#1 Untanglit (Join Date: Apr 2017, Posts: 29)

Intrusion Prevention to block Brute Force Attack???

I am new to Untangle and inherited it and its configuration. Long story short, I also inherited a Terminal Server that is open to the Internet via port 3389 (I know, bad practice but I inherited it and will change this but not at the moment). Anyway, I notice the event log on the Terminal Server full of failed logons to the administrator account. Once in a while someone will try a different name but 95% are the administrator account (thankfully that account has a good password). After doing some investigating, nothing was being blocked in the Untangle firewall so I started by blocking traffic from countries outside of the US. That cut down on a lot of the entries but there are still a ton from inside of the US. Trying to block each IP address is like playing Whack A Mole. Will the Intrusion Prevention app prevent these attacks or should I be doing something else? If it will prevent these, could someone provide the basics on how to set it up on a production machine without breaking what is already in place and working? Please let me know if I can provide any other information. Thank you in advance for your help.

#2 jcoffin, Untangler (Join Date: Aug 2008, Location: Sunnyvale, CA, Posts: 6,480)

    Limit the port forward to only the authorized IP addresses or provide VPN access. Having RDP open to the Internet is a huge security hole in your network.

    Example:

[Attachment: Port-forward-source-restriction.jpg]
    Last edited by jcoffin; 11-20-2017 at 03:56 PM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#3 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 22,064)

    Having RDP open to the world without two factor to back it up is the fastest way to get crypto'd available.

If you want to limit logons, your weapon is RDPGuard, a very inexpensive utility that will use the Windows firewall to maintain lockouts of bad IP addresses. But I warn you, I STILL GOT CRYPTO'D through that. So now I use RDPGuard AND Duo on any RDP service that needs to be publicly exposed. Everyone else is VPN.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
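The lockout idea described in the reply above (count failed logons per source address, then block the abusive addresses at the Windows firewall) can be illustrated with a small detector. The following is an added example, not code from this thread and not part of RDPGuard; it runs over constructed sample records shaped like the fields of Windows Security event 4625 (failed logon), keeping only logon type 10 (RemoteInteractive, i.e. RDP), and uses a sliding window so that slow, spaced-out attempts are distinguished from a burst:

```python
"""Sliding-window count of failed RDP logons per source address.

Added example, not code from the forum thread and not part of RDPGuard: it
reproduces the lockout idea sky-knight describes (count failed logons per
source IP, then hand the abusive addresses to the Windows firewall) on a
constructed sample of Windows Security events. Event ID 4625 is a failed
logon; logon type 10 is RemoteInteractive, i.e. RDP.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real log data:
# (timestamp UTC, event id, logon type, account, source address)
SAMPLE_EVENTS = [
    ("2017-11-20T03:00:01", 4625, 10, "administrator", "198.51.100.7"),
    ("2017-11-20T03:00:40", 4625, 10, "administrator", "198.51.100.7"),
    ("2017-11-20T03:01:15", 4625, 10, "administrator", "198.51.100.7"),
    ("2017-11-20T03:02:02", 4625, 10, "admin",         "198.51.100.7"),
    ("2017-11-20T03:02:50", 4625, 10, "administrator", "198.51.100.7"),
    ("2017-11-20T03:03:30", 4625, 10, "administrator", "198.51.100.7"),
    ("2017-11-20T03:05:00", 4625,  3, "svc_backup",    "203.0.113.9"),  # network logon, not RDP
    ("2017-11-20T03:06:00", 4625, 10, "administrator", "203.0.113.9"),
    ("2017-11-20T03:20:00", 4625, 10, "administrator", "203.0.113.9"),
    ("2017-11-20T03:34:00", 4625, 10, "administrator", "203.0.113.9"),
    ("2017-11-20T04:00:00", 4625, 10, "administrator", "192.0.2.44"),   # slow: one try per 30 min
    ("2017-11-20T04:30:00", 4625, 10, "administrator", "192.0.2.44"),
    ("2017-11-20T05:00:00", 4625, 10, "administrator", "192.0.2.44"),
    ("2017-11-20T05:30:00", 4625, 10, "administrator", "192.0.2.44"),
    ("2017-11-20T06:00:00", 4625, 10, "administrator", "192.0.2.44"),
    ("2017-11-20T08:00:00", 4625, 10, "jsmith",        "10.0.0.5"),     # internal typo, then success
    ("2017-11-20T08:00:20", 4624, 10, "jsmith",        "10.0.0.5"),
]

FAIL_THRESHOLD = 5              # failures within WINDOW that trigger a lockout
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = 10


def failed_rdp_logons(events):
    """Keep only failed RDP logons, parsed into (time, account, source ip)."""
    return [
        (datetime.fromisoformat(ts), account, src)
        for ts, event_id, logon_type, account, src in events
        if event_id == 4625 and logon_type == RDP_LOGON_TYPE
    ]


def failures_by_account(events):
    """How many failed RDP logons each account name received."""
    return Counter(account for _, account, _ in failed_rdp_logons(events))


def find_abusive_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source ip: time the threshold was first reached}.

    A per-source deque holds the failure times inside the sliding window;
    a source is flagged the moment `threshold` failures fall within `window`.
    Attempts spaced wider than the window never accumulate.
    """
    recent = defaultdict(deque)
    flagged = {}
    for when, _account, src in sorted(failed_rdp_logons(events)):
        times = recent[src]
        times.append(when)
        while when - times[0] > window:
            times.popleft()
        if len(times) >= threshold and src not in flagged:
            flagged[src] = when
    return flagged


def firewall_block_commands(flagged, port=3389):
    """Windows firewall rules a lockout tool would add for each flagged source."""
    return [
        'netsh advfirewall firewall add rule name="RDP lockout {ip}" '
        'dir=in action=block protocol=TCP localport={port} remoteip={ip}'.format(ip=ip, port=port)
        for ip in sorted(flagged)
    ]


if __name__ == "__main__":
    print(failures_by_account(SAMPLE_EVENTS))
    hits = find_abusive_sources(SAMPLE_EVENTS)
    for ip, when in hits.items():
        print(f"{ip} reached {FAIL_THRESHOLD} failures by {when:%H:%M:%S}")
    for cmd in firewall_block_commands(hits):
        print(cmd)
```

With the 10-minute window only the burst from 198.51.100.7 is flagged; widening the window to a few hours also catches the slow source at 192.0.2.44, which is the trade-off any lockout tool makes between catching low-and-slow guessing and locking out a legitimate user who mistypes a password. As the thread's replies point out, this only limits the abuse reaching an exposed service; removing the forward or requiring the VPN removes it.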

#4 Untanglit (Join Date: Apr 2017, Posts: 29)

    Thank you both for your replies...I apologize for not getting back to you earlier. Since my original post, I've managed to set up an OpenVPN client for myself and successfully connected to my terminal server using OpenVPN. I plan on setting up clients for the other users that have to connect remotely as well. The brute force attacks have also slowed down considerably.

    Now the next steps...

    1. I'd like to block port 3389 from the internet. How do I do this? If I block this port, will that affect the internal users from reaching my Terminal Server? I have another building that connects to the main facility using RDP to that server.

    2. Remember...I'm a newbie...I figured out how to block all the foreign traffic but we have now hired a sales person that will be travelling internationally...mainly China, Japan and France (all countries that are currently blocked). He will be connecting to our Microsoft Dynamics 365 site using his AD authentication. Will he still be able to do this if the firewall is set to block international traffic? If not, is there another way that I can allow him access maybe by MAC address (he will use a company owned laptop).

    Thank you in advance for your help and your patience!!!

#5 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 22,064)

    1.) If you disable the port forward rule, remote users will have to VPN to the network and connect to the internal IP address of the RDP server. Once you do this, the illegal logon attempts will simply halt, because no public access. I have yet to have a single RDP server need any further protection. You're welcome to modify the rule to control access via source address, if you have a remote location with a static you don't want to worry about a VPN for. But as a general rule you don't want any port forwards going to anything. Every forward is another penetration point, and the receiving service has to deal with the abuse of the Internet.

    2.) Geo blocking is useless IMHO. I don't know what rules you've configured, but you may have to play with them to enable access. That being said, the firewall module cannot prevent connections TO Untangle, only connections THROUGH Untangle, so it shouldn't impact the VPN services on Untangle at all. You will however probably need to license Untangle if you haven't already, because then you'll have OpenVPN AND L2TP to work with, and when you've got people moving around abroad, you're going to need both to have the tools to maintain a reliable connection. Sometimes one will work, sometimes the other will work.
    Last edited by sky-knight; 12-12-2017 at 01:42 PM.

#6 Untanglit (Join Date: Apr 2017, Posts: 29)

    Thanks Sky-Knight - I found the port forward rule to disable access to 3389 on the Terminal Server. I notice that port 443 is also being forwarded, do I need this?

    I am not opposed to licensing Untangle, I've just been working with it the way I inherited it. I do have OpenVPN installed and configured but not L2TP. The international sales rep will not be using RDP at all, just Dynamics 365 which uses ports 443 and 444 on another server. I suppose I could set him up with OpenVPN and he could connect "internally". Are there any benefits to using L2TP over OpenVPN?
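The port-forward options discussed in posts #2, #5 and #6 (a forward open to any source, the same forward restricted to an authorized source address, and the forward disabled so remote users come in over the VPN) can be modelled as a small rule evaluator. This is an added example, not Untangle's own code or rule format; all addresses, rule names and the branch-office range are constructed. It also lists which forwards remain reachable from anywhere, which is the inventory to review for each one (such as the 443 forward asked about above):

```python
"""Evaluate a port-forward rule set against inbound connections.

Added example, not Untangle's own code or configuration format: it models
the options discussed in this thread (posts #2, #5 and #6) -- a forward
open to any source, the same forward restricted to an authorized source
address, and the forward disabled so remote users come in over the VPN
instead -- and lists which forwards are still reachable from anywhere.
All addresses and rule names are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ForwardRule:
    name: str
    dst_port: int
    forward_to: str                      # internal host the forward delivers to
    enabled: bool = True
    allowed_sources: list = field(default_factory=list)  # CIDRs; empty means any source

    def matches(self, src_ip, dst_port):
        """True when this rule would forward a connection from src_ip to dst_port."""
        if not self.enabled or dst_port != self.dst_port:
            return False
        if not self.allowed_sources:
            return True
        ip = ipaddress.ip_address(src_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.allowed_sources)


def evaluate(rules, src_ip, dst_port):
    """First matching rule wins, as a firewall would; no match means the packet is dropped."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return ("forward", rule.forward_to)
    return ("drop", None)


def exposed_ports(rules):
    """Ports forwarded from any source: one listening service per entry to justify or remove."""
    return sorted({r.dst_port for r in rules if r.enabled and not r.allowed_sources})


BRANCH_OFFICE = "203.0.113.0/29"     # constructed static range of the second building
INTERNET_SCANNER = "198.51.100.7"    # constructed address making the brute-force attempts

# Inherited configuration: RDP and HTTPS forwarded from anywhere.
OPEN_RULES = [
    ForwardRule("RDP to terminal server", 3389, "192.168.1.10"),
    ForwardRule("HTTPS to web server", 443, "192.168.1.20"),
]

# Post #5's middle ground: keep the forward, but only for the branch office's static address.
RESTRICTED_RULES = [
    ForwardRule("RDP to terminal server", 3389, "192.168.1.10", allowed_sources=[BRANCH_OFFICE]),
    ForwardRule("HTTPS to web server", 443, "192.168.1.20"),
]

# Post #5's recommendation: disable the forward; RDP users reach 192.168.1.10 over the VPN.
VPN_ONLY_RULES = [
    ForwardRule("RDP to terminal server", 3389, "192.168.1.10", enabled=False),
    ForwardRule("HTTPS to web server", 443, "192.168.1.20"),
]


if __name__ == "__main__":
    for label, rules in [("open", OPEN_RULES), ("restricted", RESTRICTED_RULES), ("vpn-only", VPN_ONLY_RULES)]:
        print(label,
              "scanner:", evaluate(rules, INTERNET_SCANNER, 3389),
              "branch:", evaluate(rules, "203.0.113.5", 3389),
              "exposed:", exposed_ports(rules))
```

The evaluator only covers traffic that arrives on the firewall's public address; a VPN client that reaches the terminal server's internal address never touches these rules at all, which is why disabling the forward stops the logon attempts without affecting VPN users or the internal building that reaches the server over the LAN.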
