How is it possible that someone can try to login via RDC when I have a IP block?
I have seen some strange thing on several of my Windows Server 2012 R2 servers. In my Firewall I have restricted IP access for all RDC protocols to just three IP's, my own IP's. When I try to login via RDC from any other computer not using thees three IP's, I can't even get the login screen. And if I fill out the username (Administrator) I just get an Windows error:
Thats good. Checking the event log, is not showing this login attempts under security.
So it's seems like when somebody is trying to login not using my IP's, it do not count as a failed login attempt. It just get rejected.
But here start my issue. Almost every day my log has several failed login attempts from IP's that not belong to me. So how can they get access to try login on my servers, when I can't get this from any of my other servers/computers?
I have a really strong password, but still, how do they get access to try a login at all? What are I'm missing in my settings?
The IP's is set in both RDC for private networks and public networks.
Can you post the security log entry?
Of course, this is one of them:
Do you have other WAN facing services that use NTLM on the server? It's possible to probe on other ports for creds.
One thing that may help you in the future. There is a specific eventid logged on a successful RD session, if you forward your logs you can setup notifications for when an active successful connection is established. This is what I did for public facing Windows machines that I couldn't alter as an auditing measure.
what you have in the logs are a failed login attempt. It's not certain that the user on the other side has tried to connect on your RDP port.
It could be over SMB, HTTP etc ....
@Riz I have no other WAN facing services, if they are not activated by default in Win Server 2012 R2. I have applied RDP Guard so after 3 failed login attempts they get blocked. Still, I don't understand why they get access at all, since no of my failed login attempts from my other computers is mention in the log.
@mikho My RDP Guard software tells me that it was the RDC protocol they used.
That info wasn't included in your first reply.
Setup 2FA with something like duo https://duosecurity.com and forget all about it.
@mikho - still, I like to find out why someone can try to login without using my approved IP's. How do they do it? Since I can't manage to replicate the attempts my self. Why do not my login attempts from server not using my approved IP's not appear in my log, but thees other login attempts is? Something strange is happening. And it's not on just one server, it's on several other servers also.
care to explain what firewall you are talking about? maybe that should be the starting point ;-)
@Falzo ofcourse...it's just the standard Windows firewall.
To properly answer your question we need to know more about your setup.
What firewall is used?
What other software are in use?
Events from all event logs around the time of the connection attempt.
Stuff line that
@mikho as mention right over your post, I'm using Windows Firewall.
I have checked all logs, and the only other entry at the same time, or around the same time as the failed login is this:
The PC20 refers to the same entry as that I mention before.
Other than that, nothing happened on my server at the same time. So it was just a failed login attempt.
I'm running Hyper-V on the server. I have a FileZilla Server on it, also with IP block. I'm running Malwarebytes on it, and thats it.
Have you changed the listening port ?
Screenshots of your firewall rules?
@mikho I uses standard 3389 for RDP.
Is it safe to post all my firewall rules here on LET? I can say that the only thing I have changed beside just standard settings, is that under Scope under Remote Desktop User Mode (both TCP-IN and UDP-IN) have I added my allowed IP's. Thats it.
The other issue posting it, is that I'm using Norwegian Language Pack on my server, so everything is on Norwegian...
Port scan your server with
nmapto test your firewall. If your server has multiple IPs, try against each one. Some networks might automatically block against a dumb brute force scan though, so you might want to try it from within the OVH network or wherever.
@ricewind I have then used nmap, and this is the result:
Your firewall is mis-configured. Both ports 2179 and 3389 are RDP related. Too many open ports anyway.
If you need only a few ports anyways and run windows on a VM of your own, it may be reasonable to set it up NATted on a private IP. Forward only the needed ports and use iptables or alike on the hostnode to restrict those to the IPs you want to connect from.
That also should make it easy to change the port of e.g. RDP without the need of doing that inside windows ;-)
@rincewind Port 2179 is used by Hyper-V:
I did block Port 49152-49159, restarted my server, and just discovered that Windows then opened the same number of ports anyway, so it's clearly some feature Windows need. Still, there is not possible to connect to any of the open ports from other computers.
Can anybody else with a Windows Server 2012 R2 post their nmap results, so we can compare? I have tested several of my servers, and all have the same ports open, except 2179 that only servers that run Hyper-V have open.
@Falzo This is not VM's I talk about, it's my two main servers that I run several Hyper-V VM's on.
@ricewind @Falzo I have now installed a totally new and clean Windows Server 2012 R2 and as you can see, the same ports is open there, except 2179 that gets open after you install Hyper-V on the server. I have MSDN access, so I have always used only directly downloaded .iso files from MSDN.
Port 21 and 990 belongs to FileZilla server, so they are not on my fresh installed server.
So how is my firewall on my main servers mis-configured?
Since I'm Swedish, language won't be an issue
Windows Firewall lacks when it comes to logging. if you want to inspect the attack vectors closer, set some "better" firewall in front and log the traffic.
@mikho Nice to know. I think maybe I have one solution for the firewall.
Both Hetzner and OVH provides free Firewall on my main servers. So I have closed every thing, except port 3389 (rdc) and 21 and 990 (FileZilla FTP).
So then I just have to wait to see if the login attempts continues or if they stop
What makes you believe these are RDP based login attempts?
Thats what I've been asking since my first post.
@mykhen could have been so easy if it had been VMs ;-)
the idea with an external firewall maybe worth a try.
also I would agree with @AnthonySmith , if you have a ftp-server running that might be the target and not rdp ??
try and leave the ftp server off for a while, restrict rdp as you have done before in windows firewall (as this is supposed to work due to your own tests) and see if there are further login attempts happening.
@AnthonySmith @mikho Just because RDP Guard says it's RDP attempts. What else can it be?
@Falzo The RDP Guard also protect FTP, and after I activated FTP protection also, I still got a new RDP attempt:
@mykhen okay, I have been too slow, just tried to edit my post to add this:
to be more specific: even if rdpguard let it look like being login attempts to rdp it probably just greps through the security log for failed login entries and blocks away those IPs. I am not experienced enough with windows server though to tell if those entries may differ depending on the port or service that's been involved
but you are right, I overlooked it seems to have different options for RDP/FTP...
@Falzo I appreciate your inputs. So to be extra safe, I have in Hetzner firewall, just added one IP that can connect to FTP ports 21 and 990. The only computer that need FTP access is my home server. I have left it open on my OVH server, then time will tell if I get new entries in RDP Guard.
That logging is absolutely shite then haha, it does not give you more detailed logged somewhere?
That could just be someone hitting 3389 with a banner scanner looking for vulnerable servers, i.e. being blocked pre auth.
What happens if you telnet to port 3389 from another IP not in the list, does it show up in RDpGuard?