server? Mine is at BHS and netstat shows lots of connection attempts, all from distinct Russian IPs.

    Every DC, anywhere in the world has this problem.

  • @Oseri said:
    Hi @plumberg, in what DC is your server? Mine is at BHS and netstat shows lots of connection attempts, all from distinct Russian IPs.

    BHS... still hitting every few seconds...
