[Latest KBs] Sophos UTM: How to avoid RDP brute force attacks

Other options:

• You may want to evaluate "ts_block" by Evan Anderson, available on GitHub.   It is a relatively small amount of scripting code, so fully readable and tailorable.  It is installed on the  Remote Desktop Server.  It uses event log subscriptions on successful and failed logins to block IP addresses.   It blocks any attempt on blacklisted usernames (e.g. administrator) and blocks the IP when any other username experiences a threshold of login failures.   Block interval is configurable.   On newer servers, the old login method needs to be enabled, because the new login method does not include the source IP address in the event log entry (why, Microsoft?).  This approach does not satisfy PCI DSS requirements for two-factor authentication.
  
  
• Remote Desktop Gateway is supported with WAF, which allows you to configure OTP for two-factor authentication, which will provide PCI DSS compliance.

Excellent feedback, Doug!

Cheers - Bob

Great work, Barb!

You might suggest to the author* to include the HTML5 VPN info along with SSL VPN and Doug's comment about 2F Auth and PCI DSS.

Cheers - Bob
* It's disappointing that Sophos doesn't allow mention of the author's name.  I know that most work really is a combination of people, but prefer to give credit where credit is due.  Also, it would be nice if the were a Changelog at the end of each KB article (see my Rulz post) so that folks could quickly see what had changed since they last consulted the article.

Hi all,

Thank you very much for the feedback. We have passed it along to the appropriate channels.

Regards,