Ask Your Question
0

RDP attacks

asked 2020-10-25 11:02:28 +0000

Deliaware gravatar image

updated 2020-10-25 12:39:32 +0000

grahamb gravatar image

Hi All

I'm new and a novice for the most part - so apologies but need a steer. I have windows servers and have changed the RDP port from the standard 3389 to a different port (the sample below is using 3389). I have disable 3389 on the windows Firewall and created a rule for the new port which has restricted access to my IP address under scope firewall rule. I run RDP Guard which bans IP's after failed RDP.I have tested a RDP log in form and authorised IP and watched it on Wireshark and could see the TLS1.2 handshake and connection in progress as I would have expected. So after all that I see some attempts to connect to my new port (changed in sample below to normal port) from a BAD IP 

128868  2020-10-25 09:22:53.034068  195.54.166.116  51.xx.xxx.xxx   TCP 66  [TCP Retransmission] 56259 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

367363  2020-10-25 09:34:58.729097  195.54.166.112  51.xx.xxx.xxx   TCP 62  [TCP Retransmission] 51067 → 3389 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1

I have obfuscated my IP above and there has been no visible a reply from my side back to these IPs

So my questions are?

A. What does the wire shark string above actually mean?

B. I have the port restricted to just my own IP under firewall rule (scope) then should the foreign IP even be getting past the Firewall(FW) settings, I thought the FW would be blocking it before getting in and that I should not see it on Wireshark?

C. what else do you recommend to enforce my security ?

Thanks DW

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2020-10-25 12:49:09 +0000

grahamb gravatar image
  1. The packets shown are retransmissions of TCP connection attempts (the SYN flag is set) from external IPs 195.54.166.116 and 195.54.166.112 to the port 3389 on the local host.
  2. I'm assuming you're capturing on the host itself, different firewalls act at different points in the stack which may or may not be before the packet is captured by the capture library (usually npcap on Windows). Do you have any evidence that the firewall isn't doing it's job? Look at whatever firewall logs are available. A firewall may silently drop the incoming packet or send a TCP RST to close the connection, but there shouldn't be any TCP SYN+ACK response.
  3. Don't expose RDP to the internet. Require incoming connections to be via VPN.
edit flag offensive delete link more

Comments

  1. I think the firewall is working but get a bit paranoid when I see something odd especially from IP that are listed abuse IP's. Yes using NPCAP. The only reference I have is similar to what I posted above, there are several attempts from various IP's with exact same format. Its just Windows Firewall been used, do you think that Wireshark Npcap is capturing before the FW

Thanks for your reply and help

Deliaware gravatar imageDeliaware ( 2020-10-25 12:55:52 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-10-25 11:02:28 +0000

Seen: 1,041 times

Last updated: Oct 25 '20

Related questions

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Localhost capturing

Why is the MSS not the same?

Port Unreachable

Help with a TCP Reset Issue

SCCP on tcp port 2005 ?

How are FTP ports decided ?

I cannot enter a filter for tcp port 61883. What is so special about this number?

How to determine which processes are sending CLDAP Protocol to DST Port 389

firewall modifies packet?