Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


How is it possible that someone can try to login via RDC when I have a IP block?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

How is it possible that someone can try to login via RDC when I have a IP block?

I have seen some strange thing on several of my Windows Server 2012 R2 servers. In my Firewall I have restricted IP access for all RDC protocols to just three IP's, my own IP's. When I try to login via RDC from any other computer not using thees three IP's, I can't even get the login screen. And if I fill out the username (Administrator) I just get an Windows error:

Thats good. Checking the event log, is not showing this login attempts under security.
So it's seems like when somebody is trying to login not using my IP's, it do not count as a failed login attempt. It just get rejected.

But here start my issue. Almost every day my log has several failed login attempts from IP's that not belong to me. So how can they get access to try login on my servers, when I can't get this from any of my other servers/computers?

I have a really strong password, but still, how do they get access to try a login at all? What are I'm missing in my settings?
The IP's is set in both RDC for private networks and public networks.

«1

Comments

  • Can you post the security log entry?

  • Of course, this is one of them:

    `-



    • 4625
      0
      0
      12544
      0
      0x8010000000000000

      44215


      Security
      OVH1


    • S-1-0-0
      -
      -
      0x0
      S-1-0-0
      Administrator
      37.187.xxx.xxx
      0xc000006d
      %%2313
      0xc000006a
      3
      NtLmSsp
      NTLM
      PC20
      -
      -
      0
      0x0
      -
      222.220.145.62
      58533

      `

  • Do you have other WAN facing services that use NTLM on the server? It's possible to probe on other ports for creds.

    One thing that may help you in the future. There is a specific eventid logged on a successful RD session, if you forward your logs you can setup notifications for when an active successful connection is established. This is what I did for public facing Windows machines that I couldn't alter as an auditing measure.

  • mikhomikho Member, Host Rep

    what you have in the logs are a failed login attempt. It's not certain that the user on the other side has tried to connect on your RDP port.
    It could be over SMB, HTTP etc ....

  • @Riz I have no other WAN facing services, if they are not activated by default in Win Server 2012 R2. I have applied RDP Guard so after 3 failed login attempts they get blocked. Still, I don't understand why they get access at all, since no of my failed login attempts from my other computers is mention in the log.

  • @mikho My RDP Guard software tells me that it was the RDC protocol they used.

  • mikhomikho Member, Host Rep

    @myhken said:

    @mikho My RDP Guard software tells me that it was the RDC protocol they used.

    That info wasn't included in your first reply.

    Setup 2FA with something like duo https://duosecurity.com and forget all about it.

    Thanked by 1pbgben
  • @mikho - still, I like to find out why someone can try to login without using my approved IP's. How do they do it? Since I can't manage to replicate the attempts my self. Why do not my login attempts from server not using my approved IP's not appear in my log, but thees other login attempts is? Something strange is happening. And it's not on just one server, it's on several other servers also.

  • myhken said: still, I like to find out why someone can try to login without using my approved IP's.

    myhken said: In my Firewall I have restricted IP access

    care to explain what firewall you are talking about? maybe that should be the starting point ;-)

  • @Falzo ofcourse...it's just the standard Windows firewall.

  • mikhomikho Member, Host Rep

    @myhken said:
    @mikho - still, I like to find out why someone can try to login without using my approved IP's. How do they do it? Since I can't manage to replicate the attempts my self. Why do not my login attempts from server not using my approved IP's not appear in my log, but thees other login attempts is? Something strange is happening. And it's not on just one server, it's on several other servers also.

    To properly answer your question we need to know more about your setup.
    What firewall is used?
    What other software are in use?
    Events from all event logs around the time of the connection attempt.

    Stuff line that

  • myhkenmyhken Member
    edited February 2017

    @mikho as mention right over your post, I'm using Windows Firewall.
    I have checked all logs, and the only other entry at the same time, or around the same time as the failed login is this:
    `-



    • 4776
      0
      0
      14336
      0
      0x8010000000000000

      44214


      Security
      OVH1


    • MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Administrator
      **PC20 **
      0xc000006a

      `
      The PC20 refers to the same entry as that I mention before.

    Other than that, nothing happened on my server at the same time. So it was just a failed login attempt.

    I'm running Hyper-V on the server. I have a FileZilla Server on it, also with IP block. I'm running Malwarebytes on it, and thats it.

  • mikhomikho Member, Host Rep

    Have you changed the listening port ?
    Screenshots of your firewall rules?

  • @mikho I uses standard 3389 for RDP.

    Is it safe to post all my firewall rules here on LET? I can say that the only thing I have changed beside just standard settings, is that under Scope under Remote Desktop User Mode (both TCP-IN and UDP-IN) have I added my allowed IP's. Thats it.
    The other issue posting it, is that I'm using Norwegian Language Pack on my server, so everything is on Norwegian...

