M$ Windows Server 2016 Standard
Have M$ Windows 2016 Standard server running on a Dedicated Server on KimSufi. Lately, I have not been able to access it via RDP. It continuously drops off saying “An internal error has occurred”.
So, without any KVM/IPMI, I log in to the admin panel and restart the server and I can log in. This works as there isn't much mission critical running, but, just a long process to get the system up and running.
So, after some digging, I saw that there are several RDP connections happening every minute...
netstat -n | find ":3389" | find "ESTABLISHED" shows a bunch of established connections...
Event Viewer shows:
"The RD Session Host server received large number of incomplete connections. The system may be under attack." multiple times (on the top of the hour mainly).
What are different ways to protect this box? Is there anything like Fail2Ban or similar for M$ Windows Server?
TIA.
Comments
Perhaps you should limit the RDP port on the firewall only to certain IPs?
Or you can change the RDP port?
Sure, any tips on how to do that?
Yeah, it's on a custom port now, but connections are still high. Thanks.
Windows firewall, or even better, ask provider to implement an ACL for you.
Hi @plumberg, in what DC is your server? Mine is at BHS and netstat shows lots of connection attempts, all from distinct Russian IPs.
In Windows Advanced Firewall, find the rule you edited when you changed the RDP port and change Remote from "any" to your public IPv4.
Also, install other remote connection methods, like Remote Utilities. It kind of sucks, but good for fallback.
There's also a fail2ban-like app from Cyber Arms. A few years old but still good and simple. Google it.
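The firewall change suggested above (Remote address from "any" to your own IP), together with the netstat check from the question, as an added PowerShell example that is not part of the original thread. The port value and the address 203.0.113.10 are placeholders, and the script only reports unless it is run with -Apply.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumptions: $RdpPort is the port RDP listens on (3389 or your custom port);
# 203.0.113.10 is a documentation address, replace it with your own public IPv4.
param(
    [int]$RdpPort = 3389,
    [string[]]$AllowedAddresses = @('203.0.113.10'),
    [switch]$Apply   # without this switch nothing is changed
)

# 1. Same check as: netstat -n | find ":3389" | find "ESTABLISHED",
#    grouped by remote address so repeat offenders stand out.
$sessions = Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue
$sessions | Group-Object RemoteAddress | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Sessions whose peer is not on the allowlist (exact match; assumes the
# allowlist holds single addresses, not subnets or ranges).
$unexpected = $sessions | Where-Object { $AllowedAddresses -notcontains $_.RemoteAddress }
Write-Host "Established sessions from non-allowlisted addresses: $(@($unexpected).Count)"

# 2. Find enabled inbound allow rules that open this exact TCP port.
#    Rules that cover the port through a range or "Any" are not matched here.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$RdpPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

if (-not $rules) {
    Write-Warning "No enabled inbound allow rule found for TCP port $RdpPort."
    return
}

# 3. Show the current scope of each rule, then narrow it to the allowlist.
foreach ($rule in $rules) {
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host "$($rule.DisplayName): RemoteAddress = $($current -join ', ')"
    if ($Apply) {
        # With no KVM/IPMI a wrong address here locks RDP out until the
        # provider panel is used, so review the report output first.
        $rule | Set-NetFirewallRule -RemoteAddress $AllowedAddresses
        Write-Host "  -> now limited to: $($AllowedAddresses -join ', ')"
    }
}
```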
Every DC, anywhere in the world has this problem.
BHS... still hitting every few seconds...