New router indicating steady stream of brute force attacks on my computer

pendragn32

Hello,

I recently upgraded to a Netgear Nighthawk AX4300 router. I have a couple of ports forwarded to my home server for RDP and Emby (similar to Plex). The router comes with a 30 day trial of Armor software. Ever since I forwarded the ports about a week ago (shortly after installing the router), I am getting upwards of 100 notifications per day that "Netgear Armor has detected and blocked a brute force hacking attempt on [my computer] from [various IP addresses]". In fact, the activity seems to be increasing over time. An IP address will often repeat for a bit, then it changes to a different IP address, so either it's not just one hacker, or it's one hacker that is using a VPN and regularly changing IPs. Is this actually legit? Is there really one or more hackers out there trying to brute force login to my computer, which is full of not at all exciting things? Or is the Netgear Armor software just throwing out a bunch of false positives? I had these ports forwarded on my last router for years and years, and I've never noticed anything odd, but these notifications are a bit concerning.

Thanks!


(Not an expert (at all))

Is it possible that anything you have connecting through the forwarded ports is being flagged? 

Maybe try turning your RDP and Emby off and see if it continues...

| If someone's post is helpful or solves your problem please mark it as a solution 🙂 |

I am a human that makes mistakes! If I'm wrong please correct me and tell me where I made the mistake. I try my best to be helpful.

System Specs

<Ryzen 5 3600 3.5-4.2Ghz> <Noctua NH-U12S chromax.Black> <ZOTAC RTX 2070 SUPER 8GB> <16gb 3200Mhz Crucial CL16> <DarkFlash DLM21 Mesh> <650w Corsair RMx 2018 80+ Gold> <Samsung 970 EVO 500gb NVMe> <WD blue 500gb SSD> <MSI MAG b550m Mortar> <5 Noctua P12 case fans>

Peripherals

<Lepow Portable Monitor + AOC 144hz 1080p monitor> 

<Keymove Snowfox 61m>

<Razer Mini>


Having RDP open to the internet is asking for dictionary attacks. You really should not run ports 445 and 3389 out in the open. I believe you can restrict or slow down traffic via ufw, but it won't stop these scans; the only secure way to have remote access is to run your traffic behind your own VPN.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18


11 minutes ago, pendragn32 said:

Is there really one or more hackers out there trying to brute force login to my computer, which is full of not at all exciting things?

Yes. These are automated attacks. Most of these come from bots that search the internet for open ports known to be vulnerable and when they find one they will immediately try to exploit it. Whoever is running these bots likely doesn't get manually involved until the bot has managed to break in and steal your data.


Hackers simply don't know whether your computer is interesting or not, until they've tried. Also, never assume it isn't interesting. Personal documents may open the door to things like identity theft, blackmail or ransomware attacks.


If you want to connect to your computer from remote, set up a VPN on the router. Use that to connect to your internal network. Never ever expose stuff like RDP directly to the internet.

Remember to either quote or @mention others, so they are notified of your reply


RDP (port 3389) is one of the top few ports that are constantly scanned and brute-forced by bots. The others would be SSH (port 22), FTP (port 21), and SMB (port 445).


^^^DO NOT PORT FORWARD THOSE!!!!^^^

If you must gain access to inside your network from the outside, look into setting up OpenVPN via 443 as that uses SSL.

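The replies above describe the pattern behind the router's alerts: bots hammering an exposed RDP port with failed logons, one address after another. The script below is an added example, not code from the thread or from Netgear Armor, showing how a defender can confirm that pattern from the server's own logs rather than trusting a vendor notification. It parses constructed records modeled on Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RDP), and flags any source address with five or more failures inside a sliding five-minute window. The log format, thresholds, and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified one-line-per-event format,
# modeled on Windows Security events 4625 (failed logon) and 4624 (success)
# with LogonType=10 (RemoteInteractive, i.e. RDP). Nothing here is real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T10:00:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T10:00:04 EventID=4625 LogonType=10 User=test Src=203.0.113.7
2024-05-01T10:00:06 EventID=4625 LogonType=10 User=user Src=203.0.113.7
2024-05-01T10:00:08 EventID=4625 LogonType=10 User=guest Src=203.0.113.7
2024-05-01T10:01:30 EventID=4625 LogonType=10 User=administrator Src=198.51.100.22
2024-05-01T10:01:31 EventID=4625 LogonType=10 User=administrator Src=198.51.100.22
2024-05-01T10:01:33 EventID=4625 LogonType=10 User=administrator Src=198.51.100.22
2024-05-01T10:01:34 EventID=4625 LogonType=10 User=administrator Src=198.51.100.22
2024-05-01T10:01:36 EventID=4625 LogonType=10 User=administrator Src=198.51.100.22
2024-05-01T10:01:38 EventID=4625 LogonType=10 User=administrator Src=198.51.100.22
2024-05-01T10:05:00 EventID=4625 LogonType=10 User=alice Src=192.168.1.50
2024-05-01T10:05:20 EventID=4624 LogonType=10 User=alice Src=192.168.1.50
2024-05-01T11:00:00 EventID=4625 LogonType=10 User=bob Src=192.0.2.9
2024-05-01T11:30:00 EventID=4625 LogonType=10 User=bob Src=192.0.2.9
2024-05-01T12:00:00 EventID=4625 LogonType=10 User=bob Src=192.0.2.9
2024-05-01T12:30:00 EventID=4625 LogonType=10 User=bob Src=192.0.2.9
2024-05-01T13:00:00 EventID=4625 LogonType=10 User=bob Src=192.0.2.9
"""

# Assumed line layout for the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn the sample lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "logon_type": int(m["ltype"]),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons in any sliding window.

    Returns {src: {"failures": count_in_worst_window, "users": sorted users}}.
    The distinct-user list separates password spraying (many accounts, one
    address) from a dictionary attack on a single account.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["event"] == 4625 and ev["logon_type"] == 10:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        worst = 0
        start = 0
        # Two-pointer sliding window over the sorted failure timestamps.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[src] = {
                "failures": worst,
                "users": sorted({e["user"] for e in fails}),
            }
    return flagged


if __name__ == "__main__":
    hits = find_bruteforce(parse_events(SAMPLE_LOG))
    for src, info in hits.items():
        print(f"{src}: {info['failures']} failed RDP logons within 5 min, "
              f"users tried: {', '.join(info['users'])}")
```

Two of the constructed sources get flagged: 203.0.113.7 (five different usernames in seven seconds, a spray) and 198.51.100.22 (six tries against one account). The single mistyped password from the LAN address is not flagged, and neither is 192.0.2.9, which fails once every thirty minutes; a slow, patient attempt like that slips under a burst threshold, which is one reason the replies recommend not exposing the port at all rather than relying on rate limiting.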

Thank you everyone for your suggestions! Looks like I was likely getting brute force attacked a lot before and just never realized it. I looked into OpenVPN, and I'll work on getting that installed on my server after disabling the RDP port forward.


  • 2 weeks later...

I realize it's been a bit, but figured I'd close out the topic. I did disable the port forwarding for RDP, and the notifications of brute force attacks completely stopped immediately. I've been port forwarding RDP for MANY years, and back when I first started doing it, I didn't see any cautions against it. Just goes to show how security changes over time. Thanks again for your help.
