question

Jackson1990-7147 asked SunnyQi-MSFT commented

Proper rule to create

Hi,
I have already created the rule below

netsh advfirewall firewall add rule name="NETRule8/04/2021 14:16:37_1" dir=in action=block remoteip=5.188.1.1-5.188.255.255

but the IP 5.188.206.246 is still generating bad activity on the email server, like

2021-04-08 20:21:14 htwnmmiqwvpt@ump.gwdg.de operations@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-08 20:21:38 qplaiebpykgy@ump.gwdg.de oyqjaafslj@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-08 20:51:00 vzumobgvjdb@lighthouseapostolicchurch.net acnfrkbnwx@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0

how to protect the server well?


Tags: windows-server, windows-server-2016, windows-server-infrastructure
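The check that decides this whole thread can be done offline with the data in the question. The following is an added example (not code from the question or from any answer): it takes the range from the netsh command and the creation time embedded in the rule name, then tests each posted SMTP log line for whether its source is inside the blocked range and whether the hit postdates the rule. Recipient addresses, which are masked in the post, are replaced with example.invalid placeholders; everything else is copied from the question.

```powershell
# Added example, not from the thread. Offline check: should the netsh rule have blocked these hits?
# Values come from the question; the recipient domains are constructed placeholders (example.invalid).

# From the netsh command: remoteip=5.188.1.1-5.188.255.255. The rule name embeds its creation time.
$culture     = [System.Globalization.CultureInfo]::InvariantCulture
$ruleCreated = [datetime]::ParseExact('2021-04-08 14:16:37', 'yyyy-MM-dd HH:mm:ss', $culture)
$rangeStart  = [System.Net.IPAddress]::Parse('5.188.1.1')
$rangeEnd    = [System.Net.IPAddress]::Parse('5.188.255.255')

# SMTP log lines as posted: date time sender recipient remote-ip local-ip protocol ? status 0
$smtpLog = @'
2021-04-08 20:21:14 htwnmmiqwvpt@ump.gwdg.de operations@example.invalid 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-08 20:21:38 qplaiebpykgy@ump.gwdg.de oyqjaafslj@example.invalid 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-08 20:51:00 vzumobgvjdb@lighthouseapostolicchurch.net acnfrkbnwx@example.invalid 5.188.206.246 127.0.0.1 SMTP ? 550 0
'@ -split "`r?`n" | Where-Object { $_.Trim() }

# IPv4 -> number so a range check becomes a plain comparison (GetAddressBytes is big-endian).
function ConvertTo-IPv4Number {
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-IPv4InRange {
    param([string]$Ip, [System.Net.IPAddress]$Start, [System.Net.IPAddress]$End)
    $n = ConvertTo-IPv4Number ([System.Net.IPAddress]::Parse($Ip))
    ($n -ge (ConvertTo-IPv4Number $Start)) -and ($n -le (ConvertTo-IPv4Number $End))
}

$report = foreach ($line in $smtpLog) {
    $f    = $line -split '\s+'
    $when = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
    $src  = $f[4]
    $inRange   = Test-IPv4InRange -Ip $src -Start $rangeStart -End $rangeEnd
    $afterRule = $when -gt $ruleCreated
    [pscustomobject]@{
        Time             = $when
        Source           = $src
        SmtpStatus       = $f[8]          # 550 means the mail server answered, so the packet was never dropped
        InBlockedRange   = $inRange
        AfterRuleCreated = $afterRule
        # In range, after the rule existed, yet answered by SMTP: the firewall is not enforcing
        # the rule on the profile/interface the traffic arrives on.
        RuleNotEnforced  = ($inRange -and $afterRule)
    }
}
$report | Format-Table -AutoSize
```

For all three posted lines the source is inside the range and the hit is later than the rule's creation time, so a 550 from SMTP shows the firewall never saw the rule as applicable. That points at the rule's profile binding or the firewall state on the active profile rather than at the rule's address range.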

SunnyQi-MSFT answered

Hi,

Thanks for your feedback.

I understand the rule is actually configured for the domain, private and public profiles. If you want to check whether this rule is taking effect in the firewall, you need to check the firewall log, and the firewall log needs to be enabled for the domain, private and public profiles separately. I noticed that the firewall for the domain profile in your environment has been disabled, so you need to enable the firewall log for the private and public profiles for checking.

As for the fact that so much traffic from 5.188.xxx.xxx was triggered, it's expected behavior. Please allow me to use a similar example to explain the workflow of Windows Firewall. For example, you have an acquaintance you don't like, but he or she wants to contact you by sending you a letter. You don't know when he or she will send this letter, and you can receive the letter anyhow; however, when you receive this letter, you have the right to reject it or return it to the sender.

Meanwhile, based on my research, is it possible that these IP addresses belong to mail servers? You could try to add these IPs to a blacklist to see if the issue can be resolved.

Hope my answer will help you. Thank you for your understanding.

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

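The answer above notes that the firewall for the domain profile is disabled. That is exactly the condition under which a correctly written block rule does nothing: a rule only applies to traffic arriving on a profile whose firewall is On, and each interface is in exactly one profile at a time. The following is an added example (not from the thread) that verifies each link in that chain with the built-in NetSecurity cmdlets; the rule name is the one from the netsh command in the question, and the final New-NetFirewallRule call is optional and assumed, not something the thread itself recommends.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the server.
$ruleName = 'NETRule8/04/2021 14:16:37_1'   # display name from the netsh command in the question

# 1. Which profile is the server's interface actually in? Traffic is evaluated against that profile only.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 2. Is the firewall On for that profile? A rule bound to a profile whose firewall is Off is never applied.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName

# 3. Does the rule exist, is it enabled, and what does it actually match?
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction Stop
$rule | Select-Object DisplayName, Enabled, Direction, Action, Profile
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress     # expect 5.188.1.1-5.188.255.255
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort # expect Any / Any

# 4. Optional (assumed, not from the thread): the whole /16 also covers 5.188.0.0-5.188.1.0, which the
#    hand-typed range starting at 5.188.1.1 misses. Explicit block rules take precedence over allow
#    rules in Windows Defender Firewall, so this does not need to be scoped to a port.
New-NetFirewallRule -DisplayName 'Block 5.188.0.0/16 inbound' -Direction Inbound -Action Block `
    -RemoteAddress 5.188.0.0/16 -Profile Any -Enabled True
```

If step 1 reports DomainAuthenticated and step 2 shows Domain with Enabled False, the rule in step 3 can look perfect and still never fire; turning the firewall on for that profile (or making the rule irrelevant by fixing the profile state) is what changes the SMTP log, not another rule.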

SunnyQi-MSFT answered

Hi,

Thanks for posting in Q&A platform.

My understanding is that you have blocked traffic from the remote IP range 5.188.1.1 to 5.188.255.255 by adding a new rule in the Inbound Rules of Windows Defender Firewall with Advanced Security. Please correct me if my understanding is wrong.

When a data packet arrives at the server from the external network, Windows Defender Firewall with Advanced Security checks the packet and determines whether it complies with the inbound rules specified in the firewall rules. If the packet matches the "Access Control" inbound rule, Windows Defender Firewall with Advanced Security performs the operation specified in it: block the connection or allow the connection. If the packet does not match the "Access Control" inbound rule, Windows Firewall discards the packet and creates an entry in the firewall log file.

You could enable the firewall log to check if the traffic from the specific IP has been dropped by firewall.

86133-image-3.png

86151-image-4.png

Best Regards,
Sunny


Jackson1990-7147 answered

Hi,
How do I get to the option below (per your advice)?
86175-f.png



SunnyQi-MSFT answered

Hi,

Please open Windows Defender Firewall with Advanced Security, right-click it, and select Properties.

86222-image-5.png

Then, under each profile, please click Customize, enable Log dropped packets, and click OK to enable the firewall log. Please kindly note that the default path for the log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.

86214-image.png

Best Regards,
Sunny


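The same logging setup can be scripted, and once the log has entries it is easier to grep than to read. The following is an added example (not from the thread): it turns on dropped-packet logging for all three profiles with Set-NetFirewallProfile, then parses pfirewall.log, whose W3C-style "#Fields:" header names its columns, and lists DROP entries from the attacker's range aimed at the SMTP port. The cmdlets and the log layout are real; the log lines fed to the parser are constructed here so the block runs without a server, and the 192.0.2.x / 198.51.100.x addresses are documentation ranges, not the poster's.

```powershell
# Added example, not from the thread. Run elevated to change the profile settings.

# Equivalent of the GUI steps above: log dropped packets on Domain, Private and Public (default file path).
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 32767

# pfirewall.log: comment lines start with '#', the '#Fields:' line names the columns, data is space-separated.
function Get-FirewallDrops {
    param([string[]]$Lines, [string]$SourcePrefix, [int]$DestinationPort)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $entry  = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        if ($entry['action'] -eq 'DROP' -and $entry['src-ip'].StartsWith($SourcePrefix) -and $entry['dst-port'] -eq "$DestinationPort") {
            [pscustomobject]@{
                Time     = "$($entry['date']) $($entry['time'])"
                Source   = $entry['src-ip']
                SrcPort  = $entry['src-port']
                DstPort  = $entry['dst-port']
                Protocol = $entry['protocol']
                Path     = $entry['path']     # RECEIVE for inbound
            }
        }
    }
}

# Constructed sample in the real file's layout. On the server use:
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-04-13 08:47:22 DROP TCP 5.188.206.246 192.0.2.10 51644 25 52 S 1234567890 0 8192 - - - RECEIVE
2021-04-13 08:47:23 ALLOW TCP 198.51.100.7 192.0.2.10 40211 25 0 - 0 0 0 - - - RECEIVE
2021-04-13 08:47:25 DROP UDP 5.188.206.246 192.0.2.10 53211 161 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

Get-FirewallDrops -Lines $sample -SourcePrefix '5.188.' -DestinationPort 25 | Format-Table -AutoSize
```

Only the first sample line is reported: the second is an ALLOW and the third is a drop on a different port. On the real file, a DROP line for 5.188.206.246 to port 25 is proof the rule is working; if the SMTP log keeps showing 550s from that address while pfirewall.log has no such line, the traffic is arriving on a profile where the firewall is off, and the log file can stay at 0 bytes because nothing is being dropped.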

Jackson1990-7147 answered

Hi,
Can you share a screenshot of the way to access "Windows Defender Firewall with Advanced Security"?

SunnyQi-MSFT answered

Hi,

You could click Start, type Windows Defender Firewall, and then select Windows Defender Firewall with Advanced Security.

86233-image-7.png

Or you could click Start, locate Windows Administrative Tools and expand it, scroll down, and you will find Windows Defender Firewall with Advanced Security.

86257-image-8.png

86207-image-9.png

Best Regards,
Sunny


Jackson1990-7147 answered SunnyQi-MSFT commented

Should I add the relevant feature (to the server) shown below?
86259-g.png




Hi,

No, Windows Defender Firewall with Advanced Security is enough.

Best Regards,
Sunny

Jackson1990-7147 answered Jackson1990-7147 published

Hi,
After we set Log dropped packets to Yes, when will we see details in the relevant log file (which is the following file, and currently has 0 size)?

%systemroot%\system32\LogFiles\Firewall\pfirewall.log


Sorry for the late reply, since I was out of the office on Monday. Regarding your question, the answer is yes. When you enable Log dropped packets, you will see detailed information like the following attached screenshot.

87135-image.png



Hi,
There is a rule (created within the server) like

netsh advfirewall firewall add rule name="NETRule8/04/2021 17:55:37_1" dir=in action=block remoteip=5.188.1.1-5.188.255.255

but there are many attempts (hundreds of similar lines) by that IP like

2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it tyler@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it dale@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it catherine@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it jonas@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it megan@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it roy@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0

how to stop it?

Jackson1990-7147 answered Jackson1990-7147 published

Hi,
There is a rule (created within the server) like

netsh advfirewall firewall add rule name="NETRule8/04/2021 17:55:37_1" dir=in action=block remoteip=5.188.1.1-5.188.255.255

but there are many attempts (in the hundreds) by that IP like

2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it tyler@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it dale@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it catherine@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it jonas@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it megan@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it roy@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0

how to stop it thoroughly?



