Intrusion Prevention alert: MS Windows RDP over non-standard port attempt

Hi guys,

I got three mails from my UTM with this content:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt
Details........: www.snort.org/search?query=49040
Time...........: 2019-09-13 13:30:36
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 45.136.108.25
Source port: 836
Destination IP address: Internal_address_of_my_server
Destination port: 9901

The first attack from the same source IP (iptracker.org says it's a German IP, but nothing else) was against port 80 on another server facing the internet (but not on port 80). The second attack was against port 9901 on a second server (see above) and the third one was on destination port 5060 (SIP port) on one of my Wifi routers, which is also responsible for our landline phone. I looked up the link given in the mail and found this:

An attacker can get access to several devices using a compromised Windows computer that is located behind a Firewall that allows RDP access (configured previously by the Firewall administrator) to that computer. The attacker can force the victim computer to forward RDP requests to other internal computers or servers in an attempt to move laterally inside the victim network.

Now I'm asking if there is some sort of vulnerability in my firewall and, if the attacker is able to specifically attack my servers facing the internet, why and how he got that information.

To be more clear, I'm asking if this is only a notification that the firewall blocked this attack, or if I have a vulnerability regarding this type of attack.

BTW, the attacked servers are non-Windows machines, I have no Windows RDP on any of my Windows machines. And of course not for remote access.

Since the attacks came from one single IP, I followed this "tutorial" to set up DNAT to a blackhole and a firewall rule to block everything from specific IPs:
community.sophos.com/.../utm-9-block-specific-ip

Port 3389 is of course not open in the firewall.

Is there anything else I can do?

Thank you very much for your help!

Flo



  • You can simply change the port and use RDP for those ports. 

    RDP is the protocol and is not bound to any kind of port. The default port is 3389, but actually you can simply use other ports. 

    So an attacker might use a port scanner and try to find open ports; open ports will be used for attempting RDP attacks. 

    As you know, RDP is highly vulnerable, so it would be attractive to attack, if open. Most of those forum posts are older, so "pre RDP issue".

    https://nakedsecurity.sophos.com/2019/07/01/rdp-bluekeep-exploit-shows-why-you-really-really-need-to-patch/ 

    https://security.stackexchange.com/questions/90175/detecting-rdp-on-non-standard-ports

    It is simple math. If you check for other ports, you might find an open RDP port and can abuse it. 

    https://serverfault.com/questions/12005/what-port-should-i-open-to-allow-remote-desktop

    __________________________________________________________________________________________________________________
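    The point above is that RDP is recognised by what the client sends, not by the port it arrives on. As an added illustration (not code from this thread, from Sophos or from the Snort rule referenced in the alert), the check below looks at the first bytes of a TCP payload for the TPKT header plus X.224 Connection Request that opens every RDP session (MS-RDPBCGR, section 2.2.1.1) and flags it regardless of destination port. The sample payloads and addresses are constructed; this is a simplified content check for explanation, not the detection logic of Snort rule 49040.

```python
"""Port-independent spotting of RDP connection requests (added example)."""

# --- constructed sample payloads --------------------------------------------
# Every RDP session starts with a TPKT header (RFC 1006: version 3, reserved 0,
# 16-bit length) carrying an X.224 Connection Request (LI byte, then 0xE0).
def build_rdp_connection_request(cookie_user=None, negotiate=True):
    """Build a well-formed X.224 Connection Request like a mstsc client sends
    (constructed test data, not a captured packet)."""
    x224 = bytes([0x00, 0x00, 0x00, 0x00, 0x00])  # DST-REF, SRC-REF, class option
    if cookie_user:
        x224 += b"Cookie: mstshash=" + cookie_user.encode() + b"\r\n"
    if negotiate:
        # RDP Negotiation Request: type 1, flags 0, length 8, PROTOCOL_RDP (0)
        x224 += bytes([0x01, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])
    li = 1 + len(x224)                      # LI counts the 0xE0 code byte too
    tpdu = bytes([li, 0xE0]) + x224
    tpkt_len = 4 + len(tpdu)
    return bytes([0x03, 0x00]) + tpkt_len.to_bytes(2, "big") + tpdu


# --- detection ------------------------------------------------------------------
def looks_like_rdp_connection_request(payload):
    """True when the payload is a TPKT-framed X.224 Connection Request,
    i.e. the first message of an RDP session, whatever the TCP port."""
    if len(payload) < 11:                      # shortest possible CR is 11 bytes
        return False
    if payload[0] != 0x03 or payload[1] != 0x00:   # TPKT version / reserved
        return False
    tpkt_len = int.from_bytes(payload[2:4], "big")
    if tpkt_len != len(payload):               # framing must be consistent
        return False
    li, code = payload[4], payload[5]
    if code != 0xE0:                           # X.224 CR TPDU code
        return False
    return li + 5 == tpkt_len                  # 4 TPKT bytes + LI byte + LI


def flag_rdp_flows(flows):
    """Return (src, dst_port) of flows whose first client bytes look like an
    RDP Connection Request; the port is reported but never used to decide."""
    return [(f["src"], f["dst_port"]) for f in flows
            if looks_like_rdp_connection_request(f["payload"])]


# Constructed flows: an RDP client on 9901 and on 3389, HTTP on 80, SIP on 5060.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst_port": 9901,
     "payload": build_rdp_connection_request(cookie_user="flo")},
    {"src": "198.51.100.7", "dst_port": 3389,
     "payload": build_rdp_connection_request()},
    {"src": "198.51.100.9", "dst_port": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: weather.example\r\n\r\n"},
    {"src": "198.51.100.9", "dst_port": 5060,
     "payload": b"INVITE sip:100@example SIP/2.0\r\n"},
]

if __name__ == "__main__":
    for src, port in flag_rdp_flows(SAMPLE_FLOWS):
        print(f"RDP connection request from {src} to port {port}")
```

    The same check would also reject a truncated or inconsistently framed TPKT header, which is why the length fields are compared rather than only the two leading bytes.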

  • Thank you for your answer Lucar Toni.

    I don't want to use RDP, I have no ports open for RDP and I haven't set it up on any of the machines in my network. I also restricted the access to my devices to my LAN and my VPN network, so if everything else failed, this should be my last layer of security, right?

    Is there anything else I can do in addition to blacklisting the source IP?

  • A weather station for your village? - Great idea, Flo!

    If you use one of the free dynamic DNS services, you can make the certificate for an FQDN instead of a numeric IP and your village can use that instead of a fixed IP.

    I use FreeDNS and they have a Windows client that updates an FQDN for the device, so you could create an FQDN for your dad, uncle and dance partner.  Then, you can create a DNS Host in the UTM for each of them and use the NoNAT approach with a Network Group containing those objects.  If you have a laptop you use from other places, just make an FQDN for it and add the DNS Host to the Network Group.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yes, our village is full of farmers, so the weather plays an important role, and questions like "How much rain did we have since yesterday?" or "How was the weather last year at that time?" I can now easily answer. And I like the software weewx and the layout of the webpage, but that's another story. :D Ok, and my grandpa recorded the weather every day by hand for 40-50 years and also drew graphs. Now I hope to get a weather archive which is similarly big. ;)

    Actually I have a FQDN, I got my domain from Strato, so the people in my village have access to the weather station over a FQDN, which is easy to remember. Even with some beer. :D

    Ok, I think I understand in principle what you mean, but what if I want to share something from my DS with others? Do I then need my own FQDN for this?

     

    Flo

  • Hi Bob,

    Unfortunately the utm blocked another attack from that IP on the webserver of the weather station. Actually I feel a bit helpless, because I cannot just block this stupid a****** like I can do with my DS. Why is there no option that I can block everything from a certain IP address?

    But does rule number 2 mean that, if the attack is not recognized by the Intrusion Prevention, the blackhole DNAT and the firewall rule will ensure that he will be blocked?

    Cheers

    Flo

  • It doesn't make sense that a blackhole DNAT doesn't stop everything, so your Traffic Selector must be wrong - many beginners make the mistake of using "External (Network)" for the Source instead of the "Internet IPv4" object.  "External (Network)" only includes the IPs in the subnet defined on the External interface.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ok, I have to admit that I didn't notice that the attacks actually came from two different IPs and I had blocked only one (of course not the one which attacked this morning). In my defense, they differ only in the last digit, X.Y.Z.29 and X.Y.Z.25. When I noticed that, I created a host which is part of the Blocked IP group.

    To make sure I set up everything right, I will tell you what I've done:

    1. Creation of a network group called Block IPs

    2. Creation of a Host called Blackhole with IPv4 address 240.0.0.0

    3. Creation of a DNAT rule: Position 1, DNAT, source: Block IPs, service: Any, destination: WAN (Address), change destination in: Blackhole

    4. Creation of a Firewall rule: Position: top, source: Block IPs, service: Any, destination: Any, action: drop

    5. Creation of a host called Block IP1 with the IPv4 address I want to block. I did this also for the second host.

    6. Add these two hosts to network group Block IPs.

     

    Is it correct like that?

     

    Cheers

    Flo
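    Two things in this exchange are easy to get wrong and easy to check: Bob's warning that a source selector of "External (Network)" only covers the subnet on the External interface (so a blackhole DNAT built that way catches nothing from the internet), and Flo's discovery that a second source IP differing only in the last octet slipped past a "Block IPs" group holding one host. The script below is an added example, not code from this thread or from Sophos: it parses alert mails in the format quoted in the first post, groups the sources by /24 so near-identical addresses are seen together, and evaluates which sources a DNAT rule with a given source selector would redirect. The object names mirror the WebAdmin objects named in the thread, but the matching is a simplified model, not the UTM's own logic. 45.136.108.25 is the IP from the first post; 45.136.108.29, the destination addresses and the External subnet are constructed values.

```python
"""Added example: parse UTM IPS alert mails and check a blackhole DNAT's reach."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts in the mail layout quoted in the first post.
# 45.136.108.29 mirrors the thread's "X.Y.Z.29" and is constructed; the
# destination addresses are RFC 5737 documentation addresses.
ALERTS = [
    """Message........: OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt
Details........: www.snort.org/search?query=49040
Time...........: 2019-09-13 13:30:36
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 45.136.108.25
Source port: 836
Destination IP address: 192.0.2.10
Destination port: 9901
""",
    """Message........: OS-WINDOWS Microsoft Windows Terminal server RDP over non-standard port attempt
Details........: www.snort.org/search?query=49040
Time...........: 2019-09-14 08:02:11
Packet dropped.: yes
Priority.......: high
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)

Source IP address: 45.136.108.29
Source port: 1042
Destination IP address: 192.0.2.20
Destination port: 80
""",
]

# "Key......: value" lines: letters/spaces, dot padding, colon, value.
FIELD_RE = re.compile(r"^([A-Za-z ]+?)\.*\s*:\s*(.+?)\s*$", re.MULTILINE)
INT_FIELDS = {"source_port", "destination_port"}


def parse_alert(text):
    """Turn one alert mail body into a dict with normalised keys."""
    alert = {}
    for key, value in FIELD_RE.findall(text):
        name = key.strip().lower().replace(" ", "_")
        alert[name] = int(value) if name in INT_FIELDS else value
    # The Snort rule id (SID) only appears inside the Details URL.
    m = re.search(r"query=(\d+)", alert.get("details", ""))
    alert["sid"] = m.group(1) if m else None
    alert["source_ip"] = alert.pop("source_ip_address")
    alert["destination_ip"] = alert.pop("destination_ip_address")
    return alert


def net(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Simplified model of the WebAdmin objects named in the thread (constructed).
OBJECTS = {
    "Internet IPv4": net("0.0.0.0/0"),
    "External (Network)": net("203.0.113.0/24"),   # only the WAN subnet itself
    "Block IPs": net("45.136.108.25/32"),           # group with one host object
}


def selector_matches(ip, selector):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in selector)


def caught_by_blackhole(alerts, source_object, objects=OBJECTS):
    """Sources a DNAT rule with this source selector would send to Blackhole."""
    selector = objects[source_object]
    return sorted({a["source_ip"] for a in alerts
                   if selector_matches(a["source_ip"], selector)})


def missed_sources(alerts, source_object, objects=OBJECTS):
    """Sources seen in the alerts that the same rule would not touch."""
    seen = {a["source_ip"] for a in alerts}
    return sorted(seen - set(caught_by_blackhole(alerts, source_object, objects)))


def sources_by_prefix(alerts, prefixlen=24):
    """Group alert sources by /prefixlen so .25 and .29 show up side by side."""
    groups = defaultdict(set)
    for a in alerts:
        iface = ipaddress.ip_interface(f"{a['source_ip']}/{prefixlen}")
        groups[str(iface.network)].add(a["source_ip"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    parsed = [parse_alert(t) for t in ALERTS]
    for a in parsed:
        print(a["time"], a["source_ip"], "->", a["destination_ip"],
              a["destination_port"], "SID", a["sid"])
    print("grouped:", sources_by_prefix(parsed))
    for obj in ("External (Network)", "Block IPs", "Internet IPv4"):
        print(f"{obj}: catches {caught_by_blackhole(parsed, obj)}, "
              f"misses {missed_sources(parsed, obj)}")
```

    Running it shows "External (Network)" catching nothing, "Block IPs" catching .25 but missing .29 until a second host object is added to the group, and the /24 grouping surfacing both sources in one line, which is the check that would have caught the mistake in the post above earlier.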

  • That's it, Flo.  The firewall rule is redundant - just do an automatic rule in the DNAT so that there's no default block registered in the Firewall log.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ok, thank you. 

    Just for my understanding, my "layers" of security are then:

    1. Country-Blocking

    2. IPS

    3. DNAT

    4. Firewall rules (UTM)

    5. Firewall rules and further hardenings on the server (if applicable)

     

    Is that correct? And is it sufficient for this small webserver?



    BTW, I decided to set up the UTM as an additional hardening for the weather station. I went from setting up a DMZ, via Edgerouter X/Mikrotik Hex router, to pfSense/IPFire and of course the UTM. 


    Thank you for your help Bob!

    Flo

  • I think that for Anti-DoS/Flooding and Anti-Portscan, IPS comes before DNATs, but that Snort Attack Patterns comes after.  It sounds like you're way ahead of what even some businesses do, Flo!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ok.
    That's good to hear; hopefully I didn't make any mistake and make myself vulnerable. But a Golismero scan under Kali Linux (yes, I did some pentesting with Kali before I released the weather station to the public :D) said that it found no vulnerability; I think that doesn't sound too bad.

     

    One last question: what should I do with the webserver protection and the renewal of the certificate when I get a new public IP?

     

    Flo

  • Use a free dynamic DNS service and make the certificate for the FQDN instead of your current numeric IP.  The UTM automatically updates the IP to which the FQDN resolves.  PM me the URL of your weather station and I'll make a more-specific recommendation.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA