cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

6287
Views
0
Helpful
11
Replies
nyein chan tun
Beginner

How to prevent Brute force attack to RDP server in Cisco ASA5520

Dear all expert,

Please advise me how to prevent brute force attack to local RDP server in  cisco ASA5520. Attack source IP are dynamic IP.  Do I need to create acl ? how can I configure for that ? Please advise me asap, because I got a lot of attack.

Thanks all

11 REPLIES 11
Shrikant Sundaresh
Cisco Employee

An access-list would only be useful, if only particular ip addresses are trying the brute force attack;

OR, if only particular subnets are allowed to connect to the RDP server.

That way you can deny those particular ip's, or allow only the allowed subnets, respectively.

But I doubt either would be the case.

Are attackers trying to guess passwords to remote desktops? Hack into the server?

A bit more detail on the nature of the attack, might help in coming up with a solution.

-Shrikant

Should I use " shun " instead of access list ?

Thanks

As an alternative you can also look at configuring connection limits where you can set the maximum number of simultaneous TCP and/or UDP connections that are allowed. See below a reference guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_connlimits.html

Please remember to rate all posts that are helpful.

nyein chan tun
Beginner

Attackers are attack from different locations with different IP within 10 mins to try access

to RDP server which are open RDP with public IP .

So I can't use accesslist to block attacker's IP. within 1 days they use serveral IP from any where, after block accesslist to them, next time come out.

What should I do to prevent it? Do I need to upgrade hardware module ? Any Idea to change dynamic port for RDP server?

I need to open RDP for internal server to access our branch to HQ. And if we use VPN, connections was too slow and no choice to use RDP.

Thanks for all your suggestions.

Hi,

You mentioned that you need to open RDP to the internal server, so the HQ can access your branch site.

Why not use an access-list to limit only the HQ public ip addresses to acces your RDP server?

That way others from the internet will have no access, and cannot do a brute force attack.

-Shrikant

Thanks Shrikant,

            your suggestion is useful. But some of our users are moblie and need to access RDP from anywhere to HQ. So How should I do for that ? They don't want to use of VPN bcoz of speed so slow. So I need to give permit to dynamic IP, maybe If I change RDP port to some number, attacker can still send brute force attack to my RDP ? What should I do ?

Thanks,

Chan

Changing to a different outside port would help, since the attackers (hopefully) won't be able to figure out (easily) the random port you choose.

The ASA would drop all connections to the old port, since it will no longer be allowed in the outside access-list.

Let me know if it helps.

-Shrikant

To figure out the new random port, the attackers would have to scan all the ports to figure out which one is open.

So configuring scanning threat-detection along with changing the port will also help.

threat-detection scanning-threat shun duration 86400   (causes any ip caught scanning to be shunned for 1 day)

threat-detection rate scanning-threat rate-interval X average-rate Y burst-rate Z

X(seconds) = time over which to calculate Y. Z is calculated over X/30.

Y(pkts/sec) = average drop rate of scan packets over X seconds

Z(pkts/sec) = average drop rate of scan packets over X/30 seconds

So if an IP address causes packet drops in excess of Y or Z in their respective time durations, it would be shunned for a day. The shun duration can be set between 10 and 2592000 seconds.

-Shrikant

Thanks Shrikant,

            I configure random port for RDP and it's seem prevent to brute force. I will configure threat detection on ASA5200.

Thanks a lot your valuable advise.

Chan

Hi Chan,

Great to know that the brute force attack has stopped. The scanning threat detection should prevent it from coming up again anytime soon.

-Shrikant

P.S.: Please mark the thread resolved, if you feel that the question has been anwered satisfactorily. Do rate helpful posts.

Joseph Tolbert
Beginner

Why not remove the Public RDP access, and let the users connect via VPN, and restrict their protocols to RDP only to the destination servers?  This accomplishes several things.

1) removes the risk of internet rdp attacks

2) secures the communication during transport

3) only specified users, instead of subnets, have access

 

This is standard practice for all of our users where I work.  IP access via VPN is rare, most often we only allow RDP via VPN.  This protects us from infected home users when they vpn to work.

 

Rob