Hello, today I realized that someone has been trying to brute force my RDP server for a few days.
So I switched off the NAT rule for RDP.
Still the attack keeps going on, the UTM does its work and drops the packets. Since I am getting attacked from multiple IP addresses, is there any way to stop this?
Or do I just have to wait until the attacker stops?
Thank you for your thoughts!
Sophos offers a service to assist you with those attacks.
#1 - NEVER use NAT for a service such as RDP. Set up a VPN with 2FA for accessing a dangerous internal service such as this. I personally feel anyone who has RDP available publicly should be whipped with a wet noodle. Just no.. no no no no no. Good on you for turning it off, now never ever turn that on again.
#2 - Your firewall is doing its job, though you can create an IP group where you collect all these IP addresses, put it at the top of your firewall rules as a drop rule, or a NAT to blackhole (non-existent IP address). See #2 community.sophos.com/.../rulz
#3 - Also consider looking up the various IP addresses in GeoIP to see if they are consistently from another country that you can consider blocking, though the 13.64 addresses seem to be in the USA.
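
Added example, not part of the posts above: one way to build the IP group suggested in #2 from the firewall's drop log, listing a whole /24 only when several distinct hosts in it were seen. The log lines are constructed, and the key="value" layout, the field names and both function names are assumptions to adapt to your own export.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines; the key="value" layout and field names are assumed.
SAMPLE_LOG = '''\
08:00:01 action="drop" srcip="203.0.113.10" dstip="192.0.2.1" dstport="3389"
08:00:02 action="drop" srcip="203.0.113.10" dstip="192.0.2.1" dstport="3389"
08:00:03 action="drop" srcip="203.0.113.11" dstip="192.0.2.1" dstport="3389"
08:00:04 action="drop" srcip="203.0.113.11" dstip="192.0.2.1" dstport="3389"
08:00:05 action="drop" srcip="203.0.113.77" dstip="192.0.2.1" dstport="3389"
08:00:06 action="drop" srcip="203.0.113.77" dstip="192.0.2.1" dstport="3389"
08:00:07 action="drop" srcip="198.51.100.7" dstip="192.0.2.1" dstport="3389"
08:00:08 action="drop" srcip="198.51.100.7" dstip="192.0.2.1" dstport="3389"
08:00:09 action="drop" srcip="192.0.2.50" dstip="192.0.2.1" dstport="3389"
08:00:10 action="drop" srcip="198.51.100.9" dstip="192.0.2.1" dstport="22"
08:00:11 action="accept" srcip="198.51.100.200" dstip="192.0.2.1" dstport="443"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')

def rdp_drop_sources(lines, port=3389, min_hits=2):
    """Count dropped packets to `port` per source IP; keep repeat offenders."""
    hits = Counter()
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("action") != "drop" or f.get("dstport") != str(port):
            continue
        try:
            hits[ipaddress.ip_address(f.get("srcip", ""))] += 1
        except ValueError:
            continue  # missing or malformed source address
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def block_group(sources, subnet_threshold=3):
    """Return a short network list for a drop rule (IPv4 sources only)."""
    by_net = defaultdict(set)
    for ip in filter(lambda a: a.version == 4, sources):
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    nets = []
    for net, hosts in by_net.items():
        if len(hosts) >= subnet_threshold:
            nets.append(net)  # many hosts in one /24: list the subnet
        else:
            nets.extend(ipaddress.ip_network(f"{h}/32") for h in hosts)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

`block_group(rdp_drop_sources(SAMPLE_LOG.splitlines()))` yields the entries to paste into the group; raise `subnet_threshold` if listing a whole /24 risks blocking legitimate users.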