4

I restricted the Firewall incoming rules for RDP under Scope to 1 Remote IP address (Local IP Address section is empty). This was done for both Public & Private/Domain Rules.

This action restricted RDP access to only my IP. I confirmed this myself by trying to access from another IP unsuccessfully, and can only access the machine from that 1 static IP.

However I still get 100s of brute force RDP attempts each day. In Event Log / Security section I consistently see other (failed) RDP attempts from other IP addresses (which appear to be external).

Logs list "Unknown user name or bad password" so that tells me that they are getting past the firewall.

I also changed the RDP port to a custom port #, but that has not helped, I'm assuming I'm being scanned for open ports.

How can this be happening when even I can't log in from a different IP?

Could it be that attackers are somehow circumventing the Windows Firewall rule?

Is there anything else that I need to disable from Windows services?

Also what else can be done to prevent this?

Appreciate any help here as I'm really not sure how else to stop this, thanks!

AlexVPerl
  • 243
  • 2
  • 9
  • Take a network capture and post it with your question. – user2320464 Sep 21 '16 at 02:06
  • Thanks for the comment, but what's a network capture? – AlexVPerl Sep 21 '16 at 02:20
  • [Google has your answer](https://encrypted.google.com/search?q=network+capture). Typical programs are tcpdump, wireshark, netmon. Use a capture filter for TCP3389. It will show if other IPs are establishing connections or not. – user2320464 Sep 21 '16 at 02:29
  • @user2320464 thanks, so you're asking me to run it continuously until it catches a login attempt ? – AlexVPerl Oct 09 '16 at 02:14
  • Yes. A capture filter will prevent the log from getting too big since only TCP3389 will be captured. – user2320464 Oct 11 '16 at 00:27
  • @user2320464 I tried installing and playing around with WireShark but unfortunately I do not have enough knowledge of the software to get anything meaningful; it logs way too much data. – AlexVPerl Jan 02 '17 at 21:43
  • A local service is sending data to RDP – Xaqron Feb 13 '17 at 09:36
  • @Xaqron Thanks, but not sure what you meant, could you please elaborate. – AlexVPerl Feb 13 '17 at 09:38
  • You can find remote IPs in Event Viewer under Applications and Services `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational` – Xaqron Feb 13 '17 at 10:00
  • @Xaqron Good point to know. But in this case logged IPs are from China. – AlexVPerl Feb 13 '17 at 10:02
  • Then you should block them some way or at least use a strong password. – Xaqron Feb 13 '17 at 10:03
  • @Xaqron Well if RDP is restricted to a single IP via firewall already. – AlexVPerl Feb 13 '17 at 10:04
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/53547/discussion-between-xaqron-and-alexvperl). – Xaqron Feb 13 '17 at 10:05
  • In general, it might be worthwhile to look at a product called RDPGuard. It will block IPs after repeated failed attempts. I'm not affiliated with the software. I'm a customer. – Chris76786777 May 03 '17 at 15:44
  • 1
    Did you ever figure this out? My gut feeling would be that your firewall wasn't configured the way you thought it was, since I agree with your assessment that it wasn't behaving properly. – TTT Jun 08 '18 at 19:03
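The question above cannot be settled from the Security log alone: Windows Firewall admits a packet if any enabled allow rule matches it, so a second rule for the same port whose remote scope is still "Any" (a duplicate built-in "Remote Desktop" rule, a program rule for the RDP service, or a rule created by another tool) silently undoes a scoped one. The following script is an added example, not code from the original question or its comments. It lists every enabled inbound allow rule that covers the port RDP actually listens on, with its remote-address scope, so an unscoped rule stands out. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated PowerShell session.

```powershell
# Added example (not from the original question): audit which inbound firewall rules
# admit RDP and what remote-address scope each one carries.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

# 1. The port the RDP listener is actually bound to (a custom port must match the rule).
$rdpPort = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
            -Name PortNumber).PortNumber
Write-Host "RDP listener port: $rdpPort"

# 2. Whether any profile is switched off or defaults to allowing inbound traffic.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# 3. Every enabled inbound ALLOW rule whose port filter covers the RDP port.
#    A packet is allowed if ANY enabled allow rule matches, so a rule scoped to one
#    remote IP is undone by another rule for the same port with RemoteAddress 'Any'.
#    Port ranges (e.g. '1024-65535') are reported as-is and need a manual look.
$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $ports      = @($portFilter.LocalPort)
    if ($portFilter.Protocol -eq 'TCP' -and ($ports -contains 'Any' -or $ports -contains "$rdpPort")) {
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $appFilter  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = ($ports -join ',')
            Program       = $appFilter.Program          # 'Any' unless the rule is program-scoped
            RemoteAddress = (@($addrFilter.RemoteAddress) -join ',')
            Unscoped      = (@($addrFilter.RemoteAddress) -contains 'Any')
        }
    }
}

# Unscoped rules first: any of these that really applies to the RDP port explains
# why failed logons from arbitrary addresses still reach the authentication layer.
$findings | Sort-Object Unscoped -Descending | Format-Table -AutoSize
```

Rules with `LocalPort = Any` and a specific `Program` only match traffic delivered to that executable, so they are only relevant if the program is the Terminal Services host; everything else in the `Unscoped = True` rows is a candidate for the leak. If no such rule exists and the listener port matches, the next place to look is the path in front of the host (a NAT or VPN endpoint that rewrites the source address to something inside the allowed scope), which the firewall cannot distinguish from the legitimate client.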

2 Answers

2

This can happen often with Domain Controllers.

Do you have a Domain Controller? If so, on the DC, enable the netlogon.log debugging file (via elevated cmd prompt):

```
nltest /DBFlag:2080FFFF
```

Now, go to %WINDIR%\debug\netlogon.log and open it up. You'll be able to see the user(s) attempting to log in, and which machines they're attempting to log in to. It may turn out that you have other systems on the network which are trying to RDP into those systems using Active Directory credentials.

You should be able to track down the offending server with the above data. My guess is something connected to the DC is exposed to 0.0.0.0/0:3389, like an AWS server that remotes into your network using a VPN. May want to check your AWS security groups.

It could really be anything, though. You'll want to find this server before it becomes a pivot point.

Having said that, none of the Wireshark tips in this thread will detect this behavior unless you're on the system being RDP'd into - which is likely not the DC. You'll need to go straight to the DC logs and find out for yourself where it is.
To disable netlogon.log debugging later (via elevated command prompt):

```
nltest /DBFlag:0x0
```

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
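Once netlogon debugging is on, the log grows quickly and the useful signal is which machine each failed logon arrived from. The script below is an added example, not part of the answer above: it parses `SamLogon` lines from netlogon.log, keeps the non-zero status codes, and groups them by originating machine and status. The sample lines are constructed in the layout those entries normally have (`... logon of DOMAIN\user from MACHINE (via SERVER) Returns 0x...`); the regex assumes that shape, so adjust it if a particular DC version formats the entries differently.

```powershell
# Added example (not from the answer): summarise failed logons in netlogon.log by the
# machine they originated from. Sample lines are constructed in the usual SamLogon layout.
$sample = @'
02/13 09:36:01 [LOGON] [1234] CORP: SamLogon: Transitive Network logon of CORP\administrator from WEBSRV01 (via WEBSRV01) Returns 0xC000006A
02/13 09:36:02 [LOGON] [1234] CORP: SamLogon: Transitive Network logon of CORP\admin from WEBSRV01 (via WEBSRV01) Returns 0xC0000064
02/13 09:36:03 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\svc_backup from FILESRV02 Returns 0x0
02/13 09:36:04 [LOGON] [1234] CORP: SamLogon: Transitive Network logon of CORP\administrator from WEBSRV01 (via WEBSRV01) Returns 0xC000006A
'@ -split "`r?`n"

function Get-NetlogonFailures {
    param([string[]]$Lines)
    # Source = the machine the logon came from; Via = the member server that forwarded it
    # (present on transitive logons). Status 0x0 is success and is dropped.
    # 0xC000006A = wrong password, 0xC0000064 = no such user: both typical of guessing.
    $pattern = 'logon of (?<Account>\S+) from (?<Source>\S+?)(?: \(via (?<Via>\S+)\))? Returns (?<Status>0x[0-9A-Fa-f]+)'
    $Lines |
        ForEach-Object {
            if ($_ -match $pattern -and $Matches.Status -ne '0x0') {
                [pscustomobject]@{
                    Account = $Matches.Account
                    Source  = $Matches.Source
                    Via     = $Matches.Via
                    Status  = $Matches.Status
                }
            }
        } |
        Group-Object Source, Status |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
}

# Against the constructed sample: WEBSRV01 shows two 0xC000006A and one 0xC0000064.
Get-NetlogonFailures -Lines $sample

# Against the live file on the DC:
# Get-NetlogonFailures -Lines (Get-Content "$env:WINDIR\debug\netlogon.log")
```

The `Source` column is the host to inspect next; with the answer's scenario it would be the member server that is reachable from the internet on 3389, and the `Via` column confirms which server relayed the attempt to the DC.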
0

Your firewall is just working. Nothing to complain about.

It's allowing only that IP, the others are getting blocked and logged so that you know someone else is trying to reach your RDP.

The Illusive Man
  • 10,487
  • 16
  • 56
  • 88
  • 1
    In EventViewer/Security for failed login attempts I see the following reason "Unknown user name or bad password." That implies to me that a port connection has been made and it's the NTLM that is rejecting the login. Shouldn't the Firewall stop the connection before it reaches NTLM? – AlexVPerl Jul 22 '16 at 20:55
  • @AlexVPerl oh well, that's an important bit of information you missed in the question ;) Then I can't help you because that just doesn't make sense to me ;) – The Illusive Man Jul 22 '16 at 21:47
  • @AlexVPerl I have a similar situation. The way I understand it is this. You limit access to RDP for one IP only. When someone tries to brute force, any info they send to your server gets logged. They could have the correct user and password, but they will still get blocked because their IP isn't allowed, just like SSH and public key. If you want to filter IPs from actually sending traffic to your server, use something like ipset, or an equivalent for Windows. But for your situation you shouldn't worry; it is just the log's way of letting you know what action has been tried against your server. – JShade01 Jan 02 '17 at 19:51
  • Thanks @JShade01. I was hoping it would be the case. But it appears that when Windows Firewall blocks traffic the request does not even make it to the Login Layer / Active Directory. I use VPN for dedicated IP, so this scenario was easy for me to test. When IP is blocked there is no record of the attempt in EventViewer. Windows Firewall will have log entry somewhere, but not EventViewer. In my case EV lists the reason as "incorrect login / password" which implies that the request has passed the Firewall at that point. At this point I'm convinced that my VPN IP isn't as dedicated as advertised... – AlexVPerl Jan 02 '17 at 21:38
  • @AlexVPerl If you will, take a look at this link http://superuser.com/questions/979312/private-public-key-authentication-for-windows-remote-desktop. It talks about using RDP through SSH. This way you can forget about clear text and use a public key to log in, meaning only your device will be able to log in, and brute forces to your RDP and SSH ports are rendered meaningless traffic. – JShade01 Jan 02 '17 at 21:44
  • Very interesting solution, going to take a look at it. Much thanks! – AlexVPerl Jan 02 '17 at 21:46
  • This is not a remote RDP directly. It is using a local process as proxy so no rule against RDP in firewall helps. I'm coding (C#) a Watcher on Event log to block these IPs automatically via windows firewall. It takes 1-2 days. I will share it on github when finished. – Xaqron Feb 13 '17 at 10:09
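The last comment describes a watcher that reads failed logons from the event log and blocks the source addresses in Windows Firewall, and an earlier comment recommends a product that does the same. The script below is an added example in that spirit, written for this page rather than taken from the thread or from any of those tools: it counts Security event 4625 (failed logon) per source IP over a window, skips an allow-list, and maintains a single inbound block rule with the repeat offenders. Block rules take precedence over allow rules in Windows Firewall, so this works alongside the scoped allow rule from the question. The threshold, window, rule name and the allow-listed address are assumptions (the address is a constructed placeholder for the one static IP the question keeps); run it elevated, for instance from a scheduled task.

```powershell
# Added example (not from the thread): count failed logons (Security event 4625) per
# source IP and add repeat offenders to one inbound block rule. Run elevated.
$Threshold   = 10                          # assumed: failures per window before blocking
$WindowHours = 1                           # assumed: look-back window
$RuleName    = 'Auto-block RDP brute force (example)'   # assumed rule name
$AllowList   = @('203.0.113.10')           # constructed placeholder: your own static IP

function Get-FailedLogonSources {
    param([int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than by position.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # RDP with NLA fails as logon type 3 (network), classic RDP as type 10.
        # IpAddress is '-' when the source is unknown; loopback is skipped as well.
        if ($d.IpAddress -and $d.IpAddress -notin @('-', '::1', '127.0.0.1')) {
            [pscustomobject]@{
                IpAddress = $d.IpAddress
                User      = $d.TargetUserName
                LogonType = $d.LogonType
                SubStatus = $d.SubStatus   # 0xC000006A bad password, 0xC0000064 unknown user
            }
        }
    }
}

function Select-Offenders {
    param([object[]]$Failures, [int]$Threshold, [string[]]$AllowList)
    $Failures |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold -and $_.Name -notin $AllowList } |
        ForEach-Object { $_.Name }
}

$failures  = @(Get-FailedLogonSources -Hours $WindowHours)
$offenders = @(Select-Offenders -Failures $failures -Threshold $Threshold -AllowList $AllowList)

if ($offenders.Count -gt 0) {
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # First run: create the block rule with the current offenders as its remote scope.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
                            -RemoteAddress $offenders | Out-Null
    } else {
        # Later runs: merge the new offenders into the rule's existing remote scope.
        $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $merged   = @($existing + $offenders | Sort-Object -Unique)
        $rule | Set-NetFirewallRule -RemoteAddress $merged
    }
    Write-Host "Blocked: $($offenders -join ', ')"
} else {
    Write-Host "No source reached $Threshold failures in the last $WindowHours hour(s)."
}
```

Two practical notes: the allow-list matters because a mistyped password from your own address would otherwise lock you out of the scoped rule, and the block list should be pruned periodically (for example by recreating the rule from a fresh window) so that it does not grow without bound. If the 4625 events show `IpAddress` as `-`, the client address can instead be read from the `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational` log mentioned earlier in the thread.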