Windows Server 2008 R2 Enterprise Help ( DDOS, Security, Creating Logs ) Related

Status
Not open for further replies.

PremiumRdp

Hello,

I am an RDP provider.

I have a server with Redstation DC.

For the last 5 days my server has been going offline automatically.
I have a KVM (DRAC Enterprise (Virtual KVM)) with the server.

When it goes offline, I open the KVM, power it off and then on again.

Then it starts working again, but after some hours it goes offline again.

This is a serious issue. My users will not like me if I have this issue for 2 or 3 more days.


When I created a ticket with Redstation, they told me that the server may be under attack.
This is the reply from Redstation:


Having investigated this, a large volume of login attempts are being shown within the Windows event viewer, which indicates that the server may be under attack but is not a 100% guaranteed diagnosis that this is causing the server to reboot; however, it is a possible cause, as too many login attempts could cause the server to crash.

We have determined that there are no hardware faults so the fault is likely software.
If possible it would be suggested to stop or remove any running tasks on the server to determine if this is being caused by software or services run on the server, or alternatively re-install windows to ensure the OS has not become corrupted.


Update:

Hello, today it went off again.

[Screenshot: lawU5dn.png]


After I logged in, I checked this. What does it mean?



So my questions are:

1. How do I check whether my server is getting a DDoS attack?
2. Are there any tools which keep logs of IPs etc. and the speed coming to or from any IP, like a 5 Gbps attack from any IP?
3. Are there any tools to prevent this, or any firewall software etc.?
 
Hello rdpzone,

Thanks a lot for the reply. Can you tell me how to do it?
Give me any tutorial link to follow, or please tell me how to do it.
 
Check your logs yourself and see if there's a specific user that causes this many problems.

You can block access to a port, but not if it's RDP, which I assume.
If it's DDoS, you don't really have a chance to stop it.
If it's DoS, block the IP via Windows extended firewall (same thing for the port), but be aware that you can prevent yourself from logging in if you close the wrong ports ^^
 
Hi,

Create a new Deny subnet rule within the firewall and block the network by adding "63.149.0.0/16". This will surely block the brute-force attack. What I thought is that it's a dictionary attack, a different type of brute force.
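
The log check and firewall block suggested in the replies above, as an added example that is not part of the original thread or any poster's code: it counts failed logons (Security event 4625) per source address and per hour, lists unexpected-shutdown events (System event 6008) for comparison, and prints a block rule for each top source. The 7-day window, the default RDP port 3389 and the rule name are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumptions: 7-day window, RDP on default TCP 3389, rule name is hypothetical.
$since = (Get-Date).AddDays(-7)

# Failed logons are Security event 4625; pull source IP and account from the event XML.
$failed = @(Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated
            Ip   = $fields['IpAddress']
            User = $fields['TargetUserName']
        }
    })

# 1. Which source addresses generate the failures? ('-' means no address was recorded.)
$topIps = @($failed | Where-Object { $_.Ip -and $_.Ip -ne '-' } |
    Group-Object Ip | Sort-Object Count -Descending | Select-Object -First 10 Count, Name)
$topIps | Format-Table -AutoSize

# 2. Failures per hour, to see whether a spike precedes each outage.
$failed | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# 3. System event 6008 is written at the next boot after a crash or hard power-off;
#    its message contains the time the previous session stopped.
Get-WinEvent -FilterHashtable @{ LogName='System'; Id=6008; StartTime=$since } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated | Select-Object TimeCreated, Message | Format-List

# 4. Print (do not run) one block rule per top source, scoped to the RDP port only,
#    so each rule can be reviewed before it is applied.
foreach ($ip in $topIps) {
    'netsh advfirewall firewall add rule name="Block failed-logon source {0}" dir=in action=block protocol=TCP localport=3389 remoteip={0}' -f $ip.Name
}
```

Check each printed address against the one you connect from before applying a rule, since a block on your own address locks you out of RDP.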
 