# Revision history

Revision 4 by grahamb (https://www.wireshark.org)

### RDP attacks

Hi All

I'm new and a novice for the most part, so apologies, but I need a steer. I have Windows servers and have changed the RDP port from the standard 3389 to a different port (the sample below is using 3389). I have disabled 3389 on the Windows Firewall and created a rule for the new port which restricts access to my IP address under the firewall rule's scope. I run RDP Guard, which bans IPs after failed RDP logins. I have tested an RDP login from an authorised IP and watched it on Wireshark, and could see the TLS 1.2 handshake and connection in progress as I would have expected. So after all that, I see some attempts to connect to my new port (changed in the sample below to the normal port) from a BAD IP:

```text
128868  2020-10-25 09:22:53.034068  195.54.166.116  51.xx.xxx.xxx   TCP 66  [TCP Retransmission] 56259 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
367363  2020-10-25 09:34:58.729097  195.54.166.112  51.xx.xxx.xxx   TCP 62  [TCP Retransmission] 51067 → 3389 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
```
I have obfuscated my IP above, and there has been no visible reply from my side back to these IPs.

So my questions are:

A. What does the Wireshark string above actually mean?

B. I have the port restricted to just my own IP under the firewall rule (scope), so should the foreign IP even be getting past the Firewall (FW) settings? I thought the FW would be blocking it before getting in, and that I should not see it on Wireshark.

C. What else do you recommend to enforce my security?

Thanks DW
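The following is an added example, not part of the question above and not code from the Wireshark project: a small parser for Wireshark packet-list summary lines in the default column layout (No., Time, Source, Destination, Protocol, Length, Info) that decodes the two lines quoted in the question and then checks whether each inbound SYN to the RDP port was ever answered with a SYN+ACK. The two lines from the question are used as-is (destination obfuscated by the poster); the first two lines of the sample, showing an answered handshake from an authorised client at 203.0.113.7 (a documentation address), are constructed for contrast and are an assumption about what the poster's own successful test would look like.

```python
"""Decode Wireshark summary lines and spot unanswered SYNs to a server port."""
import re
from dataclasses import dataclass, field

# Sample capture text. Lines 1-2 are CONSTRUCTED (an answered handshake from
# a hypothetical authorised client); lines 3-4 are the ones quoted in the
# question, with the destination obfuscated as in the original post.
SAMPLE_LINES = """\
1 2020-10-25 09:00:00.000000 203.0.113.7 51.xx.xxx.xxx TCP 66 50000 → 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 2020-10-25 09:00:00.000400 51.xx.xxx.xxx 203.0.113.7 TCP 66 3389 → 50000 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM=1
128868 2020-10-25 09:22:53.034068 195.54.166.116 51.xx.xxx.xxx TCP 66 [TCP Retransmission] 56259 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
367363 2020-10-25 09:34:58.729097 195.54.166.112 51.xx.xxx.xxx TCP 62 [TCP Retransmission] 51067 → 3389 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
"""

# Default packet-list columns; the Time column may carry a date prefix.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>(?:\d{4}-\d{2}-\d{2} )?\S+)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.+)$"
)
# "56259 → 3389 [SYN, ECN, CWR]" inside the Info column (also accepts "->").
PORTS_RE = re.compile(r"(?P<sport>\d+)\s*(?:→|->)\s*(?P<dport>\d+)\s*\[(?P<flags>[A-Z, ]+)\]")
TAG_RE = re.compile(r"\[([^\]]+)\]")   # expert-analysis tags before the ports
KV_RE = re.compile(r"(\w+)=(\S+)")     # Seq=0 Win=8192 ... SACK_PERM=1


@dataclass
class Packet:
    no: int
    time: str
    src: str
    dst: str
    proto: str
    length: int
    analysis: list = field(default_factory=list)  # e.g. ["TCP Retransmission"]
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)       # e.g. {"SYN", "ECN", "CWR"}
    options: dict = field(default_factory=dict)   # e.g. {"MSS": "1460", ...}


def parse_line(line: str) -> Packet:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised packet-list line: {line!r}")
    pkt = Packet(int(m["no"]), m["time"], m["src"], m["dst"], m["proto"], int(m["length"]))
    info = m["info"]
    pm = PORTS_RE.search(info)
    if pkt.proto == "TCP" and pm:
        pkt.analysis = TAG_RE.findall(info[: pm.start()])
        pkt.sport, pkt.dport = int(pm["sport"]), int(pm["dport"])
        pkt.flags = {f.strip() for f in pm["flags"].split(",")}
        pkt.options = dict(KV_RE.findall(info[pm.end():]))
    return pkt


def parse_capture(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def explain(pkt: Packet) -> str:
    """Plain-English reading of one TCP summary line."""
    parts = [f"frame {pkt.no}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"]
    if "SYN" in pkt.flags and "ACK" not in pkt.flags:
        parts.append("SYN without ACK = a client asking to open a new connection")
    elif {"SYN", "ACK"} <= pkt.flags:
        parts.append("SYN+ACK = the server accepted the handshake")
    if {"ECN", "CWR"} <= pkt.flags:
        parts.append("ECN/CWR set = client offers explicit congestion notification")
    if "TCP Retransmission" in pkt.analysis:
        parts.append("retransmission = an earlier SYN got no answer, so the client sent it again")
    if pkt.options.get("Len") == "0":
        parts.append("Len=0 = no payload, only handshake options (MSS, window scale, SACK)")
    return "; ".join(parts)


def classify_syns(packets: list, server_port: int) -> dict:
    """Split inbound SYNs to server_port into answered and unanswered.

    A SYN counts as answered when the capture also contains a SYN+ACK from
    server_port back to the same client address and port.
    """
    replies = {
        (p.dst, p.dport, p.src, p.sport)
        for p in packets
        if p.proto == "TCP" and p.sport == server_port and {"SYN", "ACK"} <= p.flags
    }
    result = {"answered": [], "unanswered": []}
    for p in packets:
        if p.proto != "TCP" or p.dport != server_port or "SYN" not in p.flags or "ACK" in p.flags:
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        result["answered" if key in replies else "unanswered"].append(p.src)
    return result


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_LINES)
    for p in pkts:
        print(explain(p))
    print(classify_syns(pkts, 3389))
```

The unanswered-SYN check is the signal worth watching for on a host that captures its own traffic: Wireshark on the server sees inbound frames at the capture-driver layer, below the Windows Firewall, so a packet the firewall rule drops still shows up in the capture; what the drop removes is the SYN+ACK reply, which is exactly what the question describes (repeated SYNs from the remote address, nothing sent back).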