ntech2
just joined
Topic Author
Posts: 2
Joined: Sun Jan 06, 2019 1:09 pm
Location: Latvia

Noob firewall question - being brute forced

Sun Jan 06, 2019 1:22 pm

Hi,
I'm very new to routers and networking so sorry if this is trivial, but I can't figure it out.

We have a router running RouterOS v6.43.4.

There's a Windows server running RDP on the network, RDP is open to internet connections currently. On server log files I can see brute force logon attempts every second from foreign IP addresses.

To fix this I think I need to configure the firewall on the router.

Here is current firewall settings: https://i.imgur.com/xqyGAoE.png
The router should only allow 3 specific internet IPs and all local IPs from subnet 192.168.88.0/24 to connect to RDP. Block everything else.
What do I need to change to achieve this?

Thanks!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noob firewall question - being brute forced

Mon Jan 07, 2019 11:35 pm

Well I would suggest using a service that blocks a lot of foreign crap from the get-go.
One of our fellow members has one that he protects his clients with and includes country blocking, for example, as but one of the prongs of defence.
Check it out......... (for the price of a couple of cups of java a month it's the best value you will find anywhere in IT)
viewtopic.php?t=137632

In the meantime,
In terms of port forwarding, I would imagine limiting access from known external IPs to your Windows Server should be doable.

Of course in your IP Firewall Filter Forward Chain you will need a rule to allow dstnat and assume you already have this.
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat

In your port forwarding rules which are found in IP Firewall NAT, be sure to apply source address to limit access to the server!

Example A - single authorized external address, single WAN
add chain=dstnat action=dst-nat src-address=ALLOWED_EXTERNAL_INTERNET_IP protocol=rdp in-interface=wan to-addresses=IP_of_local_windows_server to-ports=3389

Here normally one puts in a destination port, but the protocol RDP expects it only to be 3389 and thus it is not required.
In fact you may not even need the to-ports as it's implied by the RDP protocol. I put it there in case you have the ability to change the RDP port at the server and wish to do so. In any case it won't hurt.

Example B - multiple external addresses, dual WAN
add chain=dstnat action=dst-nat src-address-list=Allowed_RDP_Access protocol=rdp in-interface-list=wan to-addresses=IP_of_local_windows_server to-ports=3389

In this case you would need to make a firewall address list containing all the allowed external addresses.
add address=external_IP#1 list=Allowed_RDP_Access
add address=external_IP#2 list=Allowed_RDP_Access
etc.........
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Noob firewall question - being brute forced

Tue Jan 08, 2019 8:54 am

add chain=dstnat action=dst-nat src-address-list=Allowed_RDP_Access protocol=rdp in-interface-list=wan to-addresses=IP_of_local_windows_server to-ports=3389

That's not right. Service/application RDP (Remote Desktop Protocol) is using protocol=tcp ... protocol=rdp stands for Reliable Data Protocol.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noob firewall question - being brute forced

Tue Jan 08, 2019 6:41 pm

Thanks MKX, I would expect nothing less, i.e. to be corrected when I err so egregiously :-)

I was wondering, when I entered in the available protocol "rdp" from the protocol list available on winbox, WHY the list of ports became greyed out?????

So is rdp an error and should not be on the list of protocols in winbox?
If so, then the op should select TCP and manually insert port 3389 as destination port??

Please advise.
 
tippenring
Member
Posts: 304
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: Noob firewall question - being brute forced

Tue Jan 08, 2019 7:57 pm

The above is good advice, but there is something more fundamentally wrong with your situation. That is a lack of information security awareness.

It's good that you managed to notice the brute force attempts to your RDP server. The bigger problem is that you, or whoever is responsible for the network, was not aware of the risks associated with exposing services to the internet. Of course you're getting brute forced.

How long has it been going on? Does an attacker on the internet already have access to your server? Because you'll still keep seeing brute force attempts even though attackers have already gained access to the RDP server. I'd strongly consider taking it offline and rebuilding it from scratch unless you can prove there has been no unauthorized access. By prove, I don't mean "reasonably conclude," but "prove that it didn't happen." And keep in mind that proving the server is not compromised will probably take more time than rebuilding the server.

How many exposed RDP servers are out there? Shodan shows almost 4 million. That's a lot of targets.

Is your router accessible from the internet? You should already know the answer to that. Do you have any other services exposed to the internet? You should also know that answer.

I know I'm not addressing your question. That's already been done. I just wanted to make you aware that network administration and infosec go hand-in-hand. Way too many people miss that.
 
ntech2
just joined
Topic Author
Posts: 2
Joined: Sun Jan 06, 2019 1:09 pm
Location: Latvia

Re: Noob firewall question - being brute forced

Wed Jan 09, 2019 1:00 am

@tippenring Yes I am aware of the security situation and informed the owners long ago. The brute force started about 2 weeks ago. I'm not administering or working there, just helping out. Did what I can to secure the server as much as possible but experience with networking and MikroTik is very limited unfortunately.

@anav Thanks for the detailed response. I don't want to mess with the firewall settings remotely, will be on site Sunday to try this out.

If I understand correctly, these could be the commands I'd need to use after adding all WAN addresses to a custom contacts list MyContactList? (I replaced RDP with TCP as per @mkx's comment and used 8.8.8.8 as the server IP for this example.)
add chain=dstnat action=dst-nat MyContactList=Allowed_TCP_Access protocol=TCP 
in-interface-list=wan to-addresses=8.8.8.8 to-ports=3389
Do I need to use the WinBox software to execute this or can I do it from the RouterOS command interface?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Noob firewall question - being brute forced

Wed Jan 09, 2019 2:40 am

Doing some research on this topic I found one post that I really agree with!!!
RDP on a publicly accessible port is spooky. I typically set people up with a VPN and then they can RDP to the local IP of the Windows machine. If the remote party has a DDNS updater app on their device you could port forward and only allow trusted DDNS hostnames.

ntech, I use winbox when creating a rule from scratch and the CLI interface when copying lots of rules over into the router, but that's just lazy me.
 
karlisi
Member
Posts: 433
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Noob firewall question - being brute forced

Thu Jan 10, 2019 10:04 am

If I understand correctly, these could be the commands I'd need to use after adding all WAN addresses to a custom contacts list MyContactList? (I replaced RDP with TCP as per @mkx's comment and used 8.8.8.8 as the server IP for this example.)

Do I need to use the WinBox software to execute this or can I do it from the RouterOS command interface?

Small correction:
add chain=dstnat action=dst-nat src-address-list=Allowed_TCP_Access protocol=tcp dst-port=3389 in-interface-list=wan to-addresses=8.8.8.8 to-ports=3389

You can do it from the terminal or from Winbox. If you already have a dst-nat rule for RDP, simply set this list in Advanced -> Src. Address List for this rule.
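Putting anav's address-list approach and karlisi's corrected NAT rule together into one complete rule set, as an added example that is not from any post in this thread. It assumes the WAN port is a member of the interface list WAN, the server's LAN address is 192.168.88.10, and the three permitted public addresses are placeholders from the documentation ranges.

```routeros
# Constructed example (not from this thread): RouterOS v6.4x rules that allow
# RDP (TCP/3389) to an internal server only from three public addresses and
# drop everything else. Assumed values: interface list "WAN", server
# 192.168.88.10, placeholder public addresses 203.0.113.x / 198.51.100.x.

/ip firewall address-list
add list=rdp-allowed address=203.0.113.10 comment="remote office 1"
add list=rdp-allowed address=203.0.113.11 comment="remote office 2"
add list=rdp-allowed address=198.51.100.20 comment="remote admin"

# Port forward. Because of src-address-list, packets from any other source are
# never translated: they stay addressed to the router itself, land in the
# input chain and are dropped there.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=3389 \
    in-interface-list=WAN src-address-list=rdp-allowed \
    to-addresses=192.168.88.10 to-ports=3389 \
    comment="RDP to server, permitted sources only"

# Filter. Accept only the forwarded RDP sessions from the list, then drop any
# other new connection arriving from WAN (defence in depth behind the NAT
# match). Rule order matters: these belong above any broader
# "accept connection-nat-state=dstnat" rule already in the forward chain.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=accept connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.88.10 dst-port=3389 src-address-list=rdp-allowed \
    comment="RDP from permitted sources"
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    comment="drop all other new connections from WAN"

# Detection. Untranslated RDP attempts hit the input chain, so log them there.
# This rule must sit above the default "drop all not coming from LAN" input
# rule (drag it up in Winbox or use place-before=), otherwise it never matches.
add chain=input action=drop protocol=tcp dst-port=3389 in-interface-list=WAN \
    log=yes log-prefix="rdp-denied" comment="log and drop unsolicited RDP"

# Hosts on 192.168.88.0/24 reach the server directly on the LAN segment and
# never traverse these rules, so they need no entry in rdp-allowed.
```

Watch the router log for the rdp-denied prefix after applying this: a steady stream of entries from unlisted sources is the brute-force traffic now being refused at the router instead of reaching the server's logon service.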
