Help, getting attacked

Hello, today I realized that someone has been trying to brute-force my RDP server for a few days.

So I switched off the NAT rule for RDP.

Still the attack keeps going on; the UTM does its work and drops the packets. Since I am getting attacked from multiple IP addresses, is there any way to stop this?

Or do I just have to wait until the attacker stops it?

Thank you for your thoughts!

  • Hallo Bob and welcome to the UTM Community!

    Instead of just dropping those 3389 packets, is the attacker dissuaded if you reject the packets?

    Agreed with RaveNet about using remote access with 2fa instead of a DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Balfson, not really, the attack is still going on. I turned on country blocking; this looks to me like it is relieving the firewall of a lot of workload, since it does not have to drop 20-30 requests per second:





    I want to wait some days until I turn country blocking off to check if I still get a lot of requests for :3389.

    Would you guys suggest that I create a NAT blackhole and turn country blocking off?

    My Firewall log from the last days to compare (country blocking on):



    Thank you for your interest!
