
Help, getting attacked

Hello, today I realized that someone has been trying to brute force my RDP server for a few days.

So I switched off the NAT rule for RDP.

Still, the attack keeps going on; the UTM does its work and drops the packets. Since I am getting attacked from multiple IP addresses, is there any way to stop this?

Or do I just have to wait until the attacker stops?

Thank you for your thoughts!



  • Hallo Bob and welcome to the UTM Community!

    Instead of just dropping those 3389 packets, is the attacker dissuaded if you reject the packets?

    Agreed with RaveNet about using remote access with 2fa instead of a DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry, now I understand your suggestion. No, I didn't try yet to REJECT the packets; I thought maybe it is not a good idea because the attacker knows that his target is alive?? I am not sure.

  • You're right, Bob, the accepted wisdom is to drop packets from unknown IPs, but to reject them if the IP is a known "friend."

    My lab UTM began experiencing more and more port scans from more and more IPs last year, so I tried an experiment beginning in August when we had been scanned 38592 times by 36 different IPs.  I made an Intrusion Prevention portscan exception for a Network Group "Portscanners" which I populated with the subnets of those outside North America and Europe that had portscanned me.  I then made a firewall rule 'Portscanners -> Any -> External (Address) : Reject'.

    In December, I saw 115601 rejects of 225 IPs.  Halfway through April, we're down to 4061 rejects thus far and portscans from only 10 IPs, most of which are legitimate testers.

    It appears that giving the attackers a Brüskierung was more effective than dropping their attacks.  I'd be interested in hearing others' comments about my experiment.

    Cheers - Bob

  • Your solution sounds very interesting to me. For now, I will keep monitoring the status of the attacks with the "country blocking" feature on. After some days, I will turn country blocking off and see if I still get a lot of requests which will be getting dropped. If so, I will try to implement your "Lab experiment". Sounds very clever.

    Have a great one!
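Both Bob's experiment above (counting portscans per source IP and grouping the offending sources into subnets for a "Portscanners" network group) and the monitoring planned in the reply come down to aggregating the packet-filter log. The script below is an added example, not from this thread or from Sophos; it assumes the UTM's key="value" packet-filter log style and runs on constructed sample lines:

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample lines in the key="value" style of the UTM packet-filter
# log (field names assumed from memory, not copied from the thread).
SAMPLE_LOG = """\
2021:04:17-09:12:01 utm ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.2" proto="6" srcport="51532" dstport="3389" tcpflags="SYN"
2021:04:17-09:12:03 utm ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.77" dstip="198.51.100.2" proto="6" srcport="51533" dstport="3389" tcpflags="SYN"
2021:04:17-09:12:09 utm ulogd[4711]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet rejected" action="reject" fwrule="3" initf="eth1" srcip="192.0.2.5" dstip="198.51.100.2" proto="6" srcport="40001" dstport="3389" tcpflags="SYN"
2021:04:17-09:13:00 utm ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.2" proto="6" srcport="51540" dstport="3389" tcpflags="SYN"
2021:04:17-09:13:05 utm ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.10" dstip="198.51.100.2" proto="6" srcport="51541" dstport="443" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))

def summarize_rdp_hits(log_text, dstport="3389", prefix=24):
    """Count blocked hits on dstport per action, per source IP and per /prefix subnet."""
    by_action = Counter()
    by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("sub") != "packetfilter" or rec.get("dstport") != dstport:
            continue
        if rec.get("action") not in ("drop", "reject"):
            continue
        by_action[rec["action"]] += 1
        by_ip[rec["srcip"]] += 1
    # Aggregate offending hosts into subnets, the granularity a network group uses.
    by_subnet = Counter()
    for ip, n in by_ip.items():
        by_subnet[str(ip_network(f"{ip}/{prefix}", strict=False))] += n
    return {
        "total": sum(by_ip.values()),
        "distinct_ips": len(by_ip),
        "by_action": dict(by_action),
        "by_subnet": dict(by_subnet),
    }

if __name__ == "__main__":
    s = summarize_rdp_hits(SAMPLE_LOG)
    print(f"{s['total']} blocked hits on 3389 from {s['distinct_ips']} IPs: {s['by_action']}")
    for net, n in sorted(s["by_subnet"].items(), key=lambda kv: -kv[1]):
        print(f"  {net:18} {n}")
```

Run over a real export of the packet-filter log, the per-subnet counts before and after switching a group from drop to reject give the same kind of comparison Bob reports (rejects and distinct IPs per month).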

  • BTW just read your Lebenslauf and I am amazed and had to laugh. You are living a genius life. My dream is moving to the states, but it seems impossible to do it at the moment. Thanks for sharing your wisdom with us!

  • Herzlichen Dank, Bob.  In fact my father's mother was born in the US of German immigrants and didn't learn English until she started 1st grade.  When my father was born in her late teens, German was still her primary language, so my father learned a lot of expressions from her growing up that he later used with his children.  I think her family spoke Plattdietsch because of the way he recited Die Loreley that he learned from his mother.  Before I left Germany, people knew I wasn't from their Land, but they couldn't tell where I was from.  I learned adventuring from my father.  At 18, after high school in Nebraska, he hopped freight trains to get out to California - he was a hobo!

    Anyway, yes, I've been lucky and have tried to pay back the world for that luck and the opportunities given to me.

    This pandemic has been tough on a lot of people.  We're lucky to be able to complain about not being allowed to move around, visit family, hug friends, etc.  We're hoping to visit friends in Paris in September this year or next, so maybe that opportunity in the USA isn't too far in the future for you.  Your English is tadellos - I can't believe you haven't already lived in the UK or US.

    Cheers - Bob
    PS My fencing coach in Berlin was a pentathlete on the Austrian national team.  When he and his wife had their church wedding in a small town near Wien, several of us drove down to celebrate with them.  The following winter, I remember staying in a cabin and snow skiing with them and other friends on Hohenschneeberg.

  • "At 18, after high school in Nebraska, he hopped freight trains to get out to California - he was a hobo!" - HAHAHA WTF how cool is that? WUNDERBAR!

    I absolutely agree with you, we all have such a high standard of living.

    I hope you are still that sporty! Never went fencing but heard that it is a lot of fun.

    Have a great Saturday!

    ...to give our posts at least a touch of Sophos related content:
    Still attacks on :3389, but with country blocking on it still looks the same as the last few days: