Geekzone: technology news, blogs, forums


tardtasticx

3075 posts

Uber Geek


#183725 27-Oct-2015 21:32

Hi All, hoping someone can shed some light on what I assumed would be a relatively easy task (but has so far proved anything but!)

I need to get some sort of logging of traffic/requests to a server we have set up; it just needs the IP address and time, nothing terribly fancy.

The server we've got set up is running on Amazon AWS in Sydney, an EC2 instance. Running on it is the server-side Java application for a uni project, a Tomcat server and a MySQL server. It's not a production server for a company or anything, so I'm not really concerned; it just obviously isn't great having random people trying to connect. We keep seeing login requests/attempts for the Tomcat server using root, tomcat, admin etc. as usernames, but it doesn't provide anything useful other than that.

Was hoping that if we could find the IPs trying to login, I could add them to a rule in the Windows firewall and block them. My original idea was to do it via the EC2 console, but it has a default rule of block every port and IP, where you have to specify addresses/ports to allow. This wouldn't work as the 3 of us in our project team have dynamic IPs at home, so it would be really tricky to keep up with. 

If there's another solution I'm missing I'd really appreciate it :)
This goes a little bit beyond what I was taught in my classes so I'm kind of out of my depth but really want to learn. The only time we went into the firewall settings in class was to turn it off completely, that is not gonna happen obviously.


Thanks in advance!
_Sam


This is a filtered page: currently showing replies marked as answers.

tardtasticx

3075 posts

Uber Geek


  #1415158 28-Oct-2015 02:56

Whoa, what a night.

So, I figured out what I was doing wrong. I was setting up logging for traffic only on domain networks rather than public. And since it's not connected to a domain it wasn't generating any results. Problem solved!

Now for the juicy details about how I stuffed it all up :)

 

  • Left server running and waited for a random to try to log in (figured it's automated because they did 20 attempts in the space of 4 seconds using just 3 usernames, none of which existed).
  • Checked log, cross-referenced the timestamp and got their IP. RESULT!
  • Made a new firewall rule to block all traffic to that IP. Got super confident because I figured out my original problem and just skipped through the steps. Hit save, system locks up. Realised the second my mouse stopped moving that I'd never entered the IP address, and must have selected the wrong option and blocked ALL traffic on ANY port including RDP. Since this was hosted on AWS I didn't have access to the server physically, and locked my dumba$$ out.


For future reference in case anyone is as dumb as I was (but highly likely tbh) or I repeat the same mistake tomorrow:

  1. Shut down instance 1 and detach root volume 1 (through Management Console) or AWS CLI:
    1. http://docs.aws.amazon.com/cli/latest/userguide/installing.html
    2. Detach: http://docs.aws.amazon.com/cli/latest/reference/ec2/detach-volume.html?highlight=detach%20volume
    3. Attach: http://docs.aws.amazon.com/cli/latest/reference/ec2/attach-volume.html?highlight=attach%20volume
  2. Follow instructions from here: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/troubleshooting-windows-instances.html#rdp-issues
    1. I found I had to disable the keys mentioned in the guide as well as defaultoutboundrule or something as well, which was set at 1 and wouldn't work until I changed it to 0.

Assuming everything went okay, once you reattach volume 1 to instance 1, everything should be good to go. Now go back to where we were before and set up the firewall rule properly!
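
Added example, not part of the original post: the three steps described above (log on the Public profile, find the source IP in the firewall log, block only that source) as PowerShell, with a guard against the empty-address mistake. The function names, the Tomcat port 8080 and the sample log lines are assumptions made for illustration.

```powershell
# Added example (not from the post). Assumptions: Tomcat on TCP 8080; the
# function names are hypothetical; log lines are constructed samples.

# 1. Log on the Public profile; a non-domain instance never uses Domain.
function Enable-PublicFirewallLog {
    Set-NetFirewallProfile -Profile Public -LogAllowed True -LogBlocked True `
        -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
}

# 2. Count TCP connections per source IP for one destination port.
function Get-SourceCount {
    param([string[]]$Lines, [int]$Port)
    $Lines | Where-Object { $_ -and $_ -notmatch '^#' } | ForEach-Object {
        $f = $_ -split '\s+'
        # fields: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -ge 8 -and $f[3] -eq 'TCP' -and $f[7] -eq "$Port") { $f[4] }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'SourceIp'; e = { $_.Name } }
}

# 3. Block one source on one port. A missing or invalid address throws, so an
#    empty field can never turn into "any address, any port" (RDP included).
function Add-SourceBlock {
    param([string]$RemoteAddress, [int]$Port, [switch]$Apply)
    $ip = $null
    if (-not [ipaddress]::TryParse($RemoteAddress, [ref]$ip)) {
        throw "Refusing to create rule: '$RemoteAddress' is not an IP address."
    }
    # Preview with -WhatIf unless -Apply is given explicitly.
    New-NetFirewallRule -DisplayName "Block $ip to TCP $Port" -Direction Inbound `
        -Action Block -Protocol TCP -LocalPort $Port `
        -RemoteAddress $ip.ToString() -WhatIf:(-not $Apply)
}

# Constructed sample in the pfirewall.log layout (documentation-range IPs).
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2015-10-28 01:12:03 ALLOW TCP 203.0.113.45 10.0.0.5 51234 8080 0 - 0 0 0 - - - RECEIVE'
    '2015-10-28 01:12:03 ALLOW TCP 203.0.113.45 10.0.0.5 51235 8080 0 - 0 0 0 - - - RECEIVE'
    '2015-10-28 01:12:04 ALLOW TCP 203.0.113.45 10.0.0.5 51236 8080 0 - 0 0 0 - - - RECEIVE'
    '2015-10-28 01:15:40 ALLOW TCP 198.51.100.7 10.0.0.5 40110 8080 0 - 0 0 0 - - - RECEIVE'
    '2015-10-28 01:16:02 ALLOW TCP 198.51.100.7 10.0.0.5 40111 3389 0 - 0 0 0 - - - RECEIVE'
)
Get-SourceCount -Lines $sample -Port 8080                  # noisiest source first
Add-SourceBlock -RemoteAddress '203.0.113.45' -Port 8080   # preview only
```

Run `Enable-PublicFirewallLog` and `Add-SourceBlock ... -Apply` from an elevated session, and only after the preview shows the intended address and port.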

