
Help, getting attacked

Hello, today I realized that someone has been trying to brute force my RDP server for a few days.

So I switched off the NAT rule for RDP.

Still, the attack keeps going on; the UTM does its work and drops the packets. Since I am getting attacked from multiple IP addresses, is there any way to stop this?

Or do I just have to wait until the attacker stops?

Thank you for your thoughts!



  • #1 - NEVER use NAT for a service such as RDP.  Set up a VPN with 2FA for accessing a dangerous internal service such as this.  I personally feel anyone who has RDP available publicly should be whipped with a wet noodle. Just no.. no no no no no. Good on you for turning it off, now never ever turn that on again.

    #2 - your firewall is doing its job, though you can create an IP group where you collect all these IP addresses and put it at the top of your firewall rules as a drop rule, or a NAT to a blackhole (non-existent IP address).  See #2 community.sophos.com/.../rulz

    #3 - Also consider looking up the various IP addresses in GeoIP; if they are consistently from another country, you can consider blocking it, though the 13.64 ones seem to be USA

  • Sophos offers a service to assist you for those attacks.

    https://www.sophos.com/en-us/products/managed-threat-response/rapid-response.aspx


  • Thank you for the tip! After a call to the Rapid Response team, they competently and nicely told me the same as RaveNet: the firewall is doing its job, I shall watch the internal logs on my servers for auth attempts (since I turned off the RDP NAT, there are none anymore) and can do nothing.

    Since a lot of these attacks are automated, it is quite common that your firewall/IP address gets attacked and the firewall does its job.

    Good to know that there is a Rapid Response team if there were a real security breach or issue, and at least on my phone call the Sophos team sounded like they are doing a good job.

  • Hello Bob and welcome to the UTM Community!

    Instead of just dropping those 3389 packets, is the attacker dissuaded if you reject the packets?

    Agreed with RaveNet about using remote access with 2FA instead of a DNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Balfson, not really, the attack is going on. I turned on country blocking; this looks to me like it is relieving a lot of workload from the firewall, since it does not have to drop 20-30 requests per second:

    I want to wait some days until I turn country blocking off to check if I still get a lot of requests for :3389

    Would you guys suggest that I create a NAT blackhole and turn country blocking off?

    My firewall log from the last days to compare (country blocking on):


    Thank you for your interest!

  • Sorry, now I understand your suggestion. No, I didn't try yet to REJECT the packets; I thought maybe it is not a good idea because the attacker then knows that his target is alive?? I am not sure.

  • You're right, Bob, the accepted wisdom is to drop packets from unknown IPs, but to reject them if the IP is a known "friend."

    My lab UTM began experiencing more and more port scans from more and more IPs last year, so I tried an experiment beginning in August when we had been scanned 38592 times by 36 different IPs.  I made an Intrusion Prevention portscan exception for a Network Group "Portscanners" which I populated with the subnets of those outside North America and Europe that had portscanned me.  I then made a firewall rule 'Portscanners -> Any -> External (Address) : Reject'.

    In December, I saw 115601 rejects of 225 IPs.  Halfway through April, we're down to 4061 rejects thus far and portscans from only 10 IPs, most of which are legitimate testers.

    It appears that giving the attackers a snub was more effective than dropping their attacks.  I'd be interested in hearing others' comments about my experiment.

    Cheers - Bob

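An added example, not code from the thread or from Sophos, of the log-review step that both RaveNet's #2 (collect the attacking addresses into an IP group) and Bob's experiment (populate a "Portscanners" Network Group with the offending subnets) rely on: parse packet-filter log lines, count dropped packets per source IP aimed at 3389, and aggregate them into /24 networks that are candidates for such a group. The log lines are constructed and only loosely modelled on the UTM key="value" format; the field names are assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample lines, loosely modelled on the UTM packet filter's key="value" log format
# (sub/action/srcip/dstport are the fields keyed on; other fields are omitted for brevity).
SAMPLE_LOG = """\
2021:04:15-10:22:31 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="203.0.113.7" dstip="198.51.100.2" proto="6" srcport="51234" dstport="3389"
2021:04:15-10:22:32 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="203.0.113.7" dstip="198.51.100.2" proto="6" srcport="51235" dstport="3389"
2021:04:15-10:22:33 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="203.0.113.7" dstip="198.51.100.2" proto="6" srcport="51236" dstport="3389"
2021:04:15-10:22:40 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="203.0.113.99" dstip="198.51.100.2" proto="6" srcport="40001" dstport="3389"
2021:04:15-10:22:41 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="203.0.113.99" dstip="198.51.100.2" proto="6" srcport="40002" dstport="3389"
2021:04:15-10:23:02 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="192.0.2.200" dstip="198.51.100.2" proto="6" srcport="60000" dstport="3389"
2021:04:15-10:23:05 utm ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" srcip="192.0.2.5" dstip="198.51.100.2" proto="6" srcport="33333" dstport="22"
2021:04:15-10:23:09 utm ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" srcip="192.0.2.77" dstip="198.51.100.2" proto="6" srcport="44444" dstport="443"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def rdp_drops_by_source(log_text, dport="3389"):
    """Count dropped packet-filter events per source IP aimed at dport (RDP by default)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") == "packetfilter" and f.get("action") == "drop" and f.get("dstport") == dport:
            hits[f["srcip"]] += 1
    return hits


def candidate_networks(hits, prefixlen=24, min_hits=3):
    """Aggregate per-IP counts into /prefixlen networks; keep those at or above min_hits, busiest first."""
    per_net = defaultdict(int)
    for ip, n in hits.items():
        per_net[str(ip_network(f"{ip}/{prefixlen}", strict=False))] += n
    return sorted(((net, n) for net, n in per_net.items() if n >= min_hits), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for net, n in candidate_networks(rdp_drops_by_source(SAMPLE_LOG)):
        print(f"{net}\t{n} dropped RDP packets")
```

The script only produces a list to review (check each network against GeoIP and against your own known addresses before adding it); whether the group then feeds a Drop rule, a blackhole DNAT or a Reject rule is the choice the thread discusses.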
  • Your solution sounds very interesting to me; for now, I will keep monitoring the status of the attacks with the "country blocking" feature on. After some days, I will turn country blocking off and see if I still get a lot of requests which will be getting dropped. If so, I will try to implement your "lab experiment". Sounds very clever.

    Have a great one!

  • BTW, I just read your CV and I am amazed and had to laugh. You are living a genius life. My dream is moving to the States, but it seems impossible to do it at the moment. Thanks for sharing your wisdom with us!

  • Many thanks, Bob.  In fact my father's mother was born in the US of German immigrants and didn't learn English until she started 1st grade.  When my father was born in her late teens, German was still her primary language, so my father learned a lot of expressions from her growing up that he later used with his children.  I think her family spoke Plattdietsch because of the way he recited Die Loreley that he learned from his mother.  Before I left Germany, people knew I wasn't from their state, but they couldn't tell where I was from.  I learned adventuring from my father.  At 18, after high school in Nebraska, he hopped freight trains to get out to California - he was a hobo!

    Anyway, yes, I've been lucky and have tried to pay back the world for that luck and the opportunities given to me.

    This pandemic has been tough on a lot of people.  We're lucky to be able to complain about not being allowed to move around, visit family, hug friends, etc.  We're hoping to visit friends in Paris in September this year or next, so maybe that opportunity in the USA isn't too far in the future for you.  Your English is flawless - I can't believe you haven't already lived in the UK or US.

    Cheers - Bob
    PS My fencing coach in Berlin was a pentathlete on the Austrian national team.  When he and his wife had their church wedding in a small town near Wien, several of us drove down to celebrate with them.  The following winter, I remember staying in a cabin and snow skiing with them and other friends on Hohenschneeberg.
