Need Windows RDP "fail2ban" software

myhken Member
edited February 2017 in General

I'm looking for some kind of "fail2ban" software for some of my Windows RDC servers. I have found some links, but most of them are old. So I'm asking here if anybody is using or knows of any good program to use. I have found http://rdpguard.com/ but the price per server is $80, so I'm looking for something cheaper or free.

Most of my servers have an IP block on all other IPs than my VPN IPs. Still, I have some servers that I need to be "open" without just my VPN IPs.
In the event log of these servers, I can see lots of 4625 failed logon attempts.


Comments

  • pechspilz Member
    edited February 2017

    I'm using a powershell script I've found somewhere. It periodically scans the event log and blocks IPs using the internal firewall if more than n attempts have been made within a time range.
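
An added example of the approach pechspilz describes, written for this edit and not the script from that post: it reads Security log event 4625 (the failed-logon events the OP sees, and the place Falzo asks about later in the thread), counts failures per source address inside a time window, and adds the offenders to a single inbound block rule in Windows Firewall. Assumptions: Windows Server 2012 / Windows 8 or newer (Get-WinEvent and the NetSecurity cmdlets), run from an elevated PowerShell; the threshold, window, rule name and the never-block address are made-up values.

```powershell
# Added example, not pechspilz's script. Windows-only; needs an elevated PowerShell on
# Windows Server 2012 / Windows 8 or newer for Get-WinEvent and the NetSecurity cmdlets.
param(
    [int]$Threshold       = 10,                        # failures per source IP before blocking (made up)
    [int]$WindowMinutes   = 15,                        # look-back window in minutes (made up)
    [int]$RdpPort         = 3389,                      # port the block rule is scoped to
    [string]$RuleName     = 'RDP-FailedLogon-Block',   # hypothetical rule name
    [string[]]$NeverBlock = @('203.0.113.10')          # placeholder: your own VPN/admin IPs (exact matches)
)

# 1. 4625 events only exist if failure auditing for the Logon subcategory is on.
#    auditpol /r prints CSV; note that subcategory names are localized on non-English systems.
$audit = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
if ($audit.'Inclusion Setting' -notmatch 'Failure') {
    throw 'Failure auditing for Logon is off. Enable it with: auditpol /set /subcategory:"Logon" /failure:enable'
}

# 2. Collect the failed logons inside the window. Get-WinEvent errors when nothing matches,
#    hence -ErrorAction SilentlyContinue (an empty window is the normal case).
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3. Take the source address from each event's XML by field name rather than by position.
#    Caveat: when Network Level Authentication rejects the credentials before a session exists,
#    some Windows versions log 4625 with IpAddress '-', and those attempts cannot be attributed.
$hits = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    if ($ip -and $ip -notin @('-', '::1', '127.0.0.1') -and $ip -notin $NeverBlock) { $ip }
}

# 4. Threshold per source address.
$offenders = @($hits | Group-Object | Where-Object { $_.Count -ge $Threshold } | ForEach-Object Name)
if ($offenders.Count -eq 0) { Write-Verbose 'No source exceeded the threshold.'; return }

# 5. Maintain ONE inbound block rule and grow its RemoteAddress list, rather than one rule per IP.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block -Enabled True `
                        -Profile Any -Protocol TCP -LocalPort $RdpPort -RemoteAddress $offenders | Out-Null
} else {
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged   = @($existing) + $offenders | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
    $rule | Set-NetFirewallRule -RemoteAddress $merged
}
$offenders   # emit the newly blocked addresses so a scheduled-task log shows what was done
```

Run it from a scheduled task every few minutes, as pechspilz's "periodically scans" implies. There is no automatic unban here: the rule's address list only grows, so review it now and then, and keep your own addresses in the never-block list, since a typo in your own password would otherwise lock you out after the threshold.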

  • Something you want to share?

  • The internal firewall is the cheapest and I found it effective. Allow only good IPs, and if some are dynamic then start using dynamic IP.

  • Is tunneling via SSH an option?

    Security wise that will be very nice:

    Run SSHD on your Windows machine (something like Bitvise SSH Daemon - free for personal use). Set up SSH to allow you to log in via public key (preferably). Set up RDP to only allow localhost to connect (via Windows firewall).

    You should be all set - only way to connect is to login via SSH and then tunnel into RDP (Bitvise also allows some settings to allow/automate this sort of RDP tunneling nicely I think).

    By running SSHD on some non standard port you should also be able to reduce the nuisance logs of script/bots. Of course you can sleep well if you only allow public key logins :-)

    Thanked by 1switsys
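
An added example (not from this thread or from Bitvise) of the Windows Firewall side of both suggestions above: scoping the built-in Remote Desktop rules to an allow-list of remote addresses (the OP's VPN-only servers, "allow only good IPs"), or disabling them entirely so that only loopback, and therefore only an SSH tunnel landing on 127.0.0.1, can reach RDP. Assumptions: Windows Server 2012 / Windows 8 or newer, elevated PowerShell, RDP still on 3389; the addresses are RFC 5737 documentation ranges used as placeholders.

```powershell
# Added example, not code from the thread. Scope the built-in 'Remote Desktop' rule group to an
# allow-list; with an empty list the group is disabled so only loopback connections get through.
function Set-RdpAllowList {
    [CmdletBinding()]
    param(
        [string[]]$AllowList = @(),   # remote addresses or CIDRs allowed to reach RDP; empty = loopback only
        [int]$RdpPort        = 3389   # the port the built-in rules listen on; adjust if RDP was moved
    )
    # Lockout guard: whichever peer holds the RDP session that runs this script stays allowed,
    # so an admin working over RDP cannot cut off their own session.
    $current = Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue |
        ForEach-Object RemoteAddress
    $scope = @(@($AllowList) + @($current) | Where-Object { $_ } | Sort-Object -Unique)

    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop'
    if ($scope.Count -eq 0) {
        # Nothing remote may connect. Windows Firewall exempts loopback from filtering, so an SSH
        # daemon forwarding to 127.0.0.1:$RdpPort (nullnothere's setup) keeps working.
        $rules | Disable-NetFirewallRule
    } else {
        $rules | Set-NetFirewallRule -RemoteAddress $scope -Enabled True
    }
    # Return the effective remote scope so the result can be checked before logging off.
    $rules | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
}

# VPN-only server: a single VPN egress address plus a management subnet (placeholders).
Set-RdpAllowList -AllowList '203.0.113.10', '198.51.100.0/24'

# Tunnel-only server (run from the console or over SSH, not over RDP, or the guard keeps your peer):
# Set-RdpAllowList
```

Two caveats a practitioner would check: the built-in group covers port 3389 only, so if RDP has been moved to another port (as suggested later in the thread) you must scope the rule you created for that port instead; and a block rule always wins over an allow rule in Windows Firewall, so do not combine this with a blanket "block 3389 from Any" rule or the allow-list stops working.
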
  • simonindia Member
    edited February 2017

    Just change the port of RDP and use the included firewall in Windows.

    I have changed mine to 4454. Random attacks will stop.

    Block RDP ports that are open (3389).

    Link https://kb.iweb.com/hc/en-us/articles/230242388-Change-the-Remote-Desktop-Connection-port-to-your-Windows-Server

    Thanked by 2myhken switsys
  • @nullnothere as mentioned, on some of my servers I need to be able to log on from anywhere at all times, so I can't have keys etc. Or do I misunderstand you?

  • mikho Member, Host Rep

    Duo Security, not really fail2ban, more like 2Factor.

    free for 10 (?) users, works on many platforms. If you use the push option instead of phone or SMS verification, it's free forever.

    You can use the same service to 2Factor ssh connections, use the same username (or 10 different) and you would be able to use it almost everywhere.

    Here are the Docs for setting it up for RDS
    https://duo.com/docs/rds

    Thanked by 1isalem
  • @simonindia said:

    some don't have that option if they are behind a corporate firewall.

  • @simonindia said:

    I have changed mine to 4454 Random attacks will stop

    now i know where to knock :)

    Thanked by 1netomx
  • mikho Member, Host Rep

    @ehab said:

    @simonindia said:

    some don't have that option if they are behind a corporate firewall.

    If you are behind a corporate firewall you probably don't have access from the outside anyways ;)

    Thanked by 1switsys
  • @mikho said:

    at least they allow some essential ports, and I can hop and hop and hop until no more, then I give up.... or will I

  • @myhken - if you want to be able to login without keys, just setup SSHD to allow password logins (so you can login from wherever). Of course you'll also need to have an SSH client on those machines (should be simple even to download something like PuTTY on demand/need).

    You can/should also change the default port of SSHD to something more obscure (to prevent the automated bots/scripts).

    You should be all set.

    I prefer this approach as I (generally) have more faith in SSH (with keys mind you) than in other protocols (esp. with Windows).

    @simonindia's approach is the "simpler" approach but I still feel much more comfortable with a good/complex password over SSH and then tunneling to RDP.

    Thanked by 1myhken
  • @mikho said:

    just drinking coffee and this reminded me of https://ngrok.com/

  • @ehab said:
    now i know where to knock :)

    No you don't. I have explicitly added only a handful of IPs from where I can access.

    @ehab said:
    some don't have that option if they are behind a corporate firewall.

    Of course you don't
    But for penetrating a corporate firewall there are more tricks than this

  • simonindia Member
    edited February 2017

    @simonindia's approach is the "simpler" approach but I still feel much more comfortable with a good/complex password over SSH and then tunneling to RDP.

    What can I say, this trick served me well. I have tried SSH on Windows, but as far as my experience goes it's sometimes impossible to get rid of traces in systems where PuTTY or Cygwin may reside.

    In my former office I used to log in to my home PC in front of everyone without any hassle, so no one noticed that I did something I never should have.

  • joepie91 Member, Patron Provider

    @simonindia said:
    Just change the port of RDP and use the included firewall in Windows.

    I have changed mine to 4454. Random attacks will stop.

    Block RDP ports that are open (3389).

    Link https://kb.iweb.com/hc/en-us/articles/230242388-Change-the-Remote-Desktop-Connection-port-to-your-Windows-Server

    I don't know why people are still spreading this nonsense. Changing your port does not prevent bruteforce attacks. 65536 ports is a tiny keyspace to scan, and it happens regularly. This kind of security through obscurity absolutely will not protect your server.

    Thanked by 3myhken lazyt the_doctor
  • @joepie91 said:

    @simonindia said:
    Just change the port of RDP and use the included firewall in Windows.

    I have changed mine to 4454. Random attacks will stop.

    Block RDP ports that are open (3389).

    Link https://kb.iweb.com/hc/en-us/articles/230242388-Change-the-Remote-Desktop-Connection-port-to-your-Windows-Server

    I don't know why people are still spreading this nonsense. Changing your port does not prevent bruteforce attacks. 65536 ports is a tiny keyspace to scan, and it happens regularly. This kind of security through obscurity absolutely will not protect your server.

    I agree, but automated attacks mostly scan commonly used ports, and I know you disagree, so let's leave it at that.

    Peace :)

  • ehab Member
    edited February 2017

    @simonindia said:

    give me your IPs :P now

    sorry, just ignore me, I feel goofy today and best to stay away.

    have a nice weekend.

  • Don't know if I got smarter so far... will a "fail2ban" script or software do the job, and if so, what to use? On at least one server I want to be able to log in from any computer without installing anything on the client. Of course the 2-factor software can be something.

  • Why RDP and not AnyDesk or TeamViewer?

  • @djn at least TeamViewer depends on software installed on the client. So that's a no-go. Remote Desktop client is standard on all Windows installations.

  • mikho Member, Host Rep

    @ehab said:

    @mikho said:

    at least they allow some essential ports, and I can hop and hop and hop until no more, then I give up.... or will I

    That requires you to open the connection from the inside.

    I recently worked with a company that initially blocked everything from the inside to the Internet.
    From there only some ports and/or IPs were opened when needed.

    Ports 80 and 443 were open, but anything else had to be approved.

    Where I work now, the guest wifi only allows traffic on port 80 and 443. Games and other stuff that requires other ports are blocked.

  • joepie91 Member, Patron Provider

    @simonindia said:
    automated attacks mostly scan commonly used ports

    Yes, and that's precisely the problem right there. Blocking most scans is completely and utterly worthless; you only need to get owned once.

    If you're only using a changed port as your only defence, you will get owned anyway, it'll just take an hour instead of 5 minutes. If you're using other methods to protect your system, then at best your port change is useless, and at worst it will be a massive inconvenience because some tools assume standard ports.

    In other words: it doesn't matter what the situation is, it's always terrible advice. Please stop handing it out to people and getting them compromised as a result.

    Thanked by 1Yura
  • @joepie91 - I beg to differ/clarify (on) a few points (based on my own experience)

    1. Changing of the ports is NOT for security - it is to prevent unwanted attention/attempts (etc.).

    2. Changing the ports will not in any way "improve" the security of the system/setup.

    (we are in agreement here).

    What the above does though is reduce the volume of attacks quite considerably (it takes care of most of the scripted bots that try a whole subnet/ip-range on a specific port in a linear fashion). It does NOT protect you from someone who is focused on your specific IP and will try all ports on that IP.

    What it also does is reduce the "noise" in the logs (if you have them/keep them) on these kinds of nuisances. This is especially useful if you do not have other protective methods.

    For example, if one cannot effectively firewall a port (but it can be changed), it's a useful counter measure to just move it to a random port. It reduces the "spam" by ~90-99%.

    I think most of us understand this pretty well and just want to focus our own energies on the actual problems rather than on the noise that is generated by the many useless attempts. By moving the port away, I reduce the noise and I can "focus" on doing more important things (including locking down the system in a more effective manner).

    Of course if I had the option of only allowing some IPs to even reach my IP, that would be my preferred first line of defence - but many times that is not an option and so the port change is a good deterrent/alternative - think of it as a lock on a door - it is going to prevent the "casual" snooper (i.e. 99%) but it is not going to prevent the determined attacker. None of us think (or should think) the lock is everything - it is merely the first line of defence.

    Again - I agree with you on having more/better security measures in place but that does NOT mean one should NOT also obfuscate the port.

    Thanked by 1switsys
  • @joepie91 said:

    @simonindia said:
    automated attacks mostly scan commonly used ports

    Yes, and that's precisely the problem right there. Blocking most scans is completely and utterly worthless; you only need to get owned once.

    If you're only using a changed port as your only defence, you will get owned anyway, it'll just take an hour instead of 5 minutes. If you're using other methods to protect your system, then at best your port change is useless, and at worst it will be a massive inconvenience because some tools assume standard ports.

    I never suggested anywhere that the port change, for whatever the service, will be the only defence

    In other words: it doesn't matter what the situation is, it's always terrible advice. Please stop handing it out to people and getting them compromised as a result.

    I can't stop, but in future I will ask people not to consider this an "only defense", in your words.

    It's not terrible advice my friend, it's just a mere filter to avoid unwanted noise and bots.

    I know that you are good at something, but the one thing you lack is how to make your statements less rude.

    I take no offence but it may filter the good thing you are trying your best to say.

  • I'm kind of unused to that windows/rdp stuff so please allow a basic question ;-) Which place or logfile do you look for or get the failed login attempts from?

    Thanked by 1vimalware
  • joepie91 Member, Patron Provider
    edited February 2017

    nullnothere said: Changing of the ports is NOT for security - it is to prevent unwanted attention/attempts (etc.).

    "Preventing attempts" should not be a thing you need. It's an irrelevant metric.

    nullnothere said: It does NOT protect you from someone who is focused on your specific IP and will try all ports on that IP.

    I am not talking about targeted attacks. I am talking about internet-wide scans, which are not limited to a single port either.

    nullnothere said: What it also does is reduce the "noise" in the logs (if you have them/keep them) on these kinds of nuisances.

    This is a common argument, but also completely unnecessary. The only things you should need to care about in your logs are successful attempts. Every failed attempt is noise, and there's not really a point in logging them (in non-verbose mode) in the first place. So again, not a good reason.

    nullnothere said: This is especially useful if you do not have other protective methods.

    If you do not have any other protection, then you've already lost. No amount of port changing is going to help here. You've fucked up, you're already done for. So no, also not a valid reason.

    nullnothere said: I think most of us understand this pretty well and just want to focus our own energies on the actual problems rather than on the noise that is generated by the many useless attempts.

    Grep your logs. Done. Problem solved. No port changing required.

    nullnothere said: By moving the port away, I reduce the noise and I can "focus" on doing more important things (including locking down the system in a more effective manner).

    This "noise" in no way gets in your way nor does it prevent you from locking down the system effectively.

    nullnothere said: Of course if I had the option of only allowing some IPs to even reach my IP, that would be my preferred first line of defence - but many times that is not an option and so the port change is a good deterrent/alternative

    No, it isn't. One is a restrictive security measure, the other is security through obscurity. They're not even in the same category of things, let alone one being an "alternative" to the other. One works, the other does not in the slightest.

    nullnothere said: it is going to prevent the "casual" snooper (i.e. 99%) but it is not going to prevent the determined attacker.

    You do not understand how internet-wide scans work or who perpetrates them. This statement is complete and utter nonsense.

    nullnothere said: but that does NOT mean one should NOT also obfuscate the port.

    Yes, it absolutely does.

    simonindia said: I never suggested anywhere that the port change, for whatever the service, will be the only defence

    And like I've said explicitly, because I expected you to bring up this point, it doesn't matter whether it's your only defense or not, it is always bad advice.

    simonindia said: It's not terrible advice my friend its just mere a filter to avoid unwanted noise and bots.

    See above, this is a nonsense reason for reasons I've already explained. And yes, it is terrible advice. Stop spreading this kind of feel-good security bullshit.

    simonindia said: I know that you are good at something, but the one thing you lack is how to make your statements less rude.

    I have no intention of being "less rude". I have an intention of killing this kind of security theater BS. Being direct about it without compromise is the most effective approach for that, and if that makes me come across as rude, then so be it. Not my problem.

    simonindia said: I take no offence but it may filter the good thing you are trying your best to say.

    No, it doesn't, quite the contrary. When people are convinced of the magical security properties of a port change, there are two options: either 1) confront it head-on and point it out as the bullshit it is, or 2) try to bring it subtly and get ignored completely because feel-good security does just that - it makes you feel good about your perceived "security".

    Option 2 is what most of the infosec community has been trying to do for two decades now, and I think it's clear that it hasn't worked. I don't think I need to point out what option I chose.

  • @myhken said:
    I'm looking for some kind of "fail2ban" software for some of my Windows RDC servers.

    Have a look at this: https://github.com/glasnt/wail2ban

    I use it on a few Windows boxes myself.

    Thanked by 3myhken ehab Falzo
  • @Falzo in the Event Viewer and under the Security tab. Then look for Audit Failure and EventID 4925

    Thanked by 2Falzo netomx
  • raindog308 Administrator, Veteran

    joepie91 said: And yes, it is terrible advice.

    The benefit may be debatable, but 'terrible' is too strong. You make it sound like changing ports weakens security and it doesn't.

    joepie91 said: Every failed attempt is noise, and there's not really a point in logging them (in non-verbose mode) in the first place.

    That is untrue. There are many reasons one may want to log people who are trying to attack/brute you.

    There really isn't one-size-fits-all security.

    Thanked by 2switsys Maounique