Comments
Even in your first nmap output, it showed FileZilla as IP blocked, but not port 3389. For some reason, your IP restrictions on RDP were not getting enforced. If you've set up an external firewall you should do another port scan to confirm that RDP is not accessible from an unknown IP.
Is it possible that RdpGuard also reads through the firewall entries and adds things that are actually blocked by the firewall?
Found this on their website: "It monitors the logs on your server and detects failed logon attempts."
https://rdpguard.com/
So it's possible that it only lists what other applications/services write in the log files.
start using certs for RDP, drop rdp guard, beef up firewall a touch, job done
@AnthonySmith I have tried Telnet from a couple of computers not on my IP list, and I never get access to the server using port 3389, and the login attempts are not mentioned in my Windows Security log, so they will not show up in RDP Guard either, since it uses the security log.
@rincewind It's really impossible to connect with an RDP client not using my IPs on these servers. Also tried with Telnet after a tip from @AnthonySmith.
I will PM you an IP for one of my servers, so you can test it yourself.
Reading about applying certs to RDP now. Can be a good solution.
also install duosecurity, it's free 2FA for RDP (among other things)
Just an update for future reference. It had to be the port (2179) that Hyper-V opens that was the reason for the strange login attempts on my server.
After I put an IP block on that port, there have been no new login attempts in the last 14 days or so.
Strange that Microsoft has created this security issue when you install Hyper-V on your server, and that a Hyper-V feature should impact my RDC, but it's the case.
So if you are using an IP block on your RDP port on a Windows Server with Hyper-V, you must remember to block port 2179 also.
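Added example, not part of the thread: a PowerShell audit that lists every enabled inbound allow rule covering TCP 3389 or 2179 and flags the ones still open to any remote address. It assumes the filtering is done with Windows Defender Firewall and that the NetSecurity cmdlets (Windows Server 2012 or later) are available; the variable and function names are made up for this example.

```powershell
# Added example. Assumption: inbound filtering is done by Windows Defender
# Firewall and the NetSecurity module is present.
$watchPorts = 3389, 2179   # RDP, and the port the thread says Hyper-V opens

# Returns $true when a rule's LocalPort list covers $Port.
# LocalPort entries can be 'Any', a single port, a range ("2000-3000"),
# or a keyword such as 'RPC' (keywords are ignored here).
function Test-PortMatch {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

$findings = foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    # Only TCP (or protocol-agnostic) rules can expose these two ports.
    if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }

    $addrFilter = $rule | Get-NetFirewallAddressFilter
    foreach ($port in $watchPorts) {
        if (Test-PortMatch -LocalPort $portFilter.LocalPort -Port $port) {
            [pscustomobject]@{
                Port          = $port
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = ($addrFilter.RemoteAddress -join ', ')
                # 'Any' means the rule has no IP restriction at all.
                OpenToAny     = $addrFilter.RemoteAddress -contains 'Any'
            }
        }
    }
}

$findings | Sort-Object Port, Rule | Format-Table -AutoSize
```

Run it from an elevated prompt; any row with OpenToAny set to True for port 2179 is a rule that still needs the same IP scope as the RDP rule. It only reads the local rule set, so a port scan from an address outside the allow list is still the way to confirm the result.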