Community discussions

MikroTik App
 
ronylove
newbie
Topic Author
Posts: 27
Joined: Fri Aug 10, 2018 6:33 pm

Attempt of attacks through Remote Desktop

Thu Mar 21, 2019 12:02 am

Dear:
Through this, request an immense collaboration.
I have 1 Rb 1100AHx2 with v. 6.44.1
- I made a NAT to port 3389 (Remote Desktop) to be able to access a computer from my local network.
- Checking the LOG, I detect that I am receiving enough attempts to access my computer through that port.
- I have already changed it, but I still receive attack attempts.

How could I protect myself from that?
I hope your help and help please.
Thank you

Attached image
You do not have the required permissions to view the files attached to this post.
 
BRMateus2
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Thu Oct 26, 2017 11:18 pm

Re: Attempt of attacks through Remote Desktop

Thu Mar 21, 2019 10:20 pm

You can protect from that by not enabling RDP from the Internet. Basic security.

Those attempts are botnets, and Windows RDP is full of vulnerabilities, it will never be secure.
 
freemannnn
Long time Member
Long time Member
Posts: 683
Joined: Sun Oct 13, 2013 7:29 pm

Re: Attempt of attacks through Remote Desktop

Thu Mar 21, 2019 11:08 pm

you can use firewall address list to allow rdp only for specific incoming ip's.

or

https://wiki.mikrotik.com/wiki/Brutefor ... prevention
 
DummyPLUG
Frequent Visitor
Frequent Visitor
Posts: 79
Joined: Wed Jan 03, 2018 10:17 am

Re: Attempt of attacks through Remote Desktop

Fri Mar 22, 2019 12:57 am

If the computer you are using to connect to RD is using dynamic IP you can setup a ddns for it and only allow it to connect using address list
 
anav
Forum Guru
Forum Guru
Posts: 4674
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Attempt of attacks through Remote Desktop

Fri Mar 22, 2019 1:29 am

As indicated one thing that one can do is only allowed known source WANIPs that want to connect on that port.
If you are connecting from a fixed place with a static IP that may be possible.
The other thing you can do is do port translation. In the example below you set the RDP port to 38910 on the client side


In other words
Change your IP NAT Rule from
add action=dstnat chain=dst-nat in-interface=eth1WAn dst=port=3389 \
protocol=TCP to=address=RDP_local_IP
TO
add action=dstnat chain=dst-nat in-interface=eth1WAn dst=port=38910 \
protocol=TCP to=address=RDP_local_IP to-ports=3389
I think thus in your remote desktop connection you would put under address
YourWANIP:38910

A step up in security would be to look up port knocking in the forum search for a method to gain access to the router and in this case the server based on a few hard to copy steps............
Finally the proper way to do security is to VPN into the router (to the LAN) and then RDP to your server.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Van9018
Long time Member
Long time Member
Posts: 519
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Attempt of attacks through Remote Desktop

Fri Mar 22, 2019 1:37 am

First ensure you have the latest updates to Win 7 or Win 10. Don't use older Operating Systems. Microsoft dropped the ball 3 times already where a hacker could send a specially crafted packet that would contain a command that would be executed under the System user. So without logging in, a hacker could add a user and promote it to an administrator. Then log in with that. Patches were released in May 2018. Since then, I've left a test VM exposed to the internet and so far it hasn't been hacked. But due to the disappointing track record, I would NOT trust RDP.

Some Options:
- Port Knock. Set a firewall rule that when you try to connect to port 3350 (or whatever), then add the source IP to an RDP_OK list with a timeout of 60 seconds. Only allow IPs on that list to access port 3389 (or even better, change that port). Next create another rule that says any TCP connection attempts to 3349 and 3351, put them on a BAN_LIST. Create another rule that says to drop all packets from a banned IP. Move that rule to the top. This will prevent port scanners from triggering the knock port. So now, in the RDP client, try to connect to port 3350 which will fail, but then try to connect to 3389. You have 60 seconds to create the connection. Once connected, it'll stay connected. If you disconnected after 60 seconds, you have to knock again.

- Use stunnel with client side certificates. And change the RDP port. A hacker can't hit RDP until they present a valid client side certificate.

- Use a VPN. SSTP will get around airport firewalls. SSTP performs well enough for RDP for me. L2TP/IPSec is compatible with Android, iOS and Windows.

- Changing port only is NOT good enough.
 
anav
Forum Guru
Forum Guru
Posts: 4674
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Attempt of attacks through Remote Desktop  [SOLVED]

Fri Mar 22, 2019 2:38 am

First ensure you have the latest updates to Win 7 or Win 10. Don't use older Operating Systems. Microsoft dropped the ball 3 times already where a hacker could send a specially crafted packet that would contain a command that would be executed under the System user. So without logging in, a hacker could add a user and promote it to an administrator. Then log in with that. Patches were released in May 2018. Since then, I've left a test VM exposed to the internet and so far it hasn't been hacked. But due to the disappointing track record, I would NOT trust RDP.

Some Options:
- Port Knock. Set a firewall rule that when you try to connect to port 3350 (or whatever), then add the source IP to an RDP_OK list with a timeout of 60 seconds. Only allow IPs on that list to access port 3389 (or even better, change that port). Next create another rule that says any TCP connection attempts to 3349 and 3351, put them on a BAN_LIST. Create another rule that says to drop all packets from a banned IP. Move that rule to the top. This will prevent port scanners from triggering the knock port. So now, in the RDP client, try to connect to port 3350 which will fail, but then try to connect to 3389. You have 60 seconds to create the connection. Once connected, it'll stay connected. If you disconnected after 60 seconds, you have to knock again.

- Use stunnel with client side certificates. And change the RDP port. A hacker can't hit RDP until they present a valid client side certificate.

- Use a VPN. SSTP will get around airport firewalls. SSTP performs well enough for RDP for me. L2TP/IPSec is compatible with Android, iOS and Windows.

- Changing port only is NOT good enough.
Great, logical advice!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)

Who is online

Users browsing this forum: meazz1, Onigma and 122 guests