Checking connections on Windows Server and blocking an attacker IP in Windows Firewall

Log on to the server and open the command prompt by following these steps:

Start –> Run –> type CMD and press Enter

C:\Users\Administrator>netstat -ano | more

This command accepts more options. If you only want the output for one port, such as port 80, filter it with find. For example, for port 443: netstat -ano | find /i ":443"

It will show output like this:

 

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 6508
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 780
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 6508
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING 1228
TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING 1228
TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING 1228
TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING 1228
TCP 127.0.0.1:12465 0.0.0.0:0 LISTENING 1228
TCP 127.0.0.1:12563 0.0.0.0:0 LISTENING 1228
TCP 127.0.0.1:12993 0.0.0.0:0 LISTENING 1228
TCP 127.0.0.1:12995 0.0.0.0:0 LISTENING 1228
TCP 127.0.0.1:27275 0.0.0.0:0 LISTENING 1228
TCP 192.168.1.20:139 0.0.0.0:0 LISTENING 4
TCP 192.168.1.20:49288 192.168.1.58:445 ESTABLISHED 4
TCP 192.168.1.20:50498 195.154.169.46:80 ESTABLISHED 2812
TCP 192.168.1.20:50516 8.12.5.89:443 ESTABLISHED 4320
TCP 192.168.1.20:50920 216.39.55.13:443 CLOSE_WAIT 2812
TCP 192.168.1.20:51127 132.245.64.82:443 ESTABLISHED 5772
TCP 192.168.1.20:51129 132.245.64.82:443 ESTABLISHED 5772
TCP 192.168.1.20:51145 132.245.64.82:443 ESTABLISHED 5772
TCP 192.168.1.20:51146 132.245.64.82:443 ESTABLISHED 5772
TCP 192.168.1.20:51207 23.46.5.231:80 ESTABLISHED 2812
TCP 192.168.1.20:51773 74.213.145.121:443 ESTABLISHED 6376
TCP 192.168.1.20:52047 216.39.55.12:443 CLOSE_WAIT 6508
TCP 192.168.1.20:52113 184.27.22.227:80 ESTABLISHED 6508
TCP 192.168.1.20:52157 103.243.222.103:80 CLOSE_WAIT 2812
TCP 192.168.1.20:52225 103.243.222.105:80 ESTABLISHED 6508
TCP 192.168.1.20:52265 103.243.222.49:80 CLOSE_WAIT 2812
TCP 192.168.1.20:52483 103.243.222.11:80 CLOSE_WAIT 6508
TCP 192.168.1.20:52515 207.46.101.12:443 ESTABLISHED 6508
TCP 192.168.1.20:52558 207.46.11.152:443 ESTABLISHED 2812
TCP 192.168.1.20:52757 181.224.157.23:80 ESTABLISHED 6376
TCP 192.168.1.20:52796 8.12.5.89:443 FIN_WAIT_2 2900
TCP 192.168.1.20:52797 8.12.5.89:443 FIN_WAIT_2 2900
TCP 192.168.1.20:52798 8.12.5.89:443 FIN_WAIT_2 2900
TCP 192.168.1.20:52799 8.12.5.89:443 FIN_WAIT_2 2900
TCP 192.168.1.20:52800 8.12.5.89:443 FIN_WAIT_2 2900
TCP 192.168.1.20:52801 192.161.148.134:443 ESTABLISHED 6376

Pressing Enter shows the output one connection at a time, and pressing Space shows it page by page.

The first column is the protocol over which your system has, or is trying to make, the connection with the client. It may be TCP or UDP.

The second column is the server's own IP address with the port number.

The third column is the remote address with the remote port number.

The fourth column is the state of the connection. It can be LISTENING, ESTABLISHED, CLOSE_WAIT, FIN_WAIT, LAST_ACK, TIME_WAIT or SYN_RECEIVED. If your server has many connections in the SYN_RECEIVED state, it may be under a SYN flood (SYN_RECEIVED) attack.

Then you need to note that IP and block it in the server firewall or the hardware firewall.

For Windows Firewall, follow the steps below:

Open Windows Firewall by using one of these commands:

C:\Users\Administrator>firewall.cpl (for Windows Firewall)

C:\Users\Administrator>wf.msc (for Windows Firewall with Advanced Security)

Then you need to create a blocking inbound rule.

Right-click Inbound Rules –> New Rule –> Rule Type: Port –> Protocol and Ports: select TCP or UDP and enter the specific port on which you want to block the connection.

The action can be Allow, Allow if it is secure, or Block. Select Allow the connection for now; we will change it to Block later. Then select the profiles (Domain, Private and Public) to which the rule should apply, and type a name for the rule. The rule is now created, but you need to modify it for the specific IP.

Open the properties of the rule, select the Scope tab, add the attacker IP under Remote IP address, and change the action to Block.

This rule will block connections from the specific IP on that port.
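
The SYN_RECEIVED check and the block rule described above can also be scripted. This is an added example, not part of the original article: the function name Get-HalfOpenSource, the threshold of 20 and the sample lines are assumptions, and it prints the equivalent netsh advfirewall command instead of applying it.

```powershell
# Added example, not from the article: function name, threshold and sample
# lines are assumptions made for illustration.
function Get-HalfOpenSource {
    param(
        [string[]]$NetstatLines = (netstat -ano),  # live output unless lines are passed in
        [int]$Threshold = 20                       # assumed cut-off; tune per server
    )
    $NetstatLines | ForEach-Object {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        $f = -split $_
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'SYN_RECEIVED') {
            [pscustomobject]@{
                LocalPort = ($f[1] -split ':')[-1]
                # Cut at the last colon so IPv6 addresses survive intact
                RemoteIP  = $f[2].Substring(0, $f[2].LastIndexOf(':'))
            }
        }
    } |
        Group-Object RemoteIP, LocalPort |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                RemoteIP  = $_.Group[0].RemoteIP
                LocalPort = $_.Group[0].LocalPort
                HalfOpen  = $_.Count
            }
        }
}

# Constructed sample: one normal connection plus 25 half-open connections
# from a documentation-range address (203.0.113.0/24).
$sample = @('  TCP    192.168.1.20:80    198.51.100.7:51000    ESTABLISHED     6508')
$sample += 50000..50024 | ForEach-Object {
    "  TCP    192.168.1.20:80    203.0.113.9:$_    SYN_RECEIVED    6508"
}

Get-HalfOpenSource -NetstatLines $sample | ForEach-Object {
    # Print the block rule instead of running it, so the address can be reviewed first
    'netsh advfirewall firewall add rule name="Block {0} port {1}" dir=in action=block protocol=TCP localport={1} remoteip={0}' -f $_.RemoteIP, $_.LocalPort
}
```

Calling Get-HalfOpenSource with no arguments reads live netstat -ano output. Source addresses in a SYN flood are often spoofed, so check that a reported address is not a legitimate client before blocking it.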

 

Thanks

Shishupal Singh Chahar

 

 
