RDP attacks
Hi All
I'm new and a novice for the most part - so apologies, but I need a steer. I have Windows servers and have changed the RDP port from the standard 3389 to a different port (the sample below is using 3389). I have disabled 3389 on the Windows Firewall and created a rule for the new port which restricts access to my IP address under the firewall rule's scope. I run RDP Guard, which bans IPs after failed RDP logins. I have tested an RDP login from an authorised IP and watched it in Wireshark, and could see the TLS 1.2 handshake and connection in progress as I would have expected. So after all that I see some attempts to connect to my new port (changed in the sample below to the normal port) from a BAD IP:
128868 2020-10-25 09:22:53.034068 195.54.166.116 51.xx.xxx.xxx TCP 66 [TCP Retransmission] 56259 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
367363 2020-10-25 09:34:58.729097 195.54.166.112 51.xx.xxx.xxx TCP 62 [TCP Retransmission] 51067 → 3389 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
I have obfuscated my IP above, and there has been no visible reply from my side back to these IPs.
So my questions are:
A. What does the Wireshark string above actually mean?
B. If I have the port restricted to just my own IP under the firewall rule (scope), should the foreign IP even be getting past the Firewall (FW) settings? I thought the FW would be blocking it before it got in and that I should not see it in Wireshark.
C. What else do you recommend to enforce my security?
Thanks DW
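An added example, not part of DW's post: a capture taken on the host itself (Wireshark via Npcap) sees inbound frames before the Windows Firewall filters them, so a blocked connection attempt shows up as an inbound SYN with no SYN-ACK going back, which is exactly the pattern in the two rows above. The script below parses lines copied from the Wireshark packet list (assuming the default column order shown in the post: No., date, time, source, destination, protocol, length, info) and sorts inbound SYNs to the RDP port into "dropped" (no SYN-ACK, what you want to see for unknown IPs) and "answered", then flags any answered source that is not on the allow-list, which would mean the rule's scope is not doing its job. The two rows from the post are reused as input; the 203.0.113.7 session is constructed to represent the authorised admin IP.

```python
import re

# Matches the TCP part of Wireshark's Info column: "<sport> → <dport> [FLAGS] ..."
# Wireshark renders the arrow as "→"; "->" is accepted in case it was re-typed.
INFO_RE = re.compile(r"(?P<sport>\d+)\s*(?:→|->)\s*(?P<dport>\d+)\s*\[(?P<flags>[A-Z, ]+)\]")


def parse_summary_line(line):
    """Parse one line copied from the Wireshark packet list.

    Assumed column order: No., date, clock time, source, destination,
    protocol, length, info. Returns None for non-TCP rows (e.g. TLSv1.2 data
    after the handshake) or rows that do not match the layout.
    """
    parts = line.split(None, 7)
    if len(parts) < 8 or parts[5] != "TCP":
        return None
    info = parts[7]
    m = INFO_RE.search(info)
    if not m:
        return None
    return {
        "frame": int(parts[0]),
        "src": parts[3],
        "dst": parts[4],
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "flags": [f.strip() for f in m.group("flags").split(",")],
        "retransmission": "[TCP Retransmission]" in info,
    }


def audit_rdp_capture(lines, rdp_port, allowed_sources):
    """Classify inbound SYNs to rdp_port seen in the capture.

    Returns a dict with:
      dropped          - sources whose SYN never got a SYN-ACK (host firewall
                         discarded it; expected for IPs outside the rule scope)
      answered         - sources that did receive a SYN-ACK (a session started)
      scope_violations - answered sources that are not in allowed_sources
    """
    pkts = [p for p in (parse_summary_line(l) for l in lines) if p]
    syn_sources = set()
    synack_targets = set()
    for p in pkts:
        flags = set(p["flags"])
        # Bare SYN towards the RDP port: a connection attempt from p["src"]
        if p["dport"] == rdp_port and "SYN" in flags and "ACK" not in flags:
            syn_sources.add(p["src"])
        # SYN-ACK from the RDP port: the server accepted the attempt from p["dst"]
        if p["sport"] == rdp_port and {"SYN", "ACK"} <= flags:
            synack_targets.add(p["dst"])
    answered = sorted(syn_sources & synack_targets)
    dropped = sorted(syn_sources - synack_targets)
    violations = sorted(s for s in answered if s not in allowed_sources)
    return {"dropped": dropped, "answered": answered, "scope_violations": violations}


# Constructed sample: the two rows from the post plus a made-up legitimate
# handshake from 203.0.113.7 (a documentation address standing in for the admin IP).
SAMPLE_LINES = [
    "128868 2020-10-25 09:22:53.034068 195.54.166.116 51.xx.xxx.xxx TCP 66 [TCP Retransmission] 56259 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1",
    "367363 2020-10-25 09:34:58.729097 195.54.166.112 51.xx.xxx.xxx TCP 62 [TCP Retransmission] 51067 → 3389 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1",
    "400001 2020-10-25 09:40:00.000000 203.0.113.7 51.xx.xxx.xxx TCP 66 60000 → 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1",
    "400002 2020-10-25 09:40:00.000500 51.xx.xxx.xxx 203.0.113.7 TCP 66 3389 → 60000 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1",
]

if __name__ == "__main__":
    result = audit_rdp_capture(SAMPLE_LINES, 3389, {"203.0.113.7"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the two 195.54.166.x sources land in "dropped" and only the allowed IP is "answered", with no scope violations; if a foreign IP ever appears under "answered", the firewall scope (or a second, broader rule for the same port) needs checking. Because the SYN rows here are marked as retransmissions, the first SYN was already discarded and the sender is simply retrying.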