M$ Windows Server 2016 Standard

Have M$ Windows 2016 Standard server running on a Dedicated Server on KimSufi. Lately, I have not been able to access it via RDP. It continuously drops off saying “An internal error has occurred”.

So, without any KVM/IPMI, I log in to the admin panel and restart the server and I can log in. This works as there isn't much mission critical running, but, just a long process to get the system up and running.

So, after some digging, I saw that there are several RDP connections happening every minute...

netstat -n | find ":3389" | find "ESTABLISHED" shows a bunch of established connections...

Event Viewer shows:
"The RD Session Host server received large number of incomplete connections. The system may be under attack." multiple times (on the top of the hour mainly).

What are different ways to protect this box? Is there anything like Fail2Ban or similar for M$ Windows Server?

TIA.

Comments

  • Clouvider (Member, Patron Provider)

    perhaps you should limit the RDP port on the firewall only to certain IPs?

  • Or you can change RDP port?

  • @Clouvider said:
    perhaps you should limit the RDP port on the firewall only to certain IPs?

    Sure, any tips on how to do that?

  • @MohamadSY said:
    Or you can change RDP port?

    Yeah, it's on a custom port now, but still connections are high. Thanks.

  • Clouvider (Member, Patron Provider)

    Windows firewall, or even better, ask provider to implement an ACL for you.

  • Hi @plumberg, in what DC is your server? Mine is at BHS and the netstat shows lots of connection attempts, all from distinct Russian IPs.

  • @plumberg said:

    @Clouvider said:
    perhaps you should limit the RDP port on the firewall only to certain IPs?

    Sure, any tips on how to do that?

    In Windows Advanced Firewall, find the rule you edited when you changed the RDP port and change Remote from "any" to your public IPv4.

    Also, install other remote connection methods, like Remote Utilities. It kind of sucks, but good for fallback.

    There's also a fail2ban-like app from Cyber Arms. A few years old but still good and simple. Google it.
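
Scoping the RDP firewall rule to a fixed source address, as suggested in the reply above, shown here as an added example that is not part of the original thread. The parameter names `$AllowedAddresses` and `-Apply` are hypothetical, and `203.0.113.10` is a constructed placeholder for your own public IPv4.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Without -Apply the script only reports what it would change.
param(
    # Constructed placeholder (RFC 5737 documentation range); use single IPs here.
    [string[]]$AllowedAddresses = @('203.0.113.10'),
    [switch]$Apply
)

# Read the port RDP really listens on, since it was moved off 3389.
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
"RDP listener port: $rdpPort"

# Enabled inbound allow rules whose port filter names that port exactly.
# Rules using a port range or 'Any' are not matched; review those by hand.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -in 'TCP', 'UDP') -and ($pf.LocalPort -contains "$rdpPort")
    }

if (-not $rules) { "No enabled inbound allow rule names port $rdpPort explicitly." }

foreach ($rule in $rules) {
    # Show the current remote scope ("Any" is what lets every scanner connect).
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    '{0}: RemoteAddress {1} -> {2}' -f $rule.DisplayName,
        ($current -join ','), ($AllowedAddresses -join ',')

    if ($Apply) {
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedAddresses
    }
}

# Per-source count of established sessions on the RDP port that are not on
# the allow list: the same view as the netstat | find pipeline in the question.
Get-NetTCPConnection -LocalPort $rdpPort -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin $AllowedAddresses } |
    Group-Object RemoteAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

On a box with no KVM/IPMI, as in the original post, run it first without `-Apply` and confirm the listed address is the one you connect from, because a wrong value locks out your own RDP session until the server is reachable another way.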

  • @Oseri said:
    Hi @plumberg, in what DC is your server? Mine is at BHS and the netstat shows lots of connection attempts, all from distinct Russian IPs.

    Every DC, anywhere in the world, has this problem.

  • @Oseri said:
    Hi @plumberg, in what DC is your server? Mine is at BHS and the netstat shows lots of connection attempts, all from distinct Russian IPs.

    BHS... still hitting every few seconds...
