Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Help, Need to block IP in windows server 2003.

[WHU-Mike]

I searched for tutorials within Google and WHT. I haven't found anything that helped.

Issue:
I logged into windows server 2003 today and noticed in "event viewer" that multiple IPs are trying to brute force their way in. This has been going on for days now and I have yet found a good tutorial to help me fight them off.

How can I block these IPs from trying to access my windows 2003 server?
Is there a step-by-step tutorial?
My knowledge on windows is defunct.


I have two IPs that has been trying to enter for over 1 week now...

Please help,
Mike

[boonchuan]

Enable the Windows Firewall, open all the ports you need (Especially the Remote Connection Port).

Once this is done, go to Firewall Setting. Highlight the port you want to limit.

Secondly go to IIS Web Sites, SMTP and FTP, there is a Directory Security, where you can deny access to the IPs.

The firewall allows access to specific range. The IIS can allow or deny access to specific IP range.

[WHU-Mike]

I do not want to limit a port. This server is used for Dedicated games. I do not have SMTP or FTP. I just need to know how to block some random IPs from trying to log in as admin.

How can I access the windows firewall?

[laswatech]

Go to Control panel and you can find windows firewall..

[keserhosting]

Check the below thread. Hope it will help you.

http://www.webhostingtalk.com/showthread.php?t=613759

[m-matt]

I have configured a script to catch those failure event ids with IP address details from event viewer and will be added to IPSec instantly. As far as I know there is no other options. I had same problem on all of my servers. The only disadvantage is we need to schedule the script to run continuously.

[Motiv]

Were you able to block the IP(s) in question?

[m-matt]

attacking IPs will be added to IPSec policy to deny further attempts

firewall is a piece of waste for Windows 2003. Same time IPSec can do more than firewall

[boonchuan]

Might as well get a commercial software firewall to do the job. Simple and can do what you need to do.

[m-matt]

Quote:

Originally Posted by boonchuan

Might as well get a commercial software firewall to do the job. Simple and can do what you need to do.

VERY SURE. I believe visnetic firewall can do it.

Me just configured for my satisfaction, and I know the limitations as well. In my opinion the first step needed to be taken to avoid such attacks is change usual connection port to some higher ports, then monitor it using IPSec or firewall.

[megwa2001]

Ghostwall firewall is free & very lite

[skullbox]

If a hardware firewall is an option, you can pick up some of the older Netscreen 5GTs on ebay. If your server doesn't have more than 10 IPs, you can save even more money buy purchasing one of those.

[spdfox]

I use visnetic or Mcafee Firewall in mys windows servers

[VSilo]

To block an IP in windows you want to use routing and remote access:

First you must shut down and disable Microsoft Windows Firewall.

1. Go to Start >> Administrative Tools >> Services
2. Scroll to the bottom to Windows Firewall/Internet Connection Sharing (ICS)
3. Right click and go to >> Properties
4. Under the General tab choose Startup Type: Disabled
5. Click Stop
6. Once the service is stopped click OK.

Next we begin the process to block/ban an IP.

1. Go to Start >> Administrative Tools >> Routing and Remote Access
2. In the left hand menu you should see directory tree. At the head is Routing and Remote Access and under it is >> Server Status && >> $HOSTNAME (local)
3. Right click on $HOSTNAME (local) and go to >> configure and enable routing and remote access
* If this option is grayed out, skip to step 8 below.
4. A wizard will pop up click Next.
5. Select Custom configuration and click Next.
6. Check NAT and basic firewall and click Next and then click Finish.
7. It will prompt you if you would like to start the service. Click Yes.
8. In the left hand menu under $HOSTNAME (local) go down to General and right click on the interface you want to manage and select Properties.
9. click on Inbound Filters.
10. Click New... Check Source network and enter the I.P. address you would like to ban/block and enter a subnet mask of 255.255.255.255 to block only that I.P. NOTE: If you want to block a specific port, select TCP and fill in the destination port.
11. Click OK. Check the radial Receive all packets except those that meet the criteria below. Click OK.
12. Click OK one last time.

You have successfully now just blocked an ip from accessing your server!

[XFactorServers]

Just restrict RDP by ip. They can't brute force there way in unless they mask your ip as well as brute force..