
Intrusion Prevention alert: MS Windows RDP over non-standard port attempt

Hi guys,

I got three mails from my UTM with this content:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt
Details........: www.snort.org/search?query=49040
Time...........: 2019-09-13 13:30:36
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 45.136.108.25
Source port: 836
Destination IP address: Internal_address_of_my_server
Destination port: 9901

The first attack from the same source IP (iptracker.org says it's a German IP, but nothing else) was against port 80 on another internet-facing server (which does not listen on port 80). The second attack was against port 9901 on a second server (see above), and the third one was on destination port 5060 (the SIP port) on one of my Wifi routers, which also handles our landline phone. I looked up the link given in the mail and found this:

An attacker can get access to several devices using a compromised Windows computer that is located behind a Firewall that allows RDP access (configured previously by the Firewall administrator) to that computer. The attacker can force the victim computer to forward RDP requests to other internal computers or servers in an attempt to move laterally inside the victim network.

Now I'm asking whether there is some sort of vulnerability in my firewall and, if the attacker is able to specifically attack my internet-facing servers, why and how he got that information.

To be clearer: I'm asking whether this is only a notification that the firewall blocked the attack, or whether I have a vulnerability to this type of attack.

BTW, the attacked servers are non-Windows machines, and I have RDP enabled on none of my Windows machines, and certainly not for remote access.

Since the attacks came from a single IP, I followed this "tutorial" to set up a DNAT to a blackhole and a firewall rule to block everything from specific IPs:
community.sophos.com/.../utm-9-block-specific-ip

Port 3389 is of course not open in the firewall.

Is there anything else I can do?

Thank you very much for your help!

Flo



  • You can simply change the port and use RDP on that port.

    RDP is the protocol and is not bound to any particular port. The default port is 3389, but you can simply use other ports.

    So an attacker might use a port scanner to find open ports; open ports will then be used for attempted RDP attacks.

    As you know, RDP is highly vulnerable, so it would be attractive to attack if open. Most of those forum posts are older, so "pre RDP issue".

    https://nakedsecurity.sophos.com/2019/07/01/rdp-bluekeep-exploit-shows-why-you-really-really-need-to-patch/ 

    https://security.stackexchange.com/questions/90175/detecting-rdp-on-non-standard-ports

    It is simple math. If you check other ports, you might find an open RDP port and can abuse it.

    https://serverfault.com/questions/12005/what-port-should-i-open-to-allow-remote-desktop

    __________________________________________________________________________________________________________________
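The alert in the original post and the reply above both turn on the same point: "RDP over non-standard port" is decided by what the first client packet contains, not by whether the destination port is 3389. As an added illustration (not code from this thread, from Sophos UTM or from Snort), the following Python shows that idea. It checks for the two things that open every RDP connection: a TPKT header (RFC 1006) carrying an X.224 Connection Request TPDU (code 0xE0), as laid out in MS-RDPBCGR section 2.2.1.1. The matching logic of the real Snort rule (SID 49040) is not reproduced here and is assumed to differ in its details; the flows, addresses (RFC 5737 documentation space, not the IP in the post) and cookie value are constructed sample input.

```python
import struct
from typing import List, Tuple

RDP_STANDARD_PORT = 3389


def is_rdp_connection_request(payload: bytes) -> bool:
    """Return True if `payload` looks like the first client message of an RDP
    session: a TPKT header (RFC 1006) carrying an X.224 Connection Request
    (TPDU code 0xE0), per MS-RDPBCGR section 2.2.1.1.
    The destination port is deliberately not an input: that is the point."""
    # TPKT header (4 bytes) + X.224 LI byte + minimal CR TPDU body (6 bytes)
    if len(payload) < 11:
        return False
    version, reserved = payload[0], payload[1]
    (tpkt_len,) = struct.unpack("!H", payload[2:4])
    if version != 3 or reserved != 0 or tpkt_len != len(payload):
        return False
    x224_li, x224_code = payload[4], payload[5]
    # Upper nibble 0xE = Connection Request; lower nibble is the credit field.
    if x224_code & 0xF0 != 0xE0:
        return False
    # LI counts the bytes after the LI byte; a CR needs at least code(1),
    # dst-ref(2), src-ref(2), class(1), and must fit inside the TPKT.
    if x224_li < 6 or 5 + x224_li > len(payload):
        return False
    return True


def classify(dst_port: int, payload: bytes) -> str:
    """Label a flow by its first client packet and its destination port."""
    if not is_rdp_connection_request(payload):
        return "not-rdp"
    if dst_port == RDP_STANDARD_PORT:
        return "rdp-standard-port"
    return "rdp-non-standard-port"


def build_rdp_connection_request(cookie: bytes = b"Cookie: mstshash=admin\r\n") -> bytes:
    """Construct an X.224 Connection Request the way mstsc-style clients send
    it: routing cookie plus an RDP Negotiation Request (TYPE_RDP_NEG_REQ = 1,
    little-endian length 8, requested protocols TLS|CredSSP|CredSSP-EX).
    Used here only as constructed sample input."""
    neg_req = bytes([0x01, 0x00]) + struct.pack("<H", 8) + struct.pack("<I", 0x0000000B)
    x224_body = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + cookie + neg_req
    x224 = bytes([len(x224_body)]) + x224_body
    tpkt = bytes([0x03, 0x00]) + struct.pack("!H", 4 + len(x224))
    return tpkt + x224


def scan_flows(flows: List[Tuple[str, int, bytes]]) -> List[str]:
    """Return one alert line per flow whose first client packet is an RDP
    Connection Request sent to a port other than 3389."""
    alerts = []
    for src, dst_port, payload in flows:
        if classify(dst_port, payload) == "rdp-non-standard-port":
            alerts.append(f"RDP connection request from {src} to port {dst_port}")
    return alerts


if __name__ == "__main__":
    # Constructed sample flows, mirroring the three ports named in the post.
    sample_flows = [
        ("192.0.2.25", 80, b"GET / HTTP/1.1\r\nHost: weather.example\r\n\r\n"),
        ("192.0.2.25", 9901, build_rdp_connection_request()),
        ("192.0.2.25", 5060, b"INVITE sip:100@example SIP/2.0\r\n\r\n"),
        ("192.0.2.29", 3389, build_rdp_connection_request(b"Cookie: mstshash=flo\r\n")),
    ]
    for line in scan_flows(sample_flows):
        print(line)
```

Two things the example makes concrete. First, the 9901 flow is flagged although nothing RDP-related runs on that port: a scanner that speculatively sends an RDP Connection Request to every open port produces exactly this alert, which is why the OP sees it against non-Windows hosts. Second, moving an RDP listener to another port gains nothing against content-based inspection, since the detection never looks at the port to decide what the protocol is.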

  • Thank you for your answer Lucar Toni.

    I don't want to use RDP, I have no ports open for RDP and I haven't set it up on any of the machines in my network. I also restricted the access to my devices to my LAN and my VPN network, so if everything else fails, this should be my last layer of security, right?

    Is there anything else I can do in addition to blacklisting the source IP?

  • Hallo Maginos and welcome to the UTM Community!

    That's a pretty broad question - I think an experienced UTM configurer could poke around in your configuration and make some more suggestions than what I'll make here.

    To the extent that your Internet-facing servers are webservers, you will want to use Webserver Protection instead of DNATs.  See #2 in Rulz (last updated 2019-04-17) to understand that your blackhole DNAT will still take precedence over Webserver Protection.

    If you must use DNATs, but only a limited number of public IPs are allowed to reach them, create a NoNAT rule for those IPs and follow it with a DNAT that blackholes all traffic from the Internet.

    If access is only for internal users when they're out of the office, have them access via SSL VPN Remote Access.

    If the access is only for a few contractors that need occasional access, consider the HTML5 VPN.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    I'm glad you answered. I hoped that at least the god of Sophos software would reply to my question if no one else could help me. :D

    My open ports are not only for webservers, but also for Synology DSM, Calendar, VPN and of course the SIP and telephone ports. I already use Webserver Protection for the public webserver, where my weather station is and which I share with all the people of my village. My problem with Webserver Protection is that I have to get a certificate which, afaik, is only valid for one public IP. So when I restart the UTM, I get a new public IP, but unfortunately the certificate doesn't change its IP, so I have to get a new one. Unfortunately I had to restart the UTM a few times in the last week, so I didn't update the certificate for Webserver Protection... Is there any way to update the certificate's IP automatically? And do you think I should also set up Webserver Protection for DSM and Photo Station (which is also a webserver)? I'm very new to this stuff, so I'm not that familiar with it. I don't have a static public IP and I don't want to pay an additional fee for a static IPv4 (we already have to pay an extra fee for getting a public IPv4).


    I need DNATs, because we don't want to use the VPN from outside every time we want to connect to the Diskstations. Right now, I use the VPN mostly for SSH access to my internal servers, so that I don't have to open SSH ports in the firewall.

    Basically everyone is allowed to access my public webserver with the weather station; for all other services only my dad, my uncle, my dance partner and I are allowed to use them from all of our devices. So I don't have control over their public IPs.

    As I said, right now I use the SSL VPN mostly for SSH connections to my Linux servers, but I hope I can finish my projects soon and won't need it very often in the future. :D And of course we use the SSL VPN in hotels, where the firewall rules for outgoing connections are not that restrictive (port 443 is already blocked by the webserver, I think you know the struggle. ;))

    I think, I will have a look at HTML5 VPN.

    I hope everything is clearer now; if not, please tell me. ;)

    Cheers 
    Flo

  • A weather station for your village? - Great idea, Flo!

    If you use one of the free dynamic DNS services, you can make the certificate for an FQDN instead of a numeric IP and your village can use that instead of a fixed IP.

    I use FreeDNS and they have a Windows client that updates an FQDN for the device, so you could create an FQDN for your dad, uncle and dance partner.  Then, you can create a DNS Host in the UTM for each of them and use the NoNAT approach with a Network Group containing those objects.  If you have a laptop you use from other places, just make an FQDN for it and add the DNS Host to the Network Group.

    Cheers - Bob

  • Yes, our village is full of farmers, so the weather plays an important role, and I can now easily answer questions like "How much rain have we had since yesterday?" or "What was the weather like last year at this time?". And I like the weewx software and the layout of the webpage, but that's another story. :D Oh, and my grandpa recorded the weather by hand every day for 40-50 years and also drew graphs. Now I hope to build a weather archive that is similarly big. ;)

    Actually I have an FQDN; I got my domain from Strato, so the people in my village have access to the weather station over an FQDN, which is easy to remember. Even after some beer. :D

    Ok, I think I understand in principle what you mean, but what if I want to share something from my DS with others? Do I need a separate FQDN for that?

    Flo

  • Hi Bob,

    Unfortunately the UTM blocked another attack from that IP on the webserver of the weather station. Actually I feel a bit helpless, because I cannot just block this stupid a****** like I can with my DS. Why is there no option to block everything from a certain IP address?

    But does rule number 2 mean that, if the attack is not recognized by the Intrusion Prevention, the blackhole DNAT and the firewall rule will ensure that he is blocked?

    Cheers

    Flo

  • It doesn't make sense that a blackhole DNAT doesn't stop everything, so your traffic selector must be wrong. Many beginners make the mistake of using "External (Network)" for the Source instead of the "Internet IPv4" object: "External (Network)" only includes the IPs in the subnet defined on the External interface.

    Cheers - Bob

  • Ok, I have to admit that I didn't notice that the attacks actually came from two different IPs, and I had blocked only one (of course not the one which attacked this morning). In my defense, they differ only in the last digit, X.Y.Z.29 and X.Y.Z.25. When I noticed that, I created a host which is part of the Blocked IP group.

    To make sure I set everything up right, I will tell you what I've done:

    1. Creation of a network group called Block IPs

    2. Creation of a Host called Blackhole with IPv4 address 240.0.0.0

    3. Creation of a DNAT rule: Position 1, DNAT, source: Block IPs, service: Any, destination: WAN (Address), change destination in: Blackhole

    4. Creation of a Firewall rule: Position: top, source: Block IPs, service: Any, destination: Any, action: drop

    5. Creation of a host called Block IP1 with the IPv4 address I want to block. I did this also for the second host.

    6. Add these two hosts to network group Block IPs.


    Is it correct like that?


    Cheers

    Flo

  • That's it, Flo. The firewall rule is redundant: just use an automatic firewall rule in the DNAT so that there's no default block registered in the Firewall log.

    Cheers - Bob
