Weird, concerning "established" connections on RDP port to Russia

First of all, what the actual fuck.
Intro out of the way: I was building an app for my Windows 2022 server hosted in the cloud by a hosting company.
The app is basically a monitoring tool that allows me to check if someone connects/disconnects to my server. It tracks the connections to RDP using the following command: netstat -n | findstr ':3389' | findstr 'ESTABLISHED'
The command is substituted with something else, but whatever.
Here is the output of this command:
TCP my_server_ip:3389 195.226.194.30:7927 ESTABLISHED
TCP my_server_ip:3389 195.226.194.32:1775 ESTABLISHED
TCP my_server_ip:3389 195.226.194.34:42754 ESTABLISHED
TCP my_server_ip:3389 195.226.194.34:45024 ESTABLISHED
TCP my_server_ip:3389 195.226.194.34:45492 ESTABLISHED
TCP my_server_ip:3389 195.226.194.35:28821 ESTABLISHED
TCP my_server_ip:3389 195.226.194.61:34326 ESTABLISHED
TCP my_server_ip:3389 195.226.194.62:54148 ESTABLISHED
TCP my_server_ip:3389 195.226.194.65:29606 ESTABLISHED
TCP my_server_ip:3389 195.226.194.65:31206 ESTABLISHED
TCP my_server_ip:3389 195.226.194.68:13096 ESTABLISHED
TCP my_server_ip:3389 my_pc_ip:49337 ESTABLISHED
So what is 195.226.194.*?
It says established connection.
If I close my connection and rerun the command, my connection is gone but the other connections are still present? What the...
So I tried changing the password and rebooting; the connections are still there.
I also did some digging and got this:
I'm a bit terrified considering the server has a lot of documents, a password manager, etc. The password is long and the files are partially encrypted/require a password to open. But if someone is looking at my screen 24/7, that does not help at all.
Did the hosting company give me a shit image? What is actually going on?
For reference, I tried that command on my Windows 10 PC and the output is nothing or 1 connection, as expected...
Please help!
Comments
Established just means it's connected, not logged in.
quser
will tell you who's actually logged on. Just change the port and/or set up allowed IPs.
Sure, but it does not tell me the IP.
Now another question: can I kill the connection without logging the user out?
So I shouldn't worry, it's just some kiddy trying passwords?
Even if it's a kiddy trying passwords out, my advice is to always limit it to the outside world. Like @DP said, either change the RDP port and/or set up allowed IPs, especially since you are saying that the server has some sensitive content on it.
Hm, I'd go with a whitelist but I'm not sure how to make the whitelist update in Windows Defender, since my IPs change: work, school, phone, etc. Might look into it.
Is there a good way to check which IP is logged in?
That would help me more, to be honest.
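To put the two questions in this thread side by side (what netstat's ESTABLISHED really means, and which IP is actually logged in), here is an added PowerShell example. It is not the original poster's monitoring app and not anything a commenter posted. It assumes RDP on the default port 3389 and the Terminal Services operational event log left at its Windows Server default (enabled); it reads only local state and event logs, so it is safe to run on the server itself from an elevated prompt. Events 21 and 25 in the LocalSessionManager log record a successful logon or reconnect together with the client address, which is the information quser does not show.

```powershell
# Added example, not the thread author's script. Separates "TCP connection to
# the RDP listener" (what netstat reports) from "interactive RDP logon" (what
# quser reports), and adds the source address of each logon plus a count of
# failed logons by source. Run in an elevated PowerShell on the server.
# Assumptions: default RDP port 3389; the TerminalServices-LocalSessionManager
# operational log is enabled (Windows Server default).

$RdpPort = 3389

# 1) Every non-listening TCP connection to the RDP port, grouped by peer.
#    ESTABLISHED only proves a TCP handshake completed; scanners and
#    password-guessing tools produce exactly these entries without ever
#    authenticating.
function Get-RdpTcpPeers {
    Get-NetTCPConnection -LocalPort $RdpPort -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        Group-Object RemoteAddress |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress = $_.Name
                Connections   = $_.Count
                States        = ($_.Group.State | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Connections -Descending
}

# 2) Who really logged on, and from where. Event 21 = session logon succeeded,
#    event 25 = session reconnect; both carry User, SessionID and Address.
function Get-RdpLogons {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Event     = if ($_.Id -eq 21) { 'Logon' } else { 'Reconnect' }
            User      = $data.User
            SessionId = $data.SessionID
            SourceIp  = $data.Address
        }
    }
}

# 3) Failed logons (Security 4625) grouped by source address. With Network
#    Level Authentication the IpAddress field is often "-", so treat this as
#    a supplement to the TCP peer list, not a replacement for it.
function Get-RdpFailedLogons {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Ip        = ($d | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
        }
    } | Group-Object Ip | Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count
}

"== TCP peers on port $RdpPort (what netstat shows) =="
Get-RdpTcpPeers | Format-Table -AutoSize
"== Interactive RDP logons in the last 24h (who is really logged in, and from where) =="
Get-RdpLogons | Format-Table -AutoSize
"== Failed logons by source in the last 24h =="
Get-RdpFailedLogons | Format-Table -AutoSize
```

If the first table is full of unknown addresses but the second table lists only your own account from your own IP, the picture matches the first reply in this thread: the listener is being hammered, nobody else is logged on. Any entry in the second table from an address you do not recognise is the thing to act on (that session is a real logon, not a handshake), and that is the point at which to cut network access and rotate credentials rather than just rebooting.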
Why not restrict that port to your country only? I don't know if that's a thing in Win servers. I used to use CSF to restrict ports to my country's IP addresses.
Not sure what that is.
If the Windows docs were less shit I could just make a list of IPs that's dynamically updated or something.
Not sure, but I do want some 2FA (hidden is fine) way to log in.
ConfigServer Firewall = CSF.
Idk about Windows honestly, try looking for any PowerShell scripts online.
https://lowendbox.com/blog/how-to-change-rdp-port-on-a-windows-vps/#:~:text=1 Log into your Windows VPS via the,port to, and then click OK.
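For the "whitelist that updates itself" the original poster asked about, here is an added PowerShell example (not from any poster in this thread and not a known CSF equivalent for Windows). It restricts the built-in "Remote Desktop" inbound rules of Windows Defender Firewall to an allow list rebuilt from DNS names, so that a changing home or work address can be handled with a dynamic-DNS hostname instead of editing the rule by hand. The hostnames and the 203.0.113.10 management address are placeholders I made up; replace them with your own. It relies on the Windows firewall default of blocking unmatched inbound traffic, and it checks that nothing else still allows port 3389.

```powershell
# Added example, not from the thread. Keeps the built-in "Remote Desktop"
# inbound rules limited to an allow list resolved from DNS names, so a
# dynamic-DNS hostname stands in for a changing client IP. Run elevated;
# schedule it every few minutes with Task Scheduler once it works by hand.
# Assumptions (placeholder values): the two hostnames are DDNS names the
# operator controls; 203.0.113.10 is an always-allowed management address.

$AllowedHosts  = @('home.example-ddns.net', 'office.example-ddns.net')
$StaticAllowed = @('203.0.113.10')
$RuleGroup     = 'Remote Desktop'   # display group of the built-in RDP rules
$RdpPort       = 3389               # change if you moved RDP off 3389

# Resolve every hostname to its current A records and merge with the static
# entries. Refuses to return an empty list: an empty RemoteAddress on a rule
# means "Any", which would silently reopen RDP to the world.
function Resolve-AllowList {
    param([string[]]$Hosts, [string[]]$Static)
    $ips = [System.Collections.Generic.List[string]]::new()
    foreach ($ip in $Static) { $ips.Add($ip) }
    foreach ($h in $Hosts) {
        $records = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
        foreach ($r in $records) {
            if ($r.IPAddress) { $ips.Add($r.IPAddress) }
        }
    }
    if ($ips.Count -eq 0) { throw 'Allow list resolved to nothing; rules left untouched.' }
    return ($ips | Sort-Object -Unique)
}

# Apply the list to each inbound rule in the group, but only if it changed,
# so the scheduled run stays quiet when nothing moved.
function Update-RdpAllowList {
    param([string[]]$Allow)
    $desired = $Allow -join ','
    foreach ($rule in Get-NetFirewallRule -DisplayGroup $RuleGroup -Direction Inbound) {
        $current = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress -join ','
        if ($current -ne $desired) {
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $Allow -Enabled True
            Write-Output "$($rule.DisplayName): remote addresses -> $desired"
        }
    }
}

# Sanity checks. The allow list only helps if (a) every profile blocks inbound
# traffic by default and (b) no other Allow rule still opens the RDP port,
# e.g. one left behind by the hosting provider's image.
function Get-ProfilesAllowingInbound {
    Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -eq 'Allow' } |
        Select-Object -ExpandProperty Name
}
function Get-OtherRdpAllowRules {
    Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq $RdpPort } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                       $_.DisplayGroup -ne $RuleGroup } |
        Select-Object DisplayName, Enabled, Profile
}

$allow = Resolve-AllowList -Hosts $AllowedHosts -Static $StaticAllowed
Update-RdpAllowList -Allow $allow

$open = Get-ProfilesAllowingInbound
if ($open) { Write-Warning "Profiles with DefaultInboundAction=Allow: $($open -join ', ')" }
$other = Get-OtherRdpAllowRules
if ($other) { Write-Warning "Other inbound Allow rules on port ${RdpPort}:"; $other | Format-Table -AutoSize }
```

Two practical caveats. First, test it with the provider's out-of-band console open, because a typo in the list locks you out of RDP. Second, if you also follow the port-change guide linked above, the built-in "Remote Desktop" rules no longer cover the new port; you then need your own Allow rule for that port and should point $RuleGroup (or a DisplayName filter) at it, otherwise the script tightens rules that no longer matter. This gives you source restriction, not the 2FA asked for earlier in the thread; it just shrinks who can reach the login screen at all.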