How to handle brute-force remote desktop login guess attack
Posted by hcmc, 05-01-2010, 04:03 PM
Today some hacker launched some sort of automated attack on my server that seemed to be trying to guess a (Windows server) remote desktop login. The attempts ran for 24 hours straight, with two or three connections per second. My passwords are fairly obscure so the attack is unlikely to succeed, but it generates 30 GB of network traffic per day and costs me a lot of money. (I have a low-bandwidth plan, which suits my needs aside from problems like this.) It's a simple matter to block the IP address in my humble firewall (once I realize it's happening) and even block a large network range, in case this certain DSL-based hacker gets assigned another IP address later. But if such an attack script is floating around, it could come from anywhere. Does anyone have any advice on how to block stuff like this quickly and automatically, or reduce the bandwidth it consumes?

Posted by HelpOps, 05-01-2010, 05:51 PM
Some things you can try:
- Connect to remote desktop using the secured remote desktop protocol with SSL.
- Change the remote desktop port.
- Make sure you are not using any default accounts to log in to your server.
- Put your server behind a hardware firewall and only allow public traffic to ports that need to be public (port 80, 443, etc. for getting to your website).
- Connect to your server through a VPN so you can access non-public ports.
- Only allow access to non-public ports with IP address restriction.

Posted by madlymasterful2018, 05-02-2010, 07:00 AM
The best way to stop such brute force is by using some brain.. Choose your control panel URL to be as different as you can. Do not use it as d.com/cpanel or d.com/controlpanel etc., as these are quite easy to guess. So either use a domain which is only used for this purpose and do not promote it, or install any website or blog. Another thing: you should use passwords which contain as many different characters as possible, including special characters.. There is no better way than this.

Posted by madaboutlinux, 05-02-2010, 07:52 AM
Cracking the password is very difficult; however, you should definitely change the port as someone mentioned earlier. However, in order to reduce the bandwidth usage such an attack consumes, there is nothing you can do from the server side. I would have noted the subnets the attack is arriving from and asked my data center engineers to block them on the router, which could make a difference with the bandwidth usage.

Posted by Hillockhosting, 05-02-2010, 10:09 AM
Install a firewall like CSF or APF and set the brute force limit to block an IP after 10 wrong attempts. This will definitely help.

Posted by The_Dominator, 05-02-2010, 10:17 AM
Although great on a Linux box, this is a Windows server. Change the port for remote desktop login and keep the password as complex as possible. If the IP is from a country like China, try to see if you can block the entire class C for a period of time. You can do this on the Windows firewall built into the server edition, and it depends what version of Windows Server you have. If you can afford it, get a SonicWall firewall and deploy it. Also, do not underestimate this: your password can be hacked if they have been at it for 24-36 hours, and they might not stop until they get in. This could be in 7, 10, 15... You should try to find a way to deflect this attack, not only to save you on bandwidth charges.

Posted by SafeSrv, 05-02-2010, 10:20 AM
Best practice is usually changing the port and restricting access to a VPN.

Posted by plumsauce, 05-02-2010, 02:24 PM
Actually, it does help with bandwidth. Automated attacks move on when no response is received after a few attempts.

Posted by Adrian Andreias, 05-02-2010, 03:08 PM
We change the standard ports and fix this kind of problem. Any machine that comes alive on the Internet will start to be scanned in a matter of minutes. And if you're managing a large number of servers you can run RDC just on a local address/port (and connect via another server or similar). And about some of the responses, I wonder if people actually read & understand the initial post.

Posted by madlymasterful2018, 05-03-2010, 01:16 AM
Yes, even most hosts suspend your account for a while after continuous wrong passwords are entered. So brute force does not work that well for hackers... With brute force it might need seconds, minutes, or may take decades and not get any results for hackers... So this way of hacking is not performed by professional or highly experienced hackers. These are mainly used by kids or newbies in the hacking field.

Posted by hcmc, 05-04-2010, 02:05 PM
OK, changed the port; though I wonder if a port scan could still figure out where terminal services is listening. At least now it's more difficult to find. Also, I figured out how to reduce the bandwidth enormously in case anyone finds the new port and tries that certain dumb-nuts attack again. The server dishes out a large bitmap each time you try to log on, and that was costing me all the money. A registry setting can suppress the bitmap. It's not all good, since that bitmap serves as a weak sort of confirmation that it's really my server. If my ISP was compromised and someone was intercepting traffic to snag passwords, they would at least need to take the trouble to identify and capture my bitmap screen to fool me -- if there was one. But maybe the port change helps on that too. I used to get hackers trying to log on all the time from China and everywhere. Usually it seems that they just try the ten obvious passwords and move on. This certain 24-hour attack came from Florida.

Posted by arun_kris, 05-05-2010, 01:07 AM
Are you still using the 'Administrator' user? I'd suggest you rename the 'Administrator' user to some other name. Most of our clients' servers have the 'administrator' user renamed and it has saved a lot. If you are really concerned about security and want to protect your server, please install a third-party firewall and restrict access to only certain IPs for establishing connections. Hope this helps. Thanks!

Posted by foglifter, 08-02-2010, 11:30 AM
Any advice for Remote Desktop connections using Apple's RD client? It does not allow you to change the port from 3389. I'm getting a lot of attempts with user names that don't exist on our network ('Admin', etc.) so it's more annoying than anything else.

Posted by lifewithcause, 05-08-2014, 03:34 PM
Sorry for bumping a quite old thread. I fail to understand why a CSF-like firewall cannot be built for Windows. I see thousands of brute-force attempts daily on my servers; a CSF-like solution for Windows is needed!

Posted by (Stephen), 05-08-2014, 04:15 PM
Windows has a good firewall built in, and I'd recommend locking down access to the RDP port to known IPs.
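A minimal CSF-style auto-blocker built on the firewall Stephen mentions, as an added example (not code from anyone in this thread): it counts failed logons (Security event 4625, which covers RDP and other Windows-authenticated services, not SQL-auth logins) per source IP over a window and adds a Windows Firewall block rule for any source over the threshold. It assumes it runs as Administrator on Server 2012 or later (for `New-NetFirewallRule`), that failure auditing is enabled, and the threshold, window, rule-name prefix and allow list are made-up values.

```powershell
# Added example, not from the thread. Run from Task Scheduler every few minutes.
param(
    [int]$Threshold = 10,                       # assumed value: failures before a block
    [int]$WindowMinutes = 10,                   # assumed value: look-back window
    [string]$RulePrefix = 'AutoBlock-BruteForce',
    [string[]]$AllowList = @()                  # your own management IPs; never blocked
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)
# Event 4625 = "An account failed to log on". Get-WinEvent errors when there are
# no matches, so treat that as an empty result.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

$counts = @{}
foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    # NLA-stage failures and local attempts carry '-' or a loopback address; skip them.
    if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-' -or $ip -like '127.*' -or $ip -eq '::1') { continue }
    if ($AllowList -contains $ip) { continue }
    if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
}

foreach ($ip in $counts.Keys) {
    if ($counts[$ip] -lt $Threshold) { continue }
    $name = "$RulePrefix $ip"
    # Idempotent: skip sources that already have a block rule from an earlier run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $ip `
        -Action Block -Profile Any | Out-Null
    Write-Output "Blocked $ip after $($counts[$ip]) failed logons in the last $WindowMinutes minutes"
}
```

Put the address you connect from in `$AllowList` before scheduling it, since a mistyped password on your own side would otherwise lock you out; a companion task that removes rules carrying the prefix after a day keeps the rule set from growing forever.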

Posted by lifewithcause, 05-08-2014, 04:19 PM
We do that already, but on Windows the problem is not limited to RDP; we daily see attacks on MySQL, MSSQL, FTP, SMTP, to mention a few.

Posted by thund3rbolt, 05-09-2014, 06:54 PM
Firewall out all IPs from remote desktop except yours or safe ones.

Posted by jackpx, 05-09-2014, 08:19 PM
Change the port for RDP, SQL Server, MySQL.

Posted by lifewithcause, 05-10-2014, 02:05 AM
Are you serious?

Posted by jackpx, 05-10-2014, 11:08 PM
Yes, if you keep the standard ports, RDP and SQL Server will then be hacked; your server will be brute-forced constantly. If the standard ports are closed then it adds a lot of security to your server. Do you change port 22 (SSH) on your CentOS server? You can also do it in Windows.

Posted by prashant1979, 05-11-2014, 12:44 PM
Use RDPGuard, which is commercial software but effective in blocking brute force attacks on Remote Desktop. Moreover, it also works for SQL Server. You need to keep Windows Firewall on.

Posted by A Help, 08-07-2014, 12:47 PM
RDPGuard looks great. Thanks for posting! I have used QaasWall. It seemed like it helped, but the login attempts were relentless so I had to switch to GoToAssist. I could have paid for Forefront Threat Management Gateway as well, but I haven't tried using it for protecting RD or SQL, etc. Others I have seen: IPBan, Cyberarms, Syspeace, Eguardo.
