Windows Server 2012 R2 – Firewall Logging for RDP (or any other service!)

Want to restrict a public service on your server?

Today I'm giving a small tip for when your router does not support access lists, so we will do it 100% from the server's side.

Let's start with an example using RDP.

We start by forwarding port 3389 to our server. An example below with a small Linksys router.

(Image: rdp.png)

In the Windows Firewall, we check that the RDP rule is allowed, and we can then restrict it so that only the specified IP range is allowed.

(Image: rdp2.png)

In the screen below we enter the wanted IP range. (For me it was my local ISP's range; pic source)

(Image: rdp4.png)

Now the more obscure step: we configure our firewall to log blocked connections. The firewall's log is found here by default: %windir%\system32\logfiles\firewall\pfirewall.log.

We run the following command so that the log gets filled with DROPped connection attempts:

netsh advfirewall set allprofiles logging droppedconnections enable
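The same two steps (restricting the RDP rule to one address range, then enabling logging of dropped packets) can also be done without the GUI, using the NetSecurity cmdlets that ship with Server 2012 R2. This is an added example, not part of the original post; the range 203.0.113.0/24 is a placeholder (RFC 5737 documentation prefix) that you replace with your own ISP range.

```powershell
# Added example (not from the original post): scope the built-in inbound RDP rules
# to one address range and turn on logging of dropped packets, from PowerShell.
$allowedRange = '203.0.113.0/24'   # placeholder: put your own ISP range here (CIDR or "a.b.c.d-e.f.g.h")

# 1. Show the current remote-address scope of the inbound "Remote Desktop" rules.
#    Out of the box it is "Any", which is what we want to change.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress

# 2. Restrict the scope: only the allowed range may reach TCP/UDP 3389.
#    Do this from a console session (or from inside the allowed range), since the
#    change applies immediately and cuts off every other RDP client.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowedRange

# 3. Log dropped packets on every profile. This has the same effect as
#    "netsh advfirewall set allprofiles logging droppedconnections enable";
#    the log path is the default one, and the maximum size is raised from 4 MB
#    so a busy weekend of scans does not roll the log over too quickly.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogBlocked True `
    -LogFileName '%windir%\system32\logfiles\firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 4. Verify both changes.
Get-NetFirewallProfile |
    Select-Object -Property Name, LogBlocked, LogFileName, LogMaxSizeKilobytes
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress
```

Run it from an elevated PowerShell prompt. Step 2 is the one that locks the door: if your own address is outside the range you pass to -RemoteAddress, your RDP session will be the first thing dropped, so test from the console or keep a second management path open.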

After a while, if our rule works correctly, our log should show some blocked attempts.

2016-10-22 10:02:35 DROP TCP 179.43.149.5 192.168.1.10 26286 3389 52 S 2834367233 0 8192 - - - RECEIVE
2016-10-22 11:34:48 DROP TCP 185.93.185.7 192.168.1.10 45610 3389 40 S 3512451859 0 1024 - - - RECEIVE
2016-10-22 11:44:54 DROP TCP 47.18.154.28 192.168.1.10 48447 3389 40 S 763731365 0 1024 - - - RECEIVE
2016-10-22 12:03:24 DROP TCP 171.8.0.87 192.168.1.10 30612 3389 40 S 1989410816 0 16384 - - - RECEIVE
2016-10-22 12:42:31 DROP TCP 104.223.180.20 192.168.1.10 60328 3389 40 S 3936878592 0 16384 - - - RECEIVE
2016-10-22 14:04:36 DROP TCP 183.60.48.25 192.168.1.10 12213 3389 40 S 62195378 0 8192 - - - RECEIVE
2016-10-22 15:02:26 DROP TCP 61.240.144.65 192.168.1.10 42805 3389 40 S 2066287928 0 1024 - - - RECEIVE
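Reading the raw log by eye works for a handful of lines, but once the scanners find the port you will want a summary: which source addresses are hitting which port, and how often. The following is an added example (not from the original post) that parses the pfirewall.log format shown above into objects and groups the DROP entries. The field list matches the "#Fields:" header Windows writes at the top of the log; the embedded sample lines are constructed (RFC 5737 addresses) so the script also runs on a machine without a log, and ConvertFrom-PfirewallLog is a name chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the original post): parse pfirewall.log and summarise
# dropped connections per source address and destination port.

# Column order from the log's own "#Fields:" header (Windows Server 2012 R2).
$fields = 'date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
          'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path'

function ConvertFrom-PfirewallLog {
    # Turns each log line into an object with one property per field.
    # Header/comment lines ("#...") and blank or malformed lines are skipped.
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { return }
        $parts = $Line.Trim() -split '\s+'
        if ($parts.Count -ne $fields.Count) { return }   # not a record we understand
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $parts[$i] }
        [pscustomobject]$record
    }
}

# Constructed sample in the real log layout (placeholder addresses), used only
# when the real log is not present on this machine.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-10-22 10:02:35 DROP TCP 198.51.100.7 192.168.1.10 26286 3389 52 S 2834367233 0 8192 - - - RECEIVE
2016-10-22 10:02:36 DROP TCP 198.51.100.7 192.168.1.10 26287 3389 52 S 2834367234 0 8192 - - - RECEIVE
2016-10-22 10:02:37 DROP TCP 198.51.100.7 192.168.1.10 26288 3389 52 S 2834367235 0 8192 - - - RECEIVE
2016-10-22 11:34:48 DROP TCP 203.0.113.44 192.168.1.10 45610 3389 40 S 3512451859 0 1024 - - - RECEIVE
2016-10-22 11:35:02 DROP TCP 203.0.113.44 192.168.1.10 45611 445 40 S 3512451860 0 1024 - - - RECEIVE
2016-10-22 12:03:24 ALLOW TCP 203.0.113.9 192.168.1.10 51000 3389 52 S 1989410816 0 8192 - - - RECEIVE
'@

$logPath = "$env:windir\system32\logfiles\firewall\pfirewall.log"
$lines = if (Test-Path $logPath) { Get-Content -Path $logPath } else { $sample -split "`r?`n" }

# Keep only dropped packets; the DROP/ALLOW distinction is the "action" column.
$drops = $lines | ConvertFrom-PfirewallLog | Where-Object { $_.action -eq 'DROP' }

# Repeat offenders float to the top: the same source hammering one port is the
# scanner/bot pattern described in the post, not a legitimate user mistyping.
$drops |
    Group-Object -Property 'src-ip', 'dst-port' |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ Name = 'Source'; Expression = { $_.Group[0].'src-ip' } },
        @{ Name = 'Port';   Expression = { $_.Group[0].'dst-port' } },
        @{ Name = 'Last';   Expression = { ($_.Group | Select-Object -Last 1).time } } |
    Format-Table -AutoSize

# Distinct sources per destination port: how many different hosts probed 3389 today.
$drops |
    Group-Object -Property 'dst-port' |
    ForEach-Object {
        [pscustomobject]@{
            Port    = $_.Name
            Drops   = $_.Count
            Sources = ($_.Group.'src-ip' | Sort-Object -Unique).Count
        }
    } | Format-Table -AutoSize
```

With the real log in place the script reads it directly; otherwise it falls back to the constructed sample, where 198.51.100.7 shows up with three drops on port 3389 and 203.0.113.44 appears on both 3389 and 445. Because the log is a plain text file and the firewall appends to it continuously, this is also a reasonable thing to run on a schedule and feed into whatever alerting you already have.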

At this step, if our IP range is correctly set up, we are safer on the internet, and there is no need to worry about seeing connection attempts: a lot of bots scan well-known ports.


Thanks!
