Comments
Whitelist your own IP address and block all others.
Or, if you have a dynamic IP, get a cheap VPS, install WireGuard and whitelist the WireGuard IP.
I combine that with ipban.com and it keeps the usual bots away.
Port number change is just obscurity in the name of security.
Combined with Duo it should be OK.
It's tempting to use the Administrator account; avoid it as much as possible...
I have an openVPN server running on my router at home. The Windows dedicated server connects to it as a client at startup, and the tunnel is set as 'private'. I only allow RDP for 'private' profile in the server's firewall.
RDPGuard runs on the machine you are trying to protect and is expensive. Cyberarms makes free software that can block most of it; the database can crash, though, leaving the machine wide open, from personal experience.
The best solution I had for free was Cyberarms to collect the IPs, and a provider I used offered a firewall; I just imported all the IPs into a list that dropped incoming packets from the IPs in the list.
Microsoft's RDP has become so discredited that the only way to safely use it is to wrap its traffic in a VPN tunnel.
SSH Tunnel with RDP port forwarding? Bitvise makes a client that supports this directly.
https://bitvise.com/remote-desktop
Just change the RDP port; 3389/tcp is an easy target for bots, as is 22/tcp.
VPN it with ZeroTier.
Install Tailscale on both devices, and allow RDP access only via Tailscale.
(ZeroTier also works)
Change the port and use the firewall settings to allow only whitelisted IPs on the RDP port.
Anyone know how to add TFA in RDP?
Duo.com
I think changing the default port 3389 to another port is pretty safe.
I don't suggest that. It's security with obscurity... This will hardly offer any protection, and it is definitely not 2FA.
I use a 110-char password for RDP.
Oh, I see..
Change the port.
Thanks all. I have changed the RDP port and used Duo 2FA for login 😊. Works great.
Can you share how to set up Duo 2FA? Link maybe?
Thanks.
I'd personally just set up a VPN server and use that to remote.
https://duo.com/docs/rdp
For most use cases, this is good enough. Most hacks are done with bots running port scans on internet IPs in hopes of getting a hit. The usual port set is the defaults. So unless someone is performing a targeted attack, changing default ports is good enough.
Of course using a VPN or setting up 2FA is more secure, but then again, you have to ask yourself: what is the probability of you getting a targeted attack, and what do you have to lose?
True - it all depends on how critical the server/data a user is keeping is.
It's becoming easier and easier for script kiddies/bots to get scripts that scan a whole truckload of ports. It's a matter of time before switching port numbers will not mean much.
Probability of targeted attacks --> these come at the least expected time, and when you need access to your resource it will be a challenge.
Here the OP seems to be interested in securing his RDP instance. Switching ports is just one of many items OP can do, along with 2FA et al., to gain some peace of mind... but switching ports doesn't do anything else...
And it becomes a problem when users rely on that obscurity as a critical control, and without that obscurity, the control fails.
Interesting, but I'm confused about how to deal with a local dynamic IP if the IP changes.
Port knocking is the way to go. (apt install knockd)
You run a script from task scheduler every five minutes and if IP changes, update firewall with PowerShell commands. If you Google for "ip detect update firewall PowerShell", I'm sure it won't take much time finding what you want.
The best solution is to change the RDP port, whitelist your IP address, and block UDP RDP.
If you can't use a whitelist, then whitelist the ISP (AS number); you need an extra firewall to do it.
(If you don't block UDP RDP, then it will be used for DDoS amp.)
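The Task Scheduler approach suggested earlier in the thread, combined with the TCP-only whitelist from the last comment, as an added example (not code from any poster). It assumes the client publishes its current address under a dynamic-DNS name; `home.example.net` is a placeholder, and the rule name and the `Get-AllowListUpdate` helper are hypothetical.

```powershell
# Added example, not from the thread. Assumptions: the client publishes its address
# under a dynamic-DNS name ($HostName is a placeholder) and $RuleName is hypothetical.
param(
    [string]$HostName = 'home.example.net',
    [int]$RdpPort     = 3389,
    [string]$RuleName = 'RDP allow (dynamic whitelist)'
)

# Decide whether the rule needs rewriting. Returns $null when nothing should change,
# including when the lookup produced no usable IPv4 address, so a DNS failure can
# never empty the rule or widen it to "Any".
function Get-AllowListUpdate {
    param([string[]]$Resolved, [string[]]$Current)
    $valid = @($Resolved | Where-Object {
        $ip = $null
        [System.Net.IPAddress]::TryParse($_, [ref]$ip) -and
            $ip.AddressFamily -eq 'InterNetwork'
    } | Sort-Object -Unique)
    if ($valid.Count -eq 0) { return $null }
    $old = @($Current | Sort-Object -Unique)
    if (($valid -join ',') -eq ($old -join ',')) { return $null }
    return $valid
}

try {
    # Keep only the A records; CNAME entries in the answer carry no IPAddress.
    $resolved = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
} catch {
    Write-Warning "DNS lookup for $HostName failed; firewall rule left unchanged."
    return
}

$rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$current = if ($rule) { @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) } else { @() }
$new     = Get-AllowListUpdate -Resolved $resolved -Current $current
if (-not $new) { return }   # address unchanged, or nothing safe to apply

if ($rule) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $new
} else {
    # TCP only: no UDP allow rule is created, so RDP over UDP stays blocked
    # by the default inbound policy.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $RdpPort -RemoteAddress $new | Out-Null
}
```

The scoped rule only restricts access once the built-in "Remote Desktop" firewall rules, which accept any source address, are disabled.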