DNS Forwarder Host Overrides and Domain Overrides

gus17

I figured it was on this forum.
I am learning as I go. I was able to get a RDP access setup!

johnpoz

@gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

I was able to get a RDP access setup!

Through a vpn? I would never in a million years setup RDP from the public internet.. Do you have it locked down to a known source IP?

Even MS has came out and finally said its a bad idea.. And there are many security implications with doing it.. They even patched out of support systems because of the major exploit that came out last year.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

The best thing you could do for this company would make sure RDP is not open to the public internet, it that it is accessed in a secure manner - via a vpn, or locked down to specific source IPs of the people that need to access it.

And making sure any of their systems are currently patched..

gus17

I believe it was setup previously with static IP. It was setup in the NAT and rules for routing. I had to go in and put in a different IPv4 address for the workstation. It was routed through 3391.

johnpoz

Static IP on your end has nothing do with it.. Its the source IP!!! Who the user is - you would look it down to their IP..

Trying to hide the port isn't secure either... There really is no secure way to allow users to rdp into some machine on your network other than VPN.. Or locking down the connection to their know source IP..

gus17

I put int the public IP address 24.211.x.x. then : and port number. Port number routes to workstation 192.168.x.x then login password.

johnpoz

And that is not their IP... Anyone from the internet could hit that!

For example say I was one of your users.. And I needed to get to this RDP... You would lock the rule down to my IP 64.53.A.B - going to your IP 24.211.x.x only my IP could hit that, if they were coming from 64.53.A.C they wouldn't get forwarded.

You can create a alias that contains all the IPs of your users.. Which works when you know what the user IPs are.. Or they have dynamic IPs setup via ddns.. Where name say john.somedomain.tld gets update if my IP say changed to 64.53.A.Z

The simpler solution where you don't need to know the uses IP is setup a VPN... Where they have to have the credentials to auth to the VPN.. this is cert that you have issued them, and a username and password.. And ONLY once they have authed to the vpn can they even access the remote desktop box... And then they have to auth to that..

With how you have it setup - anyone from anywhere could hit your IP.. And try and access rdp - and once they see oh rdp... They can brute force trying to guess the username/password - or as with that issue I linked to there is some exploit they don't even have to auth..

Remote desktop open to the public internet is very risky!!! I would never suggest anyone do that! Ever!!! Changing your port and trying to hide doesn't really make it any more secure.. The old saying "security through obscurity is not security"

edit: I just looked - look at the hits to your "changed" port 3391

In the last 24 hours or so.. Those IPs are from all over.. That first one 185.151 is from russia.. that next one is from the netherlands... Trying to hide your port is not security.

I don't have that port forwarded, its just dropped by pfsense (it doing its job).. But my point is showing that there is plenty of bad stuff out there looking for stuff you have open trying to do bad stuff..

gus17

I understand. I will have to do some research on the VPN and what it will take.
I keep hearing how expensive setting up VPN's can be.
RDP was pretty easy, but I see the security concerns it can create.
I appreciate the honest assessment.

johnpoz

@gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

I keep hearing how expensive setting up VPN's can be.

Huh? Pfsense is your vpn server, does it out of the box.. All you need to do is set it up.. Clicky clicky ;)

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html

Here is video netgate put out pretty recent
https://www.youtube.com/watch?v=jQHqPq7ftz4

Depending what exactly your users are doing - you might not even need them to rdp to anything... If they are just accessing say some file shares or whatever.. A vpn lets the user be like they are on the local network - just a bit slower because you constrained be the speed of the sites internet connection, and or the remote users connection..

gus17

Going through OpenVPN setup wizard?

johnpoz

Yup all there is too it.. Should really take you all of like 2 minutes ;)

The hardest part is training the users ;) But it comes down to giving them a config file, or even just an exe to run that will install the client on their machine and have the details of how to connect.

One possible issue is if they are using the same local network as what your using for example if your local network is 192.168.1/24 - this is common.. It's best if your work location network is something odd say something like 192.168.42/24 or 172.29.14/24

gus17

Ok, let me take run at it.
I am referencing the book you have linked.
Here goes.

johnpoz

Easy way is test connection from your phone, there is an app for ios or android.. I connect in all the time from my phone..

gus17

Will do.
Thanks again.

gus17

Quick question, not sure what to put in for tunnel network?

johnpoz

I believe it defaults to 10.0.8/24 - this is fine.. Any network that is unlikely to overlap either your remote user or your sites network is fine.