I spent the majority of last night monitoring the server box (colo4) and found what I believe is the issue with the box.
While watching the CPU usage I noticed (as before) multiple CSRSS.exe and Winlogon.exe processes running. As these processes increased, the CPU usage would rise, and at one point the box had 8 CSRSS.exe and associated Winlogon.exe processes running, using at times 100% of the CPU.
I opened Terminal Services Manager and found what appeared to be an attack on the RDP-tcp connection (Remote Desktop Connection). While monitoring the terminal for about 10 minutes there were over 2000 hits on the port.
As a temporary solution I have enabled the Windows Firewall with only colo admin's current IP addresses to have access. This has brought CPU usage down to a flat 2-4% usage. I know this is not a long-term fix, so I'm asking all you network junkies out there to help me with a long-term solution. I have heard that a common method to combat this is to run Remote Desktop Connection on the server through a VPN, but I'm unsure how this will affect the other connections on the server.
Right now Teamspeak works fine as well as the game server and redirection. I am having an issue, however, on allowing FTP connections to the servers through the current firewall. No FTP connectivity is available until this is resolved.
If you have any ideas (It's Windows Server 2003) please let me know.
I'd also like if you guys could pile in the server sometime in the near future and test out if the issue is resolved.
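One way to measure the kind of RDP connection burst described above from a Windows Firewall log, as an added example that is not part of the original post. It assumes dropped-packet logging is enabled and that the log carries the `#Fields:` header shown; the sample lines, addresses, function names and the threshold of 100 are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed column header of the firewall log (pfirewall.log layout).
HEADER = ("#Fields: date time action protocol src-ip dst-ip src-port dst-port "
          "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info")

def sample_log():
    """Constructed log: one noisy source, one occasional source, one FTP hit."""
    start = datetime(2006, 3, 1, 2, 0, 0)
    row = "{:%Y-%m-%d %H:%M:%S} DROP TCP {} 192.0.2.10 4000 {} 48 S 1 0 65535 - - -"
    out = [HEADER]
    out += [row.format(start + timedelta(seconds=3 * i), "203.0.113.7", 3389)
            for i in range(150)]
    out += [row.format(start + timedelta(minutes=15 * i), "198.51.100.20", 3389)
            for i in range(3)]
    out.append(row.format(start, "198.51.100.99", 21))
    return out

def parse(lines):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if len(row) == len(fields):  # skip truncated lines
                yield row

def rdp_bursts(lines, port="3389", window=timedelta(minutes=10), threshold=100):
    """Return {source IP: peak attempts in any window} for sources >= threshold."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peak = defaultdict(int)
    for row in parse(lines):
        if row["protocol"] != "TCP" or row["dst-port"] != port:
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[row["src-ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        peak[row["src-ip"]] = max(peak[row["src-ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(rdp_bursts(sample_log()).items()):
        print(f"{ip}: {n} attempts on TCP 3389 within 10 minutes")
```

Sources it reports are candidates for a block rule, and the per-source peak shows whether the load comes from a few addresses or many.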