1

I am running a Windows 2008 Server and I have installed ts_block on it to help block RDP brute force attempts on the server.

Question 1: What I wanted to know is, is there any benefit for me using ts_block, because my server only allows users to RDP with the proper IP address? This is set up in the Windows Firewall.

Question 2: I don't think they can get in because they don't have the correct IP to even but when they come to my server they hit the hell out of it, causing it to take up memory and CPU power and making the server slow.

Question 3: Would a hardware firewall help prevent them from even getting to my server, and is that the better answer than using ts_block?

Thanks,

Frank

Frank G.
  • Egad... there was a question about software *I* *wrote* on ServerFault and I didn't answer it. Shows how much I'm slipping. >sigh – Evan Anderson Nov 07 '13 at 17:06

1 Answer

4

Our own beloved Evan Anderson wrote that, and he explicitly mentions at the top of the script the multitude of ways that you can contact him directly for support of that script.

https://github.com/EvanAnderson/ts_block

That being said, if your Windows Firewall is already set up to only allow RDP connections from a whitelisted set of IP addresses already, then I don't really see the benefit of ts_block in that scenario. Unless you suspect your whitelisted IPs are trying to brute force their way into your Terminal Server... and in that case, you shouldn't have whitelisted them.

Also, while the Windows Firewall is a good extra layer of defense, I don't think anyone should consider it a substitute for a traditional hardware firewall. A hardware firewall would prevent those packets from ever even hitting your Windows server.

Ryan Ries
  • Microsoft considers it an acceptable substitute! :) – MDMarra Aug 31 '13 at 16:36
  • @MDMarra True, but I think the great majority of people (outside of Microsoft) are still a little too squeamish to have Windows Firewall as their *only* firewall. That said I still recommend using it as an additional layer of security. Furthermore, in a scenario where I'm concerned about the performance of my server being impacted because of a DoS type of scenario, I would like to be able to offload the processing of most of those packets to a dedicated device that wasn't my server. – Ryan Ries Aug 31 '13 at 16:44
  • @MDMarra I agree but that's Microsoft and of course they are going to find it acceptable. After all they made it. I agree that you can never have enough layers of security. My problem is I have a small server hosted with Rackspace and they are not cheap when it comes to add-ons like a firewall. I am already paying $500.00 a month and to have this device added on will cost me like $200 to $500 more a month. When you don't have enough clients to offload those prices to what do you do? – Frank G. Aug 31 '13 at 16:57
  • @RyanRies: Don't encourage them to contact me directly... >smile< (I kid, I kid... though having gotten a lot of emails about ts_block I am regularly amazed at how few people actually read documentation.) – Evan Anderson Nov 07 '13 at 17:07
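
The answer's reasoning depends on every enabled inbound rule that reaches TCP 3389 being scoped to the allowed addresses. As an added example (not part of the original answer or of ts_block), this Python script parses English-language `netsh advfirewall firewall show rule name=all` output and lists the rules that still admit any remote IP to the RDP port; the sample rules and the function names are constructed for illustration.

```python
# Constructed sample in the English layout printed by
# `netsh advfirewall firewall show rule name=all`; not the asker's real rules.
SAMPLE = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             203.0.113.10/32,198.51.100.0/24
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Old RDP test rule
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389,8080
Action:                               Allow
"""

def parse_rules(text):
    """Split netsh output into one {field: value} dict per rule."""
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or dashed separator line
        if key.strip() == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key.strip()] = value.strip()
    return rules

def covers_port(spec, port):
    """True if a LocalPort value ('3389', '80,3389', '3000-4000', 'Any') includes port."""
    for part in (p.strip() for p in spec.split(",")):
        lo, _, hi = part.partition("-")
        if part.lower() == "any" or (lo.isdigit() and (hi or lo).isdigit()
                                     and int(lo) <= port <= int(hi or lo)):
            return True
    return False

def open_rdp_rules(text, port=3389):
    """Enabled inbound allow rules that admit any remote IP to the TCP port."""
    return [r["Rule Name"] for r in parse_rules(text)
            if (r.get("Enabled"), r.get("Direction"), r.get("Action")) == ("Yes", "In", "Allow")
            and r.get("Protocol") in ("TCP", "Any") and r.get("RemoteIP", "Any") == "Any"
            and covers_port(r.get("LocalPort", "Any"), port)]
```

An empty list from `open_rdp_rules` means no enabled allow rule exposes the port to arbitrary sources; any name it returns is a rule that undercuts the whitelist.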