How to block brute-force RDP login attempts - SNORT?

  • Hi,

    I am a new user to pfsense - great FW :)

    I have a MS terminal server where some WAN IPs are trying to brute-force, hoping to find a password on the server.
    For a start I was blocking the IPs, but now the IPs are changing…

    What can I do to automatically block IPs?
    Can I use snort? - cannot find an example protecting RDP.
    Are there other plugins?

    Best regards

  • I'm not a new user to PfSense but I'm not by any means an "Advanced User".

    Are you using 3389? I solved my issues by using port forwarding and having the external ports random vs. having WAN x.x.x.x:3389 >>NAT>> LAN x.x.x.x:3389.

    I'm working on OpenVPN as my ultimate (and proper) solution but for now I just don't use 3389 on the WAN so it looks like:

    WAN x.x.x.x:12345 >>NAT>> LAN x.x.x.x:3389

    This way I can use port 339x to correspond to the last digit of the LAN IP so I can also keep track of which server I'm RDP'ing into. Clients and external partners refer to their machines as the "12345 box" or the "54321 box" and it's a bit easier to keep track of.

    It's not always possible but the other thing you could do is block all and only allow certain IPs.

  • @martinwa:

    What can I do to automatically block IPs?

    You can enable connections limit advanced options on wan firewall rule.

    Other options are:

    • change rdp port on wan (just like pf2.0nyc said)

    • use vpn to connect to firewall and then rdp to server

  • In addition to what marcelloc suggested:

    • If your legitimate users don't need to access TS RDP from "anywhere", you could add a geographic limitation to the RDP traffic allowed to your server (e.g. make an alias with all IP ranges of your country in cidr format).

    • Write a snort rule

    • If it were a Un*x server I'd use a log-monitoring daemon that would block an IP after x number of unsuccessful attempts.

  • On my terminal servers I use SMSpasscode.
    This software sends a sms passcode if a correct username and password are given.
    BUT, the servers need to handle ALL the logon attempts.

    The idea regarding SMSpasscode is that the users can log in from everywhere. So I cannot configure the FW to only accept a handful of IPs.

    But if a WAN IP connects to my TS a lot of times every hour, maybe an IDS/IPS could block this?
    Are there any examples of a SNORT rule doing this?

  • Distinguishing a legit RDP user vs. a brute force attacker is impossible to do accurately at the network level. Nothing at the network level has that kind of visibility into RDP. Limiting the number of simultaneous connections per IP is the best you can do. That type of scenario has to be detected by the server, or something monitoring the server. To react to it, something on the server or monitoring the server could be scripted to block the IP on the firewall.
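The two host-side suggestions in this thread (a log monitor that blocks an IP after x unsuccessful attempts, and a script on or near the server that pushes the offending IP into a firewall block list) can be illustrated with a small detector. The following is an added example, not code from any poster or from pfSense. It assumes failed-logon records have already been exported from the terminal server in a simple one-line-per-event text form (the sample lines are constructed, loosely modelled on Windows Security event 4625), and it assumes the block list is a pf table named `rdp_bruteforce` on the pfSense box, which is what a pfSense alias of that name is backed by; how the resulting `pfctl` commands get to the firewall (SSH, a cron job on the box, etc.) is left to the reader.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: one failed/successful logon per line.
# EventID 4625 = failed logon, 4624 = successful logon (Windows Security log IDs).
SAMPLE_LOG = """\
2013-04-02 10:00:01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.5
2013-04-02 10:00:03 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5
2013-04-02 10:00:05 EventID=4625 TargetUserName=root IpAddress=203.0.113.5
2013-04-02 10:00:07 EventID=4625 TargetUserName=guest IpAddress=203.0.113.5
2013-04-02 10:00:09 EventID=4625 TargetUserName=test IpAddress=203.0.113.5
2013-04-02 10:00:11 EventID=4625 TargetUserName=user IpAddress=203.0.113.5
2013-04-02 10:01:00 EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.7
2013-04-02 10:01:20 EventID=4624 TargetUserName=jsmith IpAddress=198.51.100.7
2013-04-02 09:00:00 EventID=4625 TargetUserName=bob IpAddress=192.0.2.9
2013-04-02 09:15:00 EventID=4625 TargetUserName=bob IpAddress=192.0.2.9
2013-04-02 09:30:00 EventID=4625 TargetUserName=bob IpAddress=192.0.2.9
2013-04-02 09:45:00 EventID=4625 TargetUserName=bob IpAddress=192.0.2.9
2013-04-02 10:00:00 EventID=4625 TargetUserName=bob IpAddress=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_failed_logons(text):
    """Yield (timestamp, source_ip, username) for every failed-logon line (4625)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("id") != "4625":
            continue  # skip unparseable lines and successful logons
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("ip"), m.group("user")


def find_offenders(events, threshold=5, window=timedelta(minutes=10), whitelist=()):
    """Return {ip: time_threshold_was_crossed} for IPs with >= threshold
    failures inside a sliding window. Failures older than the window are
    forgotten, so a user who mistypes once a quarter-hour never trips it."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    offenders = {}
    for ts, ip, _user in sorted(events):
        if ip in whitelist or ip in offenders:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = ts
    return offenders


def block_commands(offenders, table="rdp_bruteforce"):
    """pfctl invocations that add each offender to a pf table (the table name is a
    hypothetical alias; the commands must run on the pfSense host itself)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(parse_failed_logons(SAMPLE_LOG))
    for cmd in block_commands(found):
        print(cmd)
```

Only 203.0.113.5 crosses the threshold here: 198.51.100.7 fails once and then logs in, and 192.0.2.9 spreads five failures over an hour, so the 10-minute window never holds more than one. The `whitelist` argument exists for the reason the reply above gives: the detector sees only source addresses, so management networks or a VPN endpoint should be excluded before anything is pushed to the firewall.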
