
How is it possible that someone can try to login via RDC when I have a IP block? - Page 2

Comments

  • Even in your first nmap output, it showed FileZilla as IP blocked, but not port 3389. For some reason, your IP restrictions on RDP were not getting enforced.

    If you've set up an external firewall, you should do another port scan to confirm that RDP is not accessible from an unknown IP.

  • mikho Member, Host Rep

    Is it possible that RdpGuard also reads through the firewall entries and adds things that are actually blocked by the firewall?

  • mikho Member, Host Rep

    Found this on their website: "It monitors the logs on your server and detects failed logon attempts."

    https://rdpguard.com/

    So it's possible that it only lists what other applications/services write in the log files.

  • AnthonySmith Member, Patron Provider

    start using certs for RDP, drop rdp guard, beef up firewall a touch, job done :)

  • @AnthonySmith I have tried Telnet from a couple of computers not on my IP list, and I never get access to the server using port 3389, and the login attempts are not mentioned in my Windows Security log, so they will not show up in RDP Guard either, since it uses the security log.

    @rincewind It's really impossible to connect with an RDP client not using my IPs on these servers. Also tried with Telnet after a tip from @AnthonySmith

    I will PM you an IP for one of my servers, so you can test it yourself.

  • AnthonySmith said: start using certs for RDP, drop rdp guard, beef up firewall a touch, job done :)

    Reading about applying certs to RDP now. Can be a good solution.

  • mikho Member, Host Rep

    myhken said: Reading about applying certs to RDP now. Can be a good solution.

    also install duosecurity, it's free 2FA for RDP (among other things)

  • Just an update for future reference. It had to be the port (2179) that Hyper-V opens that was the reason for the strange login attempts on my server.
    After I put an IP block on that port, there have been no new login attempts in the last 14 days or so.

    Strange that Microsoft has created this security issue when you install Hyper-V on your server. And strange how a Hyper-V feature should have an impact on my RDC, but that's the case.

    So if you are using IP block on your RDP port on a Windows Server with Hyper-V, you must remember to block port 2179 also.

    Thanked by 2: Falzo, simonindia
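
Added example (not part of any post in this thread, and not code from RdpGuard or Microsoft): a PowerShell audit, run in an elevated session on the server, that lists enabled inbound allow rules covering TCP 3389 and 2179 and flags the ones that accept any remote address. It assumes the IP block is implemented in the built-in Windows firewall; the helper name `Test-PortMatch` is made up for this example.

```powershell
# Ports named in the thread: 3389 (RDP) and 2179 (opened by Hyper-V).
$ports = 3389, 2179

# Hypothetical helper: does a rule's LocalPort list cover the given port?
# LocalPort can hold single ports, ranges ("2000-3000"), "Any", or keywords
# such as "RPC" (keywords never match a numeric port here).
function Test-PortMatch {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True

$findings = foreach ($rule in $rules) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    # Only TCP rules (or protocol-agnostic ones) can expose these ports.
    if ($portFilter.Protocol -notin 'TCP', '6', 'Any') { continue }

    $addrFilter = $rule | Get-NetFirewallAddressFilter
    foreach ($port in $ports) {
        if (Test-PortMatch -LocalPort $portFilter.LocalPort -Port $port) {
            [pscustomobject]@{
                Port          = $port
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = $addrFilter.RemoteAddress -join ', '
                # True means the rule is not restricted to an IP allow list.
                OpenToAny     = $addrFilter.RemoteAddress -contains 'Any'
            }
        }
    }
}

# Rules with OpenToAny = True are the ones an IP block does not cover.
$findings | Sort-Object Port, Rule | Format-Table -AutoSize
```

Rules whose LocalPort is "Any" also appear in the output and may be limited by a program or service filter, so review those by hand. An external firewall is not visible to this audit and still needs the outside port scan suggested earlier in the thread.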