add succesfully connected rdp to whitelist

Damago1 · Wed Jan 10, 2024 9:31 pm

I would like to add succesfully connected rdp connections to whitelist. And I have no clue how to detect if the connection is succesfully established or it is just another brute force attempt.

I was trying something like":

chain=forward action=add-src-to-address-list connection-state=established protocol=tcp
address-list=rdp_whitelist address-list-timeout=5h in-interface-list=WAN dst-port=3389 log=no log-prefix=""

but brute force attackers also are being added to this list. Because the TCP connection is established before login. Maybe I should detect connections that are established for more than 5 minutes or so (we can presume that the login was succesfull) but I do not know how.

DenSyo77 · Thu Jan 11, 2024 5:30 am

You can start writing a script with the following command on the server, executed when the user login the session, replace 3389 with your port number

netstat -aon | findstr ESTAB  | findstr 3389 >>\\ShareFolder\connections.txt

https://www.howtonetworking.com/RemoteAccess/ts19.htm
Check if the file is being created and if it contains external client addresses. Next, you can write a script on MikroTik parsing this file on a schedule or a script for Windows working with MikroTik via API - this way looks preferable.

Damago1 · Fri Jan 12, 2024 10:57 am

I was trying to do something mikrotik only. Without adding complexity and another scripts to servers which would add another thing to maintain etc. My latest attempt is to try to guess by amount of traffic:

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_whitelist \
    address-list-timeout=1d chain=forward comment=\
    "add established RDP to whitelist" connection-bytes=100000-0 \
    connection-state=established dst-port=3389 in-interface-list=WAN protocol=\
    tcp

but it seams like there are some brute force attackers which do exceed the 100k limit and get whitelisted. I was thinking if there is any way to check the lifetime of the connection (the attacks are short lived connections while legitimate sessions last longer) but I could not find any filter based on connection age.

DenSyo77 · Fri Jan 12, 2024 1:58 pm

Theoretically, it is possible to try to analyze the ratio of input and forward packets to the RDP port for each address, but there is no certainty that this will give anything. Such a task will greatly load the gateway, so it’s better to think about using a script on Windows, this will guarantee the validity of the data.

Interesting solution, works as a service
https://github.com/devnulli/EvlWatcher

PowerShell solution
https://woshub.com/block-rdp-brute-forc ... all-rules/

There is no need to synchronize the rules with the gateway.

DenSyo77 · Sun Jan 14, 2024 1:57 pm

Sorry, Damago1, shouldn't have gotten carried away with theories. When overcame laziness and looked at what was happening with rdp-connections in real, found an idea, suggest check it and create a script based on it. Replace the dst-address and port with yours and run this script when you are under attack. Tell me, is it possible to conclude that the attackers have negative values? Idle sessions can also have a negative value, this is not a problem, until this point the user's address should be white-list.

:local list [:toarray ""]
:local rdpConn [/ip firewall connection print detail as-value where dst-address="192.168.88.77:3389" and !(src-address~"192.168.88.")]
:foreach conn in=$rdpConn do={
  :local src [:pick ($conn->"src-address") 0 [:find ($conn->"src-address") ":"]]
  :local rate [:tonum ($conn->"orig-rate")]
  :if ([:typeof ($list->$src)] = "nil") do={
    :set ($list->$src) $rate
  } else={
    :if (($list->$src) <= 0 && $rate = 0) do={
      :set ($list->$src) (($list->$src) - 1)
    } else={
      :set ($list->$src) (($list->$src) + $rate)
    }
  }
}

:put $list

jvanhambelgium · Sun Jan 14, 2024 2:44 pm

>I would like to add succesfully connected rdp connections to whitelist. And I have no clue how to detect if the connection is succesfully established or it is >just another brute force attempt.

If it was a brute-force you would also see multiple times a new SYN arriving I think? You cannot keep trying forever in the authentication phase for a single attempt. It will disconnect and tear down the tcp-session I think.

So you can also follow the logic that IF you see a new inbound session-setup for RDP more then 1x that might already be fishy....

But all in all these "methods" of detecting a good vs brute-force RDP-session attempt seems something you should not handle at Mikrotik level but perhaps as mentioned with interfacing with the server & through API.

DenSyo77 · Mon Jan 15, 2024 2:42 am

Yes, in normal conditions there are always two sessions from one address - tcp and udp. But I wouldn’t rely on this, what if everyone from one RDP server sits on another RDP server and they are happy with it?.. The idea is to ban exactly those who generate many sessions with zero orig-rate. If there is a session with a non-zero orig-rate, we place the address in the white-list and exclude it from checks. The solution is applicable not only to RDP, which is why was interested.

add succesfully connected rdp to whitelist

add succesfully connected rdp to whitelist

Re: add succesfully connected rdp to whitelist

Re: add succesfully connected rdp to whitelist

Re: add succesfully connected rdp to whitelist

Re: add succesfully connected rdp to whitelist

Re: add succesfully connected rdp to whitelist

Re: add succesfully connected rdp to whitelist

Who is online