#1 Newbie

"Suspicious Activity: Client created many RDP sessions"

I am hoping someone here can give us some insight as to what is going on with this event warning. It appears to be warning us of excessive RDP connections coming from PCs-iPhone, which is strange because it is my iPhone which I use on this network. We use RDP and need to have the port open. We are using OpenVPN for VPN'ing into our network. It appears from this warning that the inbound connections are coming from other countries like Bolivia, Russia, and the Netherlands. We keep getting these messages every few days from various countries. What's going on here and how should we resolve this? We are running an Untangle Z4 firewall appliance.

    Thanks,
    Phong
    ======================================

    Event: SessionEvent

    Event Time: 2021-06-16 02:16:10.167.

    Event Summary:
    Session [TCP] 24.178.92.20:50350 -> 192.168.1.112:3389

    Event Details:
    bypassed = false
    c client addr = 24.178.92.20
    c client port = 50350
    c server addr = 192.168.254.218
    c server port = 3389
    client country = US
    client intf = 2
    client latitude = 32.5484
    client longitude = -85.4682
    entitled = true
    hostname = PCs-iPhone
    local addr = 192.168.1.112
    policy id = 1
    policy rule id = 0
    protocol = 6
    protocol name = TCP
    remote addr = 24.178.92.20
    s client addr = 24.178.92.20
    s client port = 50350
    s server addr = 192.168.1.112
    s server port = 3389
    server country = XL
    server intf = 1
    session id = 106228888114245
    tags string =
    time stamp = 2021-06-16 02:16:10.167

    This is an automated message sent because this event matched Alerts Rule "Suspicious Activity: Client created many RDP sessions".

#2 sky-knight (Untangle Ninja)

    Expose 3389 to the world at your own peril.

    End the port forward, use VPN. OR install something like DUO to protect it with MFA. Fail to do either, and accept the inevitable downtime when you get breached, crypto'd, and otherwise brought to your digital knees.

    The notification is telling you what you should already know, the enemy is at the gates. It's time to defend yourself.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 TirsoJRP (Master Untangler)

    False, you don't need to open ports for RDP. If you already have OpenVPN you don't need port forward.

    Getting attacks on RDP is not strange, it's expected.

    Opening RDP to the Internet is insane. I once left a server SSH open and got [gigabytes] of failed log attempts, that's how it is. I bet you have a lot of failed logins in that machine, check your logs.

#4 dwasserman (Untangle Ninja)

Best answer: use VPN, then RDP over the VPN.
If you can't disable RDP listening, you can reduce the attack surface: change the port from 3389 to another very high one, and create a block rule in the Firewall app that permits only this port from source addresses in your country. Is it the perfect solution? Of course not, but it allows better sleep.
    The world is divided into 10 kinds of people, who know binary and those not
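As an added example (not Untangle's code or any poster's), the following Python replays session events in the same "key = value" layout as the Event Details block in post #1 through two rules: a sliding-window "client created many RDP sessions" count, and a post #4 style check that only passes RDP sessions from an allowed country. The event records, the 10-minute window, the threshold of 5, the allowed-country set and the TEST-NET client addresses are all constructed for this example; only 24.178.92.20 and the 192.168.1.112 server come from the thread.

```python
"""Added example: replay Untangle-style session events through two simple rules.

Not Untangle's code. The event format mirrors the post's "Event Details" block;
the sample records, window, threshold, port and country allowlist are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389                 # assumption: RDP still listening on the default port
WINDOW = timedelta(minutes=10)  # assumption: sessions counted per 10-minute window
THRESHOLD = 5                   # assumption: more than 5 sessions per window is "many"
ALLOWED_COUNTRIES = {"US"}      # assumption: post #4's "only your country" rule


def parse_event(text):
    """Parse one 'key = value' per line event block into a dict."""
    event = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        event[key.strip()] = value.strip()
    event["time stamp"] = datetime.strptime(event["time stamp"], "%Y-%m-%d %H:%M:%S.%f")
    event["s server port"] = int(event["s server port"])
    return event


def many_rdp_sessions(events, threshold=THRESHOLD, window=WINDOW, port=RDP_PORT):
    """Sliding-window count of TCP sessions to the RDP port per remote client.

    Returns {client_addr: timestamp of the session that pushed the count over threshold}.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time stamp"]):
        if ev["s server port"] != port or ev.get("protocol name") != "TCP":
            continue
        client = ev["c client addr"]
        q = recent[client]
        q.append(ev["time stamp"])
        while ev["time stamp"] - q[0] > window:   # drop sessions older than the window
            q.popleft()
        if len(q) > threshold and client not in alerts:
            alerts[client] = ev["time stamp"]
    return alerts


def geo_allowed(ev, allowed=ALLOWED_COUNTRIES, port=RDP_PORT):
    """Post #4 style rule: RDP-port sessions pass only from allowed client countries."""
    if ev["s server port"] != port:
        return True
    return ev.get("client country") in allowed


TEMPLATE = """\
c client addr = {addr}
c client port = {cport}
s server addr = 192.168.1.112
s server port = 3389
client country = {country}
protocol name = TCP
time stamp = {ts}
"""


def make_events(addr, country, start, count, gap_seconds):
    """Constructed sample: `count` sessions from one client, `gap_seconds` apart."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=gap_seconds * i)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
        out.append(parse_event(TEMPLATE.format(addr=addr, cport=50000 + i, country=country, ts=ts)))
    return out


START = datetime(2021, 6, 16, 2, 10, 0)
SAMPLE_EVENTS = (
    make_events("24.178.92.20", "US", START, 8, 30)     # burst: 8 sessions, 30 s apart
    + make_events("203.0.113.7", "RU", START, 3, 1200)  # low and slow: 3 sessions, 20 min apart
    + make_events("198.51.100.9", "US", START, 2, 60)   # normal: 2 sessions
)


def run_sample():
    """Apply both rules to the constructed sample and return the findings."""
    alerts = many_rdp_sessions(SAMPLE_EVENTS)
    blocked = sorted({ev["c client addr"] for ev in SAMPLE_EVENTS if not geo_allowed(ev)})
    return alerts, blocked


if __name__ == "__main__":
    alerts, blocked = run_sample()
    for addr, when in alerts.items():
        print(f"many RDP sessions from {addr}, threshold crossed at {when}")
    print("blocked by country rule:", blocked)
```

Two things the sample makes visible: the count rule fires on the burst from 24.178.92.20 at the sixth session, but the slow client that opens one session every 20 minutes never trips it, and the country rule catches that client only because it happens to come from outside the allowlist. Neither rule tells you whether any of those sessions authenticated, which is why the RDP server's own logon-failure logs still need checking.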

#5 sky-knight (Untangle Ninja)

Changing the port doesn't help; it's a TCP scan (10 ms) away from detection and the bots are right back at it.

    Zero Trust, it means you don't let untrusted things even connect. The VPN server is designed to handle the attack, let it...

#6 Newbie

    Thanks for all the great feedback. I understand there is no need to keep port 3389 open if we're using OpenVPN through the Untangle Z4 box. I have disabled that RDP port number on our modem's firewall/port forwarding settings. Hopefully, the warnings will now stop. I will be back if it doesn't...

#7 Newbie

A quick question though: why does the report show "hostname = PCs-iPhone", which is my iPhone? This part doesn't make sense to me.

#8 sky-knight (Untangle Ninja)

    hostname = PCs-iPhone
    local addr = 192.168.1.112

    192.168.1.112 is reverse resolving to that name. There are a ton of reasons for that to happen, but you can start by fixing the hostname so that it shows correctly on the host tab in Untangle's admin UI. You do this by filling in the hostname on the device tab OR fixing reverse DNS so that it's correct.

    Untangle thinks your RDP server is running at that 112 address. I assume that's not your phone, otherwise you've got something really weird going on.