Windows 2008 R2 disconnects

F

field3d

New Member
Hello we have a Windows Server 2008 R2 with SQL Server 2008 R2. We have. months having disconnections during certain hours, We called the ISP and since they changed the administration some problems began to occur, We used for example a primary DNS and Secondary addresses that were provided to us when we made contract with that company. Then after they changed administration they stopped working and during months we could not solve they give us new ones. Well that were not the problem really, the problem is we have disconnections and a strange unlimited number of events in the event viewer. We have months that the server is down for 10 minutes, 30 minutes, 1 minute in general is random and at certain hours. The events the 5156 and 5157 to the lsass.exe and come from China, and other parts of the world. The events are similar to this one (I deleted xxx the address of our server):

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 1000
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe

Network Information:
Direction: Inbound
Source Address: 208.96.30.116
Source Port: 389
Destination Address: 222.186.151.237
Destination Port: 16516
Protocol: 17

Filter Information:
Filter Run-Time ID: 1660031
Layer Name: Receive/Accept
Layer Run-Time ID: 44




and this one:

The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 1000
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe

Network Information:
Direction: Inbound
Source Address: 208.96.30.116
Source Port: 389
Destination Address: 24.167.51.62
Destination Port: 6865
Protocol: 17

Filter Information:
Filter Run-Time ID: 1717210
Layer Name: Receive/Accept
Layer Run-Time ID: 44


Is supposed the ISP told us is nit the hardware because they checked but what could be causing the issue? Or how you make to filter that locations, because maybe someone is trying ti hack the server? The option is not format and clean image we did one time and that is not the issue. Also this is nit the option the help of the ISP they don't help and like you saw, just to give us 2 DNS addresses took more than 5 months. Any way to protect the server or to delineate this? Each time the server is going down than up. Weekends is ok there is more time up but is horrible because the users navigate and is crashing it time. Also we have directed to the IPs there a lot of licenses and developing hard to change, it took us several years. The server is online and we use rdp to connect to it. Several years agi more than 6 years ago someone tried to hack us but we changed the default port of the rdp and problem solved during the years until last months we have this big problem because now there are disconnects is a big problem. What could be then the solution for the disconnects and also how you can use something to protect and eradicate something?
 
Well the question is why is this computer exposed to the internet? It should be behind a firewall.
 
You should buy a enterprise grade firewall they block a lot more than just stateful connections, but also do AV scanning and you can also setup VPN access which would be a lot more secure for accessing the server. Windows Firewall is ok only as a host based firewall. No one should be using it as a perimeter firewall.
 
Like which? Remember the ISP just give us access to the server via rdp nothing else, they don’t give us KVM nothing. Is supposed they should have that or not? Is rackspace the company.
 
Then you'll need to talk to them about that, or talk to them about setting up a vpn. Having RDP open to the internet is a terrible idea.
 
One question. If we block totally the port 389 TCP and UDP to eradicate temporary, blocking that port will deny us access to rdp?
 
389 is generally reserved for ldap and 3389 is rdp, but yes if you block it out right then no one will be able to connect
 
Just for notes. We could re-enable the server. Yes indeed there are some instances that want it enter the server, but incredible to say, as we have the server, they are not a trouble really, and yes is hard to believe. The real problem was that we downloaded a lot of countries region to block as it says here:


A,so we had a lot of passive ports making thousands of instants in the firewall, then the problem that the firewall is over saturated to process all that rules and that was causing the issue, We deleted thousands of passive ports rules and some countries regions and is running amaIng fast without any trouble. To protect the ISP will put a perimeter firewall and a WAF to avoid exhaust the firewall inside the Windows. I could not believe but when thousands of rules were delete it came to life again. I wanted to explain the solution just in case can work for other person.
 
You must log in or register to reply here.

Similar threads

W
Event ID 1309 ASP.NET 4.0.30319.0 Warning
Replies
5
Views
3K
Neemobeer
Neemobeer
veryeasycomupter
USB Ethernet adapter disconnecting on Windows 11 and DELL Inspiron 5370 2-in-1
Replies
3
Views
4K
ChatGPT
ChatGPT
News
Announcing Windows 11 Insider Preview Build 22621.1037 and 22623.1037
Replies
0
Views
2K
News
News
News
Announcing Windows 11 Insider Preview Build 22621.1028 and 22623.1028
Replies
0
Views
2K
News
News
News
Announcing Windows 11 Insider Preview Build 22621.1020 and 22623.1020
Replies
0
Views
2K
News
News
Back
Top