02-23-2012 08:48 AM - edited 03-10-2019 05:37 AM
Hi guys,
I'm looking to see if anyone has any information to block repeated failed RDP requests using an IPS module in my Cisco ASA 5520. I've reviewed the article at https://supportforums.cisco.com/thread/2102624 and followed the steps.
It seems like the IPS is getting "some" but not all the attempts. I'll get notifications that x.x IP address was blocked on this signature, yet other servers repeatedly get pounded with bad RDP requests.
Anyone have a sure fire way to have the IPS inspect all traffic for bad RDP requests?
Thanks!
02-28-2012 12:58 PM
Better enable IP verify reverse-path on your ASA; then it will allow only allowed hosts.
Regards
Rajeswar
03-20-2012 10:48 AM
I'm seeing the same results you are, I'm getting some but not all of the attacks. I think there are different methods of the attack and we are seeing only one. My next step is to try and capture some of the attack while it's happening, then go through that and see what I can find for a flag. I'll update the article when I have some progress. Or private message me and I'll let you know if I find anything.
Erick
04-08-2012 11:05 PM
Unfortunately, I purchased the SSC-5 which doesn't support custom signatures. Then a glimmer of hope when I saw the signature for the RDP Morto worm. But it is not picking up the failed 'Support' logons even when it is set to 3 (from 37). I watch them come in on my OSSEC email alerts but no actions are taken on the IPS.
It would be really GREAT if there was a signature for a number of successive Failed RDP attempts in the signature database. The SSC-5 is nice, but it wasn't until post-install that I found out custom signatures were disabled. And the Morto worm is not being detected either...
Right now, I set up a PowerShell script that monitors the event logs of my Terminal Server for failed logons. After a configurable number of failed attempts, it telnets to the ASA and shuns the address. It's crude and ugly, but it works.
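The approach described in the post above (count failed logons in the Security log, then telnet to the ASA and shun the source) is easy to reconstruct. The script below is an added example written for this page, not Brent's script. It assumes Windows Server 2008 R2 or later (failed logons are event ID 4625 with an IpAddress field), PowerShell 2.0 or later, and an ASA that accepts telnet from the host running the script; the $AsaHost, $AsaPassword, $EnablePassword, $Threshold, $WindowMinutes and $TrustedNets values are placeholders you must set for your environment.

```powershell
# Added example (not the original poster's script): shun sources of repeated failed
# RDP logons on a Cisco ASA. Assumptions: event ID 4625 carries the source address in
# its IpAddress field (Server 2008 R2+), and the ASA's telnet access is permitted from
# this host. All addresses and passwords below are placeholders.
param(
    [string]$AsaHost        = '192.0.2.1',        # assumption: ASA inside-interface address
    [string]$AsaPassword    = 'line-password',    # assumption: telnet line password
    [string]$EnablePassword = 'enable-password',  # assumption: enable password
    [int]   $Threshold      = 5,                  # failures per source before shunning
    [int]   $WindowMinutes  = 10,                 # look-back window for counting
    [string[]]$TrustedNets  = @('10.0.0.', '192.168.1.')  # prefixes that are never shunned
)

# Pull recent failed logons. LogonType 10 = RemoteInteractive (a real RDP session);
# type 3 (Network) appears instead when NLA rejects the credentials before a session exists.
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue   # throws if no events match; treat that as none

$counts = @{}
foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ip        = $data['IpAddress']
    $logonType = $data['LogonType']
    # Skip events with no usable remote source (local failures log '-', '::1' or 127.0.0.1)
    # and logon types that cannot be an RDP attempt.
    if (-not $ip -or $ip -eq '-' -or $ip -eq '::1' -or $ip -eq '127.0.0.1') { continue }
    if ($logonType -ne '10' -and $logonType -ne '3') { continue }
    if ($counts.ContainsKey($ip)) { $counts[$ip]++ } else { $counts[$ip] = 1 }
}

# Minimal telnet client: sends each line and waits a moment rather than parsing prompts.
# The expected ASA sequence is: line password, 'enable', enable password, the command, 'exit'.
function Send-AsaCommands {
    param([string]$Target, [string[]]$Commands)
    $client = New-Object System.Net.Sockets.TcpClient($Target, 23)
    $writer = New-Object System.IO.StreamWriter($client.GetStream())
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true
    foreach ($c in $Commands) {
        $writer.WriteLine($c)
        Start-Sleep -Milliseconds 500   # crude pacing so the ASA has shown its next prompt
    }
    $writer.Close()
    $client.Close()
}

# Sources over the threshold that are not in a trusted prefix.
$offenders = $counts.Keys | Where-Object {
    $ip = $_
    $counts[$ip] -ge $Threshold -and -not ($TrustedNets | Where-Object { $ip.StartsWith($_) })
}

foreach ($ip in $offenders) {
    Write-Host ("{0}: {1} failed RDP logons in {2} min, shunning on {3}" -f $ip, $counts[$ip], $WindowMinutes, $AsaHost)
    # 'shun <source>' drops all traffic from that source until 'no shun <source>' or a reload.
    Send-AsaCommands -Target $AsaHost -Commands @($AsaPassword, 'enable', $EnablePassword, "shun $ip", 'exit')
}
```

Run it from a scheduled task every few minutes with the window and threshold tuned to your traffic. Two things to check before relying on it: the ASA shun table is not saved to the configuration, so shuns disappear on reload, and telnet sends both passwords in the clear, so restrict the ASA's telnet source list to this host (or move the same command sequence to SSH). On newer servers with NLA enforced, a rejected RDP attempt may log 4625 with IpAddress '-', in which case the source address has to be taken from the RemoteDesktopServices-RdpCoreTS operational log instead; confirm which of the two your server writes before trusting the counts.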
12-13-2016 01:04 PM
My apologies for resurrecting this very old thread, but I, too, am looking for a way to block IPs attempting brute-force RDP requests. Brent, if you're still around, could you provide some additional detail regarding the 'crude and ugly' PowerShell script you created?
I'd attempt to contact you via PM, but I can't seem to find that feature.
12-13-2016 01:15 PM
I don't see that feature either, Scott. I still have the PowerShell script, and it's still ugly. I wouldn't recommend it... and I've moved beyond that now personally and professionally. If you really needed it, I could pass it along to you.
Hit me up via Gmail using the prefix brent.morris - maybe I can help more?