  • Port scan your server with nmap to test your firewall. If your server has multiple IPs, try against each one. Some networks might automatically block against a dumb brute force scan though, so you might want to try it from within the OVH network or wherever.

  • @ricewind I have then used nmap, and this is the result:

  • Your firewall is mis-configured. Both ports 2179 and 3389 are RDP related. Too many open ports anyway.

  • If you need only a few ports anyways and run windows on a VM of your own, it may be reasonable to set it up NATted on a private IP. Forward only the needed ports and use iptables or alike on the hostnode to restrict those to the IPs you want to connect from.

    That also should make it easy to change the port of e.g. RDP without the need of doing that inside windows ;-)

  • myhkenmyhken Member
    edited February 2017

    @rincewind Port 2179 is used by Hyper-V:

    VMConnect to Hyper-V hosts, Port: 2179; Protocol: RDP—VMConnect is an application that's part of Hyper-V Manager and VMM; it lets you connect to a console session of a Hyper-V VM. By default VMConnect uses port 2179.

    I did block Port 49152-49159, restarted my server, and just discovered that Windows then opened the same number of ports anyway, so it's clearly some feature Windows need. Still, there is not possible to connect to any of the open ports from other computers.

    Can anybody else with a Windows Server 2012 R2 post their nmap results, so we can compare? I have tested several of my servers, and all have the same ports open, except 2179 that only servers that run Hyper-V have open.

    @Falzo This is not VM's I talk about, it's my two main servers that I run several Hyper-V VM's on.

  • @ricewind @Falzo I have now installed a totally new and clean Windows Server 2012 R2 and as you can see, the same ports is open there, except 2179 that gets open after you install Hyper-V on the server. I have MSDN access, so I have always used only directly downloaded .iso files from MSDN.

    Port 21 and 990 belongs to FileZilla server, so they are not on my fresh installed server.

    So how is my firewall on my main servers mis-configured?

  • mikhomikho Member, Host Rep

    @myhken said:
    The other issue posting it, is that I'm using Norwegian Language Pack on my server, so everything is on Norwegian...

    Since I'm Swedish, language won't be an issue :)
    Windows Firewall lacks when it comes to logging. if you want to inspect the attack vectors closer, set some "better" firewall in front and log the traffic.

  • @mikho Nice to know. I think maybe I have one solution for the firewall.
    Both Hetzner and OVH provides free Firewall on my main servers. So I have closed every thing, except port 3389 (rdc) and 21 and 990 (FileZilla FTP).
    So then I just have to wait to see if the login attempts continues or if they stop

  • AnthonySmithAnthonySmith Member, Patron Provider

    myhken said: But here start my issue. Almost every day my log has several failed login attempts from IP's that not belong to me. So how can they get access to try login on my servers

    What makes you believe these are RDP based login attempts?

    Thanked by 1Falzo
  • mikhomikho Member, Host Rep

    @AnthonySmith said:

    myhken said: But here start my issue. Almost every day my log has several failed login attempts from IP's that not belong to me. So how can they get access to try login on my servers

    What makes you believe these are RDP based login attempts?

    Thats what I've been asking since my first post. :)

  • FalzoFalzo Member
    edited February 2017

    @mykhen could have been so easy if it had been VMs ;-)

    the idea with an external firewall maybe worth a try.

    also I would agree with @AnthonySmith , if you have a ftp-server running that might be the target and not rdp ??

    try and leave the ftp server off for a while, restrict rdp as you have done before in windows firewall (as this is supposed to work due to your own tests) and see if there are further login attempts happening.

  • myhkenmyhken Member
    edited February 2017

    @AnthonySmith @mikho Just because RDP Guard says it's RDP attempts. What else can it be?

  • @Falzo The RDP Guard also protect FTP, and after I activated FTP protection also, I still got a new RDP attempt:

  • @mykhen okay, I have been too slow, just tried to edit my post to add this:

    to be more specific: even if rdpguard let it look like being login attempts to rdp it probably just greps through the security log for failed login entries and blocks away those IPs. I am not experienced enough with windows server though to tell if those entries may differ depending on the port or service that's been involved :/

    but you are right, I overlooked it seems to have different options for RDP/FTP...

  • @Falzo I appreciate your inputs. So to be extra safe, I have in Hetzner firewall, just added one IP that can connect to FTP ports 21 and 990. The only computer that need FTP access is my home server. I have left it open on my OVH server, then time will tell if I get new entries in RDP Guard.

  • AnthonySmithAnthonySmith Member, Patron Provider
    edited February 2017

    That logging is absolutely shite then haha, it does not give you more detailed logged somewhere?

    That could just be someone hitting 3389 with a banner scanner looking for vulnerable servers, i.e. being blocked pre auth.

    What happens if you telnet to port 3389 from another IP not in the list, does it show up in RDpGuard?

Sign In or Register to comment.