Help, getting attacked

Hello, today I realized that someone has been trying to brute force my RDP server for a few days.

So I switched off the NAT rule for RDP.

Still the attack keeps going on; the UTM does its work and drops the packets. Since I am getting attacked from multiple IP addresses, is there any way to stop this?

Or do I just have to wait until the attacker stops?

Thank you for your thoughts!

  • #1 - NEVER use NAT for a service such as RDP. Set up a VPN with 2FA for accessing a dangerous internal service such as this. I personally feel anyone who has RDP available publicly should be whipped with a wet noodle. Just no.. no no no no no. Good on you for turning it off, now never ever turn that on again.

    #2 - Your firewall is doing its job, though you can create an IP group where you collect all these IP addresses and put it at the top of your firewall rules as a drop rule, or a NAT to blackhole (non-existent IP address). See #2 community.sophos.com/.../rulz

    #3 - Also consider looking up the various IP addresses in GeoIP to see if they are consistently from another country that you can consider blocking, though the 13.64 seem to be USA
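
An added example (not part of the thread, and not Sophos code) for the IP-group suggestion in #2: it tallies dropped packets to port 3389 per source and returns candidate entries for a drop group, skipping networks you must never block. The key="value" log format, the sample lines, the function names and the thresholds are assumptions; adapt the field names to your firewall's actual log.

```python
import ipaddress
import re
from collections import Counter

FIELD = re.compile(r'(\w+)="([^"]*)"')

def _line(src, dport="3389", action="drop"):
    # Constructed log line in an assumed key="value" packet-filter format.
    return (f'2024:01:10-09:00:00 fw ulogd: action="{action}" srcip="{src}" '
            f'dstip="192.0.2.10" proto="6" dstport="{dport}"')

# Constructed sample data (documentation address ranges only).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5")] * 3 + [_line("203.0.113.77")] * 2
    + [_line("203.0.113.200")] * 2 + [_line("198.51.100.23")] * 2
    + [_line("198.51.100.99")] + [_line("198.51.100.50", dport="443")]
    + [_line("192.0.2.44")] * 2 + ["truncated line without fields"]
)

def dropped_sources(log_text, port="3389"):
    """Count dropped packets per source IP aimed at one destination port."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("action") != "drop" or fields.get("dstport") != port:
            continue
        try:
            hits[ipaddress.ip_address(fields.get("srcip", ""))] += 1
        except ValueError:
            continue  # missing or malformed source address
    return hits

def block_entries(hits, never_block=(), min_hits=2, net_hosts=3, prefix=24):
    """Build drop-group entries; collapse to a /prefix when several hosts in it are noisy."""
    allow = [ipaddress.ip_network(n) for n in never_block]
    noisy = [ip for ip, n in hits.items()
             if n >= min_hits and not any(ip in net for net in allow)]
    def parent(ip):
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    per_net = Counter(parent(ip) for ip in noisy if ip.version == 4)
    entries = set()
    for ip in noisy:
        if ip.version == 4 and per_net[parent(ip)] >= net_hosts:
            entries.add(parent(ip))  # wider block: review before applying
        else:
            entries.add(ipaddress.ip_network(str(ip)))
    return sorted(entries, key=lambda n: (n.version, int(n.network_address)))

if __name__ == "__main__":
    for net in block_entries(dropped_sources(SAMPLE_LOG), never_block=["192.0.2.0/24"]):
        print(net)
```

Put your own office, VPN and monitoring ranges in `never_block` before pasting the output into a drop group, and check any collapsed /24 for legitimate users first.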
