I don't know about you guys but this week has been the "RDP Brute Force" week for my clients. Many of them called me about their account being locked. I'm pretty sure it's the nasty Cryptolocker and his friends trying to get access inside my clients' network to dump their payload. All of them had RDP open on their server and some of them on their work computer too. I always keep the default 3389 port closed and forward different ports like 3399, 3398 etc. Right now, I have changed the ports for some new ones and the attacks seem to have stopped.

What bugs me is that all the servers have the main "administrator" account disabled and I use another name for the admin account and a "backdoor". The first admin account gets locked but thankfully not my backdoor. How do they find the account name to brute force? I mean, they find the admin account and all my clients' usernames. If I unlock a user it would get locked back in less than 1 minute. Some of them have SBS 2011 with Exchange and OWA. Can it come from there? Should I disable OWA?

Also, what do you guys do to keep your RDP secure and not get your accounts locked out? I know about using a VPN but I'm not too much into letting a non-managed computer enter their network.

Funnily enough I was going to post something similar today. I look after an RDS server that has port 3391 open for RDP. We have a strong password policy on the server and make sure it's fully patched, but it was annoying me getting up to 5,000 login attempts from a single IP every day and our RMM sending an alert. I found some software called RDPGuard so installed a free 30-day trial; it monitors logins and adds a firewall deny rule on the server after x number of failed logins (I set it to 3). This worked great for about 25 days and I was actually going to purchase the software, until last night I had 4,000 attempts. I looked at RDPGuard and it was full of blocked IPs. So it looks like the hacker changed from using a single IP, getting blocked and moving on, to using multiple IPs to log in with. As each IP gets blocked after 3 attempts, that's over 1,000 infected computers, part of the hacker's botnet, attempting logins.

We have quite a few clients with terminal servers. RDP Guard (mentioned above) is the Windows version of Fail2Ban. I honestly think the only real solution is to move to VPN & RDP or using an RDP Gateway and connecting via HTTPS.
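The "count failed logins, then add a firewall deny rule" behaviour described in the RDPGuard post, written out as an added example (this is not RDPGuard's code or anyone's from the thread). It assumes it runs as an administrator on the RDS host, that failed logons land in the Security log as event ID 4625 with the source IP filled in (true for NLA/RDP on Server 2008 R2 and later), and that the rule name prefix is an arbitrary choice.

```powershell
# Added example: a minimal RDPGuard-style blocker, not the RDPGuard product's code.
# Assumes: run elevated on the server; failed logons are logged as Security event 4625
# with an IpAddress field; the rule prefix below is an assumed, arbitrary name.
param(
    [int]$Threshold = 3,            # failures per source IP before blocking (the post used 3)
    [int]$WindowMinutes = 60,       # look-back window for counting failures
    [string]$RulePrefix = 'RDP-BruteForce-Block'
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Pull IpAddress and TargetUserName out of each event by field name rather than by
# positional index, so the script does not depend on the EventData ordering.
$failures = foreach ($evt in $events) {
    $xml = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['IpAddress'] -and $data['IpAddress'] -ne '-') {
        [pscustomobject]@{ Ip = $data['IpAddress']; User = $data['TargetUserName']; Time = $evt.TimeCreated }
    }
}

# Rules already created by earlier runs, so the same IP is not blocked twice.
$existing = (Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue).DisplayName

foreach ($group in ($failures | Group-Object Ip | Where-Object Count -ge $Threshold)) {
    $ip = $group.Name
    $ruleName = "$RulePrefix $ip"
    if ($existing -contains $ruleName) { continue }
    $users = ($group.Group.User | Sort-Object -Unique) -join ','
    Write-Host "Blocking $ip after $($group.Count) failed logons (accounts tried: $users)"
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
        -RemoteAddress $ip -Profile Any -Enabled True | Out-Null
}
```

Run it from a scheduled task triggered on event 4625 or every few minutes; the user list it prints is the quickest way to see which account names the attempts are targeting, which the original poster was asking about. Per-IP blocking is exactly what the second post saw a botnet walk around, so it supplements the RD Gateway or VPN approach recommended in the thread rather than replacing it.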