Dear:
Through this, request an immense collaboration.
I have 1 Rb 1100AHx2 with v. 6.44.1
- I made a NAT to port 3389 (Remote Desktop) to be able to access a computer from my local network.
- Checking the LOG, I detect that I am receiving enough attempts to access my computer through that port.
- I have already changed it, but I still receive attack attempts.
How could I protect myself from that?
I hope your help and help please.
Thank you
Attached image
Attempt of attacks through Remote Desktop
You do not have the required permissions to view the files attached to this post.
Re: Attempt of attacks through Remote Desktop
You can protect from that by not enabling RDP from the Internet. Basic security.
Those attempts are botnets, and Windows RDP is full of vulnerabilities, it will never be secure.
Those attempts are botnets, and Windows RDP is full of vulnerabilities, it will never be secure.
-
-
freemannnn
Forum Veteran
- Posts: 700
- Joined:
Re: Attempt of attacks through Remote Desktop
you can use firewall address list to allow rdp only for specific incoming ip's.
or
https://wiki.mikrotik.com/wiki/Brutefor ... prevention
or
https://wiki.mikrotik.com/wiki/Brutefor ... prevention
Re: Attempt of attacks through Remote Desktop
If the computer you are using to connect to RD is using dynamic IP you can setup a ddns for it and only allow it to connect using address list
Re: Attempt of attacks through Remote Desktop
As indicated one thing that one can do is only allowed known source WANIPs that want to connect on that port.
If you are connecting from a fixed place with a static IP that may be possible.
The other thing you can do is do port translation. In the example below you set the RDP port to 38910 on the client side
In other words
Change your IP NAT Rule from
add action=dstnat chain=dst-nat in-interface=eth1WAn dst=port=3389 \
protocol=TCP to=address=RDP_local_IP
TO
add action=dstnat chain=dst-nat in-interface=eth1WAn dst=port=38910 \
protocol=TCP to=address=RDP_local_IP to-ports=3389
I think thus in your remote desktop connection you would put under address
YourWANIP:38910
A step up in security would be to look up port knocking in the forum search for a method to gain access to the router and in this case the server based on a few hard to copy steps............
Finally the proper way to do security is to VPN into the router (to the LAN) and then RDP to your server.
If you are connecting from a fixed place with a static IP that may be possible.
The other thing you can do is do port translation. In the example below you set the RDP port to 38910 on the client side
In other words
Change your IP NAT Rule from
add action=dstnat chain=dst-nat in-interface=eth1WAn dst=port=3389 \
protocol=TCP to=address=RDP_local_IP
TO
add action=dstnat chain=dst-nat in-interface=eth1WAn dst=port=38910 \
protocol=TCP to=address=RDP_local_IP to-ports=3389
I think thus in your remote desktop connection you would put under address
YourWANIP:38910
A step up in security would be to look up port knocking in the forum search for a method to gain access to the router and in this case the server based on a few hard to copy steps............
Finally the proper way to do security is to VPN into the router (to the LAN) and then RDP to your server.
Re: Attempt of attacks through Remote Desktop
First ensure you have the latest updates to Win 7 or Win 10. Don't use older Operating Systems. Microsoft dropped the ball 3 times already where a hacker could send a specially crafted packet that would contain a command that would be executed under the System user. So without logging in, a hacker could add a user and promote it to an administrator. Then log in with that. Patches were released in May 2018. Since then, I've left a test VM exposed to the internet and so far it hasn't been hacked. But due to the disappointing track record, I would NOT trust RDP.
Some Options:
- Port Knock. Set a firewall rule that when you try to connect to port 3350 (or whatever), then add the source IP to an RDP_OK list with a timeout of 60 seconds. Only allow IPs on that list to access port 3389 (or even better, change that port). Next create another rule that says any TCP connection attempts to 3349 and 3351, put them on a BAN_LIST. Create another rule that says to drop all packets from a banned IP. Move that rule to the top. This will prevent port scanners from triggering the knock port. So now, in the RDP client, try to connect to port 3350 which will fail, but then try to connect to 3389. You have 60 seconds to create the connection. Once connected, it'll stay connected. If you disconnected after 60 seconds, you have to knock again.
- Use stunnel with client side certificates. And change the RDP port. A hacker can't hit RDP until they present a valid client side certificate.
- Use a VPN. SSTP will get around airport firewalls. SSTP performs well enough for RDP for me. L2TP/IPSec is compatible with Android, iOS and Windows.
- Changing port only is NOT good enough.
Some Options:
- Port Knock. Set a firewall rule that when you try to connect to port 3350 (or whatever), then add the source IP to an RDP_OK list with a timeout of 60 seconds. Only allow IPs on that list to access port 3389 (or even better, change that port). Next create another rule that says any TCP connection attempts to 3349 and 3351, put them on a BAN_LIST. Create another rule that says to drop all packets from a banned IP. Move that rule to the top. This will prevent port scanners from triggering the knock port. So now, in the RDP client, try to connect to port 3350 which will fail, but then try to connect to 3389. You have 60 seconds to create the connection. Once connected, it'll stay connected. If you disconnected after 60 seconds, you have to knock again.
- Use stunnel with client side certificates. And change the RDP port. A hacker can't hit RDP until they present a valid client side certificate.
- Use a VPN. SSTP will get around airport firewalls. SSTP performs well enough for RDP for me. L2TP/IPSec is compatible with Android, iOS and Windows.
- Changing port only is NOT good enough.
Re: Attempt of attacks through Remote Desktop [SOLVED]
Great, logical advice!!First ensure you have the latest updates to Win 7 or Win 10. Don't use older Operating Systems. Microsoft dropped the ball 3 times already where a hacker could send a specially crafted packet that would contain a command that would be executed under the System user. So without logging in, a hacker could add a user and promote it to an administrator. Then log in with that. Patches were released in May 2018. Since then, I've left a test VM exposed to the internet and so far it hasn't been hacked. But due to the disappointing track record, I would NOT trust RDP.
Some Options:
- Port Knock. Set a firewall rule that when you try to connect to port 3350 (or whatever), then add the source IP to an RDP_OK list with a timeout of 60 seconds. Only allow IPs on that list to access port 3389 (or even better, change that port). Next create another rule that says any TCP connection attempts to 3349 and 3351, put them on a BAN_LIST. Create another rule that says to drop all packets from a banned IP. Move that rule to the top. This will prevent port scanners from triggering the knock port. So now, in the RDP client, try to connect to port 3350 which will fail, but then try to connect to 3389. You have 60 seconds to create the connection. Once connected, it'll stay connected. If you disconnected after 60 seconds, you have to knock again.
- Use stunnel with client side certificates. And change the RDP port. A hacker can't hit RDP until they present a valid client side certificate.
- Use a VPN. SSTP will get around airport firewalls. SSTP performs well enough for RDP for me. L2TP/IPSec is compatible with Android, iOS and Windows.
- Changing port only is NOT good enough.
Who is online
Users browsing this forum: No registered users and 70 guests