Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    RDP issues

    Scheduled Pinned Locked Moved General pfSense Questions
    32 Posts 11 Posters 7.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      NOYB
      last edited by

      It has been my understanding that UDP is only required for using some of the MS RDP features.  But the basic remote desktop connection should work fine with only TCP.  It's been awhile since I've messed with that so I could just be making stuff up in my sleep.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        newer versions of rdp can use UDP..  if your going to forward it then forward both.

        Sure looks like you have a link firewall rule there, it should be created by default.  My guess is the software firewall running on the host is blocking RDP from connection other than its local network - which would be the default windows firewall setting.

        And will state again opening up rdp to the public internet is a VERY bad idea..

        Here look at these hits to 3389 on mine just today and today not even over yet.. So if that was open they are going to try brute forcing login, etc.  Use VPN to access stuff on your network!!

        rdpfirewalllog.png
        rdpfirewalllog.png_thumb

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • M
          muswellhillbilly
          last edited by

          Agreed - opening up RDP from the outside to an internal host is asking for trouble. If you really, really must do it at least set either one or a subset of allowed source addresses. At least that way you prevent anyone from anywhere on the internet have a crack at your server.

          1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan
            last edited by

            @cliftonite:

            I added the rule to open port 3389 for RDP traffic but I can't get to my workstation externally.

            Create a NAT rule as image shows.
            Note : I use port 4321 to enter, not the standard port (this is for my head : I tend to forget 'Microsoft' port numbers ;))
            Note : A firewall rule will be created automatically.
            Note : The "PowerEdge" label is nothiong else as "192.168.1.4" the IP of my "2008 R2".

            This should be a clic-and-it-works issue.  If still problems, its probably the server that does not accepts connection to rdp, or from LAN, or it doesn't trusts it own LAN, or ….
            Try also to connect to this server from a PC on the LAN (same IP range).

            rdp-pfsense.PNG
            rdp-pfsense.PNG_thumb

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • F
              firewalluser
              last edited by

              Worth also pointing out, the workstation/server thats receiving the rdp connection can have its default port number (3389) changed in the registry which can be an issue when taking over from other support companies, but this allows a route from the wan through to the lan for each workstation/server expecting rdp connections and you can have as many port forwards as your like then.

              All the user has to do in the windows rdp client is put www.mydomain.co.uk:7777 or www.mydomain.co.uk:8888 where 7777 routes to say the server withe pfsense having port 7777 open and the corresponding allow rules, and 8888 routes to the bosses desktop with port 8888 open on pfsense with the corresponding allow rules, as another example of how to skin the cat, although vpn is still preferred route.

              As I've had upto 6 monitors before on my desktop, you can rdp into at least 6 different machines quickly and easily connecting and controlling them, with all of the other perks rdp brings when set up properly.

              A quick google will show you the reg setting to change on the machine thats receiving the rdp client connection.

              Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

              Asch Conformity, mainly the blind leading the blind.

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                Why not just forward port 7777 to HostA:3389 and port 8888 to HostB:3389?

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • F
                  firewalluser
                  last edited by

                  Just to show theres more than one way to skin the cat as one of a few other reasons I can think of.

                  Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                  Asch Conformity, mainly the blind leading the blind.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    there is good and bad ways to skin the cat sure.. Why not just use the different ports on the outside to forward to the standard 3389 would be better way to skin that cat.

                    But to be honest that doesn't solve the base problem - security through obscurity is not security.  Does not matter what port rdp is listening on.. Opening that to the public net is not really a secure option if you ask me.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • F
                      firewalluser
                      last edited by

                      @johnpoz:

                      there is good and bad ways to skin the cat sure.. Why not just use the different ports on the outside to forward to the standard 3389 would be better way to skin that cat.

                      But to be honest that doesn't solve the base problem - security through obscurity is not security.  Does not matter what port rdp is listening on.. Opening that to the public net is not really a secure option if you ask me.

                      I agree

                      On the point of having the RDP on different ports within a lan setting, how do you prove it wasnt the admin logging in and rdp'ing onto a machine when the audits show it was the admin username and password used and no cctv exists in the office?

                      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                      Asch Conformity, mainly the blind leading the blind.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        what would a service listening on a different port prove in that scenario?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • F
                          firewalluser
                          last edited by

                          @johnpoz:

                          what would a service listening on a different port prove in that scenario?

                          Hidden knowledge like a password can also apply to default ports.

                          As alot of hacking is done from within a company, if you have staff, permies or temps, with some knowledge of systems who like to poke around the network, then changing the default ports for RDP is one way to trip them up, especially if the RDP activity is never done in the main offices.

                          As admins get called into the main office to do all sorts of things on someone's computers like installing software which cant be pushed to the workstation, or other problems which involves an administrator password to make a change, its easier for passwords to be observed even when requested to look the other way plus theres other measures like the Infrared camera addon or using a special app on someone's phone to detect the sound and vibrations of keys pressed.
                          http://www.intego.com/mac-security-blog/iphone-case-atm-pins/
                          http://www.wired.com/2011/10/iphone-keylogger-spying/

                          The 2nd link is a more common hack than you think considering the administrator username is on display which is enough to train some apps to work out the password, made easier if a problem keeps coming up which requires the admin to keep logging into a workstation and thus helps the app improve the probability of guessing the password. An even simpler method is just to have the phone on a stand to one side of the keyboard, appearing to be in sleep mode when its actually recording the keyboard.

                          Whilst you can audit software installed & other changes, and have trackers to record computer activity, if it shows the admin is logged in, then the admin must of done it, especially if they were on a coffee break or out to lunch or having a smoke. So if RDP activity is always done in the server room/IT dept, thats a bit of hidden knowledge which can be used to trip some internal hackers up, as they would potentially try a default port like 3389 instead of another one, likewise bots that port scan would need to investigate each open port on a network to figure out whats really behind it assuming it doesnt get picked up by network monitoring.

                          Just like no AV can find 100% of viruses as you can see here https://www.shadowserver.org/wiki/pmwiki.php/AV/VirusDailyStats, where theres a will theres a way. All AV software has a fundamental design flaw which is frequently exploited.

                          Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                          Asch Conformity, mainly the blind leading the blind.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Why would users machines even be able to access something they don't have access to via RDP??

                            Can't "hack" into something with the username/password if they don't have access to even get there..  If rdp is used for admin, then only admin machines should have access.  If admin walked away from his desk and did not lock his machine, or guess they know what the admins password is they could just unlock it.

                            Pretty sure his rdp session WITH odd ball port is saved on his past connections, etc..

                            So let me guess you think hiding your SSIDs is good security practice too?

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • F
                              firewalluser
                              last edited by

                              I think we need to agree to disagree then.

                              Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                              Asch Conformity, mainly the blind leading the blind.

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                Clearly I have no problems in disagreeing with your statements ;)

                                Changing your standard ports for services to non standard is simple attempt at obscurity, and as we all know security through obscurity is not security..  This is security 101

                                How does NIST state it – oh yeah "System security should not depend on the secrecy of the implementation or its components."

                                If your doing it to say keep your logs a bit cleaner from the bots hitting your port on the outside ok..  But it is not a valid security measure.  And would seem completely pointless on the inside..  And could even lead to problems..  Hey can you get into that server in that remote DC, billy quit and we have the username and passwords but RDP is not coming up ;)

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • DerelictD
                                  Derelict LAYER 8 Netgate
                                  last edited by

                                  It could be argued that the single, correct AES256 key in use is simply obscure in a sea of 2^256 possibilities but I digress…

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    hehe –- that is a valid point Derelict, valid point ;)

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    1 Reply Last reply Reply Quote 0
                                    • F
                                      firewalluser
                                      last edited by

                                      @johnpoz:

                                      Clearly I have no problems in disagreeing with your statements ;)

                                      Changing your standard ports for services to non standard is simple attempt at obscurity, and as we all know security through obscurity is not security..  This is security 101

                                      How does NIST state it – oh yeah "System security should not depend on the secrecy of the implementation or its components."

                                      What gives you the impression it was an attempt at security through obscurity?

                                      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                                      Asch Conformity, mainly the blind leading the blind.

                                      1 Reply Last reply Reply Quote 0
                                      • KOMK
                                        KOM
                                        last edited by

                                        You are literally obscuring the standard port number for common services by moving it to a different location.  It will trick a lot of dumb scans that happen constantly on the Internet but it won't stop a scanner dedicated to finding remote access servers (RDP, SSH, VNC etc) no matter which port they're listening on.  It doesn't take a lot of time to parallel-scan huge swathes of port space per IP address when you have many computers at your command.

                                        1 Reply Last reply Reply Quote 0
                                        • N
                                          NOYB
                                          last edited by

                                          @johnpoz:

                                          So let me guess you think hiding your SSIDs is good security practice too?

                                          … think hiding your SSIDs is good security practice?  Yes.

                                          1 Reply Last reply Reply Quote 0
                                          • F
                                            firewalluser
                                            last edited by

                                            @KOM:

                                            You are literally obscuring the standard port number for common services by moving it to a different location.  It will trick a lot of dumb scans that happen constantly on the Internet but it won't stop a scanner dedicated to finding remote access servers (RDP, SSH, VNC etc) no matter which port they're listening on.  It doesn't take a lot of time to parallel-scan huge swathes of port space per IP address when you have many computers at your command.

                                            I think we are talking cross purposes here.

                                            In my original post I do state
                                            https://forum.pfsense.org/index.php?topic=97868.msg545715#msg545715
                                            "although vpn is still preferred route.
                                            "

                                            In fact I've said the same thing in a rehashed way right here.
                                            https://forum.pfsense.org/index.php?topic=94177.msg526779#msg526779
                                            "If you want to hide the fact you have (multiple) port forwards setup for RDP on the internet, setup OpenVPN on another ip address range to get you inside the lan, then change your pfsense portwards from wan to openvpn. The less you expose wan side the better imo.
                                            "

                                            In this post from this thread https://forum.pfsense.org/index.php?topic=97868.msg546006#msg546006
                                            "On the point of having the RDP on different ports within a lan setting, how do you prove it wasnt the admin logging in and rdp'ing onto a machine when the audits show it was the admin username and password used and no cctv exists in the office?"

                                            its a different scenario now, just focusing on lan, dont care about wan which is what I think some of you havent let go of, but the premise is that having non default RDP ports lanside can be used to trip someone up who makes assumptions about the lan whilst only being in possession of the admin username & pwd from their workstation.

                                            We know its a windows workstation and others exist as thats why we are using RDP, instead of say VNC, Teamview, Goto, etc etc. Trip doesnt stop people getting to their destination, but it can be useful for showing up anomalies where hidden knowledge is not known to the right people.

                                            So can you answer the question?

                                            If you need to clarify anything more about the lan setup, whats running and whats not, just ask.  ;)

                                            Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                                            Asch Conformity, mainly the blind leading the blind.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.