Hello, we have a Windows Server 2008 R2 with SQL Server 2008 R2. We have had months of disconnections during certain hours. We called the ISP, and since they changed the administration some problems began to occur. We used, for example, primary and secondary DNS addresses that were provided to us when we made the contract with that company. Then after they changed administration they stopped working, and for months we could not solve it until they gave us new ones. Well, that was not really the problem; the problem is that we have disconnections and a strange unlimited number of events in the Event Viewer. For months the server has been down for 10 minutes, 30 minutes, 1 minute; in general it is random and at certain hours. The events are 5156 and 5157 for lsass.exe and come from China and other parts of the world. The events are similar to this one (I deleted xxx, the address of our server):
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 1000
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: 208.96.30.116
Source Port: 389
Destination Address: 222.186.151.237
Destination Port: 16516
Protocol: 17
Filter Information:
Filter Run-Time ID: 1660031
Layer Name: Receive/Accept
Layer Run-Time ID: 44
and this one:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1000
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: 208.96.30.116
Source Port: 389
Destination Address: 24.167.51.62
Destination Port: 6865
Protocol: 17
Filter Information:
Filter Run-Time ID: 1717210
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Supposedly, the ISP told us it is not the hardware because they checked, but what could be causing the issue? Or how do you filter those locations, because maybe someone is trying to hack the server? Formatting and a clean image is not an option; we did that once and that is not the issue. The help of the ISP is also not an option; they don't help and, as you saw, just giving us 2 DNS addresses took more than 5 months. Is there any way to protect the server or to delineate this? Each time the server is going down then up. Weekends are OK, there is more uptime, but it is horrible because the users navigate and it is crashing all the time. Also, we have a lot of licenses and development pointed at the IPs that are hard to change; it took us several years. The server is online and we use RDP to connect to it. Several years ago, more than 6 years ago, someone tried to hack us, but we changed the default port of RDP and the problem was solved for years, until the last months, when we have this big problem because now there are disconnects. What could be the solution for the disconnects, and also how can you use something to protect and eradicate something?
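An added example, not part of the original post: a small parser for exported 5156/5157 message text in the layout shown above. It counts events and distinct destination addresses per source address, source port, protocol and outcome, so the volume and spread of the traffic can be seen. The sample events are constructed (documentation-range addresses), and the function names are illustrative.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"The Windows Filtering Platform has (blocked|permitted) a connection\.")
FIELD = re.compile(r"^[ \t]*([A-Za-z\- ]+):[ \t]*(.*)$", re.M)
PROTOCOLS = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers

def parse_events(text):
    """Split exported 5156/5157 message text into one dict per event."""
    events = []
    parts = HEADER.split(text)  # ['', action, body, action, body, ...]
    for action, body in zip(parts[1::2], parts[2::2]):
        event = {"Action": action}
        for key, value in FIELD.findall(body):
            if value:  # section titles such as "Network Information:" carry no value
                event[key.strip()] = value.strip()
        events.append(event)
    return events

def summarize(events):
    """Map (source, source port, protocol, action) -> (events, distinct destinations)."""
    groups = defaultdict(lambda: {"events": 0, "destinations": set()})
    for e in events:
        proto = PROTOCOLS.get(e.get("Protocol"), e.get("Protocol"))
        key = (e.get("Source Address"), e.get("Source Port"), proto, e["Action"])
        groups[key]["events"] += 1
        groups[key]["destinations"].add(e.get("Destination Address"))
    return {k: (v["events"], len(v["destinations"])) for k, v in groups.items()}

# Constructed sample in the same layout as the events in the post.
TEMPLATE = """The Windows Filtering Platform has {action} a connection.
Application Information:
Process ID: 1000
Application Name: \\device\\harddiskvolume1\\windows\\system32\\lsass.exe
Network Information:
Direction: Inbound
Source Address: 192.0.2.10
Source Port: 389
Destination Address: {dst}
Destination Port: {dport}
Protocol: 17
"""
SAMPLE = "".join(TEMPLATE.format(action=a, dst=d, dport=p) for a, d, p in [
    ("blocked", "198.51.100.7", 16516),
    ("blocked", "198.51.100.7", 16517),
    ("permitted", "203.0.113.9", 6865),
])

if __name__ == "__main__":
    for key, (count, dests) in sorted(summarize(parse_events(SAMPLE)).items()):
        print(key, "events:", count, "distinct destinations:", dests)
```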