
[Latest KBs] Sophos UTM: How to avoid RDP brute force attacks

Hi all,

This article provides details on how to avoid RDP brute force attacks with Sophos UTM. 
Please see below for details:

Sophos UTM: How to avoid RDP brute force attacks

Regards,



  • Other options:

    • You may want to evaluate "ts_block" by Evan Anderson, available on GitHub. It is a relatively small amount of scripting code, so fully readable and tailorable. It is installed on the Remote Desktop Server. It uses event log subscriptions on successful and failed logins to block IP addresses. It blocks any attempt on blacklisted usernames (e.g. administrator) and blocks the IP when any other username experiences a threshold of login failures. Block interval is configurable. On newer servers, the old login method needs to be enabled, because the new login method does not include the source IP address in the event log entry (why, Microsoft?). This approach does not satisfy PCI DSS requirements for two-factor authentication.

    • Remote Desktop Gateway is supported with WAF, which allows you to configure OTP for two-factor authentication, which will provide PCI DSS compliance.
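The blocking logic Doug describes above (block a source on its first attempt against a blacklisted username, block any other source after a failure threshold, lift the block after a configurable interval, and do nothing useful when the event carries no source address) is shown here as an added Python example. It is not ts_block's own code: ts_block is a script installed on the RDS host that reads the Security log, whereas this replays constructed 4624 (logon success) and 4625 (logon failure) records embedded inline. The threshold, window, block interval, blacklist and the "a successful logon clears the counter" behaviour are assumed values for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs (assumed values for this illustration; ts_block's defaults may differ).
BLACKLISTED_USERS = {"administrator", "admin", "guest"}
FAIL_THRESHOLD = 5                      # failures per source IP before blocking
FAIL_WINDOW = timedelta(minutes=5)      # failures older than this are forgotten
BLOCK_INTERVAL = timedelta(minutes=15)  # how long a block stays in place

EVENT_LOGON_SUCCESS = 4624  # Windows Security log: an account was successfully logged on
EVENT_LOGON_FAILURE = 4625  # Windows Security log: an account failed to log on


class BruteForceBlocker:
    """Per-source-IP failure counting with immediate blocks on blacklisted usernames."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW,
                 block_interval=BLOCK_INTERVAL, blacklist=BLACKLISTED_USERS):
        self.threshold, self.window, self.block_interval = threshold, window, block_interval
        self.blacklist = {u.lower() for u in blacklist}
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocks = {}                    # ip -> time at which the block expires
        self.unattributable = []            # 4625 records that carry no source address

    def _expire(self, now):
        """Lift blocks whose interval has elapsed (the unblock half of the job)."""
        for ip, until in list(self.blocks.items()):
            if until <= now:
                del self.blocks[ip]

    def _block(self, ip, now, reason):
        # In a real deployment this is where a host firewall rule would be added;
        # here the decision is only recorded.
        self.blocks[ip] = now + self.block_interval
        self.failures.pop(ip, None)
        return ("block", ip, reason)

    def process(self, event):
        """Feed one Security-log record; return (action, ip, reason)."""
        now = datetime.fromisoformat(event["time"])
        self._expire(now)
        ip, user = event["ip"], event["user"].lower()

        if event["id"] == EVENT_LOGON_SUCCESS:
            self.failures.pop(ip, None)  # assumed: a good logon clears the count
            return ("allow", ip, "success")
        if event["id"] != EVENT_LOGON_FAILURE:
            return ("ignore", ip, "unhandled event id")
        if ip in ("-", "", None):
            # The caveat from the post: some logon paths log 4625 without a
            # source address, so nothing can be blocked from this record.
            self.unattributable.append(event)
            return ("skip", ip, "no source address in event")
        if ip in self.blocks:
            return ("already_blocked", ip, "block still active")
        if user in self.blacklist:
            return self._block(ip, now, f"blacklisted username {user!r}")

        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            return self._block(ip, now, f"{len(recent)} failures within {self.window}")
        return ("count", ip, f"{len(recent)}/{self.threshold} failures")


# Constructed sample records (not real log output); "ip" mirrors the IpAddress field.
SAMPLE_EVENTS = [
    # 198.51.100.7 tries the blacklisted 'administrator' account: blocked on try 1
    {"time": "2024-03-01T10:00:00", "id": 4625, "user": "Administrator", "ip": "198.51.100.7"},
    {"time": "2024-03-01T10:00:01", "id": 4625, "user": "Administrator", "ip": "198.51.100.7"},
    # 203.0.113.5 guesses a real user's password and crosses the threshold on try 5
    {"time": "2024-03-01T10:01:00", "id": 4625, "user": "jsmith", "ip": "203.0.113.5"},
    {"time": "2024-03-01T10:01:10", "id": 4625, "user": "jsmith", "ip": "203.0.113.5"},
    {"time": "2024-03-01T10:01:20", "id": 4625, "user": "jsmith", "ip": "203.0.113.5"},
    {"time": "2024-03-01T10:01:30", "id": 4625, "user": "jsmith", "ip": "203.0.113.5"},
    {"time": "2024-03-01T10:01:40", "id": 4625, "user": "jsmith", "ip": "203.0.113.5"},
    # 192.0.2.9 mistypes twice, then logs in: counter cleared, never blocked
    {"time": "2024-03-01T10:02:00", "id": 4625, "user": "mjones", "ip": "192.0.2.9"},
    {"time": "2024-03-01T10:02:05", "id": 4625, "user": "mjones", "ip": "192.0.2.9"},
    {"time": "2024-03-01T10:02:10", "id": 4624, "user": "mjones", "ip": "192.0.2.9"},
    # a failure logged without a source address: cannot be acted on
    {"time": "2024-03-01T10:03:00", "id": 4625, "user": "jsmith", "ip": "-"},
    # 198.51.100.7 returns after its 15-minute block has lapsed: counting restarts
    {"time": "2024-03-01T10:16:00", "id": 4625, "user": "jsmith", "ip": "198.51.100.7"},
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the constructed events; return the list of actions and the blocker state."""
    blocker = BruteForceBlocker()
    actions = [blocker.process(e) for e in events]
    return actions, blocker


if __name__ == "__main__":
    actions, blocker = run_sample()
    for action in actions:
        print(action)
    print("active blocks:", sorted(blocker.blocks))
    print("unattributable failures:", len(blocker.unattributable))
```

The `skip` branch is the practical point of the caveat in the post: a failure record with no source address cannot feed an IP block, so whichever logon path populates that field is the one this class of tool depends on. In a deployment the records would come from the live Security log and `_block` would add and later remove a host firewall rule; nothing here replaces the second factor that PCI DSS asks for.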
  • Excellent feedback, Doug!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Great work, Barb!

    You might suggest to the author* to include the HTML5 VPN info along with SSL VPN and Doug's comment about 2F Auth and PCI DSS.

    Cheers - Bob
    * It's disappointing that Sophos doesn't allow mention of the author's name. I know that most work really is a combination of people, but prefer to give credit where credit is due. Also, it would be nice if there were a Changelog at the end of each KB article (see my Rulz post) so that folks could quickly see what had changed since they last consulted the article.

  • Hi all,

    Thank you very much for the feedback. We have passed it along to the appropriate channels.

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support