
Most of the time when someone who is not authorized attempts to log on to my Windows 2008 R2 web server, an IP address is displayed.

With the IP address, I can easily block the external host from attempting to log on to my server by setting up a Windows firewall rule.

Usually, the Windows Security log shows:
Logon Type: 10
Source Network Address: 52.24.251.116 (example is amazon.com according to ip2location.com)
Source Port: 6581 (varies)

Example A, with no IP address:
Logon Type: 10
Workstation Name: my workstation name
Source Network Address: 0.0.0.0
Source Port: 0

Example B, with no IP address:
Logon Type: 3
Workstation Name: CNEU-VIRTUAL (varies)
Account Domain: CNEU-VIRTUAL (varies)
Source Network Address: -
Source Port: -

It seems strange to me that an IP address is missing in examples A and B above, given that an IP address is essential for TCP/IP AFAIK.

According to domaintools.com, CNEU-VIRTUAL .com/.net/.org have never been registered.

FWIW, I'm guessing that maybe Wireshark might find an associated IP address but that, at least for me, is a lot of work ... even then, I still may not be able to get a missing IP address.

gerryLowry
  • Somebody asked a similar question here: http://serverfault.com/questions/399878/security-log-in-event-viewer-does-not-store-ips – Lucky Luke Jun 24 '15 at 17:08
  • Is the server part of a domain, or is it just in a workgroup? – Lucky Luke Jun 27 '15 at 16:02
  • @LuckyLuke for all intents and purposes, it's a workgroup having only a single server, i.e., it's not dependent on AD; it's simply a win2008 R2 web server edition. – gerryLowry Jun 28 '15 at 00:15
  • @LuckyLuke the question you mention does have some similarities; however, it does not seem to answer my question (although I'm still thinking it through and also following its associated sub-links). At this point, I'm guessing that I may be forced to write some non-trivial code to locate an IP address buried in Wireshark output; at the moment, my current ideas are admittedly very kludgey. I appreciate the link. thnx – gerryLowry Jun 28 '15 at 00:23
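
A triage pass over the three cases in the question, as an added example that is not part of the original post: it parses event text in the field layout quoted above and separates entries whose Source Network Address can be used in a firewall rule from those (0.0.0.0, -) that can only be correlated by Logon Type and Workstation Name. The sample text and the function names are constructed for illustration, and exported Security-log text as the input is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: three event descriptions using the field names and
# values quoted in the question (exported Security-log text is assumed).
SAMPLE = """\
Logon Type: 10
Source Network Address: 52.24.251.116

Logon Type: 10
Workstation Name: my workstation name
Source Network Address: 0.0.0.0

Logon Type: 3
Workstation Name: CNEU-VIRTUAL
Account Domain: CNEU-VIRTUAL
Source Network Address: -
"""

# "Field Name: value"; the first colon separates name from value.
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Split blank-line separated event text into dicts of field -> value."""
    blocks = re.split(r"\n\s*\n", text.strip())
    events = [dict(m.groups() for m in map(FIELD.match, b.splitlines()) if m)
              for b in blocks]
    return [e for e in events if e]

def usable_source(event):
    """Return the source IP if a firewall rule could target it, else None."""
    raw = event.get("Source Network Address", "-")
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:          # "-", empty, or any non-address text
        return None
    # 0.0.0.0 / :: (unspecified) and loopback identify no remote host.
    return None if ip.is_unspecified or ip.is_loopback else str(ip)

def triage(events):
    """Group events: blockable by IP, or only correlatable by other fields."""
    blockable, unresolved = defaultdict(int), defaultdict(int)
    for ev in events:
        ip = usable_source(ev)
        if ip:
            blockable[ip] += 1
        else:
            unresolved[(ev.get("Logon Type", "?"), ev.get("Workstation Name", "-"))] += 1
    return dict(blockable), dict(unresolved)
```

The `unresolved` keys (logon type, workstation name) are what remains to match against other sources such as a packet capture taken at the same time.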

0 Answers