  1. #1
    Untangler
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    75

    What is stopping threat prevention here?

    Hello,

    I've been seeing this behavior since threat prevention started working. The remote server is behind OpenVPN, so I don't know why this is showing in reports. Are people trying to reach my local remote server from outside?

    Threat.png

  2. #2
    Untangler
    Join Date
    May 2008
    Posts
    429

    That is a Windows Remote Desktop port 3389. Hopefully you don't have that open.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,241

    It obviously is open... and if that poor RDP server doesn't have DUO on it or something else to make it MFA... if it's not breached already it will be soon.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    75

    It's not open; port 3389 is closed and only VPN users can access that server. I just tried, in case something had been configured wrong, but I can't access port 3389 from outside.
    Can it be from a compromised computer inside the company?
    Last edited by Riven; 03-13-2020 at 03:33 AM.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,241

    I'm assuming that server IP you blanked out is actually an internal IP address. And, if it is... 3389 is definitely open. Those sessions can't be logged if they don't exist.

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605

    Originally posted by Riven: "Just tried in case something has been configured wrong, but can't access port 3389 from outside."

    How are you testing?

  7. #7
    Untangler
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    75

    I've just seen the problem. A long time ago, the port was open to the Internet and someone "closed it" by allowing only one IP to pass through it (firewall), the one of their other office. When the VPN was put in between the main office and their other office, no one cleared this open port, so only the firewall was closing the port outside. Now that threat protection is working, I assume it's stopping people connecting before the firewall does. So, I cleared the open port and now threat protection isn't giving any more connection messages.
    Thanks all, my bad; I didn't check everything on Untangle, as their IT person was managing Untangle on their own.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,241

    Actually, yes, that makes sense. The rack apps all see the session at the same time; all of them have to agree for traffic to flow, however. So yes, if you had a 3389 forward, and then used a firewall app rule to control it, you'd see events in both modules.

  9. #9
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605

    Thanks for getting back to us with the solution!
