Need Windows RDP "fail2ban" software
I'm looking for some kind of "fail2ban" software for some of my Windows RDC servers. I have found some links, but most of them are old. So I'm asking here if anybody is using or knows of any good program to use. I have found http://rdpguard.com/ but the price per server is $80, so I'm looking for something cheaper or free.
Most of my servers have an IP block on all IPs other than my VPN IPs. Still I have some servers that I need to be "open" without just my VPN IPs.
In the event log of these servers, I can see lots of 4625 failed logon attempts.
Comments
I'm using a PowerShell script I've found somewhere. It periodically scans the event log and blocks IPs using the internal firewall if more than n attempts have been made within a time range.
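The mechanism described above (periodic scan of the Security log for Event ID 4625, count per source address, block via the built-in firewall) as an added PowerShell example. This is not the poster's script; the threshold, time window, rule name, whitelist patterns and the RFC 5737 seed address are all assumptions chosen for the example. Run it as Administrator from a scheduled task every few minutes.

```powershell
# Minimal RDP "fail2ban": ban source IPs with too many 4625 failures in a window.
# Added example, not the script from the thread. All parameter values are assumptions.
param(
    [int]$Threshold = 5,                       # failures before a ban (assumed)
    [int]$WindowMinutes = 10,                  # look-back window (assumed)
    [string]$RuleName = 'RDP-Fail2Ban-Block',  # hypothetical firewall rule name
    [string[]]$Whitelist = @('10.8.0.*')       # constructed placeholder: never ban your VPN range
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# 4625 = "An account failed to log on". The source address is EventData/IpAddress.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Count failures per source IP.
$counts = @{}
foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    # Console/local failures report '-' or loopback; those are not network attackers.
    if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-' -or $ip -eq '::1' -or $ip -like '127.*') { continue }
    if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
}

# Offenders over the threshold, minus anything matching a whitelist pattern.
$offenders = @($counts.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } | ForEach-Object { $_.Key })
$offenders = @($offenders | Where-Object { $ip = $_; -not ($Whitelist | Where-Object { $ip -like $_ }) })

# One inbound block rule whose RemoteAddress list we grow, instead of one rule per IP.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    # A block rule with RemoteAddress 'Any' would block ALL inbound traffic, so the rule is
    # seeded with a documentation address (RFC 5737) that is never routed on the internet.
    $rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Enabled True -Profile Any -RemoteAddress '192.0.2.1'
}

$current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -and $_ -ne 'Any' })
$new     = @(@($current) + @($offenders) | Sort-Object -Unique)

if ($new.Count -gt $current.Count) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $new
    $added = $new | Where-Object { $current -notcontains $_ }
    Write-Output ("Blocked: " + ($added -join ', '))
} else {
    Write-Output "No new offenders in the last $WindowMinutes minutes."
}
```

The rule blocks all inbound traffic from a banned address, not only 3389, which is what fail2ban does by default as well. Bans never expire in this version; to unban, remove the address with `Set-NetFirewallRule -DisplayName <rule> -RemoteAddress <remaining list>`. Keep the whitelist accurate before enabling it, since a mistyped pattern can lock you out of your own VPN address.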
Something you want to share?
The internal firewall is the cheapest and, I found, effective. Allow only good IPs, and if some are dynamic then start using a dynamic IP.
Is tunneling via SSH an option?
Security wise that will be very nice:
Run SSHD on your Windows machine (something like Bitvise SSH Daemon - free for personal use). Set up SSH to allow you to login via public key (preferably). Set up RDP to only allow localhost to connect (via Windows firewall).
You should be all set - only way to connect is to login via SSH and then tunnel into RDP (Bitvise also allows some settings to allow/automate this sort of RDP tunneling nicely I think).
By running SSHD on some non-standard port you should also be able to reduce the nuisance logs of scripts/bots. Of course you can sleep well if you only allow public key logins :-)
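The setup described in the post above, as an added example that is not from the post or from Bitvise: it uses the OpenSSH server that ships as an optional Windows capability instead of Bitvise, restricts the built-in "Remote Desktop" firewall rule group to loopback plus a VPN range, and shows the client-side tunnel with the built-in OpenSSH client and mstsc. The VPN range `10.8.0.0/24`, the SSH port 2222, the hostname and the user name are placeholders.

```powershell
# ---- Server side (run as Administrator on the Windows host) ----
# Install and start the OpenSSH server capability (swapped in for Bitvise in this example).
Add-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd
# sshd listens on 22 by default; the port is changed in %ProgramData%\ssh\sshd_config
# ("Port 2222"), and public-key-only login is "PasswordAuthentication no" in the same file.

# Restrict every inbound rule of the built-in "Remote Desktop" group so TCP 3389 only
# accepts connections from loopback (the SSH daemon's end of the tunnel) and, optionally,
# the VPN range. 10.8.0.0/24 is a constructed placeholder; drop it for loopback-only.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Set-NetFirewallRule -RemoteAddress @('127.0.0.1', '10.8.0.0/24')

# Verify what the group now allows.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# ---- Client side (any Windows 10+ machine, nothing extra to install) ----
# Open the tunnel in its own window so the password or key passphrase prompt is interactive:
# local 13389 -> (ssh) -> server's own 127.0.0.1:3389. -N means "no remote shell".
# server.example.com, port 2222 and 'user' are placeholders.
Start-Process -FilePath 'ssh' -ArgumentList @('-N', '-L', '13389:127.0.0.1:3389', '-p', '2222', 'user@server.example.com')

# Point the standard RDP client at the local end of the tunnel.
mstsc /v:127.0.0.1:13389
```

With the firewall narrowed this way, a direct connection to 3389 from the internet is dropped even if the RDP service itself is still listening, so the only path in is an authenticated SSH session. The 4625 noise moves to sshd's log, where failed attempts are cheap to reject and, with key-only login, never become guessable.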
Just change the port of RDP and use the included firewall in Windows.
I have changed mine to 4454. Random attacks will stop.
Block the RDP port that is open (3389).
Link https://kb.iweb.com/hc/en-us/articles/230242388-Change-the-Remote-Desktop-Connection-port-to-your-Windows-Server
@nullnothere as mentioned, on some of my servers I need to be able to log on from anywhere at all times, so I can't have keys etc. Or do I misunderstand you?
Duo Security, not really fail2ban, more like 2Factor.
free for 10 (?) users, works on many platforms. If you use the push option instead of phone or SMS verification, it's free forever.
You can use the same service to 2Factor ssh connections, use the same username (or 10 different) and you would be able to use it almost everywhere.
Here are the Docs for setting it up for RDS
https://duo.com/docs/rds
Some don't have that option if they are behind a corporate firewall.
Now I know where to knock.
If you are behind a corporate firewall you probably don't have access from the outside anyways
At least they allow some essential ports, and I can hop and hop and hop until no more, then I give up.... or will I
@myhken - if you want to be able to login without keys, just set up SSHD to allow password logins (so you can login from wherever). Of course you'll also need to have an SSH client on those machines (should be simple even to download something like PuTTY on demand/need).
You can/should also change the default port of SSHD to something more obscure (to prevent the automated bots/scripts).
You should be all set.
I prefer this approach as I (generally) have more faith in SSH (with keys mind you) than in other protocols (esp. with Windows).
@simonindia's approach is the "simpler" approach but I still feel much more comfortable with a good/complex password over SSH and then tunneling to RDP.
just drinking coffee and this reminded me of https://ngrok.com/
No you don't. I have explicitly added only a handful of IPs from where I can access.
Of course you don't
But for penetrating a corporate firewall there are more tricks than this.
What can I say, this trick served me well, but I have tried SSH on Windows, and as far as my experience goes it's sometimes impossible to get rid of traces in systems where PuTTY or Cygwin may reside.
In my former office I used to log in to my home PC in front of everyone without any hassle, so no one noticed that I did something I never should have.
I don't know why people are still spreading this nonsense. Changing your port does not prevent bruteforce attacks. 65536 ports is a tiny keyspace to scan, and it happens regularly. This kind of security through obscurity absolutely will not protect your server.
I agree, but automated attacks mostly scan commonly used ports, and I know you disagree, so let's leave it at that.
Peace
Give me your IPs :P now
Sorry, just ignore me, I feel goofy today and it's best to stay away.
Have a nice weekend.
Don't know if I got smarter so far... will a "fail2ban" script or software do the job, and if so, what to use? On at least one server I want to be able to log in from any computer without installing anything on the client. Of course the 2-factor software can be something.
why rdp and not anydesk or teamviewer ?
@djn at least TeamViewer depends on software installed on the client. So that's a no go. The Remote Desktop client is standard on all Windows installations.
That requires you to open the connection from the inside.
I recently worked with a company that initially blocked everything from the inside to Internet.
From there only some ports and/or IPs were opened when needed.
Ports 80 and 443 were open, but anything else had to be approved.
Where I work now, the guest wifi only allows traffic on port 80 and 443. Games and other stuff that requires other ports are blocked.
Yes, and that's precisely the problem right there. Blocking most scans is completely and utterly worthless; you only need to get owned once.
If you're only using a changed port as your only defence, you will get owned anyway, it'll just take an hour instead of 5 minutes. If you're using other methods to protect your system, then at best your port change is useless, and at worst it will be a massive inconvenience because some tools assume standard ports.
In other words: it doesn't matter what the situation is, it's always terrible advice. Please stop handing it out to people and getting them compromised as a result.
@joepie91 - I beg to differ/clarify (on) a few points (based on my own experience)
Changing of the ports is NOT for security - it is to prevent unwanted attention/attempts (etc.).
Changing the ports will not in any way "improve" the security of the system/setup.
(we are in agreement here).
What the above does though is reduce the volume of attacks quite considerably (it takes care of most of the scripted bots that try a whole subnet/IP range on a specific port in a linear fashion). It does NOT protect you from someone who is focused on your specific IP and will try all ports on that IP.
What it also does is reduce the "noise" in the logs (if you have them/keep them) on these kinds of nuisances. This is especially useful if you do not have other protective methods.
For example, if one cannot effectively firewall a port (but it can be changed), it's a useful countermeasure to just move it to a random port. It reduces the "spam" by ~90-99%.
I think most of us understand this pretty well and just want to focus our own energies on the actual problems rather than on the noise that is generated by the many useless attempts. By moving the port away, I reduce the noise and I can "focus" on doing more important things (including locking down the system in a more effective manner).
Of course if I had the option of only allowing some IPs to even reach my IP, that would be my preferred first line of defence - but many times that is not an option and so the port change is a good deterrent/alternative - think of it as a lock on a door - it is going to prevent the "casual" snooper (i.e. 99%) but it is not going to prevent the determined attacker. None of us think (or should think) the lock is everything - it is merely the first line of defence.
Again - I agree with you on having more/better security measures in place but that does NOT mean one should NOT also obfuscate the port.
I never suggested anywhere that the port change, for whatever the service, will be the only defence.
I can't stop, but in future I will ask people not to consider this an "only defense", in your words.
It's not terrible advice, my friend, it's just merely a filter to avoid unwanted noise and bots.
I know that you are good at something, but the one thing you lack is how to make your statements less rude.
I take no offence, but it may filter the good thing you are trying your best to say.
I'm kind of unused to that windows/rdp stuff so please allow a basic question ;-) Which place or logfile do you look for or get the failed login attempts from?
"Preventing attempts" should not be a thing you need. It's an irrelevant metric.
I am not talking about targeted attacks. I am talking about internet-wide scans, which are not limited to a single port either.
This is a common argument, but also completely unnecessary. The only things you should need to care about in your logs are successful attempts. Every failed attempt is noise, and there's not really a point in logging them (in non-verbose mode) in the first place. So again, not a good reason.
If you do not have any other protection, then you've already lost. No amount of port changing is going to help here. You've fucked up, you're already done for. So no, also not a valid reason.
Grep your logs. Done. Problem solved. No port changing required.
This "noise" in no way gets in your way nor does it prevent you from locking down the system effectively.
No, it isn't. One is a restrictive security measure, the other is security through obscurity. They're not even in the same category of things, let alone one being an "alternative" to the other. One works, the other does not in the slightest.
You do not understand how internet-wide scans work or who perpetrate them. This statement is complete and utter nonsense.
Yes, it absolutely does.
And like I've said explicitly, because I expected you to bring up this point, it doesn't matter whether it's your only defense or not, it is always bad advice.
See above, this is a nonsense reason for reasons I've already explained. And yes, it is terrible advice. Stop spreading this kind of feel-good security bullshit.
I have no intention of being "less rude". I have an intention of killing this kind of security theater BS. Being direct about it without compromise is the most effective approach for that, and if that makes me come across as rude, then so be it. Not my problem.
No, it doesn't, quite the contrary. When people are convinced of the magical security properties of a port change, there are two options: either 1) confront it head-on and point it out as the bullshit it is, or 2) try to bring it subtly and get ignored completely because feel-good security does just that - it makes you feel good about your perceived "security".
Option 2 is what most of the infosec community has been trying to do for two decades now, and I think it's clear that it hasn't worked. I don't think I need to point out what option I chose.
Have a look at this: https://github.com/glasnt/wail2ban
I use it on a few Windows boxes myself.
@Falzo in the Event Viewer and under the Security tab. Then look for Audit Failure and EventID 4925
The benefit may be debatable, but 'terrible' is too strong. You make it sound like changing ports weakens security and it doesn't.
That is untrue. There are many reasons one may want to log people who are trying to attack/brute you.
There really isn't one-size-fits-all security.