Windows VPS Security Issues

Hope someone can help me on this.

I am struggling with the security of a Windows VPS running Windows 2008 R2. I am not an expert on it; all I need is a simple VPS for minor stuff.

From my side, I've disabled the admin account and created a complex username with admin rights, plus changed the port for RDP, but it is still being attacked continuously. Is there software which will ban the IP once it tries to log in more than 2 times?

I just wonder how they can find out the new port and username?

I've tried the account lockout feature but it is not that helpful, as it locks me out as well.
Thanks

Comments

  • feezioxiii Member, Host Rep
    edited March 2019

    @forumsuk said:
    Hope someone can help me on this.

    I am struggling with the security of a Windows VPS running Windows 2008 R2. I am not an expert on it; all I need is a simple VPS for minor stuff.

    From my side, I've disabled the admin account and created a complex username with admin rights, plus changed the port for RDP, but it is still being attacked continuously. Is there software which will ban the IP once it tries to log in more than 2 times?

    I just wonder how they can find out the new port and username?

    I've tried the account lockout feature but it is not that helpful, as it locks me out as well.
    Thanks

    1. If your main concern is security, you shouldn't use Windows 2008 in the first place; do upgrade to 2012 or 2016, which is not @EOL.

    2. No need to disable Administrator account, you can change its username via local policy.

    3. Usually, a complex password + custom username + custom port will dodge most basic attacks, so you would be fine :D

    4. If you want another layer of security, you can try to limit access to specific IPs (such as your home IP, or a VPN).

    5. You can try 2FA for Windows by Duo (https://duo.com/docs/rdp); it's free for personal usage (at least as of when this post was submitted).

    6. You can also try setting up AD, but I would not recommend it for a 'simple VPS'.

    Thanked by 2eol Xei
  • You can use sshd_block which is like fail2ban for Windows. It's free.

    https://serverfault.com/questions/43360/cygwin-sshd-autoblock-failed-logins/43900#43900

    One caveat though: because of changes to the events logged by Windows when using the TLS/SSL security layer for RDP, this script has become increasingly ineffective, as Microsoft omits the IP address of the host attempting to authenticate. More about this issue here:

    https://github.com/EvanAnderson/ts_block/issues/14

    Thanked by 1eol
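The approach this post describes (count failed logons per source, then block the source at the firewall) can be illustrated with a short script. The example below is added here and is not code from the thread, from ts_block or from sshd_block. It assumes things the thread does not state: it runs elevated on the Windows Server 2008 R2 host, auditing of failed logons (Security event ID 4625) is enabled, and `netsh advfirewall` is usable. The threshold, window and allow-list values are constructed defaults.

```powershell
# Added example (not from the thread, ts_block or sshd_block): a minimal fail2ban-style pass
# over the Security log that bans sources with repeated RDP logon failures.
# Assumptions (not stated in the thread): runs elevated on the Windows Server 2008 R2 host,
# failed-logon auditing is on (event ID 4625), and netsh advfirewall is available.
param(
    [int]$Threshold = 3,                   # failures from one address before it is banned
    [int]$WindowMinutes = 10,              # look-back window for counting failures
    [string[]]$AllowList = @('127.0.0.1')  # addresses never banned; add your own management IP
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue

$counts = @{}      # source address -> number of failed logons in the window
$unattributed = 0  # failures that carry no usable source address

foreach ($e in $events) {
    # Read EventData by field name from the event XML instead of trusting positional indexes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ip = $data['IpAddress']

    # The caveat raised in the post above: with the TLS/SSL security layer Windows frequently
    # logs '-' as the client address, so that failure cannot be tied to a source or banned.
    if (-not $ip -or $ip -eq '-' -or $ip -eq '::1') { $unattributed++; continue }
    if ($AllowList -contains $ip) { continue }

    if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
}

foreach ($ip in @($counts.Keys)) {
    if ($counts[$ip] -lt $Threshold) { continue }
    $ruleName = "AutoBan RDP $ip"

    # netsh exits 0 when a rule with this name exists and non-zero ("No rules match") otherwise,
    # so an address that is already banned is not given a duplicate rule.
    $null = netsh advfirewall firewall show rule name="$ruleName"
    if ($LASTEXITCODE -eq 0) { continue }

    $null = netsh advfirewall firewall add rule name="$ruleName" dir=in action=block remoteip=$ip
    Write-Output ("Banned {0} after {1} failed logons in the last {2} minutes" -f $ip, $counts[$ip], $WindowMinutes)
}

if ($unattributed -gt 0) {
    Write-Warning "$unattributed failed logons carried no source address ('-') and could not be attributed to a host."
}
```

Run it from Task Scheduler every few minutes. Bans persist until the rule is removed (`netsh advfirewall firewall delete rule name="AutoBan RDP <address>"`), so put your own address in the allow list before enabling it. The warning count is the practical measure of the problem this post describes: when most failures land there, per-source banning cannot work on that host and restricting the RDP port to known addresses is the stronger control.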
  • By the way, I don't understand how the account lockout feature locks you out as well. Because only you know the username, or are you saying that sometimes you also enter the wrong password, which results in the account being locked?

  • @alilet said:
    By the way, I don't understand how the account lockout feature locks you out as well. Because only you know the username, or are you saying that sometimes you also enter the wrong password, which results in the account being locked?

    So I've set account lockout after 3 failed attempts. I am guessing somehow my username has been figured out by someone and they tried 3 attempts to log in and it got locked. Now I cannot log in with the correct password either, as the account is locked. I'd have thought that if you use the correct password it should let you in, but this is not the case.

  • mikho Member, Host Rep

    @feezioxiii said:

    @forumsuk said:

    3. Usually, a complex password + custom username + custom port will dodge most basic attacks, so you would be fine :D

    Since the OP says he is still "attacked", changing ports doesn't help much more than delaying the discovery of the right port.

    @feezioxiii said:

    @forumsuk said:

    5. You can try 2FA for Windows by Duo (https://duo.com/docs/rdp), it's free for personal usage (at least from when this post submitted).

    This (and locking down to an IP) is the best option that you suggested.
    Adding 2FA with a push notice to your smartphone is free from Duo.
    You get some credits when signing up for SMS/calls, but those will run out fast if someone tries to log in using your username.

    @alilet said:
    By the way I don't understand how account lock out feature locks you out as well. Because only you know the username or you are saying that sometimes you also enter wrong password which results in account being locked?

    If someone else finds out the username, logins for that user are blocked for X minutes after a number of failed logins.
    Even if you enter the correct password, the account is locked out and won't allow logons.

  • Yeah, this finding out of the username doesn't make any sense to me. If I create a new user mk92349fmvfdfk34, then how will someone know about it?

  • eol Member

    Brute force attack?

  • mikho Member, Host Rep

    @alilet said:
    Yeah, this finding out of the username doesn't make any sense to me. If I create a new user mk92349fmvfdfk34, then how will someone know about it?

    @eol said:
    Brute force attack?

    Thanked by 1eol
  • feezioxiii Member, Host Rep
    edited March 2019

    @mikho said:

    @alilet said:
    Yeah, this finding out of the username doesn't make any sense to me. If I create a new user mk92349fmvfdfk34, then how will someone know about it?

    @eol said:
    Brute force attack?

    Orrrrrrrrrrr we can just use TeamViewer or AnyDesk and completely disable RDP for a while until the attack stops. :joy:

    Highly doubt any "mass" attacks would brute force custom ports though.

  • mikho Member, Host Rep

    @feezioxiii said:

    @mikho said:

    @alilet said:
    Yeah, this finding out of the username doesn't make any sense to me. If I create a new user mk92349fmvfdfk34, then how will someone know about it?

    @eol said:
    Brute force attack?

    Orrrrrrrrrrr we can just use TeamViewer or AnyDesk and completely disable RDP for a while until the attack stops. :joy:

    If the account is locked, it is locked.
    It won't allow local or remote logins.

  • feezioxiii Member, Host Rep

    @mikho said:

    @feezioxiii said:

    @mikho said:

    @alilet said:
    Yeah, this finding out of the username doesn't make any sense to me. If I create a new user mk92349fmvfdfk34, then how will someone know about it?

    @eol said:
    Brute force attack?

    Orrrrrrrrrrr we can just use TeamViewer or AnyDesk and completely disable RDP for a while until the attack stops. :joy:

    If the account is locked, it is locked.
    It won't allow local or remote logins.

    If that is the case, I don't think account lock would be a good way either since it could lock @OP out of his own server as well.

  • You need RdpGuard (https://rdpguard.com)

  • I also have a Windows 2016 VPS but never had this problem. Probably you rubbed the mafia the wrong way. It is possible that they are using an LDAP browser to view users, although I am not sure if it works without AD. I am not on my PC right now; I will test and let you know in a few hours.

  • Thanks guys. Will try some of the suggestions.

    But I mean, how can a username be found out? They can brute force a specific port with listed usernames etc., but surely finding something like b7xnfdh90m is not worth trying when the port is unique as well.

  • I just read your question. You are facing a critical issue. Security is the biggest issue which occurs in every business process. The best option is to contact them where you bought the Windows VPS; they can solve all these issues.

  • mikho Member, Host Rep

    @hostnetindiaa said:
    I just read your question. You are facing a critical issue. Security is the biggest issue which occurs in every business process. The best option is to contact them where you bought the Windows VPS; they can solve all these issues.

    Probably they won't help unless it is a managed VPS.

  • Trash it and install Linux. Sorted. :-p

    Thanked by 2eol lazyt
  • @forumsuk said:
    Thanks guys. Will try some of the suggestions.

    But I mean, how can a username be found out? They can brute force a specific port with listed usernames etc., but surely finding something like b7xnfdh90m is not worth trying when the port is unique as well.

    Check, maybe your PC is compromised. By the way, I tested an LDAP browser and it didn't reveal any user.

  • mikho Member, Host Rep

    Depending on how the server is secured, there are a couple of remote commands that you can run to get information on the system.

    The best way is to block all incoming traffic and only open the ports that you really need.

    Thanked by 1eol
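The "block everything inbound, open only what you need" baseline from this post, combined with the IP allow-listing suggested earlier in the thread and a self-releasing lockout policy for the lockout problem the OP ran into, looks like the following on the OP's platform. This is an added example, not commands from the thread; it assumes it runs elevated on the Windows Server 2008 R2 VPS, and the management address and port are placeholders that must be replaced before running.

```powershell
# Added example (not from the thread): deny inbound by default, allow RDP only from one
# management address, and keep account lockout but make it release itself.
# Assumptions (not stated in the thread): runs elevated on the Windows Server 2008 R2 VPS;
# the two values below are placeholders and must be replaced with real ones.
$ManagementIp = '203.0.113.10'   # placeholder (documentation range): your home or VPN egress IP
$RdpPort      = 3389             # placeholder: the custom listener port if RDP was moved

# 1. Firewall on for every profile; inbound denied by default, outbound allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Weak setting: the built-in "Remote Desktop" rule group allows RDP from any address.
#    Turn the group off instead of relying on a non-default port to hide the listener.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 3. Corrected setting: the RDP port is reachable from the management address only.
netsh advfirewall firewall add rule name="RDP from management IP only" dir=in action=allow `
    protocol=TCP localport=$RdpPort remoteip=$ManagementIp

# 4. Lockout that releases itself: 5 failures within 15 minutes lock the account for 15 minutes,
#    so a stranger who learns the username cannot keep the owner locked out indefinitely.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15

# 5. Verify what is actually in force before closing the current session.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="RDP from management IP only"
net accounts
```

Keep the existing RDP session open while applying this and test a second connection from the management address before logging off. The allow-list only works from a fixed address; with a dynamic home IP, route through a VPN with a stable egress, and keep the provider's console as the fallback if the rule locks you out.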
  • I've banned the IPs in Windows Firewall (China, Russia) and that has solved the problem ... for the time being at least. Thanks.

    @mikho said:

    @hostnetindiaa said:
    I just read your question. You are facing a critical issue. Security is the biggest issue which occurs in every business process. The best option is to contact them where you bought the Windows VPS; they can solve all these issues.

    Probably they won't help unless it is a managed VPS.

    Paid more money them
