Proper rule to create

Peter_1985 2,526 Reputation points
2021-04-08T13:01:03.037+00:00

Hi,
I have already created the rule below

netsh advfirewall firewall add rule name="NETRule8/04/2021 14:16:37_1" dir=in action=block remoteip=5.188.1.1-5.188.255.255

but the IP 5.188.206.246 is still creating bad activities on the Email server, like

2021-04-08 20:21:14 htwnmmiqwvpt@ump.gwdg.de operations@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-08 20:21:38 qplaiebpykgy@ump.gwdg.de oyqjaafslj@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-08 20:51:00 vzumobgvjdb@lighthouseapostolicchurch.net acnfrkbnwx@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0

How can I protect the server well?

Tags: Windows Server 2016, Windows Server, Windows Server Infrastructure

Accepted answer
  1. Sunny Qi 10,906 Reputation points Microsoft Vendor
    2021-04-15T09:11:38.127+00:00

    Hi,

    Thanks for your feedback.

    I understand the rule is actually configured for the domain, private and public profiles. If you want to check whether this rule is taking effect in the firewall, we need to check the firewall log, and the firewall log needs to be enabled for the domain, private and public profiles separately. I noticed that the firewall for the domain profile in your environment has been disabled, so you need to enable the firewall log for the private and public profiles for checking.

    As for so much traffic from 5.188.xxx.xxx being triggered, it's expected behavior. Please allow me to use a similar example to explain the workflow of Windows Firewall. For example, you have a friend who is a person you don't like, but he/she wants to contact you by sending a letter to you. You don't know when he/she will send this letter to you, and you can receive his/her letter anyhow; however, when you receive this letter, you have the right to reject it or return it to the sender.

    Meanwhile, based on my research, is it possible that these IP addresses belong to mail servers? You could try to add these IPs to a blacklist to see if the issue can be resolved.

    Hope my answer will help you. Thank you for your understanding.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


28 additional answers

  1. Sunny Qi 10,906 Reputation points Microsoft Vendor
    2021-04-09T06:06:21.937+00:00

    Hi,

    Thanks for posting in Q&A platform.

    My understanding is that you have blocked traffic from the remote IP range 5.188.1.1 to 5.188.255.255 by adding a new rule in Inbound Rules of Windows Defender Firewall with Advanced Security. Please correct me if my understanding is wrong.

    When a data packet arrives at the server from the external network, Windows Defender Firewall with Advanced Security checks the data packet and determines whether it complies with the inbound rules specified in the firewall rules. If the data packet matches the "Access Control" inbound rule in the rule set, Windows Defender Firewall with Advanced Security performs the operation specified in it: block the connection or allow the connection. If the packet does not match the "Access Control" inbound rule in the rule set, Windows Firewall discards the packet and creates an entry in the firewall log file.

    You could enable the firewall log to check if the traffic from the specific IP has been dropped by firewall.

    [screenshot: 86133-image-3.png]

    [screenshot: 86151-image-4.png]

    Best Regards,
    Sunny


  2. Peter_1985 2,526 Reputation points
    2021-04-09T07:55:44.67+00:00

    Hi,
    How do I get to the option below (per your advice)?
    [screenshot: 86175-f.png]


  3. Sunny Qi 10,906 Reputation points Microsoft Vendor
    2021-04-09T08:49:11.997+00:00

    Hi,

    Please open Windows Defender Firewall with Advanced Security, right-click it, and select Properties.

    [screenshot: 86222-image-5.png]

    Then, under each Profile, please click Customize and enable Log dropped packets and click OK to enable the firewall log. Please kindly note that the default path for the log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.

    [screenshot: 86214-image.png]

    Best Regards,
    Sunny

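The accepted answer and the answer above describe enabling dropped-packet logging per profile and then reading pfirewall.log to confirm the block rule is matching. The following PowerShell is an added example written for this thread, not code from either poster or from Microsoft: it turns on logging for the Private and Public profiles (the Domain profile is disabled in the poster's environment), shows the rule's state, and parses the log for DROP entries from the 5.188.x.x range. It assumes the default log path quoted in the answer and the standard W3C header (`#Fields:`) that pfirewall.log writes; the rule display name is the one from the original question.

```powershell
# Run in an elevated PowerShell on the Windows Server 2016 host.
# Default log path from the answer above.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 1. Enable logging of dropped packets on the two active profiles.
Set-NetFirewallProfile -Profile Private,Public -LogBlocked True -LogFileName $LogPath

# 2. Confirm the inbound block rule from the question exists, is enabled,
#    and applies to the profiles that are actually on (Private/Public).
Get-NetFirewallRule -DisplayName 'NETRule8/04/2021 14:16:37_1' |
    Select-Object DisplayName, Enabled, Profile, Direction, Action

# 3. Parse pfirewall.log. Column names are taken from the file's own
#    '#Fields:' header, so the parser follows whatever layout the log uses.
function Get-DroppedFromRange {
    param(
        [string]$Path = $LogPath,
        [string]$SourcePrefix = '5.188.'   # the blocked range from the question
    )
    $fields = $null
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -like '#Fields:*') {
            $fields = ($_ -replace '^#Fields:\s*', '') -split '\s+'
            return
        }
        if ($null -eq $fields -or $_ -match '^#' -or $_ -match '^\s*$') { return }
        $cols = $_ -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) {
            $row[$fields[$i]] = $cols[$i]
        }
        # Only inbound (RECEIVE) drops whose source is in the blocked range.
        if ($row['action'] -eq 'DROP' -and
            $row['path'] -eq 'RECEIVE' -and
            $row['src-ip'].StartsWith($SourcePrefix)) {
            [pscustomobject]@{
                Time    = "$($row['date']) $($row['time'])"
                Src     = $row['src-ip']
                Proto   = $row['protocol']
                DstPort = $row['dst-port']
            }
        }
    }
}

# Summarise drops per source address; a populated list means the rule is
# matching, while an empty list alongside fresh 550s in the mail log means
# the SMTP sessions are still reaching the mail service.
Get-DroppedFromRange | Group-Object Src | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Re-run step 3 after a few minutes of traffic, since the log is only written once logging is enabled and the profile's firewall is on.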

  4. Peter_1985 2,526 Reputation points
    2021-04-09T09:42:33.557+00:00

    Hi,
    Can you share a screenshot of the way to access "Windows Defender Firewall with Advanced Security"?
