  1. #1
    Newbie
    Join Date
    Apr 2017
    Posts
    12

    Intrusion Prevention to block Brute Force Attack???

    I am new to Untangle and inherited it and its configuration. Long story short, I also inherited a Terminal Server that is open to the Internet via port 3389 (I know, bad practice, but I inherited it and will change this, but not at the moment). Anyway, I notice the event log on the Terminal Server is full of failed logons to the administrator account. Once in a while someone will try a different name, but 95% are the administrator account (thankfully that account has a good password). After doing some investigating, nothing was being blocked in the Untangle firewall, so I started by blocking traffic from countries outside of the US. That cut down on a lot of the entries, but there are still a ton from inside of the US. Trying to block each IP address is like playing Whack-A-Mole. Will the Intrusion Prevention app prevent these attacks, or should I be doing something else? If it will prevent these, could someone provide the basics on how to set it up on a production machine without breaking what is already in place and working? Please let me know if I can provide any other information. Thank you in advance for your help.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    6,210


    Limit the port forward to only the authorized IP addresses or provide VPN access. Having RDP open to the Internet is a huge security hole in your network.

    Example:

    [Attachment: Port-forward-source-restriction.jpg]
    Last edited by jcoffin; 11-20-2017 at 03:56 PM.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    21,795


    Having RDP open to the world without two-factor to back it up is the fastest way to get crypto'd available.

    If you want to limit logons, your weapon is RDPGuard, a very inexpensive utility that will use the Windows Firewall to maintain lockouts of bad IP addresses. But I warn you, I STILL GOT CRYPTO'D through that. So now I use RDPGuard AND Duo on any RDP service that needs to be publicly exposed. Everyone else is VPN.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
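The lockout mechanism sky-knight describes (failed logons in the Security log turned into Windows Firewall block entries) can be illustrated with a short script. The PowerShell below is an added example written for this page; it is not RDPGuard's code, not Untangle's, and not from either poster. It reads Security event 4625 (an account failed to log on) from the last few minutes, counts failures per source address, and adds any address that reaches the threshold to a single inbound block rule, skipping addresses on an allow list. The rule name, the thresholds and the allow-list addresses (RFC 5737 documentation addresses) are this example's own assumptions; replace the allow list with the management addresses you would otherwise put in the Untangle port-forward source restriction.

```powershell
# Added example, not RDPGuard's or Untangle's code. Run elevated on the Terminal Server.
# Names, thresholds and the allow-list addresses below are assumptions for the example.

$WindowMinutes = 10                                  # look back this far in the Security log
$Threshold     = 5                                   # failed logons from one source before blocking
$RuleName      = 'RDP-BruteForce-Lockout'            # one block rule; its RemoteAddress list is updated
$AllowList     = @('203.0.113.10', '203.0.113.11')   # assumed: addresses that must never be blocked

# Event 4625 = "An account failed to log on". StartTime limits the query to the window.
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Read the source address from the event's EventData by name rather than by positional
# index, which is not stable across Windows versions. Skip events with no usable address.
$sources = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    if ($ip -and $ip -ne '-' -and $ip -ne '::1' -and $ip -ne '127.0.0.1') { $ip }
}

# Count failures per source and keep those at or above the threshold that are not allow-listed.
$offenders = $sources |
    Group-Object |
    Where-Object { $_.Count -ge $Threshold -and $AllowList -notcontains $_.Name } |
    ForEach-Object Name

if (-not $offenders) {
    Write-Host "No source reached $Threshold failed logons in the last $WindowMinutes minutes."
    return
}

# Create the block rule on first use; afterwards merge new addresses into its RemoteAddress list.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
                        -RemoteAddress $offenders -Profile Any | Out-Null
} else {
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged   = @($existing) + @($offenders) |
                Where-Object { $_ -and $_ -ne 'Any' } |
                Sort-Object -Unique
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
}
Write-Host "Blocked: $($offenders -join ', ')"
```

Run it from a scheduled task every few minutes to approximate what RDPGuard does continuously. Two caveats worth knowing before relying on it: when Network Level Authentication rejects a logon, some Windows builds record the 4625 event with "-" as the source address, which this script deliberately ignores, so it catches fewer attempts than the event count suggests; and the script never expires a block, so the RemoteAddress list only grows until you clear the rule. Neither caveat changes the thread's main point: restricting the Untangle port forward to known source addresses or moving RDP behind a VPN removes the exposure instead of chasing it.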
