23

Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

One of the servers is being hit by a dictionary attack. I have all the standard security in place (renamed Administrator, etc.) but want to know if there is a way to limit or ban the attack.

Edit: The server is remote only. I need RDP to access it.

Eduardo Molteni
  • 753
  • 1
  • 8
  • 17

8 Answers

29

Block RDP at the firewall. I don't know why so many people allow this. If you need to RDP to your server, setup a VPN.

Jason Berg
  • 18,954
  • 6
  • 38
  • 55
  • Or use a gateway – pauska Sep 23 '11 at 14:55
  • I need RDP, the question is how to limit brute force login attacks – Eduardo Molteni Sep 23 '11 at 14:59
  • 3
    @EduardoMolteni: As Jason states, block RDP at the firewall and use a VPN. – GregD Sep 23 '11 at 15:10
  • 5
    @Eduardo - The correct thing to do is VPN in. That would still give you the access you need. If you insist on allowing RDP access to your server, you do so at your own risk. There is no popular tool or method out there for limiting these attacks. Good sysadmins just block the traffic. If you'd like to give it a shot, maybe you can modify Evan's program here http://serverfault.com/questions/43360/cygwin-sshd-autoblock-failed-logins/43900#43900 to look for RDP connections. I'm not sure if that's even an option but it's probably your closest chance. – Jason Berg Sep 23 '11 at 15:14
  • @Jason: Good answer. Don't know why people get mad, isn't this site made for learning? – Eduardo Molteni Sep 23 '11 at 15:51
  • @eduardo - I don't see anybody in this thread who appears to have gotten mad. Your radar may be off. – Jason Berg Sep 23 '11 at 15:56
  • 1
    @Jason: "..It's already been said twice.." "..Why do you keep glossing over.." Not nice people, but English is not my primary lang so you might be right – Eduardo Molteni Sep 23 '11 at 16:05
  • @Eduardo - That's not anger. It may be frustration. Brush it off. It's not meant to be offensive. – Jason Berg Sep 23 '11 at 16:13
  • 2
    @EduardoMolteni: You've gotten the wrong impression if you think we're "not nice people" or "mad" and if English isn't your first language, perhaps those aren't the first judgments you should come to? I just simply wondered why several people had mentioned setting up a VPN and you kept saying, "I need RDP to access it". You can still RDP through a VPN connection... – GregD Sep 23 '11 at 16:14
  • 1
    @Jason, yes, right, don't get why people get frustrated when asked simple things. – Eduardo Molteni Sep 23 '11 at 16:20
  • 7
    Not sure why you are so extremely against permitting RDP. The encryption isn't that bad, the same as https. By setting up a VPN all you are basically doing is changing the object an attacker would need to brute force. If the VPN uses simple password authentication integrated into the same authentication system as the RDP host, then you really haven't changed much at all. – Zoredache Sep 23 '11 at 16:21
  • 2
    @Eduardo Molteni, sysadmins tend to get upset when we see someone ask a question that suggests they are trying to metaphorically shoot themselves in the head. – Zoredache Sep 23 '11 at 16:23
  • @Zoredache - RDP can be setup to be as safe as https. It rarely is. I'd also say there's a lot of advantage in removing a common attack vector used by those who prefer a shotgun approach. If you're being targeted, it's probably about the same. But it's worth removing the threat of script kiddies or bots trying every RDP server they can find. – Jason Berg Sep 23 '11 at 16:28
  • 2
    @Zoredache - If a port scan reveals a response on 443, that's 99% a web server, but which one? If a port scan reveals a response on 3389, that's 99% a MS RDP session port, and I can happily hammer away at it knowing I am likely hitting an internal AD directory service for auth since MS has no built-in mechanism to stop brute-forcing that service. Hitting an internal AD is a much better target than limiting your attack to a web server which may well be isolated in a DMZ with no real internal access or knowledge of AD. – August Sep 23 '11 at 19:17
  • 2
    @August, AD has the same account lockout tools for RDP that are used by the OWA that people frequently make publicly available. The entire point of the question was asking for a tool to limit brute force attacks. IMO a VPN only does that as a consequence of there being so many different varieties of VPNs. – Zoredache Sep 23 '11 at 19:24
  • @Zoredache - ...and how annoying is it having various user accounts locked out in your AD because RDP is allowed from the internet? No one is suggesting to use simple pw auth in a VPN connection either...you mentioned that. You are arguing that RDP is as safe as HTTPS, which, from an exclusive encryption standpoint it is, but in the context of this particular question, I would argue that it is not for reasons already mentioned and the problems the OP is having. – August Sep 23 '11 at 20:18
  • 7
    I'm amazed that people would wrap one remote access service in another when there is so little benefit. VPN can be brute forced like anything else. Locking out accounts based on RDP attempts is just silly. Rather set up so 150 incorrect passwords from any given IP within 24 hours blocks that IP. If this is such a huge problem, don't use passwords. – Alex Holst Sep 23 '11 at 20:40
  • 1
    VPNs are great but setting up a VPN on a small network just for tunnelling one RDP server may be more work than just securing that one service. – Alex Jasmin Sep 23 '11 at 22:58
  • 2
    I agree with @AlexHolst - VPN is just unnecessarily adding a wrapper to something that can be secure if done right. Change the port, enable account lockout (even a temporary 5 minute block after 5 attempts would prevent brute force) and only allow NLA connections (if it's Windows Server 2008+) – Ashley Sep 27 '11 at 20:13
11

Change the port and virtually all attacks will stop.

Attacks are usually not directed to you specifically but to all IPs. So they won't try non-default ports because it's simply not worth it; trying the next IP has chances orders of magnitude greater than trying the next port.

Andreas Bonini
  • 1,292
  • 1
  • 9
  • 16
7

Theoretically you would accomplish this using a tool called an intrusion prevention system (IPS). Ideally this device would be an appliance outside of your Windows box. Building a rule in a Linux iptables firewall to block brute force traffic is pretty easy.

In a separate question Evan mentions he developed a script which would manage the Windows firewall based on failures in OpenSSH. You may be able to adapt his code to apply here, if you must do this on the Windows box itself.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
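Jason's comment on the first answer and the answer above both point at adapting Evan's Windows-firewall script, and the comment thread settles on two concrete policies: block a source address after 150 failed logons in 24 hours (Alex Holst) or after 5 attempts in 5 minutes (Ashley). The following is an added example, not code from this thread or from Evan's script, showing the core of such a tool: a sliding-window counter over failed-logon records keyed by source address, which emits a Windows Firewall block rule once an address crosses the threshold. The log lines are constructed here in a simplified export format carrying only the event 4625 fields the detector needs; reading the live Security log and actually running the `netsh` command are left to the operator.

```python
"""Sliding-window brute-force detector for Windows RDP logon failures.

Added example, not from the ServerFault thread or from any project named
in it. Input is a constructed export of Security-log events where 4625 is a
failed logon and 4624 a successful one; the fields are a subset of what the
real event carries.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_ID = "4625"

# Constructed sample log: one address hammering many account names within
# seconds, one legitimate user who mistypes once, one slow trickle that never
# crosses a 5-in-5-minutes policy, and a local failure with no source address.
SAMPLE_LOG = """\
2011-09-23T14:55:01 4625 TargetUserName=administrator IpAddress=203.0.113.7
2011-09-23T14:55:03 4625 TargetUserName=admin IpAddress=203.0.113.7
2011-09-23T14:55:04 4625 TargetUserName=root IpAddress=203.0.113.7
2011-09-23T14:55:06 4625 TargetUserName=test IpAddress=203.0.113.7
2011-09-23T14:55:09 4625 TargetUserName=guest IpAddress=203.0.113.7
2011-09-23T14:55:12 4625 TargetUserName=sa IpAddress=203.0.113.7
2011-09-23T15:00:00 4625 TargetUserName=eduardo IpAddress=198.51.100.20
2011-09-23T15:00:05 4624 TargetUserName=eduardo IpAddress=198.51.100.20
2011-09-23T15:03:00 4625 TargetUserName=backup IpAddress=192.0.2.9
2011-09-23T15:06:00 4625 TargetUserName=backup IpAddress=192.0.2.9
2011-09-23T15:09:00 4625 TargetUserName=backup IpAddress=192.0.2.9
2011-09-23T15:12:00 4625 TargetUserName=backup IpAddress=192.0.2.9
2011-09-23T15:15:00 4625 TargetUserName=backup IpAddress=192.0.2.9
2011-09-23T15:20:00 4625 TargetUserName=SYSTEM IpAddress=-
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, source_ip) for failed logons.

    Successful logons and failures with no network source ('-') are skipped,
    so only remote attempts count toward a block.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, event_id, rest = line.split(" ", 2)
        if event_id != FAILED_LOGON_ID:
            continue
        fields = dict(kv.split("=", 1) for kv in rest.split())
        ip = fields.get("IpAddress", "-")
        if ip == "-":
            continue
        events.append((datetime.fromisoformat(stamp), ip))
    events.sort(key=lambda e: e[0])
    return events


def find_offenders(events, threshold=5, window_seconds=300):
    """Map each source IP that reached `threshold` failures inside any
    `window_seconds` span to the timestamp at which it first did so.

    Per-IP deques hold only timestamps inside the current window, so memory
    stays bounded by the attack rate rather than by log length. The defaults
    encode the 5-in-5-minutes policy; 150 in 86400 s gives the other one.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rule(ip, port=3389):
    """Windows Firewall command (netsh advfirewall syntax) that would block
    the offender. Returned as a string, never executed here; `port` assumes
    the default RDP port and must match any non-default port in use."""
    return (f'netsh advfirewall firewall add rule name="RDP brute force {ip}" '
            f'dir=in action=block protocol=TCP localport={port} remoteip={ip}')


if __name__ == "__main__":
    for ip, when in find_offenders(parse_log(SAMPLE_LOG)).items():
        print(f"{when.isoformat()} {ip} crossed threshold")
        print("  " + block_rule(ip))
```

On the sample input only `203.0.113.7` is flagged; the slow trickle from `192.0.2.9` stays under five attempts in any five-minute span, which is exactly the case where a per-IP window beats a plain account lockout: the lockout would have disabled the `backup` account, while this rule leaves it alone. A production version would also expire the block rules after some interval and, as the thread notes, pair the counter with NLA so failures are rejected before a full session is set up.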
4

The only thing I can think of why your server is getting hit with a massive amount of RDP attempts is that you can RDP to it from the internet. Disable this access from the internet and you should be fine. Use a VPN like everyone else if you need to RDP to the server from the outside. If these are internal attempts, then you have a bigger problem that likely involves somebody getting terminated for trying to dictionary attack an internal server...

August
  • 3,114
  • 15
  • 17
  • or there's malware on the network. – gravyface Sep 23 '11 at 14:58
  • I need to be able to RDP from the internet. Just want to limit it so you can't try to log in several times per second – Eduardo Molteni Sep 23 '11 at 15:00
  • 1
    @Eduardo - It's already been said twice. Put something in between the Internet and this server. Be it VPN, an SSH tunnel, TS Gateway, etc. Hell, if you are concerned this is an automated attack resulting from port scan, move the RDP port to something less obvious. – Aaron Copley Sep 23 '11 at 15:09
  • 2
    @EduardoMolteni: With VPN you can still RDP from the internet. Why do you keep glossing over the VPN part? – GregD Sep 23 '11 at 15:11
  • @Aaron: Don't get mad. Just learning the options here. – Eduardo Molteni Sep 23 '11 at 15:12
  • @Eduardo - Not mad at all. I didn't mean to give that impression. It just doesn't seem that Windows has any built in mechanism for what you want. It's a frustrating position to be in but the best thing you can do is make the fundamental change to how you access remote services. – Aaron Copley Sep 23 '11 at 15:18
4

If you know the IP addresses of the PCs that need to RDP to this server over the internet, configure your router/firewall to only allow RDP traffic from those IPs or IP ranges. If the incoming PCs are on DHCP from their ISP, putting the ISP's IP range(s) in to your firewall would at least block most of the random login attempts.

KJ-SRS
  • 984
  • 1
  • 8
  • 11
2

You could change the port to a non-default RDP port. This will still allow you to connect but make it slightly harder for someone to find RDP on your machine.

http://support.microsoft.com/kb/306759

Darryl Braaten
  • 161
  • 1
  • 8
  • I have RDP set up on my home network... but I have it changed at the router to a non-standard port. I was going to suggest at least changing the ports, as I think that would thwart all but the absolutely most dedicated hacks. – WernerCD Sep 23 '11 at 18:40
2

Ban the IPs using WinBan and the RDP module.

Eun
  • 141
  • 3
1

We use Untangle to protect our network and connect a few remote locations. Simple setup on a PC, quick install and configuration, a full set of firewall options, and it comes with an OpenVPN server.

Untangle Router


integratorIT
  • 139
  • 1
  • 1
  • 11