topic limit access to remote desktop to a range of outside IP's in Network Security

limit access to remote desktop to a range of outside IP's

byterbites — Tue, 12 Mar 2019 00:44:42 GMT

After getting hacked I want to limit terminal server/ remote desktop to only my computer. (although I may need to let other net in later)

In other words I want only computers from my home ip range (lets say my ISP gives me at home something in 28.28.XX.0) to be let in to the router at work and then to port 3389.

In the work ASA 5505 softwareVersion 7.2(4) I now have:

access-list outside_in extended permit tcp any interface outside eq 3389

static (inside, outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255

acces-group outside_in in interface outside

Can you help me with the syntax ? (I've spent hours reading on line help and cant get it clear)

Many thanks !

limit access to remote desktop to a range of outside IP's

Jouni Forss — Wed, 09 Jan 2013 00:23:28 GMT

Hi,

If you want to allow RDP (TCP/3389) connections only from certain source IP addresses (your home address) then you just configure another ACL rule

access-list outside_in extended permit tcp host 28.28.28.28 interface outside eq 3389

access-list outside_in extended permit tcp 28.28.28.0 255.255.255.0 interface outside eq 3389

The format really depends on if you have a static public IP address at home or always address from some pool.

Was there anything else you needed to configure/change on the ASA?

Please rate if the information was helpfull and/or ask more questions

- Jouni

limit access to remote desktop to a range of outside IP's

byterbites — Wed, 09 Jan 2013 01:16:05 GMT

Thanks ! Very kind of you. Looks to be working(at least I can still get in); I’ll try from another location tomorrow and hope it fails.

Is this the best method to stop these attacks ? I thought of changing the port, but a port scan just takes minutes and then they’d be back at it. I do like to get in from other locations and now of course I cant.

Two other questions come to mind:

Can you tell me how to delete the ssh user name of “pix” ? It seems silly to leave that there even with a complex password behind it.

And while I’m taking advantage of your kindness ; I assume if I wanted to create what looks like an open port or two that goes nowhere (I’m annoyed at these people) I need a static (pointing to no real inside machine) and a corresponding access-list entry ?

Re: limit access to remote desktop to a range of outside IP's

Jouni Forss — Wed, 09 Jan 2013 01:32:45 GMT

Hi,

The usual approach to securing the terminal computer is ofcourse a mix of configuring the ACL rules as tight and specific as possible. Also it naturally requires the the actual terminal computer is secured with latest updates and local firewall/etc software.

One option would be that you dont allow any connections directly from the Internet BUT configure a VPN Client connection to your firewall. This way you will first need to initiate a secure VPN Client connection to the firewall and only then you will be able to connect to the terminal computer behind the firewall. This way you would need to allow any connections from the Internet through the firewall. Atleast for the RDP connections

I guess with the PIX username you mean the default username of the PIX/ASA firewalls?

One option would be to configure local usernames/passwords and then enable the PIX to use the local AAA information for login. (Meaning the username/passwords you just created.

I'm not sure if the configuration format has changed at all but to my knowledge it would be the following

username admin password privilege 15

aaa authentication ssh console LOCAL

Naturally the SSH needs to be allowed from the correct source networks (using random example network)

ssh 28.28.28.0 255.255.255.0 outside

ssh version 2

ssh timeout 30

Or something similiar

These should make it so that when you next connect to the PIX with SSH, then the only login information accepted would be the username/password you just configured. Both the username and passwords can be anything you want.

If something would go wrong (misstyped passwords while configuring that you cant then get right), be sure to keep the original SSH management connection open to delete the AAA configurations if you cant get in anymore with new SSH connections while testing.

Regarding the ports. I dont think there is any point in configuring anything like that. Rather keep the rules for the "outside" interface and tight as possible.

I don't mind answering questions. Please do rate any helpfull information. Though now got to go sleep. over 3AM here

- Jouni