
Today, my database server unexpectedly restarted. After checking it, I found that since the start of December I had been getting this event, a Network Threat Protection event. Here's the event:

Object detected.

 Object name: 64.76.157.3:51747 (different IP every time).
 Object type: N/A.
 Severity level: high.
 Certainty level: complete signature match.
 Detected object type: network attack.
 Detected: Bruteforce.Generic.Rdp.d.
 Task name: Network Threat Protection.
 User name: N/A.
 Computer name: DB01.
 Process: 192.168.0.11:3389.
 PID: 6.

This server is one of 5 servers that share the same public IP, each with a different port, and all of the servers got the event. So, my questions are: Does the attacker have to know the public IP in order to make the attack? How can I know the source of the attack? Also, do I need to put in a firewall device, since I don't have one?

1 Answer


Those kinds of messages are expected if you expose RDP to the Internet. It's time to disconnect RDP from the Internet, as there are Cybercriminals Actively Exploiting RDP to Target Remote Organizations, Attackers on the Hunt for Exposed RDP Servers, the wolves already at your door, and also Attacks against internet-exposed RDP servers surging during COVID-19 pandemic. I think you are starting to get a picture of the security risks of RDP. Do not expose RDP!

Typically database servers aren't directly connected to the Internet, either, unless there's explicit need for direct access; there might be separate application servers that are the clients of the database servers, and the database access can be restricted to those. If the database is on the same server, it could be accessed through local loopback, etc. This kind of access control will harden your infrastructure and improve its overall security.

Esa Jokinen
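As an added example that is not part of the original answer, here is how its advice could be applied on the database host itself with the Windows Defender Firewall cmdlets, plus a check that answers the "where is it coming from" question from the Security log. The management subnet, the application-server addresses and the database port (SQL Server's 1433) are assumptions, not values from the page.

```powershell
# Added example (not from the question or answer). Assumptions, not from the page:
#   - administrators reach RDP from a management subnet / VPN, 10.0.10.0/24
#   - the application servers are 192.168.0.21 and 192.168.0.22
#   - the database listens on TCP 1433 (SQL Server); change for your engine
$MgmtSubnet = '10.0.10.0/24'
$AppServers = @('192.168.0.21', '192.168.0.22')
$DbPort     = 1433

# 1. Make "not explicitly allowed" mean "blocked" on every profile, so a NAT
#    port-forward from the router no longer reaches services by accident.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Replace the built-in open-to-everyone RDP rules with one scoped to the
#    management subnet. (A Block rule always beats an Allow rule in Windows
#    Firewall, so we rely on the default inbound action instead of adding
#    a catch-all Block for 3389, which would also cut off administrators.)
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'RDP from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Any

# 3. The database port is reachable only from the application servers
#    (the answer's "restrict database access to its clients").
New-NetFirewallRule -DisplayName 'Database port from application servers only' `
    -Direction Inbound -Protocol TCP -LocalPort $DbPort `
    -RemoteAddress $AppServers -Action Allow -Profile Any

# 4. Check: failed logons (Security event 4625) in the last 24 hours grouped by
#    the source address the event records. This is where the "different IP every
#    time" in the question can be seen; after the rules above, Internet
#    addresses should stop appearing in this list.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

These host rules are defence in depth only: the exposure in the question comes from the router forwarding public ports to 3389, so that port-forward should be removed as well, with RDP reached over a VPN instead.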