
Someone tried to brute force my server D:

So, I wake up one morning and get ready for work. I get to work, log on to my router (Mikrotik RB2011UiAS) and server at home, hop on to the logs and find that someone in the Netherlands is trying to log on to my server!
[screenshot: attempts1.png]
I go into overdrive and start putting in a rule to block the IP and block RDP to the servers in question. They start to ping my router to see if it responds, but it won't, so it seems that they gave up after that.


Looking through my logs it's interesting to see what accounts they tried to use (XEROX, USER, USER1, SCANS, RECEPTION, even KEVIN of all people!) and how many tries they did with each account. I've now gone in and blocked the whole country so I won't get any more requests from them.

[screenshot: Windows.PNG]

My question to the people: what type of firewall rules/security do you run? How strict are you? Going through what I have now, it seems that I need to make some revisions to the rules to prevent this from happening again.


Enable certificate verification + password and you should be safe. They won't be able to crack it. You might want to try (https://rdpguard.com/) or changing the port for your remote desktop if it is SSH or VNC. You could set up a


This is nothing new. I have a Linux VPS and the amount of bots trying to brute force the SSH login is insane. They are usually from Asia or Russia.


5 hours ago, MrUnknownEMC said:

Enable certificate verification + password and you should be safe. They won't be able to crack it. You might want to try (https://rdpguard.com/) or changing the port for your remote desktop if it is SSH or VNC. You could set up a

I've got it locked down now so that only my work's IP address range can access it, as that's where I mainly remote in from, but I'll take a look into that tomorrow :) The more secure logins, the better!

4 hours ago, LUUD18 said:

This is nothing new. I have a Linux VPS and the amount of bots trying to brute force the SSH login is insane. They are usually from Asia or Russia.

Haha yeah, seeing the amount of traffic that gets blocked is amazing. Since I reset the counters 2 days ago I had roughly 10000 hits from China. I've gone to the point where I disabled SSH/Telnet on the router, but I'm always looking at ways to tighten the security on my home network.


RDP should ideally be locked down to only the IP addresses authorised to access it.

However, with dynamic IPs etc. this is not always suitable; if you are not using dynamic IP addressing then lock it to a whitelist only.


The usernames that you mentioned were used to try and access the servers where I work. We just changed the port for Remote Desktop Connection and only allowed access from our home networks (since we all use Static IP Addresses). Touch wood, I've not seen any more attempts in Event Viewer.


RDP should not be public at all; better to set up a VPN and connect via that.

As for firewall rules, IP blocking helps very little as changing IP is very easy. Network rules are very simple: only open what you really need to open, keep the rest closed and off limits. Give as few permissions as possible, as many as needed.


Setting up source addresses is a great way to stop inbound attacks. Also see if your firewall can block TCP & UDP port scans, host sweeps, and pings. Not knowing you are there in the first place is a big help. Some additional services you can get from free DNS providers might have pre-defined IP lists of attackers that are automatically updated and blocked, both for inbound and outbound traffic.

Blocking countries works great too, but sometimes when I did that I created issues for some employees trying to email where the email servers were in countries that I blocked.

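The advice in this post and in jj9987's above (allow RDP only from a trusted range, tag and drop port scanners, answer nothing else on the WAN, default deny) can be expressed as a RouterOS rule set for a MikroTik like the OP's RB2011. This is an added example, not configuration from anyone in the thread; `ether1` as the WAN port, `192.168.88.10` as the RDP server and `203.0.113.0/24` as the "work" range are placeholders.

```routeros
# Added example, not from any post in this thread. Placeholders:
#   ether1         = WAN interface on the RB2011
#   192.168.88.10  = the RDP server behind the router (already dst-nat'd)
#   203.0.113.0/24 = the "work" range that may reach RDP
# RouterOS evaluates rules top to bottom; the first matching rule wins.

/ip firewall address-list
add list=rdp-allowed address=203.0.113.0/24 comment="work range allowed to RDP"

/ip firewall filter
# 1. Fast path for packets of existing sessions; discard broken ones.
add chain=input   connection-state=established,related action=accept
add chain=forward connection-state=established,related action=accept
add chain=input   connection-state=invalid action=drop
add chain=forward connection-state=invalid action=drop

# 2. Sources already tagged as scanners get nothing, on any chain.
add chain=input   src-address-list=port-scanners action=drop
add chain=forward src-address-list=port-scanners action=drop

# 3. Tag port scanners. psd=weight-threshold,delay,low-port-weight,high-port-weight:
#    roughly 7 low ports within 3 s reaches weight 21 and lists the source for a day.
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d comment="tag port scanners"

# 4. RDP to the server only from the allow-list. Any other source touching
#    3389 is unwanted by definition: tag it (non-terminating action) and let
#    it fall through to the default deny below.
add chain=forward protocol=tcp dst-port=3389 dst-address=192.168.88.10 \
    src-address-list=rdp-allowed action=accept comment="RDP from work only"
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d comment="tag RDP probes"

# 5. Default deny for everything else arriving on the WAN: no ping replies,
#    no router management, no other forwards. (Dropping all ICMP is blunt;
#    allow type 3 and 11 if path-MTU problems appear.)
add chain=input   in-interface=ether1 action=drop comment="drop WAN -> router"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop new WAN -> LAN"
```

Check the counters with `/ip firewall filter print stats` and the tagged hosts with `/ip firewall address-list print where list=port-scanners`; a country-level block like the OP's would go in as another address list dropped just after step 2.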

4 hours ago, burnsmorgan14 said:

The usernames that you mentioned were used to try and access the servers where I work. We just changed the port for Remote Desktop Connection and only allowed access from our home networks (since we all use Static IP Addresses). Touch wood, I've not seen any more attempts in Event Viewer.

That's exactly what I've done, even then they "somehow" got two of the ports that I use...
4 hours ago, jj9987 said:

RDP should not be public at all; better to set up a VPN and connect via that.

As for firewall rules, IP blocking helps very little as changing IP is very easy. Network rules are very simple: only open what you really need to open, keep the rest closed and off limits. Give as few permissions as possible, as many as needed.

It's my project now to either get the SonicWall that I have lying around fully set up with VPN, or a pfSense box for VPN and an extra firewall. The only thing that annoys me is that the ISP I'm with won't let me change the modem/router without losing the home phone :( so I can't have the firewall have "full control".

1 hour ago, davidna2002 said:

Setting up source addresses is a great way to stop inbound attacks. Also see if your firewall can block TCP & UDP port scans, host sweeps, and pings. Not knowing you are there in the first place is a big help. Some additional services you can get from free DNS providers might have pre-defined IP lists of attackers that are automatically updated and blocked, both for inbound and outbound traffic.

Blocking countries works great too, but sometimes when I did that I created issues for some employees trying to email where the email servers were in countries that I blocked.

[screenshot: PortScanners.PNG]

Yeah, I've had these rules in, but had to do some editing and rearranging of the rules for them to fully take effect (as seen by the first rule, that was me testing).

[screenshot: Country.PNG]

I've blocked places like China, Russia, Africa and the Netherlands, but only on inputs. I haven't seen any issues yet, so hopefully it stays that way :)


20 minutes ago, TheCrazyWalnut said:

That's exactly what I've done, even then they "somehow" got two of the ports that I use...

It's my project now to either get the SonicWall that I have lying around fully set up with VPN, or a pfSense box for VPN and an extra firewall. The only thing that annoys me is that the ISP I'm with won't let me change the modem/router without losing the home phone :( so I can't have the firewall have "full control".
You can still put a FW behind your ISP router. The setup isn't ideal, but it can be done.


21 minutes ago, davidna2002 said:

You can still put a FW behind your ISP router. The setup isn't ideal, but it can be done.

I've got it that way at the moment and made the Mikrotik a DMZ so I don't have two sets of port forwards, but I'm still iffy about the setup xD
