Remote Desktop using non-standard ports - issues

Good Day.

This problem just started (well, noticed it last week, but may have been going on longer).

With the Sophos VPN running from a remote PC, I could RDP to several internal servers and a workstation or two. On most, using a non-standard port number (say 41265 vice 3389). I have all the protocols, rules, etc. defined, and it had been working fine for quite a while. The servers and PCs are configured to use the non-standard port (not doing a port translation to 3389).

Now, when I try through the VPN, it will try to connect, and after putting in the logon account and password info it gives an error message that "an internal error has occurred". As a test, I put in an incorrect password and it immediately tells me "the logon attempt has failed", just what I would expect. So it is getting through the authentication stage.

If I am physically on-site and try RDP from a workstation on the same network, using the same non-standard RDP port, it works. So it looks like the issue is not with RDP on the boxes.

There is one PC and one server that are set to use the standard 3389, and through the VPN, they work.

I've gone back over all the rules and found nothing amiss. I hadn't changed anything.

Any ideas? PCs are Win 10. Mix of server versions.

John S.

  • Forgot to mention the firewall is a SG330, running latest software.

  • Hey John,

    Do you learn anything from doing #1 in Rulz?

    Cheers - Bob

  • Got the same issue on SG135, UTM 9.5. No solution so far.

    Marco

  • Same here. Possible causes:

    - a false positive caused by the current snort patterns (I assume this after reading your issue)

    - a hacker attack wave that arose some days ago, searching for a vulnerability in RDP servers

  • In reply to papa_:

    I was able to bypass the problem in Microsoft RDP Client, disabling "Use RD Gateway" in Advanced Settings

    Marco

  • In reply to jskain:

    I've been out of town, then got a cold. I saw some things in the logs. I'll copy them here. They didn't make any sense, but oh well.

  • In reply to BAlfson:

    Here is what the live monitoring shows when attempting:

    10.240.2.4 is the IP address assigned to my remote PC through the Sophos VPN client.

    The PC I'm trying to connect to is 192.168.1.200, using port 52000 as the RDP port.

    The firewall port is 192.168.1.3.

    When I try to connect, I get a logon, and if I enter an incorrect password, it will say so. If I put in the correct password, I get the warnings about "do you recognize this PC", etc., then get "an internal error has occurred". If I'm on site, I can RDP from another workstation using the 52000 port with no problems. And, as I said, this has worked for years, until recently. The remote PC and the destination PC are both Win 10.

    TCP 10.240.2.4:15216 → 192.168.1.200:52000 [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    09:55:39 Default DROP TCP 192.168.1.3:3961 → 192.168.1.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    09:55:39 Default DROP TCP 192.168.1.3:3961 → 192.168.1.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    09:55:40 Default DROP TCP 192.168.1.3:3961 → 192.168.21.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    09:55:49 Packet filter rule #30 TCP 10.240.2.4:15220 → 192.168.1.200:52000 [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc

  • In reply to jskain:

    Check the IPS log, I have seen similar cases where it triggers a signature for non-standard RDP connections. 

  • In reply to jskain:

    John, alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the lines corresponding to those above.

    Cheers - Bob

  • In reply to papa_:

    I have monitored my logs for a while now.

    It seems many people run public RDP servers on tcp/443 (to avoid restrictions in hotel and guest networks).

    This is noticed by attackers in China and Russia, and the well-known attack sources try to find RDP servers like this.

  • I tried again today, after updating to version 9.601-5 last night.

    The IPS log shows something interesting.

    The firewall log doesn't seem to show anything different from the live log.

    10.240.2.4 is the IP address assigned to my remote PC through the Sophos VPN client.

    The PC I'm trying to connect to is 192.168.1.200, using port 52000 as the RDP port.

    The firewall port is 192.168.1.3.
    Firewall external IP is 86.5.5.10.

    (The IPs have been changed to protect the innocent.)

    IPS Log

    2019:03:08-08:59:31 86.5.5.10 snort[5362]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt" group="110" srcip="10.240.2.4" dstip="192.168.1.200" proto="6" srcport="16360" dstport="52000" sid="49040" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

    Firewall Log

    08:59:22 Packet filter rule #30 TCP 10.240.2.4:16356 → 192.168.1.200:52000 [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:22 Default DROP TCP 192.168.1.3:15220 → 192.168.1.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:22 Default DROP TCP 192.168.1.3:15220 → 192.168.1.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:22 Default DROP TCP 192.168.1.3:15220 → 192.168.1.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:23 Default DROP TCP 192.168.1.3:15220 → 192.168.1.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:26 Default DROP TCP 192.168.1.3:15220 → 192.168.1.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:30 Default DROP TCP 192.168.1.3:15220 → 192.168.1.200:52000 [RST] len=40 ttl=64 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
    08:59:31 Packet filter rule #30 TCP 10.240.2.4:16360 → 192.168.1.200:52000 [SYN] len=52 ttl=127 tos=0x00 srcmac=00:1a:8c:5f:4c:fc
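
The diagnosis in the post above comes from reading the IPS line and the packet-filter lines side by side. The following is an added example, not Sophos code or anything posted in the thread: it parses the UTM key="value" IPS format and flattened packet-filter live-log entries, then ties each IPS drop to the client's SYNs for the same destination and port and to the RSTs that were sourced from the firewall's LAN address (192.168.1.3) rather than from the VPN client. The sample lines are constructed from the shapes shown in the thread; the address of the firewall interface, the 15-second window and the field names are this example's own assumptions.

```python
"""Added example: parse Sophos UTM IPS (snort) and packet-filter log lines and tie an IPS drop
to the traffic around it. Not UTM code; the parsers and the sample lines are this example's own."""
import re
from dataclasses import dataclass

# Constructed sample lines in the shapes the thread shows (the thread's sanitised addresses).
IPS_LOG = [
    '2019:03:08-08:59:31 86.5.5.10 snort[5362]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Terminal '
    'server RDP over non-standard port attempt" group="110" srcip="10.240.2.4" dstip="192.168.1.200" '
    'proto="6" srcport="16360" dstport="52000" sid="49040" class="Attempted User Privilege Gain" '
    'priority="1" generator="1" msgid="0"',
]
# Packet-filter live-log entries, flattened to one line each (constructed).
FW_LOG = [
    "08:59:22 Packet filter rule #30 TCP 10.240.2.4:16356 -> 192.168.1.200:52000 [SYN] len=52 ttl=127",
    "08:59:22 Default DROP TCP 192.168.1.3:15220 -> 192.168.1.200:52000 [RST] len=40 ttl=64",
    "08:59:23 Default DROP TCP 192.168.1.3:15220 -> 192.168.1.200:52000 [RST] len=40 ttl=64",
    "08:59:31 Packet filter rule #30 TCP 10.240.2.4:16360 -> 192.168.1.200:52000 [SYN] len=52 ttl=127",
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
FW_RE = re.compile(r"^(\d\d:\d\d:\d\d) (.+?) (TCP|UDP) (\S+):(\d+) (?:->|→) (\S+):(\d+) \[(\w+)\]")


def to_secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_ips(line):
    """Return the key="value" fields of one IPS line as a dict; 'time' is seconds since midnight."""
    head, _, rest = line.partition(": ")      # head: '2019:03:08-08:59:31 86.5.5.10 snort[5362]'
    fields = dict(KV_RE.findall(rest))
    fields["time"] = to_secs(head.split()[0].split("-")[1])
    for k in ("srcport", "dstport", "sid"):
        fields[k] = int(fields[k])
    return fields


@dataclass
class FwEvent:
    time: int
    verdict: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_fw(line):
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised packet-filter line: {line}")
    t, verdict, _proto, src, sport, dst, dport, flags = m.groups()
    return FwEvent(to_secs(t), verdict, src, int(sport), dst, int(dport), flags)


def correlate(ips_lines, fw_lines, window=15, firewall_ifaces=("192.168.1.3",)):
    """For each IPS drop, count the client's SYNs to the same service within `window` seconds and
    the RSTs to that service whose source is a firewall interface address rather than the client
    (the thread's logs show such RSTs next to the IPS drop). The (dstip, dstport) pair is the
    narrowest scope an IPS exception can be given. `firewall_ifaces` is an assumed setting."""
    fw = [parse_fw(ln) for ln in fw_lines]
    findings = []
    for ev in (parse_ips(ln) for ln in ips_lines):
        if ev["action"] != "drop":
            continue
        near = [e for e in fw if e.dst == ev["dstip"] and e.dport == ev["dstport"]
                and abs(e.time - ev["time"]) <= window]
        client_syns = [e for e in near if e.src == ev["srcip"] and e.flags == "SYN"]
        fw_rsts = [e for e in near if e.flags == "RST" and e.src in firewall_ifaces]
        findings.append({
            "sid": ev["sid"],
            "reason": ev["reason"],
            "exception_scope": (ev["dstip"], ev["dstport"]),
            "client_syns": len(client_syns),
            "firewall_sourced_rsts": len(fw_rsts),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(IPS_LOG, FW_LOG):
        print(finding)
```

Run on the constructed lines it reports one drop by SID 49040 with scope (192.168.1.200, 52000), two client SYNs and two firewall-sourced RSTs, which is the picture the post above draws by hand. Against a real UTM the same parser can be fed the full IPS log file rather than the live view, which is what the earlier reply about the abbreviated live log asks for.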

  • In reply to jskain:

    As I suspected, you will have to make an exception for that signature or that port and destination. 

  • In reply to jskain:

    Thanks all. It was the Intrusion Prevention. I put in an exception to skip Intrusion Prevention for all requests going to the internal PC's IP address and using the non-standard RDP tcp port.

    Just tried through the VPN and kicked right in.
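
The thread ends with an IPS exception scoped to one internal address and one TCP port, after an earlier reply pointed out that the signature fires on RDP to non-standard ports. The following is an added example, not Sophos or Snort code, and it does not reproduce the body of SID 49040: it builds the first packet a Microsoft RDP client sends (TPKT header, X.224 Connection Request with the mstshash routing cookie and an RDP negotiation request, as laid out in MS-RDPBCGR) and models a check that alerts on that packet only when the destination port is not 3389, plus an exception list with the same (address, port) scope the original poster used. The function names and the shape of the exception list are this example's own assumptions.

```python
"""Added example: a toy of an 'RDP over non-standard port' IPS check with a scoped exception.
Not Sophos or Snort code; the real SID 49040 rule body is not reproduced here."""
import struct

RDP_STANDARD_PORT = 3389
COOKIE_PREFIX = b"Cookie: mstshash="   # routing cookie the Microsoft client sends first (MS-RDPBCGR)


def build_x224_connection_request(username, negotiate_tls=True):
    """First client-to-server RDP packet: TPKT header + X.224 Connection Request TPDU carrying
    the mstshash cookie and an optional RDP Negotiation Request (MS-RDPBCGR 2.2.1.1)."""
    cookie = COOKIE_PREFIX + username.encode("ascii") + b"\r\n"
    neg = b""
    if negotiate_tls:
        # RDP_NEG_REQ: type 0x01, flags 0, length 8, requestedProtocols PROTOCOL_SSL (0x00000001)
        neg = struct.pack("<BBHI", 0x01, 0x00, 8, 0x00000001)
    # X.224 CR: LI, code 0xE0 (CR), DST-REF, SRC-REF, class option, then the variable part
    body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg
    x224 = bytes([len(body)]) + body
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))  # version 3, reserved, total length
    return tpkt + x224


def looks_like_rdp_connection_request(payload):
    """True when the payload is a well-framed X.224 CR whose variable part holds the mstshash cookie."""
    if len(payload) < 11 or payload[0] != 3 or payload[1] != 0:
        return False
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        return False
    li, code = payload[4], payload[5]
    if code & 0xF0 != 0xE0 or li != len(payload) - 5:
        return False
    return COOKIE_PREFIX in payload[11:]


def ips_verdict(dst_ip, dst_port, payload, exceptions=frozenset()):
    """'alert' models the thread's signature: an RDP connection request to a port other than 3389.
    `exceptions` holds (dst_ip, dst_port) pairs that skip inspection, the scope the original
    poster used; traffic to any other host or port is still inspected (assumed shape)."""
    if (dst_ip, dst_port) in exceptions:
        return "skipped"
    if dst_port != RDP_STANDARD_PORT and looks_like_rdp_connection_request(payload):
        return "alert"
    return "pass"


if __name__ == "__main__":
    pkt = build_x224_connection_request("john")
    for port in (3389, 52000):
        print(port, ips_verdict("192.168.1.200", port, pkt))
    print(52000, ips_verdict("192.168.1.200", 52000, pkt, {("192.168.1.200", 52000)}))
```

The same bytes pass on 3389 and alert on 52000, which is why the two machines left on the standard port kept working through the VPN while the rest did not, and why on-site sessions that never cross the firewall were unaffected. Keeping the exception to one destination and one port, as the poster did, leaves the signature active for every other host, including anything an attacker might stand up on a high port.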