About a week ago we moved the application from one server to another (from Windows Server 2008 to Windows Server 2008 R2, different DCs, but same company). There are 12 websites on this server, but they're all very low traffic sites (<200 hits per day).
Ever since we moved I noticed that the security log under Events -> Windows Logs -> Security is filled with packet drops. Most are trying to access port 25, 17, or some seemingly random port > 1024; it's rather spread out. Some come from reputable companies like Constant Contact (IP 208.75.123.132 for example), some from companies I personally didn't hear about, like Cogento 38.96.220.83, but that seem reputable. There are of course random IPs that don't point to anything in particular. All these ports are blocked and/or not used.
There are so many of these entries (about one or two per second on a guestimated average) that the log fills up in about a day and half. With the previous server, hosting the same sites, I could go back over two months.
Did I inherit (with the move) an IP that was used for who-knows-what and now all these services are connecting to me expecting the old services, or is there something else going on?
Any thoughts? Thanks!
EDIT: I should have mentioned this, the entries in the event logs are all "Event 5152 - The Windows Filtering Platform has blocked a packet."
EDIT2: Here's an article that touches on exactly the same problem I experienced. The important piece is to disable the auditing of dropped packets using auditpol, but also that it takes quite a bit of time until you get to see it work, unless you reboot immediately. I'm not sure why it works this way, but it definitely threw me off.
EDIT3: What the article leaves out, for Windows 7 / Server 2008 R2, you need to go to Local Security Policy -> Local Policies -> Security Options -> and enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." By default it should be enabled, but in my case the "not defined" option didn't work, I had to manually enable it; more information here. A restart is required.
Have you seen this article?
The Windows Filtering Platform has blocked a packet
or I just found this paragraph
you should also be blocking all but port 80,443 through your firewall :)
Welcome to the internet, probably your ip is in a range of known high speed computers with a very nice network setup. You get scanned and tried out. I had the same on one of my servers, can't do much against it, normally when the potential hackers see there is no response, they give up after a while.
You can always try to actively reject instead of dropping, see if it helps.