RDP Brute Force attacks

I'll simplify to save the protracted discussion over what was meant by 'basic':

"The router/modem may have port knocking. See if you can use that. If you are buying a new modem, it might be useful to get one with port knocking."
 
Thanks for all the replies! Sorry for being late, I was busy this weekend.

Lots of good information here.

So it seems the VPN way is what you guys use the most. You set up VPN at the gateway or in the server? And do you use a software to connect or plain old "create new connection" in Windows?

My clients don't have UTM in their network. I became an Untangle partner in December because one of them wanted to filter their web traffic. So from what you said, YeOldeStonecat, Untangle should be a good choice for UTM? Do you use their Appliance or build yours?

I can't block RDP to allow access from only a specified IP since they connect from their home or laptop on the road. With dynamic IP it's impossible to do so.

The clients I'm talking about here are mostly SMB and I allow RDP directly to their work PC. No TS server.

Looks like it's gonna be a long week for me. I'm already all booked and will have to call all my clients to explain the "new" threat and to disable their RDP until I set up a TSGateway and/or a VPN and/or a UTM. And that is if they want to buy them, but that would be their choice and I'll make them sign something about the risk of exposing RDP to the Internet.

If you got more advice about specific model for Gateway or UTM please let me know!

Thank you very much
 
So it seems the VPN way is what you guys use the most. You set up VPN at the gateway or in the server? And do you use a software to connect or plain old "create new connection" in Windows?

My clients don't have UTM in their network. I became an Untangle partner in December because one of them wanted to filter their web traffic. So from what you said, YeOldeStonecat, Untangle should be a good choice for UTM? Do you use their Appliance or build yours?

For the few clients I still have that use a VPN, I always have hardware handle the VPN. Such as Untangle for smaller clients, or for larger clients where you have many concurrent VPN users...a dedicated VPN appliance that sits behind the router, like a Juniper SA series SSL VPN box (now Pulse).
I cringe at the thought of a Windows DC having VPN ports exposed for VPN....I'd want to format that every week! But when I used to have a Windows box doing the VPN (waaay back in the NT 4 server days) I'd have a dedicated NIC just for the VPN traffic...separate from the regular LAN NIC.

I use hardware from NexGenAppliances for our Untangle installs. Yeah the free (Lite) version of Untangle is still way better than a plain NAT router.
 
@YeOldeStonecat I don't see anything quick on Untangle's documentation - can the Firewall rules add an IP address to an address list? If so, that's how port knocking might be implemented there even if it's not directly supported.

On a Mikrotik, basically you have rules that fire when a matching packet arrives/connection is attempted. Say the first connection is to 12345, so you add the originating IP to "Knock_Once" with a 15 second timeout. Next comes a packet for 54321 from the same IP and you have a rule that says "Connections to 54321 from IPs in the 'Knock_Once' list get added to the 'One_Day_Whitelist' list". Finally you have something that allows 3389 (or other ports) for IPs on the 'One_Day_Whitelist' list.

It's basically the exact same thing you'd do to ban repeat connection attempts from a single source, except in this case the final rule is allowing connections instead of blocking them.

One drawback: If you want a simple script you can install for users, there seems to be a shortage of them out there. This may be your best starting point, though it appears that for general use port knocking just kind of sank beneath the waves so the only folks using it are ones who can also come up with their own scripts.
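For anyone who wants to see the Mikrotik rule chain described above written out, here is a RouterOS version as an added example (not posted by anyone in this thread). It assumes ether1 is the WAN interface, the work PC sits at 192.168.1.10 behind a dst-nat rule, and 12345/54321 are the knock ports from the post; change all of those to fit your setup.

```routeros
# Assumed placeholders: ether1 = WAN interface, 192.168.1.10 = work PC,
# 12345 then 54321 = knock sequence. Address-list names follow the post.
/ip firewall filter
# Step 1: any hit on 12345 puts the source IP in Knock_Once for 15 seconds.
# add-src-to-address-list does not stop rule processing, so the drop below still fires.
add chain=input in-interface=ether1 protocol=tcp dst-port=12345 \
    action=add-src-to-address-list address-list=Knock_Once \
    address-list-timeout=15s comment="port knock step 1"
# Step 2: a hit on 54321 only counts while the source is still in Knock_Once;
# a late second knock (after the 15s expiry) does nothing.
add chain=input in-interface=ether1 protocol=tcp dst-port=54321 \
    src-address-list=Knock_Once action=add-src-to-address-list \
    address-list=One_Day_Whitelist address-list-timeout=1d \
    comment="port knock step 2"
# The knock ports themselves are never answered; drop them silently.
add chain=input in-interface=ether1 protocol=tcp dst-port=12345,54321 \
    action=drop comment="swallow knocks"
# Forwarded RDP: new connections only from IPs that completed the sequence.
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    connection-state=new src-address-list=One_Day_Whitelist action=accept \
    comment="RDP from knocked IPs"
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    connection-state=new action=drop comment="RDP from everyone else"

/ip firewall nat
# The port forward itself; the forward-chain rules above decide who gets through.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=3389 comment="forward RDP"
```

The whitelist entry expires after the 1d timeout, so the user knocks again the next day; keep these rules above any broad "accept" rules in the same chains or they will never be reached.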
 