Most of the time when someone who is not authorized attempts to log on to my Windows 2008 R2 web server, an ip address is displayed.
With the ip address, i can easily block the external host from attempting to log on to my server by setting up a Windows firewall rule.
usually, the Windows Security log shows:
Logon Type: 10
Source Network Address: 52.24.251.116 (example is amazon.com according to ip2location.com)
Sorce Port: 6581 (varies)
example A , with no ip address:
Logon Type: 10
Workstation Name: my workstation name
Source Network Address: 0.0.0.0
Sorce Port: 0
example B , with no ip address:
Logon Type: 3
Workstation Name: CNEU-VIRTUAL (varies)
Account Domain: CNEU-VIRTUAL (varies)
Source Network Address: -
Sorce Port: -
it seems strange to me that an ip address is missing in examples A and B above given that an ip address is essential for TCP/IP AFAIK
according to domaintools.com, CNEU-VIRTUAL .com/.net/org have never been registered.
FWIW, i'm guessing that maybe WireShark might find an associated ip address but that, at least for me, is a lot of work ... even then, i still may not be able to get a missing ip address.
0 Answers