
[Latest KBs] Sophos UTM: How to avoid RDP brute force attacks

Hi all,

This article provides details on how to avoid RDP brute force attacks with Sophos UTM. 
Please see below for details:

Sophos UTM: How to avoid RDP brute force attacks

Regards,

  • Other options:

    • You may want to evaluate "ts_block" by Evan Anderson, available on GitHub. It is a relatively small amount of scripting code, so fully readable and tailorable. It is installed on the Remote Desktop Server. It uses event log subscriptions on successful and failed logins to block IP addresses. It blocks any attempt on blacklisted usernames (e.g. administrator) and blocks the IP when any other username experiences a threshold of login failures. Block interval is configurable. On newer servers, the old login method needs to be enabled, because the new login method does not include the source IP address in the event log entry (why, Microsoft?). This approach does not satisfy PCI DSS requirements for two-factor authentication.

    • Remote Desktop Gateway is supported with WAF, which allows you to configure OTP for two-factor authentication, which will provide PCI DSS compliance.
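The blocking logic the reply describes (blacklisted usernames blocked on a single failure, other usernames blocked after a threshold of failures from one source address, a configurable block interval, and the problem of logon events that carry no source IP) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not ts_block's code and not part of the original post. The record format, the sample addresses, the threshold and window defaults, and the choice to clear a source's failure count on a successful logon are all constructed assumptions for the example; a real deployment would read the Security event log rather than these lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on the fields that matter from
# Windows Security events 4625 (failed logon) and 4624 (successful logon):
# timestamp, event id, TargetUserName and Source Network Address. The addresses
# come from documentation ranges and every line is made up for this example.
SAMPLE_EVENTS = """
2024-05-01T10:00:00 4625 user=alice ip=203.0.113.5
2024-05-01T10:00:01 4625 user=Administrator ip=198.51.100.7
2024-05-01T10:00:02 4625 user=alice ip=203.0.113.5
2024-05-01T10:00:03 4624 user=alice ip=203.0.113.5
2024-05-01T10:00:04 4625 user=bob ip=-
2024-05-01T10:00:05 4625 user=alice ip=203.0.113.5
2024-05-01T10:00:06 4625 user=carol ip=192.0.2.9
2024-05-01T10:00:07 4625 user=carol ip=192.0.2.9
2024-05-01T10:00:08 4625 user=carol ip=192.0.2.9
2024-05-01T10:00:09 4625 user=admin ip=198.51.100.7
2024-05-01T11:00:30 4625 user=Administrator ip=198.51.100.7
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\d{4}) user=(\S+) ip=(\S+)$")

# Usernames that should never log in over RDP; a single failure is enough to block.
BLACKLISTED_USERS = {"administrator", "admin", "guest"}


def parse_event(line):
    """Return (timestamp, event_id, user, ip) for one constructed record."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    ts, event_id, user, ip = m.groups()
    return datetime.fromisoformat(ts), int(event_id), user, ip


class RdpBlocker:
    """Track failed logons per source IP and decide when to block (model, not ts_block)."""

    def __init__(self, threshold=3, window=timedelta(minutes=5),
                 block_for=timedelta(hours=1)):
        self.threshold = threshold            # failures inside `window` before a block
        self.window = window
        self.block_for = block_for            # the configurable block interval
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.blocked = {}                     # ip -> datetime the block expires
        self.unattributable = 0               # failures that carried no source address

    def _expire(self, now):
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]

    def _block(self, ip, now):
        self.blocked[ip] = now + self.block_for
        self.failures.pop(ip, None)

    def is_blocked(self, ip, now):
        self._expire(now)
        return ip in self.blocked

    def record(self, ts, event_id, user, ip):
        """Feed one event; return the block reason if this event causes a block."""
        if event_id == 4624:
            # Assumption of this model: a successful logon clears the failure history.
            self.failures.pop(ip, None)
            return None
        if event_id != 4625:
            return None
        if ip in ("-", ""):
            # The reply's caveat: some logon paths log no source address, so the
            # failure is counted for reporting but no address can be blocked.
            self.unattributable += 1
            return None
        if self.is_blocked(ip, ts):
            return None
        if user.lower() in BLACKLISTED_USERS:
            self._block(ip, ts)
            return "blacklisted-user"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and recent[0] < ts - self.window:
            recent.popleft()            # drop failures older than the window
        if len(recent) >= self.threshold:
            self._block(ip, ts)
            return "threshold"
        return None


def run_sample(lines=SAMPLE_EVENTS):
    """Replay the constructed records; return the block decisions and the blocker."""
    blocker = RdpBlocker()
    decisions = []
    for line in lines:
        ts, event_id, user, ip = parse_event(line)
        reason = blocker.record(ts, event_id, user, ip)
        if reason:
            decisions.append((ts.isoformat(), ip, reason))
    return decisions, blocker


if __name__ == "__main__":
    decisions, blocker = run_sample()
    for when, ip, reason in decisions:
        print(f"{when} block {ip} ({reason})")
    print(f"{blocker.unattributable} failure(s) carried no source address")
```

Replaying the sample blocks 198.51.100.7 on its first attempt against a blacklisted name, blocks 192.0.2.9 after its third failure inside the window, ignores the later attempt from an already-blocked address, and blocks 198.51.100.7 again once its one-hour block has expired. The failure with `ip=-` is counted but cannot be acted on, which is exactly why the reply notes that the older logon method has to be enabled for source addresses to appear in the log. Whatever produces the decision list, the block itself still has to be applied somewhere (host firewall, or the UTM's own rules), and the count of unattributable failures is worth surfacing so an administrator notices when the log has stopped carrying addresses.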