01-04-2012, 12:53 PM   #31
rebus9 (Newbie, Join Date: Jun 2011, Posts: 13)

Quote:
Originally Posted by Mathiau
Guess there are more and more script kiddies around these days then, or I guess with the massive amounts of bandwidth available it is much faster.
Botnets make full-range port scanning of large networks trivial.
01-04-2012, 01:01 PM   #32
rebus9 (Newbie, Join Date: Jun 2011, Posts: 13)

Quote:
Originally Posted by sky-knight
If this question is based on terminal services, the built-in account lockout policies on Windows server perform this function.
The lockout policy locks the account being attacked, but it does not prevent the attacker from connecting and throwing credentials at the machine.

Quote:
Originally Posted by sky-knight
I'm unsure if there is an IP level protection system in place. I can't imagine that not being there somewhere. I've never tried.
Sadly, that does not exist. A source IP address can hammer away on an RDP server for hours at multimegabit levels and not get auto-banned. It's a glaring security omission, but not surprising since Microsoft doesn't include an auto-ban feature in any network service. (although IMO it's badly needed)
01-04-2012, 01:08 PM   #33
raditude (Untangle Ninja, Join Date: Jan 2009, Location: Eugene, OR, Posts: 1,112)

I have read POCs of how hackers are leveraging even Amazon's E3 service in brute force attacks, and how for very minimal costs they can harness amazing bandwidth and power to run these types of attacks.

I agree that a feature that would allow auto-banning would be fantastic, although like anything there runs a risk of false positives.
01-04-2012, 01:11 PM   #34
sky-knight (Untangle Ninja, Join Date: Apr 2008, Location: Phoenix, AZ, URLs submitted: 8, Posts: 15,457)

Quote:
Originally Posted by rebus9
The lockout policy locks the account being attacked, but it does not prevent the attacker from connecting and throwing credentials at the machine.

Sadly, that does not exist. A source IP address can hammer away on an RDP server for hours at multimegabit levels and not get auto-banned. It's a glaring security omission, but not surprising since Microsoft doesn't include an auto-ban feature in any network service. (although IMO it's badly needed)
I agree, some basic Googling reveals that Microsoft considers RDP over VPN to be the best practice.

The new 2008 terminal services has certificate level control you can add to the clients and servers. But who's going to buy a certificate for each machine, and/or maintain their own certificate authority? Why? Because the service is too stupid to go... hey, w.x.y.z has failed 10 auth attempts in the last 2 seconds... I should start ignoring it now.

I've seen references to people using VBScript to parse the event log for failed auth attempts, track IP addresses, and configure null routes as needed.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879
02-05-2012, 05:26 PM   #35
bluey11 (Newbie, Join Date: Feb 2012, Posts: 1)

I need help against a brute force RDP attack on my server

This post....

"Blocking the source IP if... say... 5 new connection attempts are made within 60 seconds would stop the current RDP password-guessing attacks dead in their tracks."

This is exactly what I want to do, but are you referring to a policy setting or a firewall setting in Untangle?

I'm a bit of a noob, so could you please point me in the right direction to getting this set up?

thanks Guys!!!
02-05-2012, 05:32 PM   #36
sky-knight (Untangle Ninja, Join Date: Apr 2008, Location: Phoenix, AZ, URLs submitted: 8, Posts: 15,457)

If you had read the thread, you would have discovered that there is nothing that does this.

Microsoft says, deploy RDP behind a VPN.

I wish you luck.
02-08-2012, 05:32 PM   #37
7echno7im (Master Untangler, Join Date: Feb 2009, URLs submitted: 1, Posts: 169)

Fail2ban is great, I used it on a prior firewall.
__________________
www.techtronic.us
02-11-2012, 09:54 AM   #38
rebus9 (Newbie, Join Date: Jun 2011, Posts: 13)

Quote:
Originally Posted by bluey11
I need help against a brute force RDP attack on my server

This post....

"Blocking the source IP if... say... 5 new connection attempts are made within 60 seconds would stop the current RDP password-guessing attacks dead in their tracks."

This is exactly what I want to do, but are you referring to a policy setting or a firewall setting in Untangle?
Neither. It's a feature request I made for the Untangle IPS module some time ago.
02-11-2012, 09:55 AM   #39
rebus9 (Newbie, Join Date: Jun 2011, Posts: 13)

Quote:
Originally Posted by 7echno7im
Fail2ban is great, I used it on a prior firewall.
If you'd read this thread, you'd know it was discussing exposed Windows services.

Fail2ban is for *nix, not Windows.
02-11-2012, 09:59 AM   #40
sky-knight (Untangle Ninja, Join Date: Apr 2008, Location: Phoenix, AZ, URLs submitted: 8, Posts: 15,457)

In theory, if you could figure out a way to get Fail2ban to interpret the Windows event log, you could get it to auto-ban IP addresses for RDP just like anything else.
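Added example, not code posted by anyone in this thread: a Fail2ban-style sliding-window check in Python, implementing the "5 failures within 60 seconds" rule from post #35 and the event-log parse plus auto-ban approach sky-knight describes in posts #34 and #40. Event ID 4625 is the real Windows Security-log "An account failed to log on" event; the sample events, the "RDP-ban" rule name and the netsh command (returned as a string, never executed here) are constructed for illustration.

```python
"""Fail2ban-style auto-ban for RDP logon failures (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_ID = 4625   # Windows Security log: "An account failed to log on"

def find_bans(events, maxretry=5, findtime=60, whitelist=()):
    """Return {ip: ban_time} for each source IP that logged `maxretry`
    failed logons within any `findtime`-second window (Fail2ban semantics).
    `events` are (timestamp, event_id, source_ip) tuples in time order,
    as you would get from an exported Security log."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    banned = {}
    for ts, event_id, ip in events:
        if event_id != FAILED_LOGON_ID or ip in whitelist or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # expire failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

def block_rule(ip):
    """Inbound Windows Firewall block for one source, returned as the
    netsh command string a scheduled task could run (not executed here)."""
    return ('netsh advfirewall firewall add rule name="RDP-ban %s" '
            'dir=in action=block remoteip=%s' % (ip, ip))

# Constructed sample log, not a real capture. 4624 = successful logon.
T0 = datetime(2012, 2, 5, 17, 0, 0)
SAMPLE_EVENTS = sorted(
    [(T0 + timedelta(seconds=4 * i), 4625, "203.0.113.7") for i in range(6)]    # 6 in 20 s
    + [(T0 + timedelta(seconds=70 * i), 4625, "198.51.100.9") for i in range(5)]  # 5 in 5 min
    + [(T0 + timedelta(seconds=10), 4624, "192.0.2.44")]
)

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_EVENTS).items():
        print(when.strftime("%H:%M:%S"), block_rule(ip))
```

Only 203.0.113.7 trips the default rule; 198.51.100.9 spreads its five failures over five minutes, which is why the findtime window matters as much as the retry count.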
© 2010 Untangle, Inc. All Rights Reserved